Maryland’s “Strictly Necessary” Standard For Sensitive Data Protection


Maryland has raised the bar for data privacy with the Maryland Online Data Privacy Act (MODPA), signed into law on May 9, 2024, and set to take effect October 1, 2025. Among its groundbreaking provisions is a stringent rule: companies cannot process sensitive personal data unless it is “strictly necessary” to provide or maintain a product or service explicitly requested by the consumer. This “strictly necessary” standard diverges sharply from the more permissive approaches of other U.S. state privacy laws, creating both a protective shield for consumers and a compliance conundrum for businesses. With its lack of clear interpretive guidance, this provision could reshape how companies handle sensitive data—while leaving many questions unanswered.

A Stricter Standard for Sensitive Data

Most state privacy laws, like those in California, Virginia, or Colorado, allow companies to process sensitive data under flexible conditions: consumers can limit its use (California's CCPA/CPRA), must opt in (Virginia's VCDPA and Colorado's CPA), or can rely on disclosed purposes. Those laws also frame data minimization in terms of what is "reasonably necessary" for the disclosed purposes, a standard that offers leeway for interpretation. Maryland's MODPA sets a higher threshold. It prohibits the collection, processing, or sharing of sensitive data, defined broadly to include racial or ethnic origin, religious beliefs, consumer health data, sexual orientation, transgender or nonbinary status, citizenship or immigration status, genetic and biometric data, precise geolocation, and the personal data of known children, unless the processing is "strictly necessary" to provide or maintain a product or service the consumer specifically requested. Consent, the usual path to lawful sensitive-data processing elsewhere, is not an alternative under this provision.

This approach marks a seismic shift. For example, a fitness app might use precise geolocation to track a run—arguably “strictly necessary” for that service—but couldn’t repurpose that data for targeted ads, even with consent. Similarly, an e-commerce site collecting ethnicity data to personalize recommendations might find that practice barred unless it’s essential to the core transaction. Maryland’s rule prioritizes data minimization over consumer choice, reflecting a belief that transparency and consent alone don’t sufficiently protect sensitive information.

Ambiguity in “Strictly Necessary”

The catch? MODPA doesn't define "strictly necessary." Unlike "reasonably necessary," the familiar standard in other state laws (and close in spirit to GDPR's data-minimization principle of processing limited to what is necessary for a purpose), "strictly necessary" suggests an absolute need, with no room for ancillary uses. But what qualifies? Is biometric authentication "strictly necessary" to unlock a phone if a passcode would suffice? Is precise geolocation "strictly necessary" for a ride-sharing app but not for a weather app's enhanced features? The law's silence on these questions creates uncertainty, especially since other MODPA provisions, such as the required data protection assessments for sensitive-data processing and the opt-out rights for targeted advertising, imply that some sensitive-data processing is permissible.

This vagueness could lead to inconsistent enforcement. The Maryland Attorney General, who enforces MODPA through the Division of Consumer Protection, has not yet issued guidance clarifying the term. Without guidance, courts may step in, potentially yielding varied interpretations. The Attorney General has discretion to offer a 60-day cure period before bringing an enforcement action, but that discretion expires on April 1, 2027. Businesses face a dilemma: over-restrict data use and lose functionality, or push boundaries and risk penalties. The lack of a consent exception only heightens the stakes, as companies cannot fall back on user approval to justify processing.


Compliance Challenges and Conflicts

For organizations, MODPA's "strictly necessary" standard poses practical hurdles. Many rely on sensitive data for analytics, advertising, or service enhancements, uses that may not meet this high bar. Take website tracking: an analytics script that records a visitor's precise geolocation might be "reasonably necessary" for analytics but is not "strictly necessary" to load a page. Data brokers, whose business depends on selling sensitive data such as health or location records, face MODPA's parallel prohibition on the sale of sensitive data, which no consumer consent can override. Even routine operations, like using biometrics for convenience rather than necessity, could trigger violations.

The standard also clashes with MODPA’s structure. The law mandates data protection assessments for processing sensitive data, implying it’s allowed under some conditions, yet the “strictly necessary” rule suggests a near-total restriction. This internal tension mirrors a broader debate in privacy law: can consent-based frameworks coexist with strict minimization? Maryland’s answer seems to be no, but the execution muddies the waters, leaving companies to guess where the line lies.

Broader Implications

Maryland’s approach could inspire other states to adopt tougher data minimization rules, shifting the U.S. privacy landscape away from opt-in/opt-out models toward default restrictions. It aligns with a growing sentiment—echoed in Europe’s GDPR—that sensitive data deserves heightened protection, especially as technologies like AI and biometrics amplify risks. For consumers, this promises tighter control over their most intimate information, potentially curbing abuses like profiling or unauthorized data sales.

Yet, the uncertainty poses risks. Businesses may struggle to adapt without clear benchmarks, particularly smaller firms lacking legal resources. Overly cautious compliance could stifle innovation—imagine a health app dropping useful features to avoid geolocation debates. Conversely, lax interpretations might undermine MODPA’s intent, prompting stricter enforcement or amendments. The law’s delayed application to processing activities before April 1, 2026, gives breathing room, but companies must start auditing data flows now to align with this uncharted standard.

Navigating the Uncertainty

To prepare, businesses should map their sensitive data use (location, biometrics, health data, children's data) and, for each data element, document which consumer-requested product or service it supports and why that service cannot be provided or maintained without it; anything that fails that test should be dropped, not justified by a consent prompt. Legal counsel can help interpret "strictly necessary" in context, while privacy tech can enforce minimization at collection time. Transparency with consumers about limited data use can also build trust, turning a compliance burden into a competitive edge. As Maryland's Attorney General or the courts clarify the term, staying agile will be key.

MODPA’s “strictly necessary” standard is a bold experiment in privacy protection—one that prioritizes consumer rights over business flexibility. Whether it becomes a model or a cautionary tale depends on how its ambiguities are resolved. For now, it’s a wake-up call: sensitive data isn’t just a compliance checkbox; it’s a responsibility with a higher bar.

For updates on MODPA enforcement, visit the Maryland Attorney General's website (marylandattorneygeneral.gov). Businesses in Maryland that want to be compliant should book a demo now and work with a Captain Compliance privacy superhero to get compliant with Maryland's privacy law.

Online Privacy Compliance Made Easy

Captain Compliance makes it easy to develop, oversee, and expand your privacy program. Book a demo or start a trial now.