Maryland Privacy Crackdown Raises Bar for Disclosure Compliance

Nov. 14, 2025, 9:30 AM UTC

Maryland joined the patchwork of 19 states enacting their own data privacy rules in lieu of a federal standard when Gov. Wes Moore (D) signed the Maryland Online Data Privacy Act of 2024 last year, empowering the state to curb exploitative data practices. The MODPA went into effect on Oct. 1, and enforcement begins on April 1, 2026.

Companies and consumers are evaluating whether the MODPA mirrors existing privacy regulations or marks a significant regulatory expansion. In either case, MODPA is a step toward returning control over data privacy to consumers.

Data Privacy Regulation

The MODPA appears to be consistent with many existing state privacy statutes. However, its scope likely extends beyond existing state statutes because it sets a low threshold for application to companies doing business in Maryland and establishes stringent data minimization requirements that encompass broad categories, specifically with respect to “sensitive data.”

Privacy advocates have praised the statute as one that “provides Marylanders with some of the strongest privacy protections in the country.”

Maryland’s law adopts definitions and provisions similar in scope to other state privacy statutes, such as defining personal and sensitive data to include nearly all types of personal information, ranging from consumer health and genetic information to geolocation data.

In terms of scope, the MODPA’s provisions are generally aligned with existing privacy laws, but key portions of its data minimization requirements are far broader.

The MODPA sets two standards for evaluating data minimization efforts depending upon the category of personal data at issue. For personal data, MODPA maintains the status quo, merely requiring entities to limit their data collection and processing to only data that is “reasonably necessary and proportionate” to provide their products or services and to obtain consent before expanding any such practices.

Data minimization requirements under the law are particularly notable and, potentially, the most stringent in the US. The MODPA holds consumers’ sensitive data to a stricter standard. Entities can only collect and process sensitive data if “strictly necessary” to deliver or maintain specific products or services. If not strictly necessary, a company is prohibited from collecting or processing sensitive data, irrespective of consumer consent.

This means that, absent necessity, companies can’t comply by simply updating their privacy disclosures. Instead, covered entities may face a wholesale prohibition on data collection—possibly requiring companies to fundamentally change their business practices.

The MODPA goes even further than its stringent data minimization requirements by implementing an outright prohibition on the sale of sensitive data, regardless of consent. Even if data collected meets MODPA’s strictly-necessary standard, businesses can never sell consumers’ data to advertisers or data brokers.

Enforcement Ahead

While the MODPA appears to implement extensive privacy protections, it’s unclear how broadly the statute’s more stringent provisions will be interpreted. The scope, in practice, likely will be clarified through enforcement actions by the Maryland attorney general, who has enforcement authority.

The attorney general may pursue penalties for violations including civil penalties of up to $10,000 per violation and up to $25,000 for repeat violations, as well as injunctive relief, restitution, and reputational damage.

Companies subject to the MODPA must consider the implications of its stringent provisions on their businesses and should take steps to ensure compliance. To do so, companies should undertake the following assessments.

First, covered entities should assess the types of data they are collecting and processing to determine whether such data is considered “personal” or “sensitive” under the MODPA, as different categories of data may trigger different requirements.

For personal data, covered entities should evaluate their privacy policies to ensure they clearly and transparently convey accurate explanations about how consumers’ data is collected, processed, used, shared, or stored. If there are any changes to data use practices, the changes should be highlighted so consumers have an opportunity to understand the changes and provide meaningful consent in accordance with the MODPA’s data minimization requirements regarding their personal data.

However, with respect to sensitive data, merely updating existing privacy policies or obtaining consumer consent may not be enough. Instead, covered entities are required to demonstrate their data collection and processing practices are strictly necessary for their core business purpose. This standard is undefined, leaving its practical application ambiguous.

Given regulators’ indications that the MODPA is intended to broadly protect consumer privacy, covered entities should err on the side of caution. This may require companies to prepare internal assessments demonstrating that their data practices satisfy MODPA’s heightened standards or take steps to narrow their data collection practices.

At base, the MODPA requires companies to provide greater transparency about the ways in which consumer data is being used, processed, and shared. Increased transparency will restore consumers’ control over their data and enable consumers to demand stronger privacy protections. Consumers will have access to clear explanations about precisely how their data is used, processed and, in some instances, shared, allowing them to weigh their options meaningfully before providing consent.

The MODPA’s heightened requirements also may help consumers identify instances where their data is being misused in ways not previously disclosed. If this information comes to light, consumers can protect their privacy rights by reporting the violation to the Maryland Consumer Protection Division. Consumers also can enforce their own privacy rights through litigation, including class action litigation.

While the MODPA doesn’t offer a private right of action, consumers aren’t without recourse. Individuals who believe their data privacy rights have been violated may still pursue claims under existing common law or consumer protection statutes, such as those prohibiting deceptive or unfair business practices. This opens the door to individual or class action litigation, particularly where companies misrepresent their data practices or fail to adhere to disclosed policies.

This article does not necessarily reflect the opinion of Bloomberg Industry Group, Inc., the publisher of Bloomberg Law, Bloomberg Tax, and Bloomberg Government, or its owners.

Author Information

Michael Canty is a partner in the New York office of Labaton Keller Sucharow, where he serves on the executive committee and as its general counsel.

Carol Villegas is a partner in the New York office of Labaton Keller Sucharow, where she leads one of the securities litigation teams.

Danielle Izzo is an associate in the New York office of Labaton Keller Sucharow.


To contact the editors responsible for this story: Max Thornberry at jthornberry@bloombergindustry.com; Jada Chin at jchin@bloombergindustry.com
