Maryland MODPA
The Maryland Online Data Privacy Act (MODPA) establishes consumer data rights and controller obligations for personal data of Maryland residents. This page summarizes the law, key requirements, and how to build evidence for compliance.
What is MODPA?
MODPA (Md. Code, Com. Law § 14-4601 et seq.) is a state consumer privacy law that applies to controllers who process personal data of Maryland residents. It grants rights similar in spirit to CCPA and GDPR (access, correction, deletion, portability, opt-out of sale and targeted advertising) and imposes transparency, purpose limitation, data minimization, and security obligations. Processors have contractual and assistive duties. The Maryland Attorney General enforces the law; civil penalties up to $10,000 per violation apply after a 60-day cure period.
This is not legal advice. Consult qualified counsel for applicability and compliance.
Applicability (who must comply)
- Primary threshold: Controllers that process personal data of 35,000 or more Maryland consumers in a calendar year.
- Secondary threshold: Controllers that process personal data of 10,000 or more Maryland consumers (§ 14-4603(a)(2)) and derive more than 20% of gross revenue from the sale of personal data.
- “Consumer” includes Maryland residents acting in an individual or household context; certain employment and B2B contexts may be addressed by the law or guidance.
Key requirements
- Privacy notice: Clear, accessible disclosure of categories of data collected, purposes, categories of third parties, consumer rights, and how to exercise them.
- Consumer rights: Right to confirm, access, correct, delete, and obtain a portable copy of personal data; right to opt out of sale and targeted advertising.
- Sensitive data: Heightened obligations for sensitive data (e.g., health, precise geolocation, certain biometric and financial data); consent or other lawful basis may be required.
- Processors: Processors must assist the controller in meeting MODPA obligations; contracts must specify processing instructions and confidentiality.
- Enforcement: Maryland Attorney General; 60-day cure period before civil penalties (up to $10,000 per violation).
Evidence and review
To demonstrate compliance and respond to requests or enforcement, organizations typically need: an accurate privacy notice; a data inventory mapping to MODPA categories and purposes; documented processes for handling consumer rights requests; processor agreements that reflect MODPA; and, where relevant, risk assessments and consent records for sensitive data. Building this evidence before the effective date reduces legal and operational risk.
CyberCorrect’s free MODPA tools help you determine applicability and assess exposure so you can prioritize gaps and use the workspace to document controls and evidence.
Free MODPA tools
Run MODPA Screener first to see if MODPA applies to you; then use MODPA Review Business or MODPA Review School for a scored gap assessment and remediation guidance.