Maryland MODPA
The Maryland Online Data Privacy Act (MODPA) establishes consumer data rights and controller obligations for personal data of Maryland residents. This page summarizes the law, key requirements, and how to build evidence for compliance.
What is MODPA?
Citation: Md. Code, Com. Law § 14-4601 et seq.
Scope: Applies to controllers that process personal data of Maryland residents.
Consumer rights granted: Access, correction, deletion, portability, and opt-out of sale and targeted advertising — similar in spirit to CCPA and GDPR.
Controller obligations: Transparency, purpose limitation, data minimization, and security.
Processor duties: Contractual and assistive obligations to support the controller.
Enforcement: Maryland Attorney General; civil penalties up to $10,000 per violation after a 60-day cure period.
This is not legal advice. Consult qualified counsel for applicability and compliance.
Applicability (who must comply)
Primary threshold
Controllers processing personal data of 35,000 or more Maryland consumers in a calendar year.
Secondary threshold
Controllers processing data of 10,000 or more Maryland consumers and deriving >20% of gross revenue from the sale of personal data (§14-4603(a)(2)).
“Consumer” means Maryland residents acting in an individual or household context; certain employment and B2B contexts may be addressed by the law or guidance.
Key requirements
Privacy notice
Clear, accessible disclosure of data categories collected, purposes, third-party categories, consumer rights, and how to exercise them.
Consumer rights
Rights to confirm, access, correct, delete, and obtain a portable copy; right to opt out of sale and targeted advertising.
Sensitive data
Heightened obligations for health, precise geolocation, biometric, and financial data; consent or another lawful basis may be required.
Processors
Must assist controllers in meeting MODPA obligations; contracts must specify processing instructions and confidentiality terms.
Enforcement
Maryland Attorney General. 60-day cure period before civil penalties apply — up to $10,000 per violation.
Evidence and review
To demonstrate compliance and respond to requests or enforcement, organizations typically need:
- An accurate privacy notice
- A data inventory mapping to MODPA categories and purposes
- Documented processes for handling consumer rights requests
- Processor agreements that reflect MODPA requirements
- Where relevant: risk assessments and consent records for sensitive data
Building this evidence before the effective date reduces legal and operational risk. CyberCorrect's free MODPA tools help you determine applicability, assess exposure, and prioritize gaps.
Free MODPA tools
Start with the Screener to confirm applicability. If you are in scope, run the review for your context — business or education, not both.