Partners Michael P. Canty and Carol C. Villegas and Associate Danielle Mazzeo are the authors of the informative article “Maryland Privacy Crackdown Raises Bar for Disclosure Compliance” published by Bloomberg Law.  The article serves as a comprehensive overview of the recent Maryland Online Data Privacy Act (MODPA) and its implications for consumer protection and data privacy, outlining the act as important step towards returning control of data privacy control into the hands of consumers.

The MODPA went into effect on October 1, 2025 and will be enforced as of April 1, 2026.  In enacting this statute, Maryland joined 19 other states who have enacted data privacy rules in lieu of a federal standard.  While the MODPA appears to align with many existing privacy statutes, it has been praised by privacy advocates for providing some of the strongest privacy protections in the country.  The article notes that, although the law adopts definitions and provisions similar in scope to other state privacy statutes such as defining personal and sensitive data to include nearly all types of personal information, the MOPDA’s scope likely extends beyond existing state statutes because it “sets a low threshold for application to companies doing business in Maryland and establishes stringent data minimization requirements that encompass broad categories, specifically with respect to ‘sensitive data.’”  In doing so, “the MODPA’s provisions are generally aligned with existing privacy laws, but key portions of its data minimization requirements are far broader.”

The authors explain that the MODPA establishes two standards for assessing data minimization, depending on the type of personal data involved.  For personal data, the statute “maintains the status quo, merely requiring entities to limit their data collection and processing to only data that is ‘reasonably necessary and proportionate’ to provide their products or services and to obtain consent before expanding any such practices.”  For sensitive data, however, the MODPA applies a stricter standard.  Entities can only collect or process sensitive user data if it is “strictly necessary” to deliver or maintain a specific product or service.  If it is not strictly necessary, “a company is prohibited from collecting or processing sensitive data, irrespective of consumer consent,” preventing companies from selling data to advertisers or data brokers.  While this statute appears to implement extensive privacy protections, the authors note that its scope “likely will be clarified through enforcement actions by the Maryland attorney general, who has enforcement authority.”

For entities that are subject to the MODPA, the authors outline necessary steps they should follow to ensure compliance, including assessing the types of consumer data they are collecting.  For personal data, entities must evaluate their privacy policies to ensure they clearly and transparently convey accurate explanations about how consumers’ data is collected, processed, used, shared, or stored.  With respect to sensitive data, however, “merely updating existing privacy policies or obtaining consumer consent may not be enough,” and covered entities are required to demonstrate their data collection and processing practices are strictly necessary for their core business purpose.

The increased transparency resulting from the MODPA’s requirement to provide details about the ways in which consumer data is being used, processed, and shared, the authors assert, “will restore consumers’ control over their data and enable consumers to demand stronger privacy protections,” and consumers having access to information about how their data is being used will allow them to “weigh their options meaningfully before providing consent.”  In addition, the MODPA’s heightened requirements “may help consumers identify instances where their data is being misused in ways not previously disclosed.”  Individuals who believe their data privacy rights have been violated may still pursue claims under existing common law or consumer protection statutes,  which “opens the door to individual or class action litigation, particularly where companies misrepresent their data practices or fail to adhere to disclosed policies.”