Maryland's New Data Privacy Law: What DPOs Need to Know About MODPA

The Maryland Online Data Privacy Act (MODPA) is set to take effect on October 1, 2025, introducing significant changes to the data privacy landscape in the state. As a Data Protection Officer (DPO), it’s crucial to understand the implications of this new law and prepare your organization for compliance. Here’s what you need to know:

Key Provisions of MODPA

  1. Scope and Applicability: MODPA applies to businesses operating in Maryland or targeting Maryland residents, with specific thresholds for data processing activities.

  2. Consumer Rights: The law grants Maryland residents new rights over their personal data, similar to other comprehensive state privacy laws.

  3. Data Protection Assessments: Companies must conduct privacy impact assessments for certain high-risk processing activities.

  4. Universal Opt-Out Mechanisms: Businesses must offer clear opt-out options for targeted advertising and data sales.

Compliance Deadlines and Enforcement

  • Effective Date: October 1, 2025
  • Enforcement Date: April 1, 2026
  • Potential Fines: Up to $10,000 per violation or $25,000 for repeated violations

Action Items for DPOs

  1. Review Data Processing Activities: Assess your organization’s data handling practices to determine if MODPA applies to your operations.

  2. Update Privacy Policies: Ensure your privacy notices reflect the new rights granted to Maryland residents.

  3. Implement Opt-Out Mechanisms: Prepare to offer clear opt-out options for targeted advertising and data sales.

  4. Conduct Data Protection Assessments: Begin planning for required privacy impact assessments, especially for high-risk processing activities.

  5. Train Staff: Educate your team on the new requirements and update internal procedures to ensure compliance.

As DPOs, it’s our responsibility to stay ahead of evolving privacy regulations. MODPA represents another step in the growing patchwork of state privacy laws in the U.S. By preparing early, we can ensure our organizations are ready to meet these new obligations and protect consumer privacy effectively.

Remember, while MODPA doesn’t take effect until late 2025, the time to start preparing is now. Stay tuned for further updates and guidance as we approach the implementation date.