What the Maryland Online Data Privacy Act Means for Businesses: Key Takeaways from the Latest US State Data Protection Law
Overview of MODPA
The Maryland Online Data Privacy Act (MODPA), effective from October 1, 2025, marks a significant development in the landscape of US state data protection laws. MODPA aligns with several existing state laws but introduces unique requirements, particularly concerning sensitive data and minors. Unlike other state laws, MODPA places a strong emphasis on the protection of minors’ data, requiring explicit consent for processing data of individuals under 18.
MODPA also mandates that data processing activities must be “reasonably necessary” for the services requested by consumers, a provision that sets it apart from other state laws. This requirement aims to limit unnecessary data collection and processing, thereby enhancing consumer privacy.
Key Compliance Obligations
Businesses operating in Maryland or handling data of Maryland residents must adhere to several compliance obligations under MODPA. Key among these is the need to ensure that data processing is justified and necessary for the services provided. Additionally, businesses must implement stricter controls when processing data of minors, including obtaining parental consent for those under 18.
Organizations are also required to maintain transparency in their data processing activities, providing clear and accessible privacy notices to consumers. Regular audits and assessments of data protection practices are recommended to ensure ongoing compliance with MODPA.
Comparison Table
| Feature/Requirement | MODPA | Colorado | Texas | Connecticut |
|---|---|---|---|---|
| Effective Date | Oct 1, 2025 | July 1, 2025 | Sept 1, 2025 | Jan 1, 2025 |
| Minor Data Protection | Yes | No | Yes | No |
| Data Processing Necessity | Yes | Yes | No | Yes |
| Parental Consent Required | Yes | No | Yes | No |
Practical Steps for Data Protection Officers
Data Protection Officers (DPOs) should prioritize understanding the specific requirements of MODPA and how they differ from other state laws. Here are some practical steps to ensure compliance:
- Conduct a Data Audit: Identify and document all data processing activities, focusing on those involving minors.
- Update Privacy Policies: Ensure that privacy notices are clear, concise, and accessible, reflecting the requirements of MODPA.
- Implement Consent Mechanisms: Develop robust mechanisms for obtaining and managing consent, particularly for processing minors’ data.
- Train Staff: Regularly train employees on data protection practices and the specific requirements of MODPA.
- Monitor Compliance: Establish a system for regular compliance checks and updates to data protection practices.
By following these steps, organizations can better navigate the complexities of MODPA and the broader US data protection landscape.
Other links on the web
- Data Protection in 2025: What’s Ahead
- 51 Useful Data Protection Resources
- Reminder: Maryland Data Protection Law
- A Fresh Start for Data Protection
- US State Privacy Legislation Tracker
- Countdown to October 6th
- What Background Makes a Good DPO
- TechDispatch Talks: Human Oversight
- Principles of Privacy by Design
- ICO Consultation on Draft Changes
- 7 Data Protection Officer Challenges
- EU AI and GDPR: Key Trends
- Top Cyber Security Blogs
- Guidelines on DSA and GDPR
- Privacy Engine Blog
- Data Protection Update - September 2025
- Data Privacy Day
- DLA Piper Data Protection