On May 9, 2024, the Maryland Online Data Privacy Act of 2024 (MODPA) was enacted into law by Governor Wes Moore of Maryland. This significant event marked the 17th comprehensive data privacy law in the U.S. and the fifth one this year alone. Unlike most state privacy laws that merely refine existing frameworks, Maryland has a unique approach.

A More Stringent Take on Data Minimization and Sensitive Data Protections

MODPA introduces a more rigorous approach to data minimization and sensitive data protections, following closely behind the recently proposed American Privacy Rights Act. As states continue to draft bills in hopes of avoiding a potential preemption capacity, it is highly likely that we will see more states enacting laws within the year.

“As fast as we’ve already seen them being enacted, we’re not at the end. … We’re almost certain to see additional states enact laws later this year, whether or not that’s Pennsylvania, Wisconsin, many other states have introduced various versions of their own privacy legislation,” said Kim Phan, who is the privacy, data security and regulatory compliance partner at Troutman Pepper Hamilton Sanders.

Is The Law a ‘Game Changer’?

MODPA is aimed at organizations that do business in the state or provide goods and services to Maryland residents. These organizations must have controlled or processed the personal data of at least 35,000 consumers or of at least 10,000 consumers, while deriving more than 20% of their gross revenue from the sale of such data in the past year.

Set to take effect on Oct. 1, 2025, the Maryland law grants its residents a set of familiar consumer rights. These include the right to confirm if their data is being processed, access it, delete it or correct inaccuracies, and to obtain a copy along with a list of the categories of third parties to whom an organization has disclosed personal data.

Maryland consumers also have the right to opt out of the processing of personal data for targeted advertising, sale, or profiling purposes. The law defines “sale” as an exchange of personal data for “monetary or other valuable consideration”—a deliberately broad scope also adopted by states like California, Colorado, and Connecticut.

Data Minimization, Expanded Sensitive Data Protections, and More

The Maryland law has taken significant strides to enhance protections for sensitive data and restrict the types of collection and processing allowed for data revealing racial or ethnic origin, religious beliefs, health data, sex life, sexual orientation, transgender or nonbinary status, and national origin or citizenship and immigration status.

Like many other state data privacy laws, sensitive data also includes biometric or genetic data, children’s data, and precise geolocation data—but Maryland has added its own unique elements to these definitions. For instance, in MODPA, data collected will be considered biometric even if it “can” be used to identify someone, regardless of intent.

MODPA also introduces stringent data minimization requirements. While most privacy laws have permitted the reasonable collection and use of personal data as long as companies provide their consumers notice or obtain consent, Maryland appears to have eliminated these loopholes.

Fight to Protect Children’s Data Continues

One of the most notable aspects of MODPA is its expanded protections for children. The law prohibits controllers from processing the personal data of children for targeted advertising purposes, and from selling such data—whether the controller “knew or should have known” that the children were under the age of 18.

“This is a bit of a reaction to another trend we’re seeing in the U.S. … I think now, states are more cognizant that teenagers need to be protected as well,” said Arsen Kourinian, a partner at Mayer Brown. He added, “Maryland, this was their reaction to that, basically by increasing the age threshold.”

On the same day, Maryland also enacted the Maryland Kids Code, which prohibits online platforms, whether social media or video game providers, from tracking children under 18 and designing features intended to prolong the time spent by children online.

“The shift to broaden both the scope and the restrictions around minors’ data, I think, seems to be kind of a general trend. … It’s not surprising to me that lawmakers are looking to expand that,” noted Matthew B. Welling, a partner at Crowell & Moring. 

~

The Maryland Online Data Privacy Act of 2024 represents an advancement in the field of data privacy, offering robust protections for sensitive data and establishing a new benchmark for data minimization requirements.