Now in Effect: Maryland Law Raises Bar on Sensitive Data, Data Minimization and Children’s Privacy
Effective October 1, the Maryland Online Data Privacy Act (MODPA) enters the scene as the 16th state comprehensive consumer privacy law (with three more set to take effect in January). MODPA’s aggressive approach to sensitive data, data minimization and children’s privacy renders it one of the most restrictive U.S. state privacy laws to date and reflects broader regulatory trends and enforcement priorities.
The law’s hardline restrictions reflect a growing national trend by lawmakers and privacy regulators who are scrutinizing how businesses collect, use and disclose sensitive data. Regulators are increasingly focused on sensitive data—and particularly precise location data, health data and children’s data—especially when such data is used for targeted advertising or otherwise shared with third parties.
Here are the highlights:
Low applicability thresholds and narrow exemptions
MODPA’s low thresholds and narrow exemptions mean that the law will likely apply to a broader spectrum of businesses than other state privacy laws.
Specifically, MODPA applies to entities that conduct business in Maryland or target products or services to Maryland residents, and that, during the prior calendar year, either (i) controlled or processed the personal data of at least 35,000 Maryland residents; or (ii) controlled or processed the personal data of at least 10,000 Maryland residents and derived more than 20% of their gross revenue from the sale of personal data. The 35,000 threshold is particularly low for Maryland’s population (about 6.3 million), relative to other states with similarly low thresholds but with much smaller populations (e.g., Delaware, New Hampshire and Rhode Island).
Further, the law deviates from the blanket nonprofit exemption seen across most state privacy laws by carving out only those nonprofits that process or share personal data solely for the purpose of assisting either law enforcement agencies in investigating criminal or fraudulent acts relating to insurance, or first responders responding to catastrophic events. And although the law includes familiar entity-level exemptions for financial institutions and affiliates subject to the GLBA, it provides only a data-level exemption for data governed and handled in accordance with the Health Insurance Portability and Accountability Act.
Sweeping ban against selling sensitive data
MODPA is the first state privacy law to prohibit the sale of sensitive data under any circumstances—even with consumer consent. The law broadly defines sensitive data to include health-related data, personal data about children under the age of 13, precise geolocation, racial or ethnic origin, citizenship or immigration status, national origin, religious beliefs, genetic data or biometric data, sex life or sexual orientation, and status as transgender or nonbinary.
Such restrictions diverge from other state privacy laws such as the California Consumer Privacy Act (CCPA), which permits businesses to sell sensitive data while providing consumers the rights to limit and opt out of such use, and the Colorado Privacy Act, which permits sensitive data sales with consumer opt-in consent. Rather, MODPA’s approach goes farther even than and , which impose strict limits—although not outright bans—on selling consumer health data.
MODPA’s restrictions align with a broader regulatory focus that puts businesses’ sensitive data practices under a microscope. For example, state and federal regulators have increasingly focused on business practices concerning precise location data, as seen with the California Attorney General’s targeting CCPA compliance by advertising networks, mobile app providers and data brokers; the Texas Attorney General’s for unlawfully collecting, using and selling location data via embedded software in mobile apps; the DOJ’s new ; and FTC’s for allegedly sharing drivers’ precise location and driving behavior without affirmative consent.
Strict data minimization requirements
Data minimization—the privacy concept that personal data should only be collected if necessary—is championed by MODPA as to both personal data and sensitive data.
For example, businesses are limited to collecting personal data that is “reasonably necessary and proportionate to provide or maintain a specific product or service requested by the consumer to whom the data pertains.”
Restrictions on sensitive data collection are even more rigid. The law prohibits businesses from collecting or otherwise processing sensitive data—regardless of consent—beyond what is “strictly necessary to provide or maintain a specific product or service requested by the consumer” (emphasis added). By contrast, other state privacy laws permit such collection with consumer consent.
Once again, MODPA’s restrictions align with current enforcement priorities. For example, the California Privacy Protection Agency released an last year that emphasized the importance of data minimization for CCPA compliance. The California Attorney General’s July CCPA against Healthline echoed the importance of data minimization, particularly where health-related data is concerned.
Emphasis on children’s privacy
The law also reflects and reinforces broader regulatory priorities around children’s data.
MODPA prohibits businesses from selling personal data or using it for targeted advertising—regardless of consent—if they know or should reasonably know the consumer is under 18. This standard is broader than the “actual knowledge” standard found in other state privacy laws, which generally permit data sales and processing data for targeted advertising for individuals under the age of 13, 16 or 18 where opt-in consent is obtained.
The law reflects an increased focus on protecting minors online, expanding age thresholds, and imposing proactive obligations on businesses to identify and safeguard children’s data, as seen through Age-Appropriate Design Code acts in Maryland, Nebraska and Vermont; and social media laws in Arkansas, Georgia, Louisiana, Nebraska, Nevada, New York, Tennessee and Texas. Children’s privacy also continues to be an FTC priority, as evidenced by its recent inquiry into with respect to children and teens.
What’s Next?
Although the law took effect on October 1, it will only apply to processing activities that take place on or after April 1, 2026. Nevertheless, MODPA’s heightened requirements will require many businesses to revisit their privacy practices, even if they’re already aligned with other state laws.
Maryland’s Attorney General has exclusive enforcement powers, and violations of MODPA will be treated as unfair or deceptive trade practices under the Maryland Consumer Protection Act. Like most other state privacy laws, MODPA does not provide a private right of action.
As always, we will continue to monitor developments to provide guidance and tailored support as businesses prepare to comply with MODPA and other emerging consumer privacy laws. More information on Manatt’s Privacy and Data Security practice is found .