Skip to Main Content

Insights

April 9, 2024

Maryland: The Online Data Privacy Act of 2024 Gains Traction – What Businesses Need To Know Regarding The Proposed Legislation

By Alexandra P. Moylan, Esq., CIPP/US, Michael J. Halaiko, Esq., CIPP/E

OneTrust DataGuidance

Partners Alexandra Moylan and Michael Halaiko recently published an article in OneTrust DataGuidance on Maryland’s Online Data Privacy Act of 2024 (MODPA), a comprehensive data privacy law, passed by the Maryland General Assembly on April 6 and now awaits Maryland Gov. Wes Moore’s signature. MODPA would establish strict data privacy rules, grant consumers extensive control over personal data, and impose significant obligations on businesses. Many businesses will fall within MODPA’s scope given the threshold applicability requirements. It’s critical for businesses operating in Maryland to prepare for MODPA's likely enactment, as compliance with the proposed law may likely require updated data collection and privacy practices to avoid penalties.

Below is a summary of MODPA’s key provisions:

  • Scope and Application—applies to businesses in Maryland, businesses processing data of 35,000+ consumers, or 10,000+ consumers with more than 20% revenue from data sales.
  • Data Collection and Use—limits data collection to what is “reasonably necessary” to provide products or services requested by a consumer and prohibits processing, sharing, or selling sensitive data for unrelated purposes.
  • Consumer Rights—includes the right to delete data, opt out of data sales and targeted ads, and request personal data copies and corrections.
  • Business Obligations—requires secure methods for consumer rights, mechanisms to revoke consent, non-discrimination, clear privacy notices, and contracts with processors.
  • Enforcement and Penalties—enforced by the Maryland attorney general, with penalties including civil money fines and potential criminal charges under the Consumer Protection Act.