Maryland Privacy Crackdown Raises Bar for Disclosure Compliance

November 16, 2025 3:30 pm
Defense and Compliance Attorneys

Maryland’s recent privacy crackdown, anchored by the Maryland Online Data Privacy Act (MODPA), sets a new national standard for disclosure compliance and data protection. The law went into effect on October 1, 2025, and introduces some of the strictest requirements for how companies must handle and disclose the use of consumer data—especially sensitive information—raising both operational and legal expectations for compliance.

Key Compliance Requirements

  • MODPA establishes a strict data minimization principle: companies may collect and process personal data only when it is “strictly necessary” to provide a requested product or service; simply updating privacy disclosures does not satisfy this requirement.

  • The act imposes an outright ban on the sale of sensitive data (such as race, gender, sexual orientation, citizenship, and health information) without exception, moving beyond the usual “opt-in” or “opt-out” frameworks of other state laws.

  • Companies must provide clear, accessible, and meaningful privacy notices describing the data collected, its use, and whether it will be sold or shared.

  • Consumers have robust new rights: to access, correct, and delete their information; to opt out of targeted advertising and data sales; and to revoke consent, with such requests honored within 30 days.

  • Companies must implement “universal opt-out mechanisms” to respect consumer privacy choices across web services.

Disclosure and Enforcement

  • MODPA requires disclosures not only to be easily understandable but also to explicitly state how consumers may exercise rights and whether personal data may be sold or shared.

  • Enforcement begins April 1, 2026, and violators face civil penalties up to $10,000 per incident and up to $25,000 for repeat infractions, as treated under the Maryland Consumer Protection Act.

  • The Attorney General is authorized to require confidential data protection assessments for activities presenting heightened risk, including sensitive data processing or sales to third parties.

  • Through April 2027, an enforcement “cure period” allows companies 60 days to fix problems identified by regulators.

Industry and National Impact

  • Maryland’s approach is particularly noteworthy because it does not exempt many typical categories such as nonprofits or HIPAA-covered entities, meaning a broader spectrum of organizations must comply.

  • The law’s strict thresholds and operational demands (such as mandating periodic privacy impact assessments) are expected to force significant changes in companies’ data practices and may shape future legislation in other states.

  • These regulations have made Maryland’s law a model for consumer-centric privacy protection, with extensive implications for transparency and business accountability nationwide.

Maryland’s crackdown not only raises the bar for disclosure compliance but signals a decisive shift in the balance of power toward consumer control and away from broad latitude for businesses in handling personal data.

© Copyright 2025 Credit and Collection News