- Maryland became the first state to ban the sale of sensitive data, taking a stricter approach than other states that rely on “opt-in” or “opt-out” systems.
- Companies that depend on data, especially in marketing and retail, expect challenges adapting to restrictions such as limits on geolocation tracking and prohibitions on targeted ads for minors.
- The law applies to companies doing business in or targeting Maryland residents, with thresholds based on the amount of consumer data handled or revenue from data sales.
Maryland’s new law makes it the first state to ban the sale of sensitive data — going beyond the usual “opt-out” approach.
While the state is one of about 20 with comprehensive data privacy legislation, Maryland’s rules go further, imposing stricter limits on how companies collect and use personal information. For consumers, that could mean fewer targeted ads and greater transparency over how their data is handled.
But companies that rely on the data, like in the marketing industry, say it could be a bumpy transition.
“There have been some discussions where companies are considering whether to avoid the state altogether because of some of the obligations under the law,” data protection lawyer Idara Udofia told Technical.ly.
Most other states let consumers decide whether their sensitive data can be sold through “opt-in” or “opt-out” frameworks, Udofia said.
“What’s missing is the enforcement teeth.”
AMEER AHIRRAO, CEO ARDENT PRIVACY
Maryland’s Online Data Privacy Act (MODPA), which went into effect Oct. 1, is different from other places because it uses a Universal Opt-Out Mechanism. On top of provisions common in other states like granting consumers rights to control their personal data, MODPA outright bans the sale of sensitive data, including race, gender, sexuality and citizenship status. In fact, it limits businesses to only collecting sensitive data when “strictly necessary” to provide a product or service.
The sensitive data provision also includes geolocation, which could complicate direct mail campaigns or physical mail outreach targeting older audiences, according to Sam Tomlinson, executive vice president of Baltimore-based marketing firm Warschawski.
The other category is personal data — things like your name, email or phone number. Businesses can only collect that information if it’s “reasonably necessary.”
For minors, it’s even more strict. The law prohibits selling the personal data of individuals under 18 or using it for targeted advertising.
Because of this, MODPA restrictions will particularly affect retailers that market to teenagers, according to Udofia. For example, video game companies, a major industry in Maryland, will be subject to heightened scrutiny since they primarily serve younger audiences.
FAQ: Maryland’s Online Data Privacy Act
In Baltimore, a rule banning geofencing within 1,750 feet of mental or reproductive health facilities could make event marketing more complicated, Tomlinson said. Geofencing, which uses Wi-Fi or GPS data to create a virtual boundary for sending ads, is tricky in a city packed with hospital systems.
The fine print reveals an even longer list of new restrictions businesses will have to manage — but experts say the impact all comes down to enforcement.
Stricter regulations will reshape business strategy
MODPA applies to businesses operating in Maryland or targeting Maryland residents, meaning national companies are also subject to the regulations.
A business falls under the law’s scope if, within a calendar year, it meets either of the following thresholds:
- Controls or processes the personal data of 35,000 or more consumers (excluding data used solely for completing a payment transaction), or
- Controls or processes the personal data of 10,000 or more consumers and derives 20% or more of its gross revenue from selling personal data.
The first step to prepare, according to Udofia, is to evaluate current company protocols.
“It would be advisable to evaluate your site to assess to what extent you have trackers on your site that might implicate some of the more restrictive provisions that we see within the act,” Udofia said.
The stricter standards on personal and sensitive data processing bring Maryland’s approach closer to European data privacy protections, according to Sameer Ahirrao, CEO of bwtech@UMBC-based company Ardent Privacy, which helps businesses with data privacy compliance. So how companies have prepared for that could help them comply with MODPA.
But while strong on paper, the impact will hinge on how effectively it is enforced, even though enforcement won’t start until April 2026.
Experts raise compliance issues
California passed the first comprehensive US privacy law in 2018, granting consumers a limited private right of action for data breaches. Recent district court rulings could expand the scope of this authority, though Maryland’s law is only enforced through the attorney general’s office.
MODPA oversight falls to the consumer protection division of the attorney general’s office, where residents can file complaints once the law takes effect. However, the law does not grant a “private right of action,” meaning individuals cannot directly sue companies for damages if violations occur.
“What’s missing is the enforcement teeth,” Ahirrao said. “Consumers should have the ability to sue companies for not doing the due diligence.”
Others like Tomlinson, a marketing professional, anticipate significant litigation stemming from the law and consider its requirements to be overly aggressive.
“It feels like politicians trying to get a win,” Tomlinson said, “instead of making a privacy law that works for customers and works for businesses.”
With the rise of AI, however, companies are purchasing a lot of data to train new models. Lawmakers are still working on legislation to regulate artificial intelligence systems that process personal data.
”Now with the adoption of AI, it will be a multifold problem,” Ahirrao said. “Data can be automatically processed and you won’t even know where it is used or how it is used.”
