October 16, 2025

Concord Privacy News: 10/16/2025

Maryland’s Online Data Privacy Act takes effect October 1; Massachusetts Senate passes privacy act; California approves new privacy rules for automated decision-making software

Maryland’s New Online Data Privacy Act (MODPA) Took Effect October 1 — What It Means for Your Business

On October 1, 2025, Maryland’s Online Data Privacy Act (MODPA) officially went into effect — the latest in a wave of U.S. state-level privacy laws shaping how organizations must collect, use, and protect personal data. For SaaS companies and digital service providers, MODPA introduces new compliance obligations that will affect operations, data handling, and consumer rights.

Even if your business isn’t headquartered in Maryland, if you do business there or target Maryland residents, MODPA may apply. It’s a notable shift in the privacy landscape and a reminder that state-level rules are accelerating.

Key Provisions of MODPA

  • Who it applies to: Companies that do business with or target Maryland residents, meeting thresholds like handling data of ≥ 35,000 consumers or ≥ 10,000 consumers with ≥ 20% revenue from data sales.
  • Consumer rights: Individuals can access, delete, and opt out of certain uses of their personal data.
  • Sensitive data & minors: Limits on the sale and use of sensitive personal data; prohibits selling data of minors under 18.
  • Targeted advertising & data sales: Restrictions on using personal data for targeted ads and selling personal data.
  • Enforcement: Maryland Attorney General enforces the law; violations can result in legal action.

Implications & Challenges for SaaS / Digital Businesses

  • Broader compliance scope: Even if Maryland isn’t your home state, targeting users there or collecting their data brings you under MODPA’s reach.
  • Operational adjustments: You’ll need processes for data subject requests (access, deletion) and workflows to exclude certain data uses or sales.
  • Reassessment of business models: Data-driven personalization and monetization may need changes to comply with limits on data sales and sensitive data.
  • Data architecture and mapping: Clear, up-to-date mapping of personal data flows is essential for compliance and DSAR handling.
  • Age verification & profiling safeguards: Extra care is required when handling data of minors or profiling by age.
  • Policy updates and disclosures: Notices, privacy policies, and terms must reflect MODPA rights and restrictions.
  • Enforcement and penalties: Early compliance reduces legal risk and strengthens customer trust.

What You Should Do Now

To prepare for MODPA, start by determining whether your business falls under the law’s scope and identifying any gaps between your current privacy practices and the new requirements. Update consent and opt-out mechanisms, review how you handle sensitive data, and ensure your privacy policies clearly reflect consumer rights under MODPA. Implement systems to track how personal data flows through your organization, train staff on new processes, and stay informed about guidance or updates to maintain ongoing compliance.

Getting ahead now means you can avoid compliance surprises and position your brand as a privacy-forward leader.

Other Privacy News of Note

Massachusetts Senate Passes Privacy Act, Sets a New Standard for Consumers

The Massachusetts Senate unanimously approved the Massachusetts Data Privacy Act on September 25, setting a new standard for consumer data protection in the state. MassSenate states that the legislation, passed with a 40-0 vote, grants Massachusetts residents the right to know what personal data is collected about them and the ability to opt out of data sales and targeted advertising. The Massachusetts Data Privacy Act, also known as S.2608, specifically protects sensitive personal information such as health care data, biometric information, precise geolocation, and details about a person’s religion, ethnicity, and immigration status.

California Approves New Privacy Rules for Automated Decision-Making Software

California’s Privacy Protection Agency on Tuesday announced it had received final approval from the California Office of Administrative Law on regulations regarding cybersecurity audits, risk assessments and automated decision-making tools, ending a yearslong process of feedback and markups. The new regulations, which have drawn mixed reactions, were approved by the CPPA board in July and submitted to the law office for formal acceptance, which they needed before they could take effect next year.