State Privacy Laws: Maryland
Maryland Online Data Protection Act (MODPA)
Overview
The Maryland Online Data Protection Act gives Maryland residents power over their personal data by granting them privacy rights. While the MODPA is similar in many ways to other state privacy laws, it is considered more stringent than other states in terms of its broad applicability, controller requirements, and higher penalties; it also requires controllers to conduct privacy impact assessments on a regular basis for the processing of personal data that presents a heightened risk of harm to the consumer.
Key Dates
- Signed into law: May 9, 2024
- Effective date: October 1, 2025
Thresholds
The MODPA applies to any person that conducts business in Maryland or provides products or services that are targeted to residents of Maryland, and that during the preceding calendar year:
- Controlled or processed personal data of at least 35,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or
- Controlled or processed personal data of at least 10,000 consumers and derived more than twenty percent (20%) of its gross revenue from the sale of personal data.
Consumer Rights
- The right to confirm whether a controller processes their personal data and if so, access their data.
- The right to correct inaccuracies in their personal data.
- The right to delete personal data provided by or obtained about the consumer, unless retention of the data is required by law.
- The right to obtain a copy of their personal data held by the controller in a readily usable format (i.e., data portability) that allows the consumer to easily transfer their data to another controller.
- The right to obtain a list of the categories of third parties to which the controller has disclosed their data or to which the controller has disclosed data generally.
- The right to opt out of the processing of their personal data for the purposes of targeted advertising, the sale of their personal data, or profiling.
Sensitive Data
Sensitive data is defined as personal data revealing:
- Racial or ethnic origin
- Religious beliefs
- Physical or mental health status, including gender affirming treatments and reproductive or sexual health care
- Sex life or sexual orientation
- Status as transgender or non-binary
- National origin
- Citizenship or immigration status
- Genetic or biometric data
- Data collected from a known child
- Geolocation data
Penalties
Up to $10,000 for each violation and $25,000 per violation for repeated violations.
Configure Your Consent Banner for MODPA
Regions are used to customize the behavior and experience based on an individual user’s location. As an example, this allows you to provide different experiences to users based on regional differences (like GDPR in the EU vs. MODPA in Maryland). When a user visits your site, we will automatically determine their location and will match them to the most granular region rule that you have setup in Concord. This can go down to the state/province level, which allows for different experiences for different laws (like MODPA in Maryland).
Recommended Consent Settings
Based on the current laws, we recommend the following regional settings:
- Consent Mode: Implied
- Blocking Mode: Strict
- Google Consent Mode V2: Basic
- Consent Duration: 12 months
- Enable Limit Sensitive Information: Enabled
- Enable Do Not Sell Consent: Enabled
- Enable Global Privacy Control: Enabled
For step-by-step instruction on how to configure your consent banner for different geographical regions within the Concord app, see our help document https://www.concord.tech/docs/configure-consent-banner-difference-regions.
Important Note: While you can get as granular as you want, we typically recommend a single global policy that meets the strictest guidelines across regions, or higher splits (like separate GDPR and United States regions). If you have any questions on how and why to configure your regions in certain ways, please reach out to our support team.
