Overview

The Maryland Online Data Privacy Act (MODPA) is set to take effect on October 1 and marks a significant shift in how personal data is protected at the state level. In line with other states’ privacy laws, Maryland’s law grants residents rights over their personal information, including the ability to access, correct, delete, and port their data. Consumers can also opt out of targeted advertising, data sales, and certain profiling activities. MODPA applies to businesses that process the personal data of at least 35,000 Maryland residents annually—or just 10,000 residents if more than 20 percent of a business’s revenue comes from selling personal data—making it one of the broadest-reaching privacy laws in the U.S.

What sets MODPA apart is its strict data minimization requirements and its mandate for Data Protection Assessments (DPAs). Businesses must limit data collection to what is strictly necessary to provide a requested service, and they are prohibited from selling sensitive data such as health, biometric, and geolocation information. Crucially, MODPA requires controllers to conduct and document DPAs for any data processing activities that present a heightened risk of harm to consumers—such as targeted advertising, profiling, or the use of sensitive data. These assessments must evaluate the benefits of the processing against potential risks to consumer privacy, reinforcing a proactive approach to data ethics and accountability.

When is a DPA required?

  • Targeted advertising
  • Sales of personal data
  • Profiling that presents a reasonably foreseeable risk of unfair or deceptive treatment, financial/physical injury, intrusion on solitude or seclusion, or discrimination
  • Processing of sensitive data (e.g., precise geolocation, health, biometric/genetic data, children’s data, racial/ethnic origin, religious beliefs, sexual orientation)
  • Any other processing that presents a heightened risk of harm to consumers

Timing and updates

  • Complete a DPA before commencing high‑risk processing
  • Update the DPA upon material changes to the processing, and review it periodically
  • Applies to processing initiated on or after the effective date

What should be included in the DPA

  • Description of processing: nature, scope, context, duration, and recipients (including processors/subprocessors)
  • Purpose specification and necessity/proportionality: why the data is needed and how collection/use/retention is minimized to what is reasonably necessary for the disclosed purpose
  • Categories of personal and sensitive data, sources, audiences, and retention
  • Benefits vs. risks: assessment of benefits to the controller/consumer/public vs. reasonably foreseeable risks to consumers
  • Risk mitigation: technical/organizational safeguards, de-identification or aggregation, data governance, access controls, security, and deletion schedules
  • Targeted ads/sale/profiling specifics: logic used, inputs, outputs, human oversight, and safeguards to prevent unfair, deceptive, discriminatory, or intrusive outcomes
  • Children and vulnerable populations: heightened risks and tailored safeguards, if applicable
  • Processor involvement: tasks, instructions, data elements, and how processors assist with and adhere to the assessment’s controls
  • Outcomes: residual risk and decision to proceed, modify, or not proceed

Recordkeeping and regulator access

  • Maintain DPAs for each covered activity while processing continues and for a reasonable period thereafter; DPAs should be reviewed on at least an annual basis
  • Provide DPAs to the Maryland Attorney General upon request (not for public disclosure)
  • A single DPA may cover a set of substantially similar processing activities; DPAs prepared for other states may be used if they are reasonably comparable and updated to meet Maryland’s requirements (notably strict data minimization)

Action items now

  • Map processing to identify targeted ads, sale, profiling, and sensitive data uses
  • Stand up a Maryland‑aligned DPA template and intake workflow, gated so that the assessment is completed before the processing goes live
  • Embed necessity/proportionality and retention minimization in product and data life cycles
  • Update vendor contracts to require DPA cooperation and risk controls
  • Build a DPA register and review cadence; link to change management
  • Train product, marketing, analytics, and procurement teams

For advice on compliance with the Maryland DPA requirements listed above, please reach out to the authors of this article.