Regulatory Updates & Compliance
Privacy & Legal Professionals
Data Privacy & Regulations
Blog

MODPA: A New High Bar for Consumer Privacy

December 19, 2025
3 min. Read
Dan Clark
Dan Clark
Sr. Product Manager & Counsel - Privacy & Governance
Blog

MODPA: A New High Bar for Consumer Privacy

December 19, 2025
3 min. Read

The Maryland Online Data Privacy Act (MODPA) went into effect on October 1, 2025. While MODPA shares some similarities with existing US state comprehensive privacy laws, there certain significant differences may impose financial and operational challenges for your business. For example, MODPA introduces some of the strongest data minimization standards in the country, forcing businesses to fundamentally rethink how much data they collect and why. 

The Core Tenets of MODPA

While MODPA covers a lot of ground, these 5 provisions set MODPA apart and may require updates to your privacy operations:

1. The Strict Minimization Rule for All Data

Forget "opt-in" or "opt-out" for a moment, MODPA puts the focus squarely on necessity, which is a much stricter standard than CCPA’s reliance on business or operational purpose for the basis of processing:

  • For all Personal Data: Businesses can only collect, use, and share personal data (like name or email) that is reasonably necessary and proportionate to provide the specific product or service you requested. This is a fundamental shift toward data minimization.
  • For Sensitive Data: The rules are even tighter. Sensitive data (like health information, racial or ethnic origin, religious beliefs, sexual orientation, precise geolocation, and biometric data) can only be processed if it is strictly necessary to provide your requested product or service.
  • What this means for you: Companies can no longer justify collecting vast amounts of data simply because it might be useful later. They must prove the data is required for the core function you asked for (e.g., your shipping address is necessary for shipping a product, but your marital status likely is not).

2. Ban on the Sale of Sensitive Data

MODPA expressly bans the sale of sensitive data without exception. This means that, unlike other state privacy laws, under no circumstances, not even with consumer consent, may a business sell sensitive personal data. 

3. Enhanced Protection for Minors

MODPA raises the bar for protecting younger users. Companies are prohibited from using personal data for targeted advertising or selling data if they knew or should have known the consumer is under the age of 18. This "should have known" standard is more expansive than in many other state laws.

4. Your Rights as a Maryland Consumer

Similar to laws like the CCPA and VCDPA, MODPA grants consumers rights over the processing of their personal data:

  • Right to Access and Portability: Know what data is being collected and receive a copy in a usable format.
  • Right to Correction and Deletion: Request that inaccurate personal data be corrected and that your data be deleted.
  • Right to Opt-Out: You have the right to opt out of the processing of your personal data for targeted advertising, the sale of personal data, or certain types of profiling. Businesses must also honor universal opt-out signals (like Global Privacy Control).

5. Data Protection Assessments (DPAs)

MODPA mandates that businesses perform a Data Protection Assessment (DPA) for any processing activity that presents a heightened risk of harm. For example, the law requires DPAs for targeted advertising, personal data sales, and, notably, any use of sensitive data. 

Effective Date, Enforcement, and Time to Operationalize

Even though MODPA went into effect on October 1, 2025, businesses have time to operationalize their privacy programs to comply. While MODPA requires business to consider preparing DPAs subject to this law for any in-scope business activities on or before October 1, 2025, MODPA does not apply to ​“any personal data processing activities before April 1, 2026. Additionally, MODPA currently includes a 60-day cure period for alleged violations until April 1, 2027.

How Relyance AI Supports MODPA Compliance

For the companies that need to comply with MODPA, these requirements, especially the strict necessity standard and the comprehensive DPA requirement, can be complex and challenging to implement.This is where AI-native compliance platforms like Relyance AI step in to automate and operationalize these mandates.

In short, Relyance AI's platform allows businesses to move beyond manual compliance checks to a live, enforceable system, ensuring that the letter and spirit of MODPA are embedded directly into their digital products and codebases.

The Maryland Online Data Privacy Act (MODPA) went into effect on October 1, 2025. While MODPA shares some similarities with existing US state comprehensive privacy laws, there certain significant differences may impose financial and operational challenges for your business. For example, MODPA introduces some of the strongest data minimization standards in the country, forcing businesses to fundamentally rethink how much data they collect and why. 

The Core Tenets of MODPA

While MODPA covers a lot of ground, these 5 provisions set MODPA apart and may require updates to your privacy operations:

1. The Strict Minimization Rule for All Data

Forget "opt-in" or "opt-out" for a moment, MODPA puts the focus squarely on necessity, which is a much stricter standard than CCPA’s reliance on business or operational purpose for the basis of processing:

  • For all Personal Data: Businesses can only collect, use, and share personal data (like name or email) that is reasonably necessary and proportionate to provide the specific product or service you requested. This is a fundamental shift toward data minimization.
  • For Sensitive Data: The rules are even tighter. Sensitive data (like health information, racial or ethnic origin, religious beliefs, sexual orientation, precise geolocation, and biometric data) can only be processed if it is strictly necessary to provide your requested product or service.
  • What this means for you: Companies can no longer justify collecting vast amounts of data simply because it might be useful later. They must prove the data is required for the core function you asked for (e.g., your shipping address is necessary for shipping a product, but your marital status likely is not).

2. Ban on the Sale of Sensitive Data

MODPA expressly bans the sale of sensitive data without exception. This means that, unlike other state privacy laws, under no circumstances, not even with consumer consent, may a business sell sensitive personal data. 

3. Enhanced Protection for Minors

MODPA raises the bar for protecting younger users. Companies are prohibited from using personal data for targeted advertising or selling data if they knew or should have known the consumer is under the age of 18. This "should have known" standard is more expansive than in many other state laws.

4. Your Rights as a Maryland Consumer

Similar to laws like the CCPA and VCDPA, MODPA grants consumers rights over the processing of their personal data:

  • Right to Access and Portability: Know what data is being collected and receive a copy in a usable format.
  • Right to Correction and Deletion: Request that inaccurate personal data be corrected and that your data be deleted.
  • Right to Opt-Out: You have the right to opt out of the processing of your personal data for targeted advertising, the sale of personal data, or certain types of profiling. Businesses must also honor universal opt-out signals (like Global Privacy Control).

5. Data Protection Assessments (DPAs)

MODPA mandates that businesses perform a Data Protection Assessment (DPA) for any processing activity that presents a heightened risk of harm. For example, the law requires DPAs for targeted advertising, personal data sales, and, notably, any use of sensitive data. 

Effective Date, Enforcement, and Time to Operationalize

Even though MODPA went into effect on October 1, 2025, businesses have time to operationalize their privacy programs to comply. While MODPA requires business to consider preparing DPAs subject to this law for any in-scope business activities on or before October 1, 2025, MODPA does not apply to ​“any personal data processing activities before April 1, 2026. Additionally, MODPA currently includes a 60-day cure period for alleged violations until April 1, 2027.

How Relyance AI Supports MODPA Compliance

For the companies that need to comply with MODPA, these requirements, especially the strict necessity standard and the comprehensive DPA requirement, can be complex and challenging to implement.This is where AI-native compliance platforms like Relyance AI step in to automate and operationalize these mandates.

In short, Relyance AI's platform allows businesses to move beyond manual compliance checks to a live, enforceable system, ensuring that the letter and spirit of MODPA are embedded directly into their digital products and codebases.

You may also like

When 84% of your customers are ready to walk

December 18, 2025
When 84% of your customers are ready to walk

The foundation: Moving from static mapping to "living" data intelligence

December 8, 2025
The foundation: Moving from static mapping to "living" data intelligence
Relyance modern privacy vendor blog

5 signs you’ve outgrown your privacy vendor

December 3, 2025
5 signs you’ve outgrown your privacy vendor
No items found.
No items found.
News, Events & Culture
|
Regulatory Updates & Compliance
|
Practical Guides
|
Insights & Strategy
|
INSIGHTS
|
Podcast
|
Customer Stories
|
Checklist
|
E-guide
|
Conference
|
On-Demand Webinar
|
Webinar
|
Data Sheet
|
Demo
|
Whitepaper
|