Maryland Online Data Privacy Act
While the Maryland Online Data Privacy Act (MD-ODPA) definitely takes most of its content and structure from similar laws in other states, such as the Virginia Consumer Data Protection Act, it is more than a mere copy. Notably, the MD-ODPA seems to be inspired by the amendments to Connecticut’s privacy law on the subject of consumer health data, and by Virginia’s recent changes related to children’s data, which may signal the evolution of a new standard for state privacy laws. The MD-ODPA also differs from other state laws in ways that could potentially become significant.
When Does It Go Into Effect?
The Maryland privacy law goes into effect on October 1, 2025.
What Rights Do Consumers Have Under Maryland's Law?
The MD-ODPA gives consumers the following rights.
- Right to Know - Consumers have the right to confirm whether a business is processing their personal data and to access that data.
- Right to Correct - Consumers can request that a business correct any inaccurate personal information it holds about a consumer.
- Right to Delete - Upon request, businesses must delete personal data concerning the consumer.
- Right to Portability - Upon request, businesses must provide a copy of the consumer’s personal data in a readily portable format so that it can be transmitted to another controller.
- Right to Opt Out - Consumers can opt out of:
  - The sale of their personal data
    - Note: Businesses are not allowed to sell any sensitive data
  - Targeted advertising
  - Profiling in furtherance of automated decisions that produce legal or similarly significant effects
Can Businesses Be Sued by Consumers?
The MD-ODPA does not grant a private right of action to consumers, meaning they cannot sue an organization over violations.
What’s Different in this Law?
The MD-ODPA deviates a bit from what has become the standard model for state privacy laws. In some sections it has incorporated unique amendments made by other states; in other places it sets out new rules not found anywhere else.
Personal Data from Minors
Most state privacy laws apply special rules to the processing of personal data from children under the age of 13. However, concern is growing among lawmakers that at least some of these protections should be extended to all minors under the age of 18, as is the case with Virginia’s recent changes to its privacy law.
Maryland’s new privacy law is somewhere in the middle. As with other states, data from children under 13 is considered “sensitive data” the processing of which is significantly restricted (see more on that below). The MD-ODPA goes even further by completely prohibiting the sale of the personal data of minors under the age of 18, or the use of their data for targeted advertising. These rules apply if the business “knows or should have known” that the consumer was a minor; unfortunately, the MD-ODPA doesn’t provide much guidance on what that means.
Consumer Health Data
Consumer health data is another area that has been singled out lately for special privacy protections. Connecticut, for example, passed major amendments to its privacy law on the subject. The overall concern is that certain data can be used to identify a consumer’s health condition (which most people would agree is sensitive information), but it falls completely outside of HIPAA protections.
For example, a retailer may infer from a woman’s purchase of maternity clothes and prenatal vitamins that she is pregnant. Alternatively, a business could establish a virtual geofence around a doctor’s office and identify people who come and go from that location.
Maryland’s privacy law borrows heavily from the Connecticut model. Consumer health data is defined as any data that a business “uses to identify a consumer’s physical or mental health status,” and the following rules apply to its processing:
- It is considered “sensitive data,” which means it may only be processed when strictly necessary, and the business may not sell it under any circumstances.
- All employees who handle consumer health data must be subject to a duty of confidentiality.
- All processors who handle consumer health data must be contractually limited in how they can use it.
- Businesses may not establish a geofence within 1,750 feet of a mental health or reproductive health facility for the purpose of tracking, identifying, collecting data from, or sending notifications to a consumer regarding their health data.
As with the Connecticut law, one of the biggest hurdles for businesses will be determining which data counts as consumer health data. Any company in a field that is even remotely health-related should take a careful look at their privacy practices.
Data Minimization
The MD-ODPA takes a stricter approach when it comes to data minimization, and the implications for compliance are not entirely clear.
Here is what the Maryland law says about the duty to minimize data collection:
"A controller or processor shall limit the collection of personal data to what is reasonably necessary and proportionate to provide or maintain a specific product or service requested by the consumer to whom the data pertains."
Now compare it to the language from the Colorado Privacy Act:
"A controller's collection of personal data must be adequate, relevant, and limited to what is reasonably necessary in relation to the specified purposes for which the data are processed."
Instead of being necessary in relation to the processing purposes specified in a business’s privacy notice, all data collection must be necessary and proportionate to provide or maintain a specific product or service requested by the consumer.
How does this apply in the context of an eCommerce website that uses targeted advertising? Is that collection of data necessary to “maintain” the website, and is the site a “specific service requested by the consumer”? Perhaps. The law certainly contemplates the use of targeted advertising (via opt-out rights), so we’re stuck with trying to figure out how it fits within this strict data minimization rule.
Sensitive Data
The MD-ODPA also varies significantly in its general rule regarding sensitive data. Most other state privacy laws require prior consent for processing sensitive data. While the Maryland law similarly defines what sensitive data is, it prohibits all processing of sensitive data unless it is strictly necessary to provide or maintain a specific product or service requested by the consumer.
Consent does not appear to overcome this restriction. In fact, a previous draft of the statute stated that sensitive data processing was only allowed if strictly necessary and the consumer consented to it.