Maryland’s Unique State Privacy Law Takes Effect October 1 – What You Should Know

Cooley alert
September 9, 2025

Maryland’s law, which takes effect on October 1, may be the last US state comprehensive privacy law to take effect in 2025, but it certainly is not least. While the Maryland Online Data Privacy Act of 2024 (MODPA) mirrors existing US state comprehensive privacy laws in many ways, certain key differences may pose unusual operational challenges for businesses subject to the law, some of which we outline below.

  1. Lower thresholds and narrower exemptions

MODPA applies to persons that do business in Maryland or target products/services to Maryland residents, and that, during the prior calendar year, either controlled or processed the personal data of at least 35,000 Maryland residents or controlled or processed the personal data of at least 10,000 Maryland residents and derived more than 20% of their gross revenue from the sale of personal data. The 35,000 threshold is relatively low given the size and population of Maryland compared to other states with similarly low thresholds (e.g., Delaware, New Hampshire and Rhode Island). MODPA also lacks an entity-level exemption for covered entities under the Health Insurance Portability and Accountability Act and for most nonprofits (unless the nonprofit provides specific services to law enforcement agencies or first responders). The lower threshold coupled with narrower exemptions means that smaller organizations presently not subject to existing US state comprehensive privacy laws may need to comply with MODPA.

  2. Strict data minimization requirement

MODPA requires controllers to limit collection of personal data to what is “reasonably necessary and proportionate to provide or maintain a specific product or service requested by the consumer … ” (emphasis added), which is more restrictive than most US state comprehensive privacy laws that require limiting the collection of personal data to what is reasonably necessary in relation to the purposes for which the personal data is processed/disclosed. The impact of this narrower construction may be significant, particularly for personal data collected via cookies and other online tracking technologies, which likely collect personal data that controllers don’t strictly need to provide the specific product or service requested (e.g., for analytics and interest-based advertising).

  3. Broader definition of biometric data and consumer health data

MODPA diverges from most US state comprehensive privacy laws by expanding the definition of biometric data to include data “that can be used to uniquely authenticate a consumer’s identity” (emphasis added), rather than data that is used or intended to be used for such purposes. This means controllers operating in gray areas as to whether personal data collected is biometric data (e.g., avatars, smart glasses) are more likely subject to MODPA and need to contend with additional obligations and restrictions. Furthermore, biometric data is covered under the definition of sensitive data and is subject to other obligations and restrictions, such as those related to collection, use, sharing, access and confidentiality.

  4. Restrictions on the sale of sensitive data

MODPA prohibits the sale (for monetary or other valuable consideration) of sensitive personal data, regardless of whether the consumer has consented to such a sale, unless the sale is necessary to provide or maintain a specific product or service requested by a consumer. However, like other US state comprehensive privacy laws, MODPA exempts consumer-directed disclosures from the definition of “sale,” so it may be permissible to disclose sensitive personal data (including biometric data) to third parties if the consumer has instructed/used the controller to do so.

  5. Stricter protections for minors

MODPA bans selling or using personal data of individuals under the age of 18 for targeted advertising if the controller “knew or should have known” the person was a minor. This standard is more stringent than the willful disregard threshold found in most other US state comprehensive privacy laws, and it raises the age threshold for a child or minor to 18, up from the 13 to 16 used in most states.

Maryland’s attorney general has exclusive enforcement power over MODPA and the discretion to provide a 60-day “cure period” for alleged violations (subject to that period sunsetting on April 1, 2027). It’s also important to note that while the law itself does not contain a private right of action, it also does not expressly preclude the right of consumers to bring a private cause of action otherwise provided by law; this differs significantly from other US state comprehensive privacy laws that expressly state that a violation of the law may not be used as a basis for a private cause of action.