Crabcakes & Football (& Privacy): That’s What Maryland Does

Written By Kellie Bubeck

The patchwork quilt of state privacy laws keeps growing. With no federal privacy law to unify the rules, businesses are left juggling compliance with dozens of state laws. Maryland just added another square to that quilt with the Maryland Online Data Privacy Act (MODPA), which takes effect October 1, 2025. If you sell to Marylanders, advertise there, or have users signing up from Maryland, this law just landed on your compliance roadmap.

Does MODPA Apply to Your Business?

MODPA applies if you handle the personal data of 35,000 or more Maryland residents a year, or 10,000 or more and earn over 20 percent of revenue from selling data. This isn’t just a legal technicality. MODPA can impact your marketing campaigns, loyalty programs, ad targeting, and even how you design products and services.

Maryland Gives Consumers New Power

Maryland residents will gain the ability to access, correct, delete, and download their data, see which categories of third parties you share it with, and opt out of targeted ads, data sales, and profiling. You have 45 days to respond to a request. Miss that deadline and you may get a call from the Maryland Attorney General’s office.

Sensitive Data Is Off-Limits (Mostly)

Maryland goes further than most states by allowing collection of sensitive data only when it is strictly necessary to deliver what the consumer asked for. Sensitive data includes health information, race, religion, sexual orientation, children’s data, and precise location. No more collecting data “just in case,” no selling, no profiling.

What Smart Companies Are Doing Now

Smart companies are rewriting their privacy policies to make them consumer-friendly and compliant, building request response workflows that actually meet the 45-day deadline, tightening vendor contracts with privacy and security terms, documenting risk assessments for targeted ads, data sales, and profiling, and training staff to recognize and correctly respond to consumer data requests.

Enforcement

There is no private right of action, but the Attorney General has the power to enforce MODPA and will give businesses a short cure window until April 1, 2027, but waiting for a notice before you act can be costly and disruptive. Treat MODPA as part of your broader privacy strategy and get started now.

Kellie Bubeck https://www.bubecklaw.com/about
Next

Privacy Sweep Alert: Global Privacy Control Enforcement Goes Multi-State