TL;DR
The Maryland Online Data Privacy Act (MODPA) is operative for personal data processing as of April 1, 2026 — the deadline by which controllers must comply with its data-handling provisions. MODPA is among the strictest US state privacy laws: it imposes hard data minimization, broad sensitive data limits, and additional protections for minors. If you collect data on Maryland residents, this is the deadline to be compliant. Save your privacy notice, DPAs, processor agreements, and data inventory as date-stamped PDFs with Convert: Web to PDF and Convert: Anything to PDF. Track regulator updates with ScrapeMaster.
What MODPA Is — Quick Overview
The Maryland Online Data Privacy Act of 2024 was signed into law and took effect October 1, 2025, with the operative date for personal data processing on April 1, 2026. That bifurcation is important: the law was on the books for six months before controllers had to actually comply with the data-handling parts.
Scope thresholds for MODPA applicability:
- Persons conducting business in Maryland or producing products/services targeting Maryland residents
- During a calendar year, controlled or processed personal data of at least:
- 35,000 consumers; OR
- 10,000 consumers AND derived more than 20% of gross revenue from the sale of personal data
If you operate a website used by Maryland residents and you meet either threshold, MODPA applies.
Why MODPA Is Among the Strictest US State Privacy Laws
Most US state privacy laws follow a Virginia-style model: notice + opt-out + DPAs for high-risk processing. MODPA goes further in several ways:
1. Strict Data Minimization
MODPA requires that personal data collection be "limited to what is reasonably necessary and proportionate to provide or maintain a specific product or service requested by the consumer." This is closer to GDPR's strict purpose limitation than to typical US state law's general "purpose-limited" language.
What this means in practice:
- You can't collect data "just in case" or for unspecified future uses
- You must justify each data category against the specific service the consumer requested
- "Improvement of services" is not automatically a justified purpose
2. Strong Sensitive Data Restrictions
MODPA broadly prohibits the sale of sensitive data. Sensitive data includes:
- Racial or ethnic origin
- Religious beliefs
- Mental or physical health diagnosis
- Sex life or sexual orientation
- Citizenship or immigration status
- Genetic or biometric data
- Personal data of a known child
- Precise geolocation
- (Other categories defined in the statute)
Many other state laws permit sensitive data processing with consent. MODPA largely prohibits sale even with consent.
3. Minors' Data Protections (Beyond Federal COPPA)
MODPA imposes additional obligations around personal data of consumers known to be minors (under 18 in some contexts). This stacks on top of federal COPPA obligations for under-13 children — the FTC's updated COPPA rule has a April 22, 2026 compliance deadline.
4. Geofencing of Sensitive Locations
MODPA restricts geofencing around sensitive locations (mental/reproductive health facilities, etc.), which is unusual for state privacy law.
5. Universal Opt-Out Recognition
Like several other state laws, MODPA recognizes universal opt-out signals like Global Privacy Control (GPC). Honoring these is mandatory for sale and targeted advertising opt-outs.
What Controllers Must Have in Place by April 1, 2026
If MODPA applies to you, by April 1, 2026, you must have:
A. Privacy Notice
A clear, conspicuous privacy notice that includes:
- Categories of personal data processed
- Purposes of processing
- Categories of personal data shared with third parties
- Categories of third parties with whom data is shared
- Consumer rights and how to exercise them
- Process for appealing rights request denials
- An opt-out mechanism (link or button)
Save the notice as a date-stamped PDF on April 1, 2026 with Convert: Web to PDF. This proves what your notice was on the operative date.
B. Consumer Rights Mechanism
Verifiable mechanism for consumers to exercise rights:
- Access (one copy of personal data)
- Correction
- Deletion
- Portability
- Opt-out (sale, targeted advertising, certain profiling)
Including an appeals process when a request is denied.
C. Data Protection Assessments (DPAs)
For processing that presents heightened risk:
- Targeted advertising
- Sale of personal data
- Profiling that could result in unlawful disparate impact, financial/physical/reputational injury, intrusion on private affairs, or unfair effects
- Sensitive data processing
- Processing of personal data of minors
A DPA must identify benefits, risks, mitigations, and rationale. Maintain DPAs and provide to the AG on request.
D. Processor Contracts
Contracts with all processors that include the elements MODPA requires:
- Process data only on the controller's instructions
- Confidentiality obligations
- Data security requirements
- Subcontractor flow-down
- Audit/inspection rights
- Deletion or return obligations on termination
E. Reasonable Security Practices
Administrative, technical, and physical safeguards proportional to the data and the risk. Specifics aren't prescribed; the standard is "reasonable."
F. Data Minimization Implementation
Operationally limit collection to what's reasonably necessary for the service. This means going through your data inventory and asking whether each field is justified.
G. Sensitive Data Controls
Don't sell sensitive data (broadly prohibited). Process sensitive data only with affirmative consent and only when justified.
H. Children's / Minors' Data Provisions
For data on minors, additional consent and processing limits apply — beyond federal COPPA.
What to Save as PDFs on April 1, 2026
Compliance benders are most useful when they capture state at specific dates. On April 1, save:
| Item | How to Save | Why |
|---|---|---|
| Privacy notice | Convert: Web to PDF | What it said on April 1 |
| Privacy policy archive (older versions) | Convert: Web to PDF | Demonstrates evolution |
| Internal MODPA implementation memo | Convert: Anything to PDF | Internal record |
| DPA templates | Convert: Anything to PDF | Standardized structure |
| Specific DPAs completed | Convert: Anything to PDF | Per-process records |
| Processor list with MODPA classifications | Convert: Anything to PDF | Vendor inventory |
| Processor contract amendments | Convert: Anything to PDF | Updated terms in force |
| Consumer rights workflow documentation | Convert: Anything to PDF | Operational record |
| Security audit | Convert: Anything to PDF | Reasonable security demonstration |
| Data inventory snapshot | Convert: Anything to PDF | Data minimization evidence |
| Sensitive data identification record | Convert: Anything to PDF | Sensitive data scope clarity |
| Children's data inventory | Convert: Anything to PDF | MODPA + COPPA overlap |
Convert: Anything to PDF handles Word/Excel/email/screenshot conversions locally — important because compliance documents often contain sensitive details that shouldn't be uploaded to cloud-based tools.
Comparison: MODPA vs. Other State Privacy Laws
| Feature | MODPA (Maryland) | CCPA (California) | CDPA (Virginia) | Indiana / Kentucky / Rhode Island |
|---|---|---|---|---|
| Operative date | Apr 1, 2026 | 2020 (updated) | 2023 | Jan 1, 2026 |
| Data minimization | Strict | General | General | General |
| Sensitive data sale | Largely prohibited | Right to limit | Consent | Consent |
| Children's data | Strong, beyond COPPA | Strong | Standard | Standard |
| Geofencing of sensitive locations | Restricted | Limited | None specific | None specific |
| Universal opt-out signal | Required | Required (GPC) | Required | Required |
| Private right of action | None | Limited (breach) | None | None |
| Enforcement | AG | CPPA + AG | AG | AG |
The data minimization requirement is what most distinguishes MODPA.
What Maryland Means for Your Existing Compliance Program
If you already comply with CCPA/CPRA, GDPR, or another comprehensive privacy law, MODPA largely overlaps but adds friction in specific areas:
Data minimization requires fresh review. General compliance with "purpose limitation" under GDPR isn't automatically MODPA-compliant; the strict "reasonably necessary and proportionate" standard may require eliminating data fields you've kept "just in case."
Sensitive data sale restrictions are stricter than CCPA. CCPA allows sale of sensitive data with right-to-limit. MODPA broadly prohibits sale.
Minors' data extends beyond COPPA. If your business addresses anyone under 18 in any way, MODPA imposes additional obligations on top of federal COPPA. The April 2026 timeline overlaps with COPPA's April 22 update deadline.
Universal opt-out signals. If your business doesn't yet honor GPC, Maryland (and other state laws) make it mandatory.
Operational Steps Before and After April 1, 2026
Before April 1
- Audit all data collection against the data minimization standard
- Identify and tag sensitive data flows
- Review children's/minors' data flows
- Update privacy notice
- Update processor contracts (DPAs)
- Build or update consumer rights workflows
- Implement universal opt-out signal handling
- Document Data Protection Assessments for high-risk processing
- Implement geofencing restrictions if applicable
- Train customer support on MODPA-specific rights
On April 1
- Save privacy notice as PDF (date-stamped)
- Save updated processor contracts as PDF
- Save DPAs as PDF
- Verify sensitive data controls are in place
- Confirm consumer rights workflow handles MODPA's specific rights
- Confirm universal opt-out signal handling
After April 1
- Monitor consumer rights requests for volume changes
- Track Maryland AG enforcement actions and guidance
- Review new processing activities against MODPA before launch
- Maintain DPA documentation as new processing arises
- Watch for amendments and rule-making
How ScrapeMaster Helps Privacy Teams Track Updates
Privacy law moves quickly. The Maryland AG, CPPA, FTC, and other regulators publish guidance, enforcement actions, and proposed amendments regularly. Tracking everything manually is impractical.
ScrapeMaster helps build a structured intake from law-tracking sites:
- IAPP Daily Dashboard
- State AG announcement pages
- CPPA news/comment pages
- FTC press releases
- Major privacy law firm blogs
As you browse these in your monitoring routine, ScrapeMaster captures Date | Source | Title | URL | Affected Jurisdiction(s) into a CSV/JSON. Your team triages from a structured queue rather than re-reading every site.
Privacy Considerations for Compliance Documents Themselves
Compliance binders contain sensitive information: third-party processor lists, internal data flows, security audit summaries. These shouldn't be uploaded to free online PDF tools.
Local-only browser tools — Convert: Web to PDF and Convert: Anything to PDF — process documents in your browser without sending anything to an external server. For internal compliance packages, this is the only acceptable approach.
Frequently asked questions
When does MODPA take effect?
MODPA was effective October 1, 2025, but its operative date for personal data processing is April 1, 2026. Controllers must be compliant with data-handling provisions by April 1.
Who must comply with MODPA?
Persons conducting business in Maryland or producing products/services targeting Maryland residents that process personal data of at least 35,000 Maryland consumers, OR 10,000 consumers AND derive 20%+ of revenue from the sale of personal data.
What's MODPA's data minimization standard?
Personal data collection must be "limited to what is reasonably necessary and proportionate to provide or maintain a specific product or service requested by the consumer." This is stricter than typical state law "purpose limitation."
Does MODPA prohibit selling sensitive data?
MODPA broadly prohibits sale of sensitive data, with limited exceptions. This is stricter than several other state laws that allow sale with consent or right-to-limit.
What sensitive data categories does MODPA cover?
Racial/ethnic origin, religious beliefs, health diagnoses, sex life/sexual orientation, citizenship or immigration status, genetic/biometric data, data of a known child, precise geolocation, and other categories defined in the statute.
What about minors' data under MODPA?
MODPA imposes additional obligations beyond federal COPPA for personal data of minors. This stacks on top of the FTC's updated COPPA rule (compliance deadline April 22, 2026).
Does MODPA require Data Protection Assessments?
Yes — for processing that presents heightened risk: targeted advertising, sale, certain profiling, sensitive data, and processing of minors' data.
What enforcement does MODPA have?
Enforcement is exclusively by the Maryland Attorney General. There is no private right of action.
How should I document MODPA compliance?
Maintain a compliance binder of date-stamped PDFs: privacy notice, DPAs, processor contracts, data inventory, security documentation, and consumer rights workflow records. Use local-only PDF tools to avoid uploading sensitive compliance materials.
How does this overlap with other 2026 privacy laws?
Indiana, Kentucky, Rhode Island, and Minnesota's privacy laws took effect January 1, 2026. California's updated CCPA regulations also took effect January 1. MODPA's April 1 operative date and COPPA's April 22 deadline make Q2 2026 a busy compliance quarter.
Bottom Line
April 1, 2026 is when MODPA's data-handling requirements apply. With strict data minimization, broad sensitive data sale prohibition, and minors' data protections beyond federal COPPA, MODPA is among the strictest US state privacy laws.
If you operate a website used by Maryland residents and meet the thresholds, you need: a compliant privacy notice, DPAs for high-risk processing, processor contracts, sensitive data controls, minors' data controls, universal opt-out handling, and reasonable security practices.
Save everything as date-stamped PDFs. Convert: Web to PDF for your live privacy notice and online disclosures. Convert: Anything to PDF for internal Word/Excel/email compliance documentation. ScrapeMaster for tracking regulator updates and guidance from the Maryland AG and other privacy authorities. And CineMan AI helps process the wave of privacy-firm analyses being published around this deadline.