Law: Maryland Online Data Privacy Act of 2024 (MODPA)

Regulator: The Division of Consumer Protection in the Attorney General's office in Maryland (AG)

Summary: The MODPA was approved by the Governor of Maryland on May 9, 2024, and will enter into effect on October 1, 2025. The MODPA marks the State's first comprehensive privacy legislation and establishes obligations for controllers and processors. The MODPA introduces strict data minimization requirements regarding the collection and use of sensitive personal information and lays down obligations regarding vendor management and the conducting of data protection assessments. The MODPA also provides consumer rights, including the right to confirmation, access, correction, deletion, and opt out, among others. The AG is granted exclusive authority to enforce the provisions of the MODPA and does not provide for a private right of action.

Additionally, personal data protections are provided in supplementary legislation such as the  Act Concerning Consumer Protection – Online Products and Services – Data of Children (the Children's Act) which outlines requirements for covered entities that offer an online product reasonably likely to be accessed by children. The Children's Act was passed on May 9, 2024 and will enter into effect on October 1, 2025. Furthermore, breach requirements and the security of personal data is regulated by the Act Concerning the Maryland Personal Information Protection Act – Security Breach Notification Requirements – Modifications (the Data Breach Notification Law). The Data Breach Notification Law requires, among other things, any business that owns or licenses, or maintains computerized data that includes the personal information of an individual residing in Maryland to notify affected individuals of a data breach.