Why Maryland’s New Privacy Law Could be The Strictest in The US

Maryland’s governor signed SB 541 on May 8, enacting the Maryland Online Data Privacy Act (MODPA) and creating a high-water mark for comprehensive state privacy legislation.

• Maryland is the 17th state to enact a comprehensive privacy law and has charted a different course from other states.
• The MODPA has a relatively broad application, novel “data minimization” requirements, and particularly strict rules on processing sensitive data.
• The law takes effect on October 1, 2026, giving businesses more than two years to prepare—but some organizations might need to make significant changes to their operations to comply.

What’s so special about Maryland’s new privacy law?

As with every other “comprehensive” US state privacy law (except in California), Maryland’s “MODPA” takes its structure and language from the Virginia Consumer Data Protection Act (VCDPA)—but it diverges more significantly than any other “Virginia-style” law.

Maryland has chosen to include almost all the obligations present in other state’s laws, putting it on the stricter end of the spectrum from the start. These requirements include:

• Complying with consumers’ requests to access, correct, and delete their personal data, download it in a portable format, and opt out of targeted ads, the sale of their personal data, and certain forms of profiling. 
• Honoring Global Privacy Control (GPC) and other opt-out signals
• Conducting data protection assessments before conducting certain risky activities

But what makes Maryland’s law exceptional is how it approaches data minimization and sensitive data.

What does Maryland’s new privacy law say about data minimization?

In other states, businesses are generally allowed to collect and use people’s personal data by default—as long as they meet certain requirements and apply some relatively broad principles.

Maryland’s data minimization rules turn this usual model on its head with the following sentence: 

“A controller shall limit the collection of personal data to what is reasonably necessary and proportionate to provide or maintain a specific product or service requested by the consumer.”

This single requirement arguably makes Maryland stricter on privacy than any other state. It means that by default, MODPA-covered businesses cannot collect any personal data about a Maryland consumer unless they need it for a specific product or service requested by that consumer.

We don’t yet know how this will be applied in enforcement. But let’s imagine you work at an ecommerce store, and someone buys a product from your website. 

• Collecting the customer’s name, address, and payment details would likely be “reasonably necessary and proportionate” for the purpose of sending them the product. 
• Collecting additional information for targeted advertising might not be reasonably necessary and proportionate for that purpose.

If you want to process a consumer’s personal data for other purposes that aren’t “reasonably necessary for” or “compatible” with the purposes you disclosed to the consumer, you must request opt-in consent (and you can’t rely on a statement in your terms and conditions).

What about sensitive data?

The MODPA is even stricter when it comes to sensitive data, which the law defines as follows:

• Personal data revealing:
  • Racial or ethnic origin
  • Religious beliefs
  • Consumer health data
  • Sex life
  • Sexual orientation
  • Status as transgender or nonbinary
  • National origin
  • Citizenship or immigration status
• Genetic data
• Biometric data
• Children’s personal data
• Precise geolocation data

Now, here’s the crucial part:

“Except where the collection or processing is strictly necessary to provide or maintain a specific product or service requested by the consumer to whom the personal data pertains, (a controller may not) collect, process, or share sensitive data concerning a consumer.”

So the data minimization rule for sensitive data is similar to the rule for personal data in general, except:

• It applies when collecting, processing, or sharing sensitive data (rather than just “collecting” it).
• Businesses may only collect, process, or share sensitive data when strictly necessary for a requested product or service (rather than “reasonably necessary”).

What’s the difference between “strictly necessary” and “reasonably necessary”? The law doesn’t say. 

But Maryland clearly intended to ensure that businesses do not process sensitive data unless they really need to, so expect the Attorney General to take this provision seriously.

And unlike with “regular” personal data, a business cannot even ask for consent to use sensitive data for other purposes.

Finally, “selling” sensitive data is forbidden, whether for money or other “valuable consideration”. This prohibition could cover sharing sensitive data with a third party via cookies, pixels, or other tracking technology.

Who has to comply with Maryland’s new privacy law?

Maryland’s new privacy law applies to a business that conducts business in Maryland or provides products or services that are targeted to Maryland residents and that, during the previous year, either:

• Controlled or processed the personal data of at least 35,000 consumers except where “solely for the purpose of completing a payment transaction”, or
• Controlled or processed the personal data of at least 10,000 consumers and earned more than 20% of its revenue from selling personal data.

As such, the MODPA could apply if you process personal data about just 0.58% of Maryland’s six million residents. 

But as usual, employee and business-to-business data aren’t covered, and exemptions apply for data processed under the Health Insurance Portability and Accountability Act (HIPAA), the Fair Credit Reporting Act (FCRA), and other laws.

Enforcement of the MODPA falls under Maryland’s consumer protection law, which includes fines of up to $10,000 per violation or $25,000 for repeated violations. Until April 2027, the Attorney General can—but isn’t obliged to—offer businesses a chance to “cure” their violation and avoid enforcement.

Maryland Online Data Privacy Act: Key takeaways

• The MODPA includes all kinds of provisions from other “Virginia-style” laws but with additional data minimization and sensitive data requirements.
• Businesses may not collect personal data unless “reasonably necessary and proportionate” to provide a requested product or service.
• Businesses may not process sensitive data unless “strictly necessary” to provide a requested product or service and may not sell sensitive data for any reason.
• Before the MODPA takes effect in October 2026, covered businesses must provide a way to enable Maryland consumers to exercise their privacy rights and must configure their websites to process Global Privacy Control (GPC) and other universal opt-out mechanisms.