Support Centre



Law: Maryland Online Data Privacy Act of 2024 (MODPA)

Regulator: The Division of Consumer Protection in the Attorney General's office in Maryland (AG)

Summary: The MODPA was approved by the Governor of Maryland on May 9, 2024, and will enter into effect on October 1, 2025. The MODPA marks the State's first comprehensive privacy legislation and establishes obligations for controllers and processors. The MODPA introduces strict data minimization requirements regarding the collection and use of sensitive personal information and lays down obligations regarding vendor management and the conducting of data protection assessments. The MODPA also provides consumer rights, including the right to confirmation, access, correction, deletion, and opt out, among others. The AG is granted exclusive authority to enforce the provisions of the MODPA and does not provide for a private right of action.

Additionally, personal data protections are provided in supplementary legislation such as the  Act Concerning Consumer Protection – Online Products and Services – Data of Children (the Children's Act) which outlines requirements for covered entities that offer an online product reasonably likely to be accessed by children. The Children's Act was passed on May 9, 2024 and will enter into effect on October 1, 2025. Furthermore, breach requirements and the security of personal data is regulated by the Act Concerning the Maryland Personal Information Protection Act – Security Breach Notification Requirements – Modifications (the Data Breach Notification Law). The Data Breach Notification Law requires, among other things, any business that owns or licenses, or maintains computerized data that includes the personal information of an individual residing in Maryland to notify affected individuals of a data breach.


In its 2024 legislative session, Maryland's General Assembly passed two significant data privacy laws: the Maryland Online Data Protection Act of 2024 (MODPA)1 and the Maryland Age-Appropriate Design Code, also known as the Maryland Kids Code. Both laws are codified in the Commercial Law Article of Maryland's Annotated Code and were signed by Governor Wes Moore on May 9, 2024.

While MODPA contains restrictions and limitations on the collection, processing, use, and sale of children's data, the Maryland Kids Code aims to further protect children's online safety and privacy. It is based on similar age-appropriate design code laws enacted in the UK and California, and requires covered entities to implement Privacy by Design and Default when it comes to online products that children are reasonably likely to access. The Maryland Kids Code will become effective on October 1, 2024. Alexandra P. Moylan and Michael J. Halaiko, from Nelson Mullins Riley & Scarborough LLP, explore the key provisions of the Maryland Kids Code, how covered entities can ensure compliance, and how this law compares to similar laws.

Three states - Kentucky, Maryland, and Nebraska - welcomed Spring 2024 by passing comprehensive consumer privacy laws, joining the laws in New Hampshire and New Jersey1 enacted earlier this year. With the five new laws enacted in early Q2 2024, more than one-third of states have consumer privacy laws on the books.

In this part one Insight article, Julia Jacobson, Alexandra Kiosse, and Alan Friel, from Squire Patton Boggs, answer common questions such as the scope of protection, effective dates, and applicability, about the three newest state consumer privacy laws.

In its current legislative session, Maryland's General Assembly is considering the Maryland Online Data Privacy Act of 2024 (MODPA). The bill passed both the Maryland House of Representatives (House Bill 567) and the State Senate (Senate Bill 541) and is expected to go to a conference committee to resolve differences between the two versions before its final passage. If passed, the MODPA would go into effect on October 1, 2025. Alexandra P. Moylan and Michael J. Halaiko, from Nelson Mullins Riley & Scarborough LLP, take a look at the formation of MODPA, in particular its proposed scope, obligations on businesses, and provisions for consumer rights and penalties.

On 29 May 2022, House Bill 866 for the Genetic Information Privacy Act was enacted without the Governor's signature. The Act applies to direct-to-consumer genetic testing companies that collect genetic information from residents of the State of Maryland and will  go into effect on 1 October 2022. In this article, OneTrust DataGuidance highlights key provisions of the Act, in particular on its scope, key definitions, business obligations, and enforcement provisions.