Understanding the Maryland Online Data Privacy Act (MODPA): Why It Matters
The Maryland Online Data Privacy Act (MODPA) is set to take effect on October 1, 2025, and marks a significant step towards enhancing data privacy for residents of Maryland. This comprehensive regulation aims to provide consumers with greater control over their personal data while imposing stringent requirements on businesses that handle this information. Here’s a detailed look at what MODPA entails and why it’s important for both consumers and businesses.
Why is MODPA Important?
MODPA represents a significant advancement in data privacy regulation, aligning Maryland with other jurisdictions that prioritize consumer data protection. Businesses operating in Maryland must prepare to comply with these new standards, ensuring that they respect and safeguard the personal data of their consumers. The introduction of MODPA is crucial for several reasons:
- Enhanced Consumer Protection: It provides Maryland residents with robust rights to access, control, and protect their personal data, fostering trust in digital transactions.
- Transparency and Accountability: Businesses are held accountable for their data practices, ensuring greater transparency and reducing the likelihood of data misuse.
- Data Security: The regulation emphasizes the importance of data security, requiring businesses to implement appropriate measures to protect consumer data from breaches.
- Adaptation to Modern Challenges: By addressing issues such as automated decision-making and targeted advertising, MODPA is tailored to the complexities of modern data processing.
Scope and Application
MODPA applies to businesses that operate in Maryland or target their products and services to Maryland residents. Specifically, it covers entities that:
- Controlled or processed the personal data of at least 35,000 consumers in the previous calendar year (excluding data used solely for payment transactions).
- Controlled or processed the personal data of at least 10,000 consumers and made more than 20% of their gross revenue from selling personal data.
Notably, the act does not apply to employees or business-to-business (B2B) companies, focusing instead on consumer interactions.
Maryland Consumer Rights
MODPA aligns with the consumer privacy laws of most other states, defining a consumer as an individual residing in Maryland and acting solely in a personal capacity, excluding those acting in employment or commercial contexts. Under MODPA, consumers are granted several rights to ensure transparency and control over their personal data which include:
- Access and Confirmation: Consumers can confirm whether their data is being processed and access their personal data held by controllers.
- Correction: Consumers can correct inaccuracies in their personal data.
- Deletion: Consumers can request the deletion of their data, unless retention is required by law.
- Data Portability: If data is processed automatically, consumers can obtain a copy of their data in a portable format to transfer it to another controller.
- Third-Party Disclosure: Consumers can obtain a list of third parties to whom their data has been disclosed.
- Opt-Out Rights: Consumers can opt out of data processing for targeted advertising, the sale of personal data, or profiling that affects them legally or significantly.
Controllers must respond to consumer requests within 45 days, extendable by another 45 days if necessary. If a request is denied, the controller must inform the consumer of the reasons and provide instructions for an appeal.
Controller and Processor Responsibilities
MODPA sets forth strict guidelines for how controllers (entities that determine the purposes and means of processing personal data) and processors (entities that process data on behalf of controllers) handle consumer data:
- Prohibited Actions: Controllers cannot collect, process, or share sensitive data unless necessary to provide a requested service. They are also prohibited from selling sensitive data, processing data in a discriminatory manner, or targeting advertising at minors under 18 without consent.
- Non-Discrimination: Controllers must not discriminate against consumers for exercising their rights under MODPA.
- Consumer Consent: Controllers must obtain consumer consent for data processing that goes beyond what is necessary for the disclosed purposes. Consumers can revoke consent, and controllers must cease processing the data within 30 days of the revocation.
- Appeals Process: Controllers must establish an appeals process for consumers whose requests are denied, with a response required within 60 days.
Data Protection and Security
Processors are required to adhere to the controller’s instructions and assist in fulfilling obligations related to consumer rights, data security, and breach notifications. They must also provide necessary information for controllers to conduct and document Data Protection Assessments (DPAs) for activities that pose a heightened risk of harm to consumers.
Under MODPA, controllers are required to perform “data protection assessments” for any processing activities that pose a heightened risk of harm. This includes an assessment for each algorithm used. Such activities encompass:
- Processing personal data for targeted advertising
- Selling personal data
- Processing sensitive data
- Profiling personal data when it poses a foreseeable risk of unfair, abusive, or deceptive treatment of consumers or results in substantial consumer injury
These assessments must evaluate and compare the benefits of the processing activities for all parties involved against the potential risks to consumer rights. MODPA permits the use of impact assessments conducted for other state privacy laws to fulfill its assessment requirements. These data protection assessment requirements will apply to processing activities starting on or after October 1, 2025.
Data Minimization Requirements
MODPA mandates that the collection of personal data be limited to what is reasonably necessary to provide or maintain the requested product or service. This requirement is even stricter for sensitive data. The Act also stipulates that controllers must obtain consent before processing personal data for purposes beyond those originally disclosed and deemed necessary or compatible.
However, MODPA allows controllers and processors to engage in specific processing activities, such as fraud prevention and internal operations, as long as these activities are reasonably necessary and proportionate to their intended purposes.
Special Provisions
MODPA includes specific provisions such as:
- Health Data: Special requirements apply to processing consumer health data.
- Third-Party Notice: Third parties must notify consumers before using or sharing their information in ways that differ from the initial collection terms.
- Algorithm Assessments: DPAs are required for any algorithmic activities that present heightened risks to consumers.
BigID’s Approach to MODPA
BigID is the industry leading platform for data privacy, security, compliance, and AI data management that enables organizations to proactively prepare for MODPA and achieve compliance with its patented identity-aware privacy automation.
With BigID, businesses can:
- Identify All Data: Discover and classify data to build an inventory, map data flows, and gain visibility on all personal and sensitive information subject to MODPA requirements.
- Automate Data Rights Management: Automatically manage privacy requests, preferences, and consent, including opting out of data selling, targeted advertising, and user profiling.
- Apply Policies: Remediate policy-based risk with controls and workflows to take action on MODPA requirements.
- Minimize Data: Apply data minimization practices by identifying, categorizing, and deleting unnecessary or excessive personal data to efficiently manage the data lifecycle.
- Implement Data Protection Controls: Automate data protection controls to enforce data access and other security measures, which are crucial to safeguarding data and complying with MODPA.
- Assess Risk: Automate privacy impact assessments, data inventory reports, and remediation workflows to identify and remediate risks to maintain compliance.
Schedule a 1:1 demo to see how BigID can accelerate your compliance with MODPA.