Verstehen der Maryland Online Data Privacy Act (MODPA): Why It Matters

Die Maryland Online Data Privacy Act (MODPA) ist voraussichtlich am 1. Oktober 2025, and marks a significant step towards enhancing data privacy for residents of Maryland. This comprehensive regulation aims to provide consumers with greater control over their personenbezogene Daten while imposing stringent requirements on businesses that handle this information. Here’s a detailed look at what MODPA entails and why it’s important for both consumers and businesses.

Why is MODPA Important?

MODPA represents a significant advancement in data privacy regulation, aligning Maryland with other jurisdictions that prioritize consumer data protection. Businesses operating in Maryland must prepare to comply with these new standards, ensuring that they respect and safeguard the personal data of their consumers. The introduction of MODPA is crucial for several reasons:

1. Verbesserter Verbraucherschutz: It provides Maryland residents with robust rights to access, control, and protect their personal data, fostering trust in digital transactions.
2. Transparenz und Rechenschaftspflicht: Businesses are held accountable for their data practices, ensuring greater transparency and reducing the likelihood of data misuse.
3. Datensicherheit: The regulation emphasizes the importance of data security, requiring businesses to implement appropriate measures to protect consumer data from breaches.
4. Adaptation to Modern Challenges: By addressing issues such as automated decision-making and targeted advertising, MODPA is tailored to the complexities of modern data processing.

Umfang und Anwendung

MODPA applies to businesses that operate in Maryland or target their products and services to Maryland residents. Specifically, it covers entities that:

• Controlled or processed the personal data of at least 35,000 consumers in the previous calendar year (excluding data used solely for payment transactions).
• Controlled or processed the personal data of at least 10,000 consumers and made more than 20% of their gross revenue from selling personal data.

Notably, the act does not apply to employees or business-to-business (B2B) companies, focusing instead on consumer interactions.

Maryland Consumer Rights

MODPA aligns with the consumer privacy laws of most other states, defining a consumer as an individual residing in Maryland and acting solely in a personal capacity, excluding those acting in employment or commercial contexts. Under MODPA, consumers are granted several rights to ensure transparency and control over their personal data which include:

1. Access and Confirmation: Consumers can confirm whether their data is being processed and access their personal data held by controllers.
2. Correction: Consumers can correct inaccuracies in their personal data.
3. Deletion: Verbraucher können request the deletion of their data, unless retention is required by law.
4. Data Portability: If data is processed automatically, consumers can obtain a copy of their data in a portable format to transfer it to another controller.
5. Third-Party Disclosure: Consumers can obtain a list of third parties to whom their data has been disclosed.
6. Opt-Out Rights: Consumers can opt out of data processing for targeted advertising, the sale of personal data, or profiling that affects them legally or significantly.

Controllers must respond to consumer requests within 45 days, extendable by another 45 days if necessary. If a request is denied, the controller must inform the consumer of the reasons and provide instructions for an appeal.

Controller and Processor Responsibilities

MODPA sets forth strict guidelines for how controllers (entities that determine the purposes and means of processing personal data) and processors (entities that process data on behalf of controllers) handle consumer data:

• Prohibited Actions: Controllers cannot collect, process, or share sensitive data unless necessary to provide a requested service. They are also prohibited from selling sensitive data, processing data in a discriminatory manner, or targeting advertising at minors under 18 without consent.
• Nichtdiskriminierung: Controllers must not discriminate against consumers for exercising their rights under MODPA.
• Consumer Consent: Controllers must obtain consumer consent for data processing that goes beyond what is necessary for the disclosed purposes. Consumers can revoke consent, and controllers must cease processing the data within 30 days of the revocation.
• Appeals Process: Controllers must establish an appeals process for consumers whose requests are denied, with a response required within 60 days.

Data Protection and Security

Processors are required to adhere to the controller’s instructions and assist in fulfilling obligations related to consumer rights, data security, and breach notifications. They must also provide necessary information for controllers to conduct and document Data Protection Assessments (DPAs) for activities that pose a heightened risk of harm to consumers.

Under MODPA, controllers are required to perform “data protection assessments” for any processing activities that pose a heightened risk of harm. This includes an assessment for each algorithm used. Such activities encompass:

• Processing personal data for targeted advertising
• Verkauf personenbezogener Daten
• Verarbeitung sensibler Daten
• Profiling personal data when it poses a foreseeable risk of unfair, abusive, or deceptive treatment of consumers or results in substantial consumer injury

These assessments must evaluate and compare the benefits of the processing activities for all parties involved against the potential risks to consumer rights. MODPA permits the use of Folgenabschätzungen conducted for other state privacy laws to fulfill its assessment requirements. These data protection assessment requirements will apply to processing activities starting on or after October 1, 2025.

Data Minimization Requirements

MODPA mandates that the collection of personal data be limited to what is reasonably necessary to provide or maintain the requested product or service. This requirement is even stricter for sensitive data. The Act also stipulates that controllers must obtain consent before processing personal data for purposes beyond those originally disclosed and deemed necessary or compatible.

However, MODPA allows controllers and processors to engage in specific processing activities, such as fraud prevention and internal operations, as long as these activities are reasonably necessary and proportionate to their intended purposes.

Special Provisions

MODPA includes specific provisions such as:

• Health Data: Special requirements apply to processing consumer health data.
• Third-Party Notice: Third parties must notify consumers before using or sharing their information in ways that differ from the initial collection terms.
• Algorithm Assessments: DPAs are required for any algorithmic activities that present heightened risks to consumers.

BigID’s Approach to MODPA

BigID is the industry leading platform for data privacy, security, compliance, and AI-Datenmanagement that enables organizations to proactively prepare for MODPA and achieve compliance with its patented identity-aware privacy automation.

Mit BigID können Unternehmen:

• Alle Daten identifizieren: Entdecken und klassifizieren Sie Daten to build an inventory, map data flows, and gain visibility on all personal and sensitive information subject to MODPA requirements.
• Automatisieren Sie die Verwaltung von Datenrechten: Verwalten Sie Datenschutzanfragen, Einstellungen und Einwilligungen automatisch, einschließlich der Deaktivierung von Datenverkauf, gezielter Werbung und Benutzerprofilierung.
• Richtlinien anwenden: Remediate policy-based risk with controls and workflows to take action on MODPA requirements.
• Daten minimieren: Wenden Sie Verfahren zur Datenminimierung an, indem Sie unnötige oder übermäßige personenbezogene Daten identifizieren, kategorisieren und löschen, um den Datenlebenszyklus effizient zu verwalten.
• Implementieren Sie Datenschutzkontrollen: Automate data protection controls to enforce data access and other security measures, which are crucial to safeguarding data and complying with MODPA.
• Risiko einschätzen: Automatisieren Sie privacy impact assessments, Datenbestandsberichte und Korrektur-Workflows zum Identifizieren und Beheben von Risiken, um die Compliance aufrechtzuerhalten.

Vereinbaren Sie eine 1:1-Demo to see how BigID can accelerate your compliance with MODPA.

Autor

Alexis Porter

Leiterin für Content Marketing

Alexis arbeitet als Content Marketing Manager für den branchenführenden DSPM-Anbieter BigID. Sie hat sich darauf spezialisiert, Tech-Start-ups dabei zu helfen, ihre Stimme zu schärfen, um überzeugende Geschichten zu erzählen, die bei unterschiedlichen Zielgruppen Anklang finden. Sie hat einen Bachelor-Abschluss in professionellem Schreiben und einen Master-Abschluss in Marketingkommunikation von der University of Denver. Alexis arbeitet von Orlando, FL aus.