On May 9, 2024, Maryland Governor Wes Moore signed the Maryland Online Data Privacy Act of 2024 (MODPA) into law. The new comprehensive privacy law will go into effect on October 1, 2025, though it will not apply to any data processing activity before April 1, 2026.

MODPA has lower thresholds compared to other state privacy laws, applying to organizations that conduct business in Maryland or provide products and services targeted at Maryland residents that control the private data of either 1) at least 35,000 Maryland residents or 2) at least 10,000 Maryland residents if they derive more than 20% of gross revenue from the sale of personal data.

The law has similar obligations for data controllers as existing state privacy laws, requiring clear and accessible privacy notices and limiting data collection and usage to only what is reasonably necessary. It also grants consumers similar rights, such as the right to access and assess their data and clear methods to opt-out and revoke consent.

Exclusions include data covered by existing laws such as HIPAA and the Gramm-Leach-Bliley Act (GLBA) and some entity-level exclusions such as for regulatory bodies.