Introduction
The Maryland Online Data Privacy Act of 2024, widely referred to as the data privacy act MODPA, is Maryland’s first comprehensive data privacy law. It governs how businesses handle online data collection and processing involving Maryland residents.
Governor Wes Moore signed MODPA into law on May 9, 2024. The law became effective on October 1, 2025, with its core obligations applying to personal data processing activities occurring on or after April 1, 2026. This phased approach gives covered businesses a focused window to implement changes.
MODPA sits alongside other state privacy laws like the CCPA and the VCDPA, but introduces stricter rules on sensitive data, data minimization, and children’s data. It covers data collection and use across websites, apps, cookies, targeted advertising, and profiling of Maryland residents, making it relevant for virtually any business with an online presence that reaches Maryland consumers.

Scope and Applicability: Is Your Business Subject to MODPA?
Determining whether MODPA applies to your business comes down to three factors: location, activities, and volume of personal data.
MODPA applies to businesses that conduct business in Maryland or target Maryland residents with services targeted at them, regardless of where the business is physically located. This means out-of-state companies, including Shopify stores that ship to Maryland or run Maryland-targeted marketing, can fall under its scope.
The two main thresholds are:
Threshold | Requirement |
|---|---|
Threshold 1 | Process personal data of at least 35,000 Maryland consumers in a calendar year (excluding payment-only transactions) |
Threshold 2 | Process personal data of at least 10,000 Maryland consumers and derive 20% or more of gross revenue from selling personal data |
MODPA applies to entities processing data of 35,000 Maryland consumers annually, and MODPA applies to businesses processing the personal data of at least 10,000 Maryland residents and deriving over 20% of their revenue from selling personal data.
A “consumer” means a Maryland resident acting in an individual or household context. MODPA does not apply to business or employee data, so business-to-business contacts and employee data are generally excluded from the threshold calculations.
Many nonprofits are in scope because MODPA’s nonprofit exemption is very narrow, applying mainly to organizations that process personal data solely to assist law enforcement or first responders during catastrophic events. Most charities, trade associations, and universities must comply.
Financial institutions regulated under the Gramm-Leach-Bliley Act may have some exemptions, but should still carefully review overlaps around online marketing, cookies, and targeted advertising.
For e-commerce businesses, the practical step is to map your customer base and traffic sources. Review order history, analytics, and marketing campaigns to estimate how many Maryland consumers you engage each year and whether those thresholds will be met.
- No coding required
- Works with all Shopify themes
- Blocks tracking before consent
- Google Consent Mode v2 ready
- Trusted by 180k+ stores
- 2,900+ 5-star reviews
- Google CMP Partner
Key Concepts and Definitions Under MODPA
Understanding MODPA’s terminology is essential for building a compliance strategy. Here are the core definitions that affect how you process data.
Personal data is any information linked or reasonably linkable to an identified or identifiable consumer. This includes names, emails, device IDs, and online identifiers from cookies. It excludes the identified data that has been appropriately processed to prevent re-identification, as well as publicly available information.
Sensitive data under MODPA is broadly defined. It includes racial or ethnic origin, religious beliefs, consumer health data, mental health status, sex life, sexual orientation, precise geolocation, national origin, citizenship or immigration status, and personal data of children. Sensitive data also includes genetic, biometric, and health data. This definition of sensitive data that MODPA uses is broader than that of many other state laws.
The “sale of personal data” covers exchanges for monetary or other valuable consideration, not just direct monetary payments. MODPA prohibits the sale of sensitive data altogether, meaning consent does not override the prohibition on selling sensitive data.
A “controller” is the business deciding the purposes and means of processing personal data, such as a Shopify merchant running an online store. A “processor” is a service provider that processes data on the controller’s behalf, such as analytics or marketing vendors.
Targeted advertising means displaying ads based on personal data collected from activity across non-affiliated websites or apps. This is distinct from contextual ads based solely on the page a user is currently viewing.
Profiling and automated decision-making refer to automated processes used to evaluate personal aspects of consumers or to make decisions that could have legal or similarly significant effects.
Consumer Rights and Business Duties Under MODPA
MODPA grants Maryland residents a robust set of consumer rights and imposes clear response obligations on covered businesses.
The main consumer rights include:
- The right to confirm if a business is processing their data
- The right to access their personal data in a readily usable format
- The right to correct inaccuracies in their personal data
- The right to delete their personal data held by businesses
- The right to data portability
- The right to obtain a list of third-party categories receiving their consumer’s personal data
Consumers also have the right to opt out of targeted advertising, the sale of their personal data, and specific profiling or automated decisions that have legal or similarly important consequences. Businesses must honor universal opt-out mechanisms, including global privacy control signals sent by browsers or privacy tools. Consumers can also appoint representatives to exercise their rights on their behalf.
For consumer rights requests, controllers must respond to consumer requests within 45 days, with one possible 45-day extension where reasonably necessary. Maryland consumers can request data access within 45 days. Businesses must provide one free copy of the data every 12 months.
If a request is denied, the business must offer an appeal process and respond to appeals within 60 days, then provide a way to complain to the Maryland Consumer Protection Division if the appeal is unsuccessful. Consumers can withdraw consent within 30 days of request, and companies must halt processing sensitive data within 30 days of consent revocation.
Businesses may not discriminate against consumers who exercise their data subject rights. Equal treatment is required, with limited allowances for loyalty programs or diversity initiatives consistent with other privacy laws.
To streamline compliance efforts, businesses should implement processes or tools to centralize and track consumer rights requests across multiple laws, including MODPA, GDPR, and CCPA.

Sensitive Data, Children’s Data, and Data Minimization
MODPA is unusually strict on sensitive personal data and children’s data compared to most other U.S. state laws.
MODPA prohibits the sale of sensitive data entirely. It also prohibits the sale of sensitive personal data entirely, regardless of consumer consent. Selling sensitive data is categorically banned. Organizations should gather sensitive data only when it is strictly essential to deliver or support a particular product or service requested by the consumer. Processing sensitive data outside of what is strictly necessary requires specific opt-in sensitive data consent from the consumer. Businesses must provide easy ways for consumers to revoke that consent later.
For minors under 18, MODPA imposes enhanced protections. Businesses cannot sell or process the personal data of consumers under 18 for targeted advertising if they are aware of the consumer’s age. The law uses a “knew or should have known” standard, which is broader than the actual-knowledge standard found in many other state laws.
MODPA’s data minimization principle requires businesses to limit data collection, use, and retention to what is reasonably necessary and proportionate to the disclosed purposes. Excessive or unrelated data collection is not permitted, even with consumer consent.
Practically, businesses should regularly review their data collection points, including checkout forms, newsletter sign-ups, cookie categories, and third-party pixels, and remove fields or trackers not essential for stated purposes.
Pandectes can help Shopify merchants implement granular consent management and cookie controls to separate essential data from marketing or analytics data, supporting MODPA’s minimization and sensitive data safeguards.
High-Risk Processing, Data Protection Assessments, and Automated Decision Making
MODPA requires businesses to conduct data protection assessments for certain high-risk processing activities. Businesses must conduct data protection assessments for high-risk processing starting from when the law’s obligations apply.
The types of processing that typically trigger risk assessments include:
- Targeted advertising based on personal data
- Sale of personal data
- Processing sensitive data
- Profiling and automated decision-making producing legal or similarly significant effects
- Large-scale data processing with heightened risk of harm
A data protection assessment should document the purposes of processing, its benefits, the potential risks, and the safeguards implemented to mitigate them. MODPA expects separate, algorithm-specific assessments for each automated decision-making system used for high-risk data processing activities, especially when decisions could affect access to credit, employment, housing, or similarly significant opportunities.
While assessments generally remain internal, the Maryland Attorney General can request them during investigations to evaluate whether a controller’s conduct aligns with MODPA’s requirements.
Businesses building or using algorithms for personalization, credit decisions, or fraud detection should involve legal, privacy, and technical teams early to ensure assessments and documentation are in place before large-scale deployment.
Scalable consent management and tracking systems, such as those offered by Pandectes, support these assessments by providing clear records of consent signals and data flows for targeted advertising and profiling.
Business Obligations: Contracts, Transparency, and Security
Beyond consumer rights, MODPA imposes day-to-day operational duties on controllers and processors around contracts, notices, and security controls.
Clear and accessible privacy policies must outline what data is collected and how consumers can exercise their rights. Privacy notices must disclose:
- Categories of personal data collected
- Purposes of further processing
- Categories of third-party recipients (businesses must disclose third parties receiving personal data)
- Consumer rights and opt-out mechanisms
- Contact information
MODPA requires detailed data processing agreements between controllers and processors. These contracts must specify processing instructions, permitted and prohibited uses, reasonable security measures, data transfer conditions, and assistance with consumer rights requests and data protection assessments.
For consumer health data, biometric and genetic data, and other highly sensitive categories, controllers must implement special contractual and access controls, limiting access to authorized personnel under confidentiality obligations.
MODPA requires businesses to implement reasonable security measures. Security obligations include reasonable administrative, technical, and physical safeguards appropriate to the nature, volume, and sensitivity of the personal data processed, including encryption, access controls, and regular audits.
Organizations should maintain records of processing activities, vendor inventories, and data flows so they can quickly identify where Maryland consumer data resides. Shopify merchants should review and update their vendor contracts for analytics, email marketing, reviews, personalization, and ad tech to ensure MODPA-compliant data protection clauses are in place well before April 1, 2026.

Enforcement, Penalties, and Timeline for Compliance
MODPA is enforced exclusively by the Maryland Attorney General’s Consumer Protection Division. There is no private right of action, meaning consumers cannot sue directly for violations under MODPA, though they retain other legal remedies.
Violations are considered unfair, deceptive, or abusive trade practices according to the Maryland Consumer Protection Act. Penalties can reach up to $10,000 per violation for the first offense. Subsequent violations can incur penalties of $25,000 each. The Maryland Attorney General may also seek injunctive relief, restitution, and disgorgement of profits.
Organizations have a 60-day cure period for compliance violations until April 1, 2027. After that date, the Attorney General may proceed directly to enforcement without offering an opportunity to cure. MODPA enforcement begins on October 1, 2025, but its obligations apply to processing activities after April 1, 2026, giving businesses a focused preparation window.
Factors influencing enforcement decisions may include the severity of the violation, the number of consumers affected, willfulness, and whether the business had reasonable compliance efforts in place.
Do not wait for enforcement actions. Treat 2025 through early 2026 as the period to implement policies, conduct assessments, and deploy consent management tools. Strong documentation, including policies, training records, data protection assessments, and vendor contracts, will be critical evidence of good-faith compliance if regulators investigate.
Practical Compliance Steps for Businesses (Including Shopify Merchants)
Here is a pragmatic checklist for operationalizing MODPA compliance across people, processes, and technology.
- Conduct a data inventory: Identify what personal data you collect data from Maryland residents, through which channels (web, apps, cookies), and for which purposes. Flag any sensitive or children’s data.
- Update privacy notices: Reflect MODPA requirements in your policies, including detailed disclosures about data collection, targeted advertising, profiling, consumer rights, and opt-out or consent mechanisms.
- Implement consent management: Deploy or enhance tools for cookie consent and tracking technologies, ensuring Maryland consumers can opt-out of targeted advertising, and that consent signals are recorded and respected.
- Build consumer request workflows: Create internal processes for consumer rights requests and appeals, including authentication procedures, 45-day and 60-day deadlines, and escalation paths for complex requests.
- Conduct data protection assessments: Complete risk assessments for targeted advertising, the sale of personal data, sensitive data processing, and automated decision-making that may significantly affect consumers. Document risk and mitigation steps.
- Run a data privacy audit: Review all third-party pixels, analytics services, and ad-tech integrations for MODPA alignment. Remove what is not essential to protect personal data.
- Leverage Pandectes GDPR Compliance: Shopify merchants can deploy compliant cookie banners, manage opt-outs and consumer consent across multiple jurisdictions, integrate with Google Consent Mode, and centralize audit-ready consent tracking logs that support MODPA and other state privacy laws. Pandectes GDPR Compliance is a privacy-compliance SaaS app for Shopify stores, designed to handle cross-border privacy requirements and now including MODPA. The app provides customizable cookie banners and consent management tools that help honor opt-outs for targeted advertising, analytics cookies, and other non-essential data collection from Maryland consumers. Pandectes tracks and stores granular consent records, which support data protection assessments and demonstrate compliance with MODPA’s consent and opt-out obligations during investigations or audits.
Conclusion
The Maryland Online Data Privacy Act (MODPA) represents a significant step forward in consumer data protection, imposing strict limits on the collection, use, and sale of sensitive data, including biometric data and other sensitive data MODPA covers. Businesses operating in or targeting Maryland residents must navigate compliance challenges by updating privacy policies, implementing transparent consent management, and conducting thorough data protection assessments.
Embracing tools that support global privacy control and respect consumer rights will be essential to meet MODPA’s requirements and avoid penalties related to deceptive trade practices. Proactive preparation will not only ensure legal compliance but also build consumer trust in an increasingly privacy-conscious market.


