MODPA Goes into Effect on October 1, 2025: What You Need to Know
October 1, 2025, marks the official start of the Maryland Online Data Privacy Act of 2024 (MODPA). While Maryland may be the last U.S. state to implement a comprehensive privacy law this year, MODPA introduces unique requirements that businesses need to understand and act on right away.
Although it shares similarities with other state privacy laws, certain provisions of MODPA present distinct operational and compliance challenges. Here’s a breakdown of the most critical aspects of the law and their implications for organizations.
1. Lower Thresholds and Narrower Exemptions
MODPA sets its scope based on what a business did in the prior calendar year. The law applies to organizations that:
- Handled the personal data of at least 35,000 Maryland residents, or
- Handled the personal data of at least 10,000 Maryland residents and earned more than 20% of gross revenue from selling personal data.
The 35,000-resident threshold is relatively low compared to many other state privacy laws. This means even mid-sized companies could find themselves within scope.
Additionally, MODPA does not provide the same broad exemptions seen elsewhere. Unlike other state laws:
- HIPAA-covered entities are not exempt at the entity level.
- Most nonprofits are also not exempt (except those providing services to law enforcement or first responders).
What this means: Organizations that previously escaped compliance under other state privacy laws, especially smaller businesses and nonprofits, may now need to prepare for MODPA.
2. Strict Data Minimization Requirement
MODPA mandates that controllers limit data collection to what is “reasonably necessary and proportionate to provide or maintain a specific product or service requested by the consumer.”
This is stricter than most other U.S. state privacy laws, which usually require data collection to be reasonably necessary for the purposes for which it is processed.
Impact:
- Data collected for analytics, interest-based advertising, or behavioral tracking may exceed MODPA’s limits.
- Businesses relying heavily on cookies, digital tracking, or third-party integrations may need to adjust their data collection strategies.
3. Broader Definition of Biometric Data
MODPA expands the definition of biometric data to include any data “that can be used to uniquely authenticate a consumer’s identity,” instead of data merely used or intended to be used for authentication.
Implication:
- Companies using emerging technologies (e.g., avatars, smart glasses, wearable devices) must carefully evaluate whether the data they collect qualifies as biometric.
- Biometric data is also treated as sensitive data, triggering stricter requirements for collection, use, sharing, and access.
4. Restrictions on the Collection and Sale of Sensitive Data
MODPA imposes significant restrictions on sensitive data, including biometric data, precise geolocation, race/ethnicity, health, and sexual orientation:
- Collection, use, or sharing is allowed only if strictly necessary to provide a product or service requested by the consumer.
- Sale of sensitive data is strictly prohibited, though consumer-directed disclosures may be allowed if the consumer initiates or authorizes them.
Actionable Insight: Organizations must implement robust policies for handling sensitive data and ensure any disclosures align with MODPA’s restrictions.
5. Enhanced Protections for Minors
MODPA increases protections for minors by:
- Prohibiting the sale or use of personal data for targeted advertising if the controller knew or should have known the individual was under 18.
- Raising the minor age threshold to 18, compared to 13–16 in other state laws.
Implication: Businesses must have reliable age verification processes and data handling practices for minors.
6. Enforcement and Legal Considerations
- Enforcement: Maryland’s Attorney General has exclusive enforcement authority.
- Cure Period: The AG may allow a 60-day cure period for alleged violations (effective until April 1, 2027).
- Private Right of Action: While MODPA does not explicitly grant a private right of action, it also does not prevent consumers from seeking remedies under other applicable laws.
Tip: Companies should document compliance efforts thoroughly and maintain clear audit trails to mitigate enforcement risk.
Final Thoughts
MODPA introduces a range of new obligations that may impact businesses of all sizes, from startups to large enterprises. Key focus areas include data minimization, sensitive and biometric data handling, minor protections, and internal compliance processes.
Businesses operating in Maryland should review current practices immediately and make necessary adjustments to ensure compliance. The new law carries real operational and legal implications that could affect your business strategy, technology deployments, and customer interactions.
About Ardent Privacy
Ardent’s mission is to help enterprises implement meaningful security and privacy programs aligned to their business mission, building trust and protecting data assets. Ardent’s technology, “TurtleShield,” is a holistic software platform that empowers enterprise security, legal, and data teams to implement and manage data privacy within their organizations, with rapid data asset visibility and actions to enable privacy compliance, govern AI risk, provide meaningful data protection, and reduce the cost of compliance and data breaches. Our unique and patented ML/AI-powered technology helps organizations comply with evolving privacy and AI regulations and accelerates adoption of AI technologies. Ardent offers a low-code platform to automate privacy and AI governance, rapid discovery of sensitive data, and consent management, with a regional focus for global regulations.