Maryland may soon have a new online data privacy law that will change the obligations for many businesses providing services in the State.

For the past several years, Maryland legislators have attempted to enact a data privacy law akin to laws in fourteen other states. This year, a compromise bill might find its way to the Maryland governor.

Federal law provides very limited online data privacy requirements, spread across several laws such as the Health Insurance Portability and Accountability Act, the Gramm-Leach-Bliley Act, and the Children’s Online Privacy Protection Act. In order to protect the rights of consumers, several states have enacted more specific and stringent laws in recent years. These state laws vary on a range of issues, from what data can be collected by companies, and what rights consumers are given, and to the powers of enforcement.

The proposed legislation known as the Maryland Online Data Privacy Act of 2024 (“MODPA”) is a compromise bill between consumers and the business community. It provides strong protections for consumers—such as a firm data minimization requirement—while also omitting a private cause of action for violations. The data minimization requirement under MODPA, which limits collection of personal data to what is reasonably necessary to provide the service requested by the customer, sets it apart from nearly every other state with corresponding legislation.

Additionally, under the current draft of the MODPA, consumers could obtain and request corrections to their personal data, without the threat of discrimination. Consumers would also be able to opt out of the processing of personal data for the purposes of targeted advertising, and to request deletion of personal data. The MODPA prohibits processing of data for children under eighteen years of age, a step further than Federal Law that only extends to thirteen year-olds. Additionally, it requires the consent of consumers for the collection of sensitive data such as biometric data and geolocation information.

For businesses serving Maryland, the enactment of MODPA would require a change in privacy policies, consumer request response plans, and business plans based on data collection. Businesses that merely maintain electronic information related to their customers might have to reassess their approach to consumer data.

Even if MODPA is not passed during this Legislative Session, a similar law will inevitably be enacted in the near future. Businesses need to be prepared for more stringent regulations related to consumer data. If you are considering reassessing your approach to consumer data, contact Jonathan Saltzman at the Law Offices of Oren D. Saltzman, LLC for more information.

If you have any questions related to your data privacy obligations, you can contact us directly at