Maryland Online Data Privacy Act (MODPA)
A practical compliance guide for website owners. Learn what Maryland's privacy law requires and how to implement it on your site.
Who Must Comply
Conducts business in Maryland or targets Maryland residents, AND controls or processes personal data of 35K+ consumers (excluding payment transactions), OR controls or processes data of 10K+ consumers and derives 20%+ of gross revenue from selling personal data.
What Your Website Must Do
| Requirement | Status |
|---|---|
| Cookie consent banner | Recommended |
| Do Not Sell link | Required |
| Do Not Share link | Required |
| Honor GPC browser signals | Recommended |
| Universal opt-out mechanism | Not required |
| Sensitive data opt-in consent | Required |
Required Links & Notices
The MODPA requires the following links or notices to be visible on your website:
1. Do Not Sell or Share My Personal Data
2. Privacy Policy
Enforcement & Penalties
Key Things to Know
Maryland has enacted one of the strongest state privacy laws in the US. It is notable for having no cure period (the AG can enforce immediately), requiring data minimization, and prohibiting the sale of sensitive data entirely (not just requiring opt-in).
Data minimization: Maryland is the first state to require true data minimization — businesses may only collect data that is "reasonably necessary and proportionate" to the purpose disclosed. This goes beyond other states' opt-out models.
No sale of sensitive data: Unlike other states that require opt-in consent for sensitive data, Maryland prohibits the sale of sensitive data entirely. This is the strictest approach of any state.
How to Configure LegalBanner for MODPA
1. Create your site
   Sign up for free and add your website domain in the dashboard.
2. Set consent mode to "Opt-out"
   In Settings, select the consent mode that matches Maryland's requirements.
3. Install the snippet
   Add the one-line script tag to your website. The banner, opt-out links, and GPC support are automatic.
4. Generate your Privacy Policy
   Use the built-in policy wizard to generate a MODPA-compliant privacy policy.
Set up MODPA compliance in 5 minutes
LegalBanner handles Maryland privacy requirements automatically — cookie banner, opt-out links, and GPC support included.
Frequently Asked Questions
What makes Maryland's privacy law the strongest?
Maryland has no cure period (immediate enforcement), requires data minimization, prohibits sale of sensitive data entirely (not just opt-in), and has escalating penalties ($10K first, $25K subsequent). It is the most consumer-protective state privacy law.
What is the data minimization requirement?
Maryland requires businesses to collect only personal data that is 'reasonably necessary and proportionate' to the disclosed purpose. This is a higher standard than other states, which generally allow any collection with notice and opt-out.
When does the Maryland MODPA take effect?
The MODPA takes effect October 1, 2025.
Does Maryland require honoring GPC signals?
The MODPA does not explicitly require GPC support, but given the law's strict approach to data minimization, implementing GPC is strongly recommended.
What are the penalties for MODPA violations?
$10,000 per violation for first offenses, escalating to $25,000 for subsequent violations. There is no cure period — the AG can take immediate enforcement action.