Maryland’s Strict New Privacy Law Effective October 2025: What Companies Should Know

October 1, 2025
5 mins read
Steve Lappenbusch
Head of Privacy & Compliance at People Data Labs
Preparing for the Maryland Online Data Privacy Act

Summary of Key Privacy Requirements

  • The Maryland Online Data Privacy Act (MODPA) bans the collection, processing, or sharing of sensitive personal information (SPI) unless it is strictly necessary to provide or maintain a specific product or service the consumer has requested.
  • Maryland's definition of SPI includes health data, genetic and biometric data, sexual orientation, citizenship or immigration status, children's data, and precise geolocation, among other categories.
  • Consent is not enough. Businesses must be able to show that each SPI element is necessary for a product or service the consumer specifically requested.
  • Data protection assessments must include necessity assessments for all SPI processing. This is new, so your existing PIAs will almost certainly not cover it.
  • Companies cannot sell the personal data of a consumer they know, or should know, is under 18. For some companies, this affects the entire business model.
  • Privacy notices, third-party agreements, and data inventories must be updated to reflect MODPA obligations.
  • What "strictly necessary" means in practice remains uncertain and will likely be clarified through enforcement.

Background

The Maryland Online Data Privacy Act (MODPA) takes effect on October 1, 2025, although the statute states that it does not apply to processing activities that occur before April 1, 2026. Most U.S. state privacy laws treat sensitive data through a consent model: Virginia and Colorado require opt-in consent, and California gives consumers a right to limit its use. Maryland goes further by prohibiting SPI processing outright unless it is strictly necessary to provide a product or service the consumer requested. Moving beyond consent makes MODPA one of the strictest state privacy laws, and it makes it all the more important that companies know exactly what data moves through the business, where it comes from, where it goes, and for what purpose. Under MODPA, a single SPI element missing from the inventory can put an entire processing activity out of compliance.

Key Takeaways

Strictly Necessary Standard

MODPA's key departure from other state laws is the ban on unnecessary SPI processing. Sensitive personal information may not be processed unless it is strictly necessary to fulfill a consumer's specific request. This goes beyond consent: organizations must justify each processing activity with a documented business necessity. Until regulators or courts explain what "strictly necessary" means in practice, companies should prepare by establishing exactly what SPI they collect and how each element is used.

Broad Scope of Sensitive Personal Information

Sensitive data under MODPA includes racial or ethnic origin, health data, religious beliefs, sex life and sexual orientation, gender identity, citizenship or immigration status, children's data, precise geolocation, genetic and biometric data, and more. The categories resemble those in other state laws, but Maryland's ban amplifies the compliance burden by prohibiting most processing of these categories rather than merely regulating it.

Data Protection and Necessity Assessments

Because Maryland requires companies to show that SPI processing is strictly necessary, businesses must build necessity assessments into their data protection assessments. Existing assessments must be updated, and each new SPI use case must be documented well enough to withstand regulatory scrutiny.

Youth Data Prohibition

MODPA prohibits selling the personal data of a consumer the controller knows, or should know, is under 18, and likewise bars using that data for targeted advertising. If your company's business model includes monetizing data about people under 18, key stakeholders will need to be involved to determine the business impact.

Documentation: Notices, Inventories, and Contracts

Privacy notices must be rewritten to align with the “strictly necessary” rule rather than consent. Data inventories must record SPI uses and necessity assessments. Third-party agreements should be reviewed to ensure SPI is shared only when strictly necessary and with adequate protections.

Compliance Uncertainty

The vague "strictly necessary" standard creates real uncertainty for businesses. Legal teams should prepare for regulatory inquiries and monitor for guidance from the state. Because the standard is stricter than other states', Maryland is likely to become a testing ground for data minimization enforcement.

Action Items for Privacy Professionals

  • Begin necessity assessments for all SPI processing
  • Update data inventories to record necessity determinations, SPI usage, and Maryland residency where it is known
  • Revise privacy notices to reflect MODPA's requirements
  • Map every data flow of sensitive personal data and children's data into and out of your tech stack
  • Audit and renegotiate third-party contracts so SPI is shared only when strictly necessary and with adequate protections
  • Implement age screening and ensure no sale of, or targeted advertising using, data about people under 18
  • Train staff on the "strictly necessary" standard and document every product or marketing decision that touches SPI

Automate Privacy Assessments, Data Maps, and Risk Discovery with Privado.ai Agents

Privado.ai is the modern privacy platform to reduce compliance risk at scale.

  • Agentic Assessments: Populate entire assessments with agents that analyze any related documentation and contracts
  • Dynamic Data Maps: Build complete data maps without manual assessments by scanning code, websites, mobile apps, SaaS apps, and documentation
  • Web Auditor & App Auditor: Scan your websites and apps to verify CMPs, cookies, pixels, SDKs, and data flows are compliant with each privacy law
