

The Maryland Online Data Privacy Act (MODPA) is effective on October 1, 2025. While most U.S. state privacy laws (such as California, Virginia, and Colorado) require consent for sensitive data, Maryland goes further by prohibiting the processing of sensitive personal information (SPI) unless it is strictly necessary for delivering a requested service. Going beyond the consent model makes MODPA one of the strictest state privacy laws. It is all the more important that companies have a clear understanding of exactly what data is moving through the business, where it comes from, where it goes, and for what purpose. Under MODPA, a single missed data element can create cascading risk.
MODPA’s key departure from other states’ laws is the ban on unnecessary SPI processing. Sensitive personal information is not to be processed unless it is strictly necessary to fulfill a consumer’s specific request. This goes beyond consent, requiring organizations to justify processing with a documented business necessity. Until regulators or courts provide guidance on what “strictly necessary” means in practice, companies should prepare by fully understanding what SPI they collect and how they use it.
Sensitive data under MODPA includes racial/ethnic origin, health data, religious beliefs, sex life/sexual orientation, gender identity, immigration status, children’s data, geolocation, genetic/biometric identifiers, and more. While similar to other laws, Maryland’s ban amplifies the compliance burden by limiting processing, not just regulating it.
Since Maryland requires companies to prove that SPI processing is strictly necessary, businesses must create necessity assessments. Existing assessments must be updated, and new SPI use cases documented to withstand regulatory scrutiny.
MODPA prohibits selling the personal data of anyone under 18. If your company’s business model includes monetizing the data of people under 18 years old, key stakeholders will need to be involved to determine the business impact.
Privacy notices must be rewritten to align with the “strictly necessary” rule rather than consent. Data inventories must record SPI uses and necessity assessments. Third-party agreements should be reviewed to ensure SPI is shared only when strictly necessary and with adequate protections.
The vague “strictly necessary” requirement may create significant uncertainty for businesses. Legal teams must prepare for regulatory inquiries and monitor for guidance from the state. Since the standard is stricter than those of other states, Maryland is set to emerge as a testing ground for data minimization enforcement.
Privado AI is the modern privacy platform to reduce compliance risk at scale.