The Maryland Online Data Privacy Act (MODPA), signed into law in 2024, is one of the most comprehensive U.S. state privacy laws. It applies to businesses that process the personal data of 100,000 or more Maryland residents, or 25,000 residents if the company derives at least 20% of revenue from selling personal data. This law sets strict requirements for data handling, user rights, and business accountability.

Key Features and Requirements

• Consumer Rights: Maryland residents have the right to access, correct, delete, and obtain a copy of their personal data.

• Opt-Out Options: Individuals can opt out of targeted advertising, data sales, and profiling that produces legal or significant effects.

• Sensitive Data: Businesses must obtain explicit consent before processing sensitive data like health, biometrics, race, or precise location.

• Data Minimization & Purpose Limitation: Companies must only collect data necessary for specified purposes.

• Impact Assessments: Required for high-risk processing activities, similar to GDPR’s DPIAs.

The law goes into effect October 1, 2025, giving businesses time to implement compliant processes.

Why It Matters

Maryland’s law sets a high bar for privacy, combining elements of GDPR and other U.S. laws like California’s CPRA. It emphasizes user autonomy, transparency, and accountability. Non-compliance may result in legal action by the Maryland Attorney General, making early adoption critical for risk mitigation and brand trust.

Key Enhancements

• Fewer Purposes: The number of data processing purposes has been reduced and simplified.

• Clearer Language: Purpose descriptions and vendor disclosures are written in more user-friendly terms.

• Vendor Accountability: Vendors must provide clearer, standardized privacy practices.

• UI Requirements: Consent UIs must be more informative and user-centric.

Compliance & Benefits

TCF 2.2 strengthens GDPR and ePrivacy alignment by reducing ambiguity in consent practices. It’s designed to improve user experience and ensure that consent signals are genuinely informed and freely given. Organizations using CMPs should upgrade to TCF 2.2 to stay compliant and avoid enforcement risks.

TCF 2.2 is especially important for businesses relying on programmatic advertising, personalized content, and cross-site tracking, ensuring transparency and legal integrity in the ad tech ecosystem.