Maryland’s Data Privacy Law Effective October 1, 2025 – Dealers Must be Ready

The Maryland Online Data Privacy Act (MODPA) was signed into law in May 2024 and goes into effect on October 1, 2025. The MODPA grants Maryland residents broad rights over their personal data and imposes strict requirements on covered businesses, including data minimization and processing limits.

To Whom Does the MODPA Apply? 

MODPA applies to entities doing business in Maryland or offering products/services to Maryland residents that process the personal data of at least 35,000 Maryland consumers annually, or process data of at least 10,000 Maryland consumers and earn over 20% of gross revenue from selling personal data. Most dealers do not earn revenue from selling consumer data, but most Maryland dealers are likely to meet the 35,000 consumer threshold. 

MODPA does not apply to business data or employee data. It does contain an exemption for entities and data that are subject to the Gramm-Leach-Bliley Act (GLBA).  While this exemption should provide an argument for many Maryland dealers that some of their activities are outside the scope of the new law, the exact contours of this exemption are untested and unclear. In fact, many other states with similar exemptions routinely apply their state privacy laws against dealers. 

Many dealers choose to comply with state privacy laws, regardless of the possible exemption, because these laws are becoming the de facto consumer protection standard in their state and because customers expect privacy rights. In addition, OEM or lender contracts may require dealers to comply. Compliance is also particularly complicated for multi-state dealer groups, which must comply with a patchwork of state laws and therefore often prefer a uniform approach to compliance with MODPA and other state privacy laws. For all these reasons and more, it is prudent for all Maryland dealers to take steps to comply with MODPA.

Consumer Rights Under MODPA

Much like other state privacy laws, MODPA grants Maryland consumers a series of rights with respect to their personal data. In particular, Maryland consumers can request that you (as a controller):

  • Confirm whether you are processing the consumer’s personal data.
  • Grant access to a copy of the consumer’s personal data.
  • Correct inaccuracies in the consumer’s personal data.
  • Delete the consumer’s personal data.
  • Provide a copy of the consumer’s personal data processed by the controller to the consumer in a portable and readily usable format.
  • Opt out of the processing of personal data for targeted advertising, the sale of personal data, and profiling in furtherance of solely automated decisions.

Under MODPA, you must respond to requests within 45 days of receipt, with an extension of 45 days if reasonably necessary. Further, the consumer can request a free copy of the response within a 12-month period.

Additional Provisions 

MODPA also contains rules regarding “sensitive data” and data minimization.

  • Disclosing “sensitive data” is limited, and its sale is prohibited. Sensitive data includes information regarding race, ethnicity, religion, health, sex life, sexual orientation, transgender or nonbinary status, national origin, and immigration or citizenship status.
  • Using data of known or suspected minors (under 18) for targeted advertising is prohibited.
  • The law bans using geofences near mental or sexual health facilities to collect data or send notifications.

“Controller” Obligations 

In addition to consumer rights, MODPA places a series of obligations on Maryland businesses. You must:

  • Provide clear privacy policies.
  • Conduct data protection assessments for high-risk processing.
  • Limit data collection to what is “reasonably necessary” for the provision of the specific products or services requested, with a “strictly necessary” standard for sensitive data.
  • Establish, implement, and maintain reasonable administrative, technical, and physical data security practices, appropriate to the volume and nature of the personal data, to protect that data.
  • Provide a mechanism for the consumer to revoke consent that is as easy as the mechanism used to provide consent (where required under MODPA).
  • Enter into contracts with processors (service providers) that contain certain required provisions, including limiting the scope of the processor’s use of the personal data.

This last item (the requirement to enter into new contracts with all third parties with whom you share data, and to ensure that they adequately assist in responding to consumer requests) is perhaps the most sweeping obligation under MODPA, and the most difficult for most businesses. ComplyAuto does this for you, all of it. We have years of experience, and with over 10,000 dealer customers, we know how to get these agreements signed, and by whom.

Enforcement

MODPA gives sole enforcement authority to the Maryland Attorney General, who may treat a violation as an unfair, abusive, or deceptive practice under the Maryland Consumer Protection Act. The law does not provide a private right of action for consumers to sue. Violations can result in penalties up to $10,000 per violation and $25,000 for repeated offenses. A cure period of 60 days for alleged violations is available at the Attorney General’s discretion.

ComplyAuto Makes Compliance Simple

MODPA, like the other 18 currently effective state privacy laws, is complicated, and contains its own unique provisions. This can present tremendous challenges if you try to “do it yourself.”  

Keeping up with evolving state privacy laws can be overwhelming for dealerships. That’s why ComplyAuto has done the hard work for you. Our software is ready to keep you compliant with MODPA and other state privacy laws today. 

If you have questions about MODPA or want to learn more about how you can simplify your dealership’s compliance, reach out today. ComplyAuto is your trusted partner, and our software makes compliance straightforward and efficient, keeping you ahead of complex legal requirements.

Partnering with ComplyAuto is the smart choice for dealerships. Schedule a demo to learn more about our Privacy software to comply with MODPA today.
