February 18, 2026 - by Pamela Langham

Maryland Online Data Privacy Act

The Maryland Online Data Privacy Act of 2024 (Act) establishes regulations for the processing, protection, and management of consumer personal data by controllers and their data processors. The Act took effect on October 1, 2025, but will not be enforced until April 1, 2026. The new law establishes protections for the personal data of Maryland residents by setting standards for how businesses (controllers and service providers of personal data) collect, process, and share information. The law grants consumers a host of rights, including the ability to access, correct, delete, and transfer their personal data, as well as opt out of targeted advertising, the sale of their data, and automated profiling. This article provides an overview of the Act for organizations that must comply with the new requirements and for Maryland consumers. To understand the full scope of the Act, we must first look at which organizations and individuals fall under its jurisdiction.

Applicability

The Act applies to any person or organization, including nonprofits, that conducts business in Maryland or provides products or services targeted to Maryland residents, that controlled or processed the personal data of at least 35,000 consumers in the preceding calendar year (excluding data solely for payment transactions). Additionally, it applies to any person or organization that controlled or processed the personal data of at least 10,000 consumers and derived more than 20% of gross revenue from the sale of personal data. 

While the Act’s scope is broad, certain organizations are explicitly exempt from its provisions. Those include the federal government, the Maryland state government, and all of its administrative, executive, and legislative units or subdivisions. Other entities exempted include, among others, financial institutions subject to Title V of the Gramm-Leach-Bliley Act (GLBA), national securities associations registered with the Securities and Exchange Commission or the Federal Commodity Exchange Act, and nonprofit controllers processing or sharing personal data solely for assisting law enforcement or first responders.

Controllers

The Act defines a controller as a person or entity that, alone or jointly with others, determines the purpose and means of processing personal data. Personal data is defined as any information that identifies a person or can be linked to a person, including home address, driver’s license number, passport information, bank account number, and usernames and passwords. 

Controllers have multiple responsibilities under the Act. Controllers are responsible for ensuring compliance with the Act, including providing privacy notices to consumers explaining what data is being collected, why it is processed, and with whom it is shared. Controllers must allow consumers to access, correct, or delete their data. Controllers are obligated to respond promptly to consumer requests and appeals, limit data collection to only what is necessary, and implement robust security measures to protect data integrity and confidentiality. 

Among these comprehensive responsibilities, the processing of sensitive personal data is subject to an even higher standard of care. Consent is required for processing sensitive data. The Act defines sensitive data as personal data revealing racial or ethnic origin, religious beliefs, consumer health data, sex life, sexual orientation, status as transgender or nonbinary, national origin, citizenship or immigration status, genetic data, biometric data, personal data of children, and precise geolocation data.

Controllers must not discriminate against consumers who exercise their rights, and must not process data in ways that disadvantage protected groups.

When a controller uses a data processor, formal contracts are necessary to ensure compliance with the Act’s data-handling standards. 

Controllers are required to conduct regular data protection assessments for activities that pose risks, such as targeted advertising or profiling, and maintain oversight of de-identified data shared with third parties. Controllers shall limit the collection of personal data and provide clear privacy notices and mechanisms for consumers to exercise their rights. In parallel with the obligations on controllers, the Act is fundamentally structured around granting new, enforceable rights to individuals whose data is processed: consumers.

Consumers

The Act defines consumers as individuals who are Maryland residents. The term “consumer” does not include individuals acting in a commercial or employment context. Consumers have the right to inquire whether a controller is processing their personal data, access their personal data, correct inaccuracies in their personal data, delete their personal data unless retention is required by law, obtain a copy of their personal data in a portable format, and receive a list of third parties to whom their data has been disclosed. Consumers may also opt out of targeted advertising, the sale of personal data, and profiling for automated decisions with significant effects. Controllers are required to comply with these requests unless specific exceptions apply.

Exercising these rights follows a defined process that includes specific deadlines for the controller's response and provisions for appeals. Consumers can exercise their rights under the Act by submitting a request through the controller's designated channel. Controllers must respond to consumer requests within 45 days of receiving the request, with an additional 45-day extension available, provided the consumer is informed of the extension and the reason within the first 45 days. If a controller declines to act on a consumer’s request, it must inform the consumer within 45 days and provide instructions for appealing the decision.

Consumers may designate authorized agents to act on their behalf. If appeals are denied, controllers must provide a means to submit complaints to the Division of Consumer Protection within the Maryland Office of the Attorney General. Failure to adhere to any of these requirements for controllers or processors carries significant legal and financial consequences. 

Violations

Violations by controllers or processors will be considered an unfair, abusive, or deceptive trade practice under the Maryland Consumer Protection Act (MCPA). This means the Division of Consumer Protection within the Maryland Office of the Attorney General (Division) is responsible for enforcing the Act, handling consumer complaints, and overseeing compliance with privacy regulations. Penalties may include civil fines of up to $10,000 per violation, and if a controller or processor repeats the same violation, the fine may increase to up to $25,000 per subsequent violation.

Consumers can visit the Maryland Office of the Attorney General’s website for clear explanations of their rights under the Act. The site also provides guidance for businesses and organizations (controllers and processors) on how to comply with the law.   

Conclusion

The Act represents a significant shift in the state’s approach to digital privacy. Effective April 1, 2026, it imposes comprehensive obligations on organizations, known as controllers and processors, that conduct business in Maryland and meet specific consumer data thresholds. The law has broad applicability, including exemptions and specific duties for controllers, particularly regarding the collection and consent for sensitive personal data. The Act empowers Maryland residents with new rights, from the ability to access and correct their data to the ability to opt out of targeted advertising, all backed by a structured process for requesting removal or correction. Enforcement by the Division, with potential monetary penalties, underscores the seriousness of the regulatory approach. Lawyers representing organizations subject to the law need to properly advise on the Act’s expanded consumer rights, including setting up a structured process for data requests. Furthermore, legal counsel should review contracts with third-party data processors to ensure compliance across the organization’s data-handling ecosystem. Lawyers representing consumers need to understand the nuances of the law to help their clients effectively understand their rights and assist them in filing data requests or a formal complaint with the Division.

______________

For further reading, see What to Know About Maryland’s Consumer Data Privacy Act, Aracri, Colleen, MSBA Website, April 19, 2024.