Maryland's Online Data Privacy Act (MODPA) introduces some of the nation's strictest data privacy regulations. Scheduled to take effect in October 2025, MODPA restricts how businesses, including healthcare organizations, collect, process, and manage sensitive personal data.
What happened
On May 9, 2024, Maryland Governor Wes Moore signed the Maryland Online Data Privacy Act (MODPA), making Maryland the seventeenth state to adopt a comprehensive data privacy law.
MODPA requires businesses, including healthcare organizations, to limit data collection to what is necessary and directly related to the product or service requested by the consumer. The limitation applies to personal data and sensitive information, such as race, ethnicity, and sexual orientation.
Furthermore, the law broadens the definition of biometric data, imposes stricter protections for consumer health and children’s data, and includes an anti-discrimination provision.
Ultimately, MODPA will take effect on October 1, 2025, applying to personal data processing activities from April 1, 2026.
Going deeper
Data minimization: MODPA imposes a strict data minimization requirement, demanding that data collection be closely tied to the product or service requested by the consumer. So, even with consumer consent, data collected for unrelated uses is prohibited.
In contrast, other states like California mandate transparency about data purposes but permit broader collection as long as the purposes are disclosed. Similarly, New York’s SHIELD Act limits data collection to identified purposes but offers greater flexibility compared to Maryland’s restrictions.
Sensitive data: The law restricts the collection, processing, and sale of sensitive personal data about race, ethnicity, and sexual orientation unless it is required for a consumer-requested product or service.
Moreover, MODPA requires HIPAA-covered entities, like healthcare providers, to implement confidentiality agreements.
Biometric data: MODPA’s definition of biometric data is more inclusive, encompassing any information used to identify a person, not just for identification purposes. It includes any biological characteristics used to authenticate an individual’s identity, not just those used for direct identification.
For example, if a fitness app collects facial recognition data to track user engagement, that data would be considered biometric under MODPA, even though it is not used for direct identification.
Children’s data: The law prohibits the sale and targeted advertising of data to children under 18. Moreover, the restriction applies regardless of whether the business is aware of the consumer's age, protecting younger users from data exploitation and intrusive marketing practices.
Anti-discrimination provision: MODPA prohibits businesses from using personal data to discriminate against consumers, preventing unequal access to services, higher prices, or other forms of bias.
For example, a healthcare provider cannot use sensitive personal information, like race or sexual orientation, to determine the quality or cost of care offered to a patient.
Why it matters
MODPA sets a new standard for data privacy and protection, especially health-related data, biometric data, and data related to children. With the advent of MODPA, Maryland aligns itself with the national shift towards protecting consumer data.
The bottom line
Businesses, including healthcare organizations, operating in Maryland, must reassess and possibly overhaul their data-handling practices to comply with MODPA by October 2025.
FAQs
What is MODPA, and when does it take effect?
MODPA, or the Maryland Online Data Privacy Act, is a data privacy law regulating the collection, processing, and sale of personal data, specifically sensitive information, including protected health information (PHI).
The law will give Maryland residents greater control over their personal data and impose stricter requirements on businesses that handle such data. MODPA will take effect in October 2025, giving businesses time to adjust their data-handling practices to comply with the new regulations.
What is PHI?
Protected health information (PHI) is any information that can be used to identify a patient and relates to their health status, treatment, or payment for healthcare.
Does MODPA overlap with HIPAA requirements?
Yes, both laws protect sensitive information, including health-related data. HIPAA specifically addresses PHI within the healthcare industry, while MODPA protects all types of sensitive personal data, including PHI, across various industries.
Healthcare organizations operating in Maryland must comply with HIPAA’s Privacy and Security Rules, as well as MODPA’s broader requirements, like implementing confidentiality agreements.
