Maryland’s Online Data Privacy Act goes into effect October 1st, 2025.
As of this writing, Maryland is the eighteenth state to adopt comprehensive data privacy legislation. Maryland’s law is one of the strictest in the nation, with a low applicability threshold, tough rules on sensitive data, and strong enforcement powers.
Who does it apply to?
The law applies to businesses that conduct business in Maryland or target Maryland residents if they process the personal data of:
- 35,000 consumers annually, or
- 10,000 consumers if more than 20% of revenue comes from selling data (a threshold lower than in most state laws).
Businesses that meet these thresholds are called “Controllers.” However, there are exemptions, including government agencies, financial institutions, nonprofits supporting law enforcement, and data already regulated under federal privacy laws such as HIPAA, FERPA, and the Gramm-Leach-Bliley Act.
What rights do consumers have?
Maryland residents gain the right to:
- Access and correct their data
- Request deletion
- Obtain data portability
- See which third parties receive their data
- Opt out of sales, targeted ads, and profiling
In addition, controllers must respond within 45 days and provide an appeals process for denied requests.
What obligations do businesses have?
Businesses must:
- Limit data collection to what is necessary
- Implement strong data security practices
- Provide an easy way to revoke consent within 30 days
- Honor universal opt-out mechanisms (UOOMs)
- Conduct impact assessments for high-risk processing
Moreover, the law prohibits the sale of sensitive data, targeted advertising to minors under 18, and the use of geofencing near health facilities. Geofencing is a type of location-based marketing or advertising. A mobile app or software using GPS, RFID, Wi-Fi, or cellular data defines a virtual geographic area, a “geofence.” When the device enters or leaves the fenced-in area, a marketing or advertising message is sent.
How will the law be enforced?
The Maryland Attorney General has exclusive enforcement authority. Violations may result in civil penalties of up to $10,000 per violation and $25,000 for repeat violations. However, businesses may be granted a 60-day cure period depending on the circumstances.

