Since 2018, which is when California first passed the California Consumer Privacy Act, 18 other US states have enacted their own comprehensive data privacy laws.
The International Association of Privacy Professionals diligently maintains an incredibly useful US state privacy legislation tracker, which I make sure to check every couple of weeks.
But remembering the nuances between these laws is nearly impossible. (A few privacy lawyers have confided in me that even they’re losing track.)
Maybe a privacy-themed version of the “Fifty Nifty United States” song would help?
🎶 California, Colorado, Connecticut, Delaware, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah and Virginia! 🎵 🤘
State of play in Maryland
To be fair, there’s a decent amount of overlap between many of these laws.
Utah and Virginia, for example, define a “sale” as “the exchange of personal data for monetary consideration by a controller to a third party.” Connecticut, Colorado and California, meanwhile, have a similar definition but add the extra nuance of “monetary or other valuable consideration.”
But there are many significant differences.
Take the Maryland Online Data Privacy Act (MODPA), which passed in April and goes into effect on Oct. 1, 2025.
Most of the provisions within MODPA are similar to other state privacy laws, including how it defines a sale. But there are also provisions – the ones pertaining to the treatment of sensitive data – that make it one of the toughest privacy laws in the US so far.
Sensitive state of affairs
In fact, there are certain aspects of Maryland’s law that are stricter than California’s, which is considered the granddaddy of comprehensive US state private legislation.
In California, residents have the right to opt out of and limit the use and disclosure of sensitive personal information, such as racial or ethnic origin, sexual orientation, citizenship status, consumer health data, religious beliefs, biometric data and precise geolocation data.
But Maryland goes significantly further, says Julie Rooney, deputy general counsel and head of US privacy at OpenX.
MODPA outright bans the sale of personal data and places tight restrictions on the collecting, processing or sharing of personal data, unless it’s “strictly necessary to provide or maintain a specific product or service requested by the consumer.”
“‘Strictly necessary’ is very stringent language and very limiting if you take it at its word,” Rooney says. “Meanwhile, there’s simply a blanket prohibition on selling sensitive data with no exceptions – and that’s unique.”
Unique and ironclad.
“No other state has implemented such a complete prohibition,” says Gary Kibel, a partner at Davis+Gilbert. “As drafted, you can’t even sell sensitive personal information with consent from the user!”
‘Requested by the consumer’?
And MODPA also pushes the envelope with data minimization.
Under the law, controllers are only allowed to collect personal information that is both “reasonably necessary and proportionate” to provide or maintain a product or service “requested by the consumer.” This appears to mean that unless you actually need the data to fulfill a consumer’s request, you can’t collect it.
“That’s a higher bar than other state laws,” says Ron De Jesus, field chief privacy officer at data governance and privacy platform Transcend.
It’s also a somewhat ambiguous bar. The law doesn’t get into detail about what exactly “requested by the consumer” means, Rooney says.
“That piece is confusing,” she says. “Do you need consent? Or is personalized advertising fine as long as someone is getting something they’ve requested, like a streaming service? It’s just not clear.”
High bar, low threshold
What is clear, though, is that businesses shouldn’t sleep on getting ready for MODPA compliance.
That’s because MODPA has the lowest applicability threshold of any state privacy bill.
“Many businesses that have never dealt with data privacy regulations might be in for a rude awakening,” De Jesus says.
The law covers any business that controls or processes the personal data of at least 35,000 consumers or that controls or processes the personal data of at least 10,000 consumers and derives more than 20% of its gross revenue from the sale of that data.
So, what’s the best strategy for complying with Maryland’s new privacy law by next October?
“Hire really smart outside counsel 😊,” Kibel says.
(Gary added that smiley emoji himself.)
🙏 Thanks for reading! For our US-based readers, have a great long Labor Day weekend next week. I can only hope you have as much fun as this little guy is clearly planning to have. As always, feel free to drop me a line at allison@adexchanger.com with any comments or feedback.
