Maryland Online Data Privacy Act (MODPA), ADM and profiling provisions
Effective date
Penalty
Violations treated as unfair, abusive, or deceptive trade practices under the Maryland Consumer Protection Act. Up to $10,000 for first violation; up to $25,…
Cure period
60 days
Obligations mapped
9 obligations
Overview
Statute effective October 1, 2025, but enforcement does not begin until April 1, 2026. The law does not apply to processing activities before April 1, 2026. Considered one of the strongest state privacy laws due to strict data minimization and a complete ban on selling sensitive data (not only opt-in consent). The threshold of 35,000 consumers is lower than most states. Controllers must handle profiling and automated decision-making with strong consumer protections, including documented risk assessments and opt-out rights. Impact assessments required per algorithm used in high-risk processing. Nonprofits are largely included. Universal opt-out signals required from day one. 60-day cure period with no sunset date in the current statute.
This is a privacy law with automated decision-making provisions.
See if this regulation applies to your company with the free exposure scan.
Who this applies to
This regulation applies to the following roles:
- Deployers and users of covered AI systems and tools
- Organizations operating in Maryland
This regulation applies to companies that use or deploy AI tools and systems built by other vendors. If your company uses AI-powered products in the areas listed below, this regulation may apply to you.
SB 541
AI categories covered
- Consumer-facing AI
- Automated decision-making
- Algorithmic profiling
Specific AI use cases:
- Customer profiling and segmentation
- Credit scoring and risk assessment
What this requires you to do
9 obligations identified from statutory analysis.
14-4605(F)
14-4605(B)(7)(III)
14-4608
14-4607(B)(1)(I)
14-4610
Regulation summaries are simplified for readability and may not capture every nuance of the underlying statute. Verify important details against primary sources linked on this page.
Enforcement and penalties
Violations treated as unfair, abusive, or deceptive trade practices under the Maryland Consumer Protection Act. Up to $10,000 for first violation; up to $25,000 for each subsequent violation.
Cure period: 60 days.
Penalty amounts are based on statutory text and may be subject to adjustment, judicial interpretation, or enforcement discretion.
Legislative history
effective
Enforcement begins. Law does not apply to processing activities before this date.
effective
Statute effective
signed
SB 541 passed Maryland General Assembly
Related regulations
- In EffectAI-Specific
Maryland HB 1202 (Facial Recognition in Hiring)
Prohibits creating facial templates of job applicants during interviews without signed consent. Where applicable, the waiver may need to include the applicant's name, interview date, consent to facial recognition use, and whether the applicant read the waiver. Scope is narrower than Illinois BIPA: it only covers facial recognition during interviews, not biometric data collection generally.
Effective
- In EffectAI-Specific
Maryland AI Governance Act of 2024 (SB 818)
Requires Maryland state agencies to inventory AI systems, conduct impact assessments, and follow DoIT policies for AI procurement and use. Applies to state government agencies only, not the private sector.
Effective
- In EffectAI-Specific
Maryland Nonconsensual Pornography Deepfake Expansion (SB 360)
Expands Maryland's revenge porn statute to cover AI-generated and computer-generated sexual imagery. Strengthens civil remedies for victims of synthetic intimate images.
Effective
- In EffectSector-Specific
Maryland Healthcare AI Utilization Review (HB 820)
May apply to AI tools used in healthcare coverage decisions, calling for determinations based on individual patient data rather than group datasets. Where applicable, final utilization review decisions may need to be made by a physician in the same specialty. Where applicable, carriers may need to report whether AI was used in adverse decisions. Does not ban AI in healthcare: where applicable it may require AI to use individual patient data and may mandate human physician final decisions.
Effective
Maryland AI regulation guide lists every tracked rule for this jurisdiction with timelines and obligation tallies.
Regulation summaries are simplified for readability and may not capture every nuance of the underlying statute. Verify important details against primary sources linked on this page.