© 2026 Inori Inc.

Maryland Online Data Privacy Act (MODPA)

Maryland's comprehensive privacy law — the most restrictive after California — notable for abandoning notice-and-choice in favor of a data-minimization-first model limiting collection to what is strictly necessary for the service.

Overview

The Maryland Online Data Privacy Act (MODPA), codified at Md. Code Ann., Com. Law § 14-4601 et seq. and enacted as SB 541/HB 567 (2024), is the most restrictive comprehensive state privacy law after the CCPA. Its signature distinction is a paradigm shift: while most state laws operate on a notice-and-choice model (disclose purposes and allow opt-out), Maryland adopts a data-minimization-first model — collection is limited to what is strictly necessary to provide the product or service the consumer requested. Processing for analytics, marketing, or personalization is not justified simply by disclosing it.

The law took effect October 1, 2025; processing obligations began April 1, 2026.

Applicability thresholds are among the lowest in the country: (a) 35,000+ Maryland consumers processed per year, or (b) 10,000+ consumers AND 20%+ of gross revenue from data sales.

Exemptions cover HIPAA- and GLBA-regulated entities, non-profits, higher education, data already regulated under FCRA/DPPA/FERPA/COPPA, and employee/B2B data.

Consumer Rights

  • Right to confirm and access
  • Right to correct
  • Right to delete
  • Right to portability
  • Right to opt out of sale, targeted advertising, and profiling
  • Right to appeal

Compliance Requirements

The minimization-first model has direct architectural implications:

| Standard (VA/CT/CO) | Maryland |
|---|---|
| Collect what's "adequate, relevant, reasonably necessary" for disclosed purposes | Collect only what's strictly necessary for the requested product/service |
| Controller defines purposes | Collection tied to core service — extra purposes don't justify collection |
| "Nice to have" is permitted if declared | "Nice to have" is prohibited |
| Focus on transparency | Focus on intrinsic limitation |

In practice, every data field must be tagged with a purpose classification (purpose:core_service vs. purpose:analytics, purpose:marketing), and for Maryland residents the system must collect only core_service fields by default. Additional fields require explicit opt-in consent.

Sensitive data requires opt-in consent. Honoring Global Privacy Control (GPC) or another universal opt-out mechanism (UOOM) is mandatory. DPIAs are required for high-risk processing.

Cure Period + Enforcement

The Maryland AG holds exclusive enforcement authority. Penalties reach $10,000 per violation, rising to $25,000 per subsequent violation, an escalating tier that is among the highest nationwide. The 60-day cure period is currently active and shrinks to 30 days on April 1, 2027.

How Inori Addresses This

Inori already operates close to the minimization-first model because the platform is narrow in scope:

  • Data inventory: Each collected field (name, email, organization, certificate content, usage telemetry, payment token) maps to core_service — the platform cannot perform COI compliance analysis without them. Analytics beyond billing/capacity are opt-in.
  • Notice: src/content/legal/privacy.mdx v1.2 discloses that certificate content is used solely for compliance analysis and not for training AI models.
  • GPC (mandatory): middleware.ts:respectGpc honors Sec-GPC: 1; analytics (PostHog) and error monitoring (Sentry) are disabled for GPC sessions, aligning with Maryland's stricter non-core default.
  • DSAR: /api/dsar serves all MODPA rights with a 30-day SLA.
  • Hard purge: 90-day cron deletes tenant data after account closure.
  • Deferred: Field-level purpose tagging in the data-model schema and jurisdiction-conditional collection logic (if (jurisdiction === 'MD') → collect_core_only()) ship in a later sprint. Today, the platform's narrow scope means the practical delta is small.
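As an added illustration of the field-level purpose tagging described under Compliance Requirements and the jurisdiction-conditional collection logic listed as deferred above, the following TypeScript sketch shows one way such a minimization-first default can be built. This is example code written for this glossary entry, not Inori's middleware or data-model schema: the field list, the `CollectionContext` shape, the `parseGpc`/`allowedPurposes`/`minimizeRecord` names, and the choice to strip every non-core purpose for GPC sessions are assumptions. It goes slightly beyond the text by also failing closed on fields that carry no purpose tag at all.

```typescript
// Added example, not Inori's code: purpose-tagged fields with a Maryland
// minimization-first default, plus Sec-GPC handling. Schema and names are assumed.

type Purpose = "core_service" | "analytics" | "marketing";

// Constructed schema: every collectable field carries exactly one purpose tag.
// A field absent from the schema has no documented justification and is never stored.
const FIELD_PURPOSE: Record<string, Purpose> = {
  name: "core_service",
  email: "core_service",
  organization: "core_service",
  certificate_content: "core_service",
  payment_token: "core_service",
  usage_telemetry: "analytics",
  marketing_source: "marketing",
};

interface CollectionContext {
  jurisdiction: string;      // two-letter state code such as "MD" or "VA" (assumed shape)
  consented: Set<Purpose>;   // purposes the consumer explicitly opted into
  gpc: boolean;              // true when the request carried Sec-GPC: 1
}

// Sec-GPC is an opt-out signal only when its value is exactly "1".
// Header names are matched case-insensitively.
function parseGpc(headers: Record<string, string | undefined>): boolean {
  for (const [k, v] of Object.entries(headers)) {
    if (k.toLowerCase() === "sec-gpc") return v !== undefined && v.trim() === "1";
  }
  return false;
}

// Decide which purposes may drive collection for this request.
function allowedPurposes(ctx: CollectionContext): Set<Purpose> {
  const allowed = new Set<Purpose>(["core_service"]);
  if (ctx.jurisdiction === "MD") {
    // Minimization-first: non-core purposes only with explicit opt-in.
    for (const p of ctx.consented) allowed.add(p);
  } else {
    // Notice-and-choice baseline: disclosed non-core purposes are permitted by default.
    allowed.add("analytics");
    allowed.add("marketing");
  }
  if (ctx.gpc) {
    // Universal opt-out: this example drops every non-core purpose for GPC sessions,
    // mirroring the page's description of analytics being disabled when GPC is set.
    allowed.delete("analytics");
    allowed.delete("marketing");
  }
  return allowed;
}

interface MinimizedRecord {
  kept: Record<string, unknown>;
  dropped: string[];   // withheld field names; worth logging for the DPIA/audit trail
}

// Filter an inbound record down to the fields the context justifies.
// Untagged fields fail closed: throw rather than silently store them.
function minimizeRecord(record: Record<string, unknown>, ctx: CollectionContext): MinimizedRecord {
  const allowed = allowedPurposes(ctx);
  const kept: Record<string, unknown> = {};
  const dropped: string[] = [];
  for (const [field, value] of Object.entries(record)) {
    const purpose: Purpose | undefined = FIELD_PURPOSE[field];
    if (purpose === undefined) throw new Error(`untagged field rejected: ${field}`);
    if (allowed.has(purpose)) kept[field] = value;
    else dropped.push(field);
  }
  return { kept, dropped };
}

// Constructed sample: a Maryland resident with no opt-ins whose browser sends Sec-GPC: 1.
function runSample(): MinimizedRecord {
  const sampleHeaders = { "sec-gpc": "1", accept: "application/json" };
  const ctx: CollectionContext = {
    jurisdiction: "MD",
    consented: new Set<Purpose>(),
    gpc: parseGpc(sampleHeaders),
  };
  const sampleRecord = {
    name: "A. Example",
    email: "a@example.test",
    usage_telemetry: { pages: 3 },
    marketing_source: "newsletter",
  };
  return minimizeRecord(sampleRecord, ctx);
}

console.log(runSample());
// kept: name, email; dropped: usage_telemetry, marketing_source
```

The useful property is that the Maryland branch never has to enumerate what is forbidden: anything not tagged `core_service` is withheld unless the consumer opted in, which is the shape the statute's strict-necessity standard implies. Keeping the `dropped` list alongside the `kept` record gives the DPIA and any later audit a concrete record of what the system declined to collect and why.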

Related Concepts

See CCPA/CPRA for the only more restrictive peer, VCDPA and Colorado Privacy Act for the notice-and-choice baseline Maryland departs from, GPC for the mandatory signal, and DSAR for the request pipeline.


Related Terms

CCPA / CPRA (California Consumer Privacy Act / California Privacy Rights Act)

California's comprehensive consumer privacy laws giving residents the right to know, delete, correct, and opt out of the sale or sharing of their personal information. CPRA amended and expanded CCPA effective January 1, 2023.

Virginia Consumer Data Protection Act (VCDPA)

Virginia's comprehensive consumer privacy law — the second state law after CCPA — granting residents rights to access, correct, delete, and opt out of data sales. Served as the template for most subsequent state laws.

Colorado Privacy Act (CPA)

Colorado's comprehensive privacy law — the third state after California and Virginia — notable for being the first to formally approve Global Privacy Control as a Universal Opt-Out Mechanism and for pairing with the Colorado AI Act.

GPC (Global Privacy Control)

A browser-level signal (Sec-GPC: 1 HTTP header) that communicates a user's preference to opt out of the sale or sharing of their personal information. Legally recognized as a valid opt-out mechanism under CCPA/CPRA.

DSAR (Data Subject Access Request)

A formal request by an individual to a company to exercise their privacy rights — including accessing, correcting, deleting, or exporting their personal data — as provided by CCPA, CPRA, GDPR, and U.S. state privacy laws.