By Felicity Slater and Kate Black
The Maryland Online Data Privacy Act (“MODPA” or the “Act”), which takes effect October 1, 2025, establishes a set of novel requirements that will have a particular impact for companies operating in the health and wellness sectors.
Most notably, the MODPA:
Bans the “sale” of “sensitive data,” a term which is defined to include “personal data that a controller uses to identify a consumer’s physical or mental health status;”
Requires that entities only collect and process “sensitive data” when doing so is “strictly necessary to provide or maintain a specific product or service requested by the consumer;”
Forbids covered entities from geofencing “mental health” or “reproductive or sexual health” facilities for the purpose of identifying, tracking, collecting data from, or sending notifications to consumers about their health; and
Grants consumers the right to opt-out of “profiling” conducted for the purpose of making solely automated decisions resulting in the provision or denial of “health care services.”
The structure of the Act’s exceptions provides far less leeway for non-Health Insurance Portability and Accountability Act (HIPAA) covered entities than do the exemptions provided by certain other state comprehensive privacy laws.
Companies that collect and process health and wellness-related data will need to adapt their compliance programs to comply with the MODPA. Most critically, such entities must establish mechanisms to exclude sensitive data from sale data flows, to determine what data is “strictly necessary” for the provision of its products and services, and to exclude “sensitive data” that is not “strictly necessary” for such purposes from the scope of their collection and processing.
Applicability
The MODPA governs persons (not a defined term) that do business in Maryland or that target products or services as Maryland residents and that, during the prior calendar year, “(1) controlled or processed the personal data of at least 35,000 [Maryland residents] …or (2) controlled or processed the personal data of at least 10,000 [Maryland residents]…and derived more than 20% of its gross revenue from the sale of personal data.” §14–4602(1).
The Act exempts:
Protected Health Information (“PHI”) covered Health Information Portability and Accountability Act (“HIPAA”) but does not provide entity-level exemptions for HIPAA Covered Entities or their Business Associates;
Medical records data governed by Maryland’s medical records law, but only when that data is “held by an entity that is a covered entity or business associate under HIPAA;” and
Data that has been de-identified in accordance with HIPAA, but only when data was derived from HIPAA-covered Individually Identifiable Health Information (“IIHI”) or “personal information consistent with the human subject protection requirements of the U.S. Food and Drug Administration.” §14–4603(B)(1)-(6)
Requirements
The MODPA creates main two buckets of substantive requirements that will impact companies operating in the health and wellness spaces:
A set of restrictive obligations for companies that collect and process “consumer health data,” §14–460(I)(1), and
A separate set of requirements for the collection and processing of “sensitive personal data,” a term which it defines to include “consumer health data” as well as “genetic and biometric data” and data that reveals information about an individual’s “sex life.” §14–460(GG)
The MODPA’s “consumer health data”-specific requirements forbid covered persons from: (1) granting an employee or contractor access to “consumer health data” unless the employee or contractor is subject to a duty of confidentiality or confidentiality is a condition of their employment; (2) sharing “consumer health data” with a processor unless the processor signs a contract that meets the Act’s requirements (see §14-4608); or (3) geofencing a “mental health” or “reproductive or sexual health” facility “for the purpose of identifying, tracking, or collecting data from, or sending any notification to a consumer regarding the consumer’s consumer health data.” §14–4604(1)-(3)
The MODPA’s “sensitive data”-specific requirements (1) flatly prohibit the “sale” of “sensitive data” and (2) establish a novel data minimization standard, forbidding entities from collecting, processing, or sharing “sensitive personal information” unless such “collection or processing is strictly necessary to provide or maintain a specific product or service requested by the consumer to whom the personal data pertains.” §14–4607(A)(1)-(2)
It’s not clear how this data minimization standard will interact with the MODPA’s separate internal use exception, which could provide opportunities for entities to collect and process “sensitive data” for internal uses beyond those that are “strictly necessary” to provide the products and services that a consumer requests. This exception provides that an obligation imposed under the Act “may not restrict a controller’s or processor’s ability to collect, use, or retain personal data for internal use to: (iii) perform internal operations that are: 1. reasonably aligned with the expectations of the consumer or can be reasonably anticipated based on the consumer’s existing relationship with the controller; or 2. otherwise compatible with processing data in furtherance of: a. the provision of a product or service specifically requested by a consumer; or b. the performance of a contract to which the consumer is a party.” §14–4612(B)(2)
The Act requires controllers to conduct data protection impact assessments, or DPIAs, “for each of the controller’s processing activities that present a heightened risk of harm to a consumer.” “Heightened risk of harm” is defined for purposes of this section to include any processing of “sensitive personal data.” §14–4610(b) Finally, the MODPA requires controllers to provide details in their privacy notices about the categories of “sensitive personal data” that they process and share with third parties. §14–4607(D)
Consumer Rights
Along with standard rights to opt out of the processing of personal data for purposes of targeted advertising and sale, the MODPA gives consumers the right to opt-out of “profiling in furtherance of solely automated decisions that produce legal or similarly significant effects,” including decisions that result in the provision or denial of access to health care services. §14–4605(B)(7)
Enforcement
Violations of the MODPA’s requirements are deemed to violate the state’s consumer protection act and are enforceable by the Maryland Attorney General (the “MD AG” or the “AG”). The MD AG may, but is not required to, provide companies with a right to cure before bringing enforcement actions under the Act, if it determines that a cure is possible. §14–4613; §14-4614
Amendments
The Maryland Legislature is currently considering HB 1365, which would amend the MODPA’s restriction on the processing of personal data to align with those contained in other state comprehensive privacy laws. The amendment as currently drafted would not impact the Act’s sensitive data-focused restrictions.
Hintze Law PLLC is a Chambers-ranked and Legal 500-recognized, boutique law firm that provides counseling exclusively on global privacy, data security, and AI law. Its attorneys and data consultants support technology, ecommerce, advertising, media, retail, healthcare, and mobile companies, organizations, and industry associations in all aspects of privacy, data security, and AI law.
Felicity Slater is an Associate at Hintze Law PLLC. Felicity has experience with global data protection issues, including data breach notification laws, privacy impact assessments, GDPR, and privacy statements.
Kate Black is a Partner at Hintze Law PLLC and is chair of the firm’s Health and Biotech Privacy Group, and co-chair of the Regulatory Defense Group, and Artificial Intelligence and Machine Learning Group.
