The Maryland Online Data Privacy Act (MODPA) was signed into law in May 2024 and went into effect on October 1, 2025. The MODPA grants Maryland residents broad rights over their personal data and imposes strict requirements on covered businesses, including data minimization and processing limits.
MODPA applies to entities doing business in Maryland or offering products/services to Maryland residents that process the personal data of at least 35,000 Maryland consumers annually, or process data of at least 10,000 Maryland consumers and earn over 20% of gross revenue from selling personal data. Most dealers do not earn revenue from selling consumer data, but most Maryland dealers are likely to meet the 35,000 consumer threshold.
MODPA does not apply to business data or employee data. It does contain an exemption for entities and data that are subject to the Gramm-Leach-Bliley Act (GLBA). While this exemption should provide an argument for many Maryland dealers that some of their activities are outside the scope of the new law, the exact contours of this exemption are untested and unclear. In fact, many other states with similar exemptions routinely apply their state privacy laws against dealers.
Many dealers choose to comply with state privacy laws, regardless of the possible exemption, because these laws are becoming the de facto consumer protection standard in their state, in addition to customer expectations regarding privacy rights. In addition, OEM or lender contracts may require dealers to comply. It is also particularly complicated for multi-state dealer groups who must comply with a patchwork of state laws, and therefore often prefer a uniform approach to compliance with MODPA and other state privacy laws. For all these reasons and more, it is prudent for all Maryland dealers to take steps to comply with MODPA.
Download Bulletin PDF