Export Compliance Daily is a service of Warren Communications News.
Key Deadline in 4 Months

Maryland Privacy Law Compliance Isn't Impossible, Says Lawyer

Businesses are working toward compliance with Maryland’s comprehensive privacy law, despite its differences with 19 other states' comprehensive privacy laws, two McNees privacy attorneys said in an interview with Privacy Daily on Monday. Devin Chwastyk, who co-chairs the firm’s privacy and data security group, predicted “the phone will start ringing with more vigor” as the Maryland Online Data Privacy Act’s April 1 “enforcement deadline approaches.” In addition, he said MODPA may signal the end of “cookie-cutter” state privacy bills.


MODPA took effect on Oct. 1, but won’t apply to data processing activities until April 1, 2026. In addition, it gives the AG the option of providing a 60-day right to cure until that provision sunsets on April 1, 2027. However, MODPA’s major differences with other states' comprehensive privacy laws, including a prohibition on selling sensitive data and uncommon and broadly applicable data minimization requirements, have raised concerns that some businesses may leave the Maryland market rather than comply (see 2509290023). Some from industry have even asked DOJ to consider preempting MODPA (see 2509220061).

However, Chwastyk said complying with the Maryland law is doable. “If you’ve already worked on compliance with any of the other … U.S. state privacy laws, you’re probably in reasonably good shape, and it's just going to take some refinement of your privacy policy disclosures and then your actual practices.”

“If you are a Maryland company and have not in the past been concerned with consumer data privacy, it is more of a challenge,” added the lawyer, who wrote a series of blog posts on complying with MODPA. “But with four months to work on it, [it’s] certainly not anything impossible.”

“The push for compliance is driven by the potential enforcement of the law,” noted Chwastyk, citing a similar compliance “lag for businesses” after Europe’s GDPR and the California Consumer Privacy Act (CCPA) took effect. In Maryland, by “staggering the effective date and the period where enforcement will begin,” the state “gave businesses sort of a grace period … to get up to speed.”

McNees lawyers are already working with business-to-consumer clients to update privacy policies “in anticipation of that enforcement period beginning” April 1, 2026, which the firm treats as the first day that businesses need to be processing data in compliance with MODPA, even with the discretionary right to cure lasting another year, Chwastyk said.

One challenge experienced by clients so far has been finessing privacy policies to deal with “conflicting provisions between Maryland’s law and other states' laws,” said Kayla Bushey, another McNees privacy attorney.

For instance, “Maryland has very stringent data processing requirements and obligations when it comes to sensitive data,” which “can conflict with some of the norms that companies used in their privacy policies when they were complying with [California and laws in other states],” Bushey said. Under MODPA, businesses can’t sell sensitive data, whereas other states' laws allow consumers to provide consent for selling it, she said.

One unknown is how strictly the Maryland attorney general’s office will enforce MODPA. So far, the AG’s office has played its cards close to the vest, Bushey said. “Other than just letting consumers know what the law is on their website, I haven't seen a lot more actually from the Maryland AG, as opposed to other states that have been a lot more vocal about their intentions.”

However, Chwastyk advised looking at how other states enforce their laws. “What we tend to see in other states are data privacy investigations that follow on after a data security breach,” he said. “And one thing that the regulators are routinely looking for after a breach is documentation showing that the company has been conducting data protection impact assessments.”

“Any businesses that pay lip service to privacy compliance by updating the public-facing privacy policies on their website may not be operationalizing risk assessments and documenting that those have been conducted whenever a new product or service or a change in data collection practices arises,” added the privacy attorney. If a company experiences a hack -- especially one involving sensitive data -- but hasn’t “been undertaking those risk assessments systematically … that's where you will get an increased level of scrutiny from the regulators.”

Another wildcard with MODPA compliance is the possibility of Maryland’s legislature amending the law in its 2026 session starting Jan. 8. In 2025, a bill aimed at softening controversial aspects of MODPA stalled (see 2502100032). Also, some say there’s a chance the AG’s office could make rules to flesh out MODPA’s requirements (see 2509040040). Despite such uncertainty, Chwastyk said “the core concepts under these [state privacy] laws are pretty similar,” such as requiring disclosures “at the front end, at the point where you’re collecting data.”

Maryland’s additions to what’s typically been in comprehensive privacy bills could be the start of a trend, said Chwastyk, comparing the situation to what happened previously with states’ data breach notification laws. Those “started out as a cookie-cutter product in all the states that adopted them but gradually became customized to expand the definition of personally identifiable information or add data security requirements.”

Likewise, many of the 20 states now have “cookie-cutter consumer privacy laws” based on legislation that originally appeared in Washington state, though it never became law there, he said. Now, however, there’s “a little bit more maturity in the legislation” and “states are starting to customize and expand on that cookie-cutter template.”