Maryland Online Data Privacy Act (MODPA)

Legal Disclaimer

The below is not legal advice, but rather guidelines based on the current text of the Maryland Online Data Privacy Act (MODPA). These guidelines may change over time to reflect updated best practices. You should consult with your own counsel, privacy professionals, and/or internal resources to determine a comprehensive and appropriate solution for your business and your marketing activities.

The Maryland Online Data Privacy Act (MODPA) is a law that addresses the privacy rights of Maryland consumers and imposes stringent obligations on businesses that collect and process personal data of Maryland residents, particularly with respect to data minimization, sensitive data, restrictions on the sale of data, and protections for minors. The MODPA went into effect on October 1, 2025, with enforcement beginning on April 1, 2026.

 

Key MODPA Requirements

MODPA imposes the following core obligations on businesses that must comply with the law:

 

Data Minimization

Under MODPA, NextRoll customers must limit their collection of personal data from consumers to what is reasonably necessary and proportionate to provide or maintain a specific product or service requested by the consumer to whom the data pertains. Please note that the MODPA does not explicitly define “reasonably necessary and proportionate” and there is not yet guidance from the Maryland AG on how this requirement will be interpreted in the advertising context. Some legal and privacy experts believe that consent-based behavioral advertising data collection may be permissible under MODPA so long as the data collected is not sensitive personal data. For this reason, you may see consent banners addressing MODPA for site visitors with a Maryland IP address. Please consult with a legal or privacy expert to determine what is right for your business.

 

Purpose Limitation

Businesses subject to MODPA may only process personal data for the purpose(s) that are reasonably necessary to, or compatible with, the purpose(s) disclosed to the consumer unless the business obtains the consumer’s consent.

Specifically, Section 14–4607 (A) (7) of the MODPA says that “a controller may not . . . [u]nless the controller obtains the consumer’s consent, process personal data for a purpose that is neither reasonably necessary to, nor compatible with, the disclosed purposes for which the personal data is processed, as disclosed to the consumer.”

 

Defining Sensitive Data under MODPA

Under MODPA, sensitive data is broadly defined and includes “data revealing . . .”

  • racial or ethnic origin;
  • religious beliefs;
  • consumer health data;
  • sex life;
  • sexual orientation;
  • status as transgender or nonbinary;
  • national origin;
  • citizenship or immigration status;
  • genetic data or biometric data;
  • personal data of a consumer that the controller knows or has reason to know is a child; and
  • “precise geolocation data.”

Precise geolocation data is defined as information derived from technology that can precisely and accurately identify the specific location of a consumer within a radius of 1,750 feet and includes GPS-level latitude and longitude coordinates or other similar mechanisms.

 

Explicit Opt-In Consent Required to Collect Health Data and Other Sensitive Data

MODPA requires that consumers opt in to the processing of sensitive data. Accordingly, your company’s data collection may trigger MODPA if your website pages pertain to a visitor’s health or reveal a site visitor’s mental or physical health status, since under MODPA, consumer health data includes “personal data that a controller uses to identify a consumer’s physical or mental health status.”

 

Sensitive Data Restrictions

Businesses that must comply with MODPA may only collect, process, and share sensitive data if it is strictly necessary to provide a specific product or service requested by the consumer. Similar to the data minimization standard, MODPA does not define “strictly necessary.” NextRoll customers should also note that MODPA prohibits the sale of sensitive data.

 

Minor Data Protections

MODPA imposes strict requirements on the use of minor data. Specifically, the law prohibits the following:

  • Targeted advertising to minors under 18.
  • Selling the personal data of a minor under 18.

 

Privacy Notice Disclosures

MODPA requires that businesses clearly disclose the following in their privacy notices:

  • Categories of personal data collected
  • Purposes of processing
  • Categories of personal data shared with third parties
  • Categories of third-parties with which personal data is shared
  • Consumer rights and opt-out methods
  • Whether data is sold or used for targeted advertising or profiling

 

Consumer Rights

Consumers have the right to know, access, correct, delete, and obtain a copy of their data. Additionally, businesses subject to MODPA must provide consumers with the ability to opt out of targeted advertising, the sale of personal data, and profiling in furtherance of solely automated decisions that produce legal or similarly significant effects on the consumer.

 

Universal Opt-Out Signals

Businesses subject to MODPA must recognize and honor browser-based opt-out signals, sometimes referred to as the Global Privacy Control (“GPC”). NextRoll’s technology recognizes and honors GPC signals. Please ensure that any other collection of personal data on your site, by your company or by other third parties, also honors GPC.

 

Does your company need to comply with MODPA?

If you do business in Maryland, including operating a website that’s accessible to Maryland residents, you may need to comply with MODPA. MODPA focuses on whether your business collects the personal data of Maryland consumers. Therefore, the law may apply to your business even if your business is located in a state other than Maryland or a country other than the United States.

However, not all businesses are subject to Maryland laws. Only businesses that conduct business in Maryland or produce products or services targeted to Maryland residents and meet the following criteria must comply:

  • Control or process the personal data of 35,000 or more MD consumers; OR
  • Control or process the personal data of 10,000 consumers in a year AND derive 20% or more of its gross revenue from the sale of personal data.

Some health and financial businesses that are already operating under federal data security laws and HIPAA are exempt from complying with MODPA in certain circumstances. For example:

  • Health providers and insurers are already under HIPAA.
  • Banks and financial companies covered by Gramm-Leach-Bliley.
  • Credit reporting agencies operating under the Fair Credit Reporting Act.

 

How NextRoll and AdRoll comply with MODPA

The following addresses the ways in which NextRoll via AdRoll complies with MODPA.

  • Privacy Notice Disclosures. NextRoll’s Privacy Notice includes the required notice and disclosure provisions. NextRoll will continue to update its Privacy Notice as necessary.
  • Consumer Opt-Outs: Interest-Based Advertising. NextRoll honors consumer choices with regard to their data. Consumers can opt-out of interest-based advertising. NextRoll’s interest-based advertising opt-out is available:
  • Consumer Opt-Outs: Sale of Data. NextRoll also allows users to opt out of the sale of their personal information. Aside from data used for interest-based advertising mentioned above, the data that is sold by NextRoll is pursuant to NextRoll’s Contact Data product, which sells consumer business emails. This opt-out is available in the footer of NextRoll websites.
  • NextRoll Terms of Service. In addition, NextRoll’s Terms of Service require its customers to include disclosures in their privacy notices that specify the data collected by NextRoll.
  • Global Privacy Control (GPC). NextRoll’s Technology recognizes and honors Opt-Out Preference Signals, such as GPC. This means that NextRoll will not share or sell personal information from consumers who communicate an Opt-Out Preference Signal through the GPC mechanism.
  • Consumer Data Requests. Consumers can make data requests on NextRoll’s privacy request webpage or via the toll-free number: 1-833-611-1920.

 

How you can comply with MODPA

Privacy Notice Disclosures

Section 7 of NextRoll’s Terms of Service lays out customer data privacy obligations. Specifically, it sets forth the disclosures customers must make in their privacy notices, as required under various privacy laws, such as MODPA. These requirements include:

  • Disclosing the categories of data collected by NextRoll, and the purposes for which data is collected and used by NextRoll;
  • Instructions on how end users can opt out of receiving interest-based advertising; and
  • Instructions on how end users may opt out of receiving targeted advertising.

 

Consumer Opt-Outs

Under MODPA, NextRoll customers are considered to be “sharing” data with NextRoll because NextRoll provides targeted advertising. Therefore, NextRoll customers who are required to comply with MODPA must allow Maryland consumers to opt out of targeted advertising by either:

  • including an opt-out on their website; OR
  • ensuring NextRoll’s Global Privacy Control technology covers all instances of selling or sharing by the company. Please note that a company cannot rely on Global Privacy Controls handled by NextRoll’s technology if the company shares or sells personal information for any activity beyond targeted advertising or with another party.

 

Opt-in Banners

NextRoll does not provide legal advice, but we can assist in configuring technology to facilitate the use of opt-in banners for compliance within your company. For more information, please contact support@adroll.com.

 

Pixel Placement

To ensure compliance with laws restricting the collection of consumer health data or sensitive personal data, like MODPA, review the placement of the AdRoll pixel on your website to avoid collecting personal data on pages containing health-related information or information revealing mental or physical condition or status of site visitors. For guidance, please reach out to support@adroll.com.

 

Geoblocking

NextRoll can block data collection for website visitors from Maryland based on the IP address of the website visitor. Customers can decline the option to geoblock data collection from visitors in Maryland by confirming independent compliance with MODPA. You know your business best and you may have a Maryland-oriented consent banner or your business may take other compliance measures you deem available to comply with MODPA. NextRoll will continue to monitor enforcement of MODPA and any guidance from the Maryland AG on how to interpret MODPA and will provide notice of geoblocking or consent banners in Maryland (or other solutions deemed appropriate) when and if guidance is provided by the Maryland AG.

 

Available Advertising Options without Pixel Data Collection

NextRoll can still serve ads to Maryland consumers, or to consumers from any state for which a customer elects to geoblock the collection of personal data.

Our current CTV, Direct-out-of-Home (“DOOH”), Experian-Audiences, and Contextual and Key Word advertising do not rely on data derived from NextRoll’s technology and/or online data addressed by MODPA and other US State privacy laws. Reach out to support@nextroll.com with a “geoblocking question” so we can assist you with these solutions.

 
