19 September 2025

Maryland's New Privacy Regulation Sets A New Standard For Data Minimization

Ankura Consulting Group LLC


Ankura Consulting Group, LLC is an independent global expert services and advisory firm that delivers end-to-end solutions to help clients at critical inflection points related to conflict, crisis, performance, risk, strategy, and transformation. Ankura consists of more than 1,800 professionals and has served 3,000+ clients across 55 countries. Collaborative lateral thinking, hard-earned experience, and multidisciplinary capabilities drive results, and Ankura is unrivalled in its ability to assist clients to Protect, Create, and Recover Value. For more information, please visit ankura.com.

The Maryland Online Data Privacy Act (MODPA) raises the bar for data minimization in the United States, placing clear boundaries on how businesses may collect and process personal information. Unlike many other state privacy laws, MODPA ties data practices directly to consumer expectations, making it one of the most consumer-centric privacy frameworks in the country. Companies have recognized this and are now scrambling to make sure that they address these new requirements in a way that can be documented and shared if a regulator asks them to demonstrate compliance.

Consumer-Centric Scope

Under MODPA, businesses can collect and process only the personal data that is "reasonably necessary and proportionate" to provide or maintain a specific product or service explicitly requested by the consumer. This means companies cannot rely on broad consent or general business needs to justify excessive data collection.

Stricter Standard for Sensitive Data

The law goes further when it comes to sensitive personal data, including details such as race, ethnicity, sexual orientation, citizenship, precise geolocation, or health information. For these categories, the threshold rises to "strictly necessary," regardless of consumer consent. This makes MODPA notably stricter than other state privacy laws that often allow consent to override necessity.

No Consent Override for Sensitive Data

Even if consumers explicitly agree, businesses may not collect or process sensitive personal data unless it is strictly required to deliver the product or service they requested. By removing consent as a fallback option, MODPA reinforces a protective, rights-first approach to data governance.

Permitted Processing for Specific Purposes

While the law emphasizes limitation, MODPA recognizes that certain back-end activities are essential for both consumers and businesses. Controllers and processors may engage in processing that is reasonably necessary and proportionate for purposes such as:

  • Fraud prevention and detection.
  • Investigating and responding to security incidents.
  • Internal operations that are reasonably anticipated by consumers.

Practical Guidance for Meeting Data Minimization Requirements Under Maryland's MODPA

1. Review and Update Data Inventory:

  • Create or update a data inventory to identify data elements collected from consumers.
  • Identify and understand sensitive data collected from consumers and tag it appropriately in your data inventory.
  • For each data element collected from the consumer, be sure to tie it to a specific product or service explicitly requested by the consumer, or to another limited purpose that could include fraud prevention and detection, investigating and responding to security incidents, or internal operations reasonably anticipated by consumers.

2. Apply Necessity Tests:

  • Ensure data is necessary for service delivery.
  • Only collect sensitive data if strictly necessary for providing a service.
  • Avoid relying solely on consent for processing sensitive data.

3. Update Data Governance:

  • Revise policies to align with MODPA requirements.
  • Limit use of consumer data to necessary purposes.
  • Update vendor contracts to adhere to data minimization standards.

4. Embed Minimization in Practices:

  • Implement data minimization by design in products.
  • Restrict access to sensitive data based on need.
  • Limit data retention to necessary durations.

5. Prepare for Compliance Reviews:

  • Document necessity of collected data.
  • Conduct privacy impact assessments (PIAs) for high-risk activities.
  • Train employees on MODPA standards for data handling.

Why MODPA Matters

By embedding strict data minimization requirements into law, MODPA moves beyond transparency and notice requirements, forcing businesses to rethink their data strategies. Companies operating in Maryland must not only disclose their practices but also demonstrate necessity at every stage of data processing, particularly with sensitive information.

As privacy laws continue to evolve across the U.S., MODPA's "necessity-first" approach could set the tone for stronger consumer protections nationwide.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
