Maryland MODPA AI Compliance 2026: Data Minimization & Profiling Rules
Every other state privacy law lets you collect broadly and give consumers an opt-out. Maryland's Online Data Privacy Act doesn't work that way — it caps what you can collect in the first place, no matter what the consumer consents to. If your AI product trains on user data or scores Maryland residents, that's a different compliance model than CCPA or VCDPA.
Does MODPA Apply to Your AI Product?
MODPA applies to businesses that conduct business in Maryland or target products and services to Maryland residents and that, during a calendar year:
- Control or process the personal data of 35,000 or more Maryland consumers, excluding data controlled solely to complete a payment transaction, OR
- Control or process personal data of 10,000 or more consumers and derive over 20% of gross revenue from the sale of personal data
That 35,000-consumer threshold is lower than most peer states, and it's a headcount, not a revenue floor — a free-tier AI tool can cross it fast. Unlike most other state laws, MODPA also has no separate carve-out that softens obligations for smaller processors of sensitive data; the minimization and sale-ban rules apply regardless of scale once you're in scope.
Data Minimization: The Rule That Changes AI Product Design
MODPA's headline provision limits collection and processing of personal data to what is "reasonably necessary and proportionate" to provide the specific product or service the consumer requested — a standard that applies independent of consent. Most US privacy laws treat consent as the master key: collect more, get more consent, keep going. MODPA doesn't give you that escape hatch.
For an AI company, this cuts against a common pattern: collecting broad behavioral or content data "to improve the model" beyond what the specific feature a user signed up for actually requires. Under MODPA, that broader collection needs its own reasonably-necessary justification tied to the product the Maryland consumer is using — a blanket "we use data to improve our AI" disclosure in a privacy policy is not, by itself, a minimization defense.
Sensitive Data: A Sale Ban, Not Just an Opt-Out
Near-total sale ban
MODPA prohibits selling sensitive data in nearly all cases — this includes health, precise geolocation, biometric, genetic, and status data such as immigration or citizenship status, and consumer data known to be under 18.
Consent gate for processing
Processing sensitive data at all requires consent, and that consent must be a clear, affirmative act, not a bundled or pre-checked default.
Under-18 targeted advertising ban
MODPA bans targeted advertising and the sale of data for consumers the business knew or should have known are under 18 — a stricter age line than the under-13 or under-16 thresholds common elsewhere.
AI-inferred sensitive data counts
If your model infers a sensitive category — health status, sexual orientation, immigration status — from otherwise non-sensitive inputs, that inferred output is itself treated as sensitive data under MODPA's broad definition.
Profiling Rights AI Companies Still Owe Maryland Consumers
On top of the minimization and sensitive-data rules, MODPA carries the now-standard state privacy toolkit for algorithmic decisions: consumers get the right to opt out of profiling used for decisions that produce legal or similarly significant effects — credit, employment, housing, healthcare, insurance, and education outcomes. If your AI scores or ranks Maryland consumers for any of those categories, you need an operational opt-out path, not just a policy statement.
MODPA Compliance Checklist for AI Companies
- ☐Count Maryland consumers against the 35,000 threshold
- ☐Calculate whether you cross 10,000 consumers + 20% revenue from data sales
- ☐Reassess quarterly — the 35,000 floor is easy to cross unnoticed on a growing free tier
- ☐Map every data field collected against the specific feature it serves
- ☐Flag any collection justified only by 'model improvement' with no per-feature tie
- ☐Remove or re-justify collection that exceeds what the requested product needs
- ☐Don't rely on consent language to justify minimization gaps
- ☐Inventory sensitive data categories, including AI-inferred sensitive outputs
- ☐Confirm no sensitive data is sold, directly or via data-sharing partnerships
- ☐Build affirmative, non-bundled consent flows for sensitive data processing
- ☐Block targeted advertising and data sale for known or suspected under-18 users
- ☐Build an opt-out mechanism for profiling feeding legal-or-significant-effect decisions
- ☐Document data flows across first-party systems and third-party AI vendors
- ☐Retain records the Maryland AG could request during an investigation
See where your AI product is exposed
RatedWithAI helps SaaS and platform teams surface compliance and trust gaps across their web properties. Start with a free scan to understand how your product presents to users and regulators alike.
Scan Your Product for Free →Frequently Asked Questions
We already have CCPA and VCDPA compliance — is that enough for MODPA?
Not by itself. CCPA and VCDPA-style programs are built around consent and opt-out, but MODPA's data-minimization mandate applies regardless of consent, and its sensitive-data sale ban is stricter than the opt-out model those laws use. You'll need a separate minimization review of what you collect and process for Maryland consumers, plus a hard stop on any sensitive-data sale.
Does MODPA apply if my AI company isn't based in Maryland?
Yes. MODPA applies based on where consumers are located and whether your product targets them, not where your company is headquartered. Any AI SaaS product with Maryland users can trigger the thresholds regardless of where the business is incorporated or operated.
What counts as 'reasonably necessary and proportionate' under MODPA?
The law ties the standard to the specific product or service the consumer requested, not to the business's broader goals like model improvement or personalization generally. In practice, this means justifying each category of data collection against the discrete feature it supports, rather than a blanket 'necessary for our AI to work' rationale.