What makes Maryland's MODPA the strictest US state privacy law, and why does that matter for advertisers?

The Maryland Online Data Privacy Act, effective October 1, 2025, earns the description of strictest US comprehensive state privacy law because it breaks from the dominant notice-and-consent model in two structural ways that constrain advertising more tightly than any other state framework. The dominant model — used in Virginia, Colorado, Connecticut and most other states — lets businesses collect and use broad categories of personal data as long as they disclose it in a privacy policy and, for sensitive data, obtain opt-in consent. Under that model, consent is the key that unlocks almost any data use. MODPA changes the lock. Its first structural break is a hard data-minimization mandate: a business may only collect personal data that is reasonably necessary and proportionate to provide or maintain the specific product or service that the consumer requested, and no amount of disclosure or consent can justify collecting more. For sensitive data, the standard tightens to strictly necessary. This means a business cannot collect data simply because it might be useful for advertising later; if the data is not necessary to deliver what the consumer asked for, collecting it is unlawful regardless of consent. The second structural break is an outright ban on selling sensitive data — Maryland provides no consent path that makes the sale of sensitive personal data lawful, where other states permit it with opt-in consent. MODPA also prohibits targeted advertising to consumers the business knows are under 18 and bans selling minors' data. For advertisers, these breaks matter because the advertising data economy has been built on collecting broadly and monetizing through audience-building, retargeting and data sharing. MODPA constrains the collection at the source and forecloses the most sensitive monetization entirely. The practical effect is that advertisers operating in Maryland — or, more realistically, advertisers who choose to build to Maryland's floor nationally rather than maintain state-by-state carve-outs — must justify every data collection against necessity, must never route sensitive data into a sale or an ad audience, and must treat consent as insufficient on its own. Because building to the strictest standard is operationally simpler than per-state variation, MODPA effectively becomes the national design target for privacy-conscious advertisers. For the broader federal-state framework, see the United States compliance reference , and map your collection practices with the Legal Compliance Scan . The organizing principle is that MODPA replaces consent-unlocks-everything with necessity-is-the-ceiling, which constrains advertising at the data source.

How does MODPA's data-minimization requirement work, and how is it different from a privacy policy disclosure?

MODPA's data-minimization requirement works by making necessity, not disclosure, the legal limit on data collection — a fundamentally different mechanism from the privacy-policy model that most advertisers are accustomed to, and one that requires rethinking how data is gathered in the first place. Under the privacy-policy model, a business can collect a wide range of data so long as it tells consumers it is doing so; the disclosure is the compliance act. MODPA inverts this: the law states that a controller may only collect personal data that is reasonably necessary and proportionate to provide or maintain the specific product or service requested by the consumer, and for sensitive data the collection and processing must be strictly necessary to provide or maintain that product or service. The privacy policy still has to exist, but it can no longer expand what the business is allowed to collect — it can only describe collection that is already justified by necessity. The practical test becomes: for each data element collected, can the business articulate why it is necessary to deliver the product or service the consumer actually asked for? If a consumer signs up for a newsletter, collecting their email is necessary; collecting their precise geolocation, browsing history across other sites, or inferred health interests is not, and therefore cannot be collected for that newsletter regardless of what the privacy policy says. For advertising, this is the consequential part: the common practice of collecting broad behavioral data and building it into ad audiences fails the necessity test when the data was not needed to provide the requested service. A business cannot justify collecting extra data on the basis that it will be used for targeted advertising, because targeted advertising is not the product the consumer requested. This forces a discipline that most ad-data operations have never had: each collection must be mapped to a specific, necessary purpose, and data collected for one necessary purpose cannot be silently repurposed for advertising. The compliance work is therefore an inventory exercise — cataloging every data element collected, mapping each to the product or service that justifies it, and eliminating collection that cannot be justified — followed by a controls exercise to prevent necessary-purpose data from leaking into advertising uses. For sensitive data the bar is higher and the safe answer is almost always not to collect it for anything ad-related. Run the collection-mapping exercise with the AI Compliance Audit , and for sector-specific minimization see the e-commerce and DTC compliance guide . The organizing principle is that under MODPA necessity caps collection, so a privacy policy can describe but never expand what you collect.

What does MODPA's sensitive-data sale ban cover, and how does it affect ad audiences?

MODPA's sensitive-data sale ban is an absolute prohibition with no consent exception, and it covers a broad set of data categories, which together make it one of the most significant constraints on advertising data in any US state. The ban prohibits a controller from selling sensitive data — full stop. Where laws like Virginia's and Colorado's allow the processing of sensitive data, and even its sale, provided the business obtains opt-in consent, Maryland removes the consent path for sale entirely: there is no mechanism by which selling sensitive personal data becomes lawful in the state. The definition of sensitive data is broad and tracks the categories common to state privacy laws: data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life or sexual orientation, and citizenship or immigration status; genetic and biometric data; precise geolocation data; and personal data of a known child. Two features make this especially consequential for advertisers. First, sale is defined broadly across state privacy laws to mean disclosure for monetary or other valuable consideration, which sweeps in many ad-tech data flows that do not involve a direct cash payment — including arrangements where data is shared with a platform in exchange for advertising value. Second, MODPA also restricts processing of sensitive data to what is strictly necessary, so even uses short of a sale are constrained. For ad audiences, the implications are direct: a business cannot build or contribute to an audience that is constructed from sensitive-category signals if doing so involves selling that sensitive data, and the strict-necessity processing limit means sensitive data generally cannot be processed for advertising at all. Custom audiences seeded from health interests, precise location, ethnicity proxies or sexual-orientation signals are foreclosed; lookalike modeling built on sensitive seed data is foreclosed; and any data-sharing arrangement with an ad platform that transmits sensitive data and constitutes a sale is prohibited. The safe operating rule is to treat sensitive data as entirely off-limits for advertising in Maryland — neither collected for ad purposes, nor processed for them, nor sold — and, because building to that rule nationally is simpler than maintaining a Maryland exception, to apply it everywhere. This dovetails with the health-data constraints that other laws impose; see the consumer health data and ad targeting analysis for the overlapping health-specific rules. Confirm no audience draws on sensitive signals with the Legal Compliance Scan . The organizing principle is that MODPA makes sensitive data unsellable and barely processable, so it must be treated as off-limits for advertising.

How does MODPA treat targeted advertising, sale and sharing, and what opt-out rights apply?

MODPA, like the other comprehensive state privacy laws, grants consumers opt-out rights over targeted advertising and the sale of personal data, and understanding how these defined terms map onto everyday ad operations is essential because the terms reach further than their plain-English meanings suggest. Targeted advertising is defined as displaying ads to a consumer based on personal data obtained from that consumer's activities across non-affiliated websites or applications to predict their preferences or interests — in other words, the cross-context behavioral advertising that powers most retargeting and interest-based campaigns. Sale is defined as the exchange of personal data for monetary or other valuable consideration, a definition broad enough to capture many ad-tech data flows that do not involve a direct payment, because sharing data with a platform in return for advertising capabilities can constitute valuable consideration. Consumers have the right to opt out of both, and MODPA requires controllers to honor those opt-outs, including through universal opt-out mechanisms — browser or device signals like Global Privacy Control that communicate a consumer's choice automatically. The combination matters for advertisers because the everyday building blocks of digital advertising fall within these definitions: sending pixel or CRM data to Meta, Google or TikTok to build custom audiences, constructing lookalike audiences from that data, and running interest-based retargeting all generally constitute targeted advertising, sale or sharing, and therefore must be suppressed for any consumer who has opted out or whose device transmits a universal opt-out signal. The operational requirement is a suppression capability: the business must be able to identify opted-out consumers and exclude their data from the flows that build ad audiences and serve targeted ads. For sensitive data, the analysis is stricter still, because MODPA bans the sale of sensitive data outright and restricts its processing, so opt-out is not even the relevant mechanism — sensitive data simply cannot be sold and generally cannot be processed for advertising. The practical build is therefore twofold: a robust opt-out and universal-signal-honoring system for ordinary personal data used in targeted advertising, and a hard exclusion of sensitive data from all ad uses. Because twelve states require universal opt-out recognition by January 1, 2026, the suppression capability is not Maryland-specific; it is a national requirement. See the US state privacy laws and universal opt-out analysis for the multi-state detail, and audit your suppression with the AI Compliance Audit . The organizing principle is that retargeting and audience-building are targeted advertising and sale under MODPA, so opt-out suppression is mandatory and sensitive data is excluded entirely.

How does MODPA fit into the broader 2025-2026 wave of state privacy laws?

MODPA is the strictest member of a broader 2025-2026 wave of US state privacy laws, and understanding its place in that wave helps advertisers see why building to the highest standard, rather than the patchwork minimum, is the only sustainable strategy. By 2026 roughly twenty states have enacted comprehensive consumer privacy laws, and the period from 2025 into 2026 brought a cluster of effective dates: Tennessee's law took effect July 1, 2025, Minnesota's on July 31, 2025, and Maryland's MODPA on October 1, 2025, while Indiana, Kentucky and Rhode Island laws took effect January 1, 2026, alongside new California regulations covering automated decision-making technology, risk assessments and cybersecurity audits. Most of these laws share a common architecture — rights to access, delete, correct and port data; rights to opt out of targeted advertising, sale and profiling; and opt-in consent for sensitive data — but they diverge at the edges, and MODPA sits at the strict end of every axis. Where most states let sensitive data be processed and sold with consent, Maryland bans the sale of sensitive data and limits processing to strict necessity. Where most states rely on notice and consent, Maryland imposes hard data minimization. Where most states are enforced only by the attorney general, the wave as a whole is seeing more active enforcement, including a multi-state sweep in late 2025 by California, Colorado and Connecticut authorities targeting businesses that failed to honor opt-out signals. A defining feature of the 2026 landscape is the universal opt-out mandate: twelve states — including California, Colorado, Connecticut, Texas, New Jersey, Oregon, Delaware, Montana, Nebraska, New Hampshire, Minnesota and Maryland — require businesses to recognize universal opt-out mechanisms, and California, Colorado and Connecticut have confirmed that Global Privacy Control qualifies. For an advertiser operating nationally, maintaining a different data practice in each state is operationally untenable and legally risky, because the strictest applicable law effectively governs any consumer whose state is unknown or who could be in a strict state. The rational response is to build to the union of the strictest requirements: MODPA-level data minimization, no sale or ad-processing of sensitive data, robust opt-out and universal-signal honoring, and no targeted advertising to known minors. That single high standard satisfies every state at once and removes the fragility of per-state carve-outs. Track the wave's effective dates and enforcement on the Policy Change Tracker , and benchmark your posture with the Legal Compliance Scan . The organizing principle is that MODPA sets the strict edge of the 2026 wave, so building to its standard nationally is simpler and safer than a state-by-state patchwork.

What does a MODPA-ready advertising workflow look like in practice?

A MODPA-ready advertising workflow operationalizes two disciplines that most ad-data operations have never enforced — collection limited by necessity, and sensitive data excluded from all advertising — and it builds them into the campaign lifecycle so compliance is structural rather than a final review. The workflow has six stages. The first is collection mapping: inventory every data element the business collects from consumers and map each to the specific product or service that justifies it under the reasonably-necessary-and-proportionate standard; any element that cannot be tied to a necessary purpose is eliminated, and no element is retained on the theory that it might be useful for advertising. The second is sensitive-data exclusion: identify every category of sensitive data — health, precise geolocation, racial or ethnic origin, religious belief, sexual orientation, immigration status, genetic and biometric data — and ensure none of it is collected for advertising, processed for advertising, or sold, because MODPA bans the sale of sensitive data outright and limits its processing to strict necessity. The third is audience hygiene: confirm that no custom or lookalike audience is seeded from sensitive signals, and that audience-building from ordinary personal data is treated as targeted advertising and sale subject to opt-out. The fourth is opt-out and universal-signal honoring: build a suppression system that identifies opted-out consumers and those transmitting Global Privacy Control, and excludes their data from the pixel, CRM and audience flows that feed targeted advertising — a capability that twelve states now require. The fifth is minors protection: ensure no targeted advertising reaches consumers the business knows are under 18, and that minors' data is never sold. The sixth is documentation and monitoring: maintain the collection map, the necessity justifications, the sensitive-data exclusions, the suppression configuration and the opt-out logs, and track the moving landscape of effective dates and enforcement so the workflow updates as new state laws and regulations come online. Because MODPA is the strictest state law, a workflow built to satisfy it satisfies the rest of the 2026 wave at the same time, which is why building to Maryland's floor nationally is the efficient choice rather than a compliance cost. The payoff is an advertising program that is resilient to the patchwork, defensible to regulators across states, and free of the most dangerous data flows. Operationalize the mapping and suppression with the AI Compliance Audit and the Legal Compliance Scan , and monitor state developments on the Policy Change Tracker . The organizing principle is collection by necessity, sensitive data excluded, opt-outs honored, minors protected, and everything documented.

Maryland MODPA 2026: Data Minimization & Ad Targeting

Quick Answer

The Maryland Online Data Privacy Act (MODPA), in effect since October 1, 2025, is the strictest comprehensive state privacy law in the United States, and it changes the rules for advertisers in two ways that go further than any other state. First, MODPA imposes a hard data-minimization mandate: businesses may only collect personal data that is reasonably necessary and proportionate to provide or maintain the specific product or service the consumer requested, and for sensitive data the standard is stricter still — collection and processing must be strictly necessary to provide that product or service. This is a structural break from the notice-and-consent model most state laws use, because no privacy-policy disclosure or consumer consent can justify collecting data the business does not actually need; the necessity test is the ceiling. Second, MODPA bans the sale of sensitive data outright — there is no consent path that makes selling sensitive personal data lawful in Maryland — and it prohibits processing sensitive data beyond what is strictly necessary, as well as selling minors' data and serving targeted advertising to consumers the business knows are under 18. Sensitive data is defined broadly to include health and mental-health data, precise geolocation, racial or ethnic origin, religious beliefs, sexual orientation, citizenship or immigration status, and genetic and biometric data. For advertisers, the practical consequences are concrete: building custom or lookalike audiences from sensitive-category signals is foreclosed, any data flow to ad platforms that constitutes a sale of sensitive data is prohibited, retargeting and audience-building generally count as targeted advertising or sale and trigger opt-out rights, and the data-minimization rule means you cannot hoard data for future ad uses you have not defined. MODPA also sits inside a 2026 wave in which twelve states require recognition of universal opt-out signals like Global Privacy Control. The compliant posture is to minimize collection to documented necessity, never sell or build audiences from sensitive data, honor opt-out signals, and treat Maryland's floor as the standard to build to. Map your exposure with the Legal Compliance Scan, audit data flows with the AI Compliance Audit, and track state law on the Policy Change Tracker.

Maryland's MODPA in 2026: Data Minimization, the Sensitive-Data Sale Ban and What It Means for Ad Targeting

Why MODPA Raises the Floor for Advertisers

The Maryland Online Data Privacy Act (MODPA), in effect since October 1, 2025, is the strictest comprehensive state privacy law in the United States. For advertisers it is not just another state to add to a compliance matrix — it changes the underlying rules of how ad data can be collected and used.

Most state laws follow a notice-and-consent model: collect broadly, disclose it, get opt-in consent for sensitive data. MODPA breaks that model in two ways — it caps collection at necessity regardless of consent, and it bans the sale of sensitive data outright. Both constraints hit the advertising data economy at its source.

"A controller shall limit the collection of personal data to what is reasonably necessary and proportionate to provide or maintain a specific product or service requested by the consumer.
— Maryland Online Data Privacy Act, data minimization provision"

This guide explains MODPA's data-minimization mandate, the sensitive-data sale ban, how targeted advertising and sale are defined, and MODPA's place in the 2026 multi-state wave. Map your exposure with the Legal Compliance Scan, audit data flows with the AI Compliance Audit, and track state law on the Policy Change Tracker.

What MODPA Changes That Other Laws Do Not

Two structural breaks set MODPA apart from Virginia, Colorado, Connecticut and the rest of the state framework — and both constrain advertising more tightly than any other state.

MODPA vs. the Common Model

Dimension	Most state laws	MODPA
Collection limit	Disclose in privacy policy; consent unlocks broad use	Reasonably necessary and proportionate to the requested service
Sensitive data	Process and sell with opt-in consent	Sale banned outright; processing limited to strictly necessary
Minors	Consent / parental rules	No targeted ads to known under-18s; no sale of minors' data

The result: consent no longer unlocks everything, and the most sensitive monetization is foreclosed. Advertisers must justify every collection against necessity and never route sensitive data into a sale or an ad audience. For the surrounding framework, see the United States compliance reference.

Data Minimization: Collection Tied to Necessity

MODPA makes necessity, not disclosure, the legal limit on collection. A controller may only collect personal data reasonably necessary and proportionate to provide the specific product or service the consumer requested — and for sensitive data, only what is strictly necessary.

The Necessity Test in Practice

Per-element justification: For each data element, articulate why it is necessary to deliver what the consumer asked for. If you cannot, you cannot collect it.
No advertising rationale: "We'll use it for targeted advertising" does not justify collection, because targeted advertising is not the requested product.
No silent repurposing: Data collected for a necessary purpose cannot be quietly redirected into ad audiences.

The compliance work is an inventory: catalog every data element, map each to the purpose that justifies it, and eliminate the rest. Run the mapping with the AI Compliance Audit, and see the e-commerce and DTC compliance guide for sector-specific minimization.

The Sensitive-Data Sale Ban and What It Covers

MODPA bans the sale of sensitive data with no consent exception, and the definition is broad. Where Virginia and Colorado allow sensitive-data sale with opt-in consent, Maryland removes the consent path entirely.

Sensitive Data Categories (Off-Limits for Ad Sale)

Identity and belief: racial or ethnic origin, religious beliefs, citizenship or immigration status.
Health and intimacy: mental or physical health condition, sex life or sexual orientation.
Technical identifiers: genetic and biometric data, precise geolocation, and the personal data of a known child.

Because "sale" is defined broadly — disclosure for monetary or other valuable consideration — many ad-tech flows that involve no direct payment still count. Combined with the strict-necessity processing limit, the safe rule is to treat sensitive data as entirely off-limits for advertising. This overlaps with health-specific rules in the consumer health data and ad targeting analysis. Confirm no audience uses sensitive signals with the Legal Compliance Scan.

Targeted Advertising, Sale and Sharing Under MODPA

The defined terms reach further than their plain meanings. Understanding them is essential because the everyday building blocks of digital advertising fall inside them.

How the Definitions Map to Ad Operations

Targeted advertising: ads based on cross-context behavioral data — i.e., most retargeting and interest-based campaigns. Opt-out applies.
Sale: exchange of personal data for monetary or other valuable consideration — broad enough to capture data shared with a platform for advertising value.
Universal opt-out: MODPA requires honoring device signals like Global Privacy Control, automatically suppressing these flows.

The operational requirement is a suppression capability: identify opted-out consumers and those sending a universal signal, and exclude their data from the pixel, CRM and audience flows that feed targeted ads. For sensitive data, opt-out is moot — it simply cannot be sold or processed for ads. See the universal opt-out analysis for the multi-state detail.

MODPA in the 2026 Multi-State Wave

MODPA is the strictest member of a broad 2025-2026 wave. Roughly twenty states now have comprehensive privacy laws, with a cluster of recent effective dates and a defining universal opt-out mandate.

The 2026 Landscape

Development	Detail	Advertiser impact
Recent effective dates	TN (Jul 2025), MN (Jul 2025), MD MODPA (Oct 2025), IN/KY/RI (Jan 2026)	Expanding patchwork of opt-out and sensitive-data rules
Universal opt-out	12 states require honoring signals like GPC by Jan 1, 2026	Suppression of targeted-ad flows becomes mandatory
Enforcement	CA/CO/CT multi-state opt-out sweep, late 2025	Failure to honor opt-outs is actively penalized

Maintaining a different data practice per state is operationally untenable and legally risky. The rational response is to build to the union of the strictest requirements — MODPA-level minimization, no sale or ad-processing of sensitive data, robust opt-out honoring, no targeted ads to known minors. That single standard satisfies every state at once. Track effective dates on the Policy Change Tracker.

A MODPA-Ready Advertising Workflow

Build collection-by-necessity and sensitive-data exclusion into the campaign lifecycle so compliance is structural, not a final review.

Six Stages

1. Collection mapping: Inventory every data element; map each to the service that justifies it; eliminate the rest.
2. Sensitive-data exclusion: Never collect, process or sell sensitive data for advertising.
3. Audience hygiene: No audiences seeded from sensitive signals; treat audience-building as targeted advertising and sale.
4. Opt-out honoring: Suppress data of opted-out consumers and those sending Global Privacy Control.
5. Minors protection: No targeted ads to known under-18s; never sell minors' data.
6. Document and monitor: Keep the collection map, necessity justifications, exclusions, suppression config and opt-out logs; track new laws.

Because MODPA is the strictest state law, a workflow built to satisfy it satisfies the rest of the 2026 wave at the same time. Operationalize with the AI Compliance Audit and the Legal Compliance Scan.

MODPA Advertising Compliance Checklist

[ ] Every collected data element mapped to a reasonably-necessary, proportionate purpose
[ ] No data collected on the rationale that it may serve future advertising
[ ] Sensitive data never collected, processed or sold for advertising
[ ] No custom or lookalike audience seeded from sensitive-category signals
[ ] Audience-building treated as targeted advertising and sale, subject to opt-out
[ ] Global Privacy Control and universal opt-out signals honored and suppressed
[ ] No targeted advertising to consumers known to be under 18
[ ] Minors' data never sold
[ ] Collection map, necessity justifications and opt-out logs documented
[ ] Built to MODPA's floor nationally rather than per-state carve-outs

Map collection with the Legal Compliance Scan, audit data flows with the AI Compliance Audit, and monitor state developments on the Policy Change Tracker.

Don't miss the next policy change.

Create a free account — track every policy change across 8 platforms, get instant alerts, and access every free compliance tool. Or try our Meta Rejection Predictor first.

Create Free Account

Report Keywords — Run AI Compliance Audit

#MODPA#Maryland#Data Minimization#Sensitive Data#State Privacy#Targeted Advertising#Ad Targeting#GDPR#Advertisers#Compliance Guide 2026#Brand Safety

Share This Report

Tweet Share

Maryland's MODPA in 2026: Data Minimization, the Sensitive-Data Sale Ban and What It Means for Ad Targeting

Why MODPA Raises the Floor for Advertisers

What MODPA Changes That Other Laws Do Not

MODPA vs. the Common Model

Data Minimization: Collection Tied to Necessity

The Necessity Test in Practice

The Sensitive-Data Sale Ban and What It Covers

Sensitive Data Categories (Off-Limits for Ad Sale)

Targeted Advertising, Sale and Sharing Under MODPA

How the Definitions Map to Ad Operations

MODPA in the 2026 Multi-State Wave

The 2026 Landscape

A MODPA-Ready Advertising Workflow

Six Stages

MODPA Advertising Compliance Checklist

Don't miss the next policy change.

Report Keywords — Run AI Compliance Audit

Share This Report

Related Posts

Consumer Health Data and Ad Targeting in 2026: My Health My Data Act, Pixel Leakage and the FTC Enforcement Wave

Dark Patterns in Your Ad Funnel: The EU Digital Fairness Act and FTC Crackdown in 2026

EU DSA Article 26 — Political Advertising Transparency: First-Year Implementation Data Across 27 Member States

Related Resources

All Tools

Platform Guides

Knowledge Hub

Policy Tracker