
Maryland (MODPA) Privacy Law Compliance

The Maryland Online Data Privacy Act (effective October 1, 2025) is the most consumer-protective state privacy law to date. Three distinctions: (1) the strictest data minimisation standard in the US — collection limited to 'reasonably necessary and proportionate' to provide/maintain the specific product/service requested; (2) an outright BAN on selling sensitive data (no opt-in cure); (3) extensive protections for minors (no targeted advertising to anyone known to be under 18).

Statute: Maryland Online Data Privacy Act, Md. Comm. Law §14-4601 et seq.
Effective: Oct 1, 2025
Enforcer: Maryland Attorney General (exclusive)
Consumer rights: 8
Business obligations: 9

Who must comply

Exemptions

Consumer rights (8)

Right to access / know
Confirm whether personal data is processed and obtain a copy in a portable format
Right to correct
Correct inaccurate personal data
Right to delete
Request deletion of personal data the controller has collected
Right to data portability
Receive data in a portable, machine-readable format
Right to opt out of sale
Opt out of the sale of personal data to third parties
Right to opt out of targeted advertising
Opt out of cross-context behavioural advertising
Right to opt out of profiling with legal effect
Opt out of automated decisions producing legal or similarly significant effects
Right to appeal
Appeal a controller's refusal to honour a rights request (typically 45–60 days)

Business obligations (9)

Public privacy notice
Clear, accessible notice of categories collected, purposes, third parties, rights, and contact channel
Rights response within 45 days
Respond to consumer rights requests within 45 days (extendable by 45 more with notice)
Data processing agreements
Written contracts with processors restricting their processing to the controller's documented instructions
Data protection assessments
Document risk assessment for targeted advertising, sale, profiling, sensitive data processing
Honour universal opt-out signals (GPC)
Recognise the Global Privacy Control browser signal as a valid opt-out (where required)
Reasonable security practices
Administrative, technical, physical safeguards appropriate to the data's sensitivity
Strict data minimisation
Collection limited to data 'reasonably necessary and proportionate' to provide/maintain the SPECIFIC product or service requested — narrower than other states' 'adequate, relevant, reasonably necessary'
BAN on selling sensitive data
Sale of sensitive personal data is PROHIBITED — even with consent (no opt-in cure)
Ban on targeted advertising to minors
Targeted advertising to consumers known to be under 18 is prohibited
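An added example (not code from the page or from any vendor product) showing how a server might enforce three of the obligations above at request time: honouring the Global Privacy Control signal, the ban on selling sensitive data, and the ban on targeted advertising to consumers known to be under 18, plus the explicit-consent rule for secondary use described in the FAQ. It assumes the browser delivers GPC as the `Sec-GPC: 1` request header (the header name and value come from the GPC specification, not from this page).

```javascript
// Sensitive data categories as enumerated in the page's FAQ.
const SENSITIVE_CATEGORIES = new Set([
  'race', 'religion', 'ethnicity', 'sexual_orientation', 'citizenship',
  'immigration_status', 'health', 'biometric', 'genetic', 'precise_geolocation',
  'national_origin', 'child_data', 'crime_victim_status',
]);

// True when the request carries a valid GPC opt-out. Header names are
// case-insensitive; the only defined opt-out value is the string "1"
// (assumption: Sec-GPC header per the GPC specification).
function gpcOptOut(headers) {
  const name = Object.keys(headers).find((k) => k.toLowerCase() === 'sec-gpc');
  return name !== undefined && String(headers[name]).trim() === '1';
}

// Decide whether one processing activity may go ahead for this request.
// purpose: 'provide_service' | 'sale' | 'targeted_advertising' | 'secondary_use'
// Returns { allowed, reason } so the caller can log every decision for audit.
function evaluateProcessing({ headers = {}, purpose, dataCategory,
                              knownUnder18 = false, explicitConsent = false }) {
  const sensitive = SENSITIVE_CATEGORIES.has(dataCategory);
  if (purpose === 'sale' && sensitive) {
    // Outright ban: checked before any consent flag so an opt-in can never unlock it.
    return { allowed: false, reason: 'sale of sensitive data is prohibited' };
  }
  if (purpose === 'targeted_advertising' && knownUnder18) {
    return { allowed: false, reason: 'targeted advertising to a consumer known to be under 18 is prohibited' };
  }
  if ((purpose === 'sale' || purpose === 'targeted_advertising') && gpcOptOut(headers)) {
    // Universal opt-out signal covers both sale and targeted advertising.
    return { allowed: false, reason: 'consumer opted out via Global Privacy Control' };
  }
  if (purpose === 'secondary_use' && !explicitConsent) {
    // Minimisation: anything beyond the requested service needs explicit consent.
    return { allowed: false, reason: 'secondary use requires explicit consent' };
  }
  return { allowed: true, reason: 'no MODPA restriction matched' };
}

// Constructed sample request: a consumer who has enabled GPC in their browser.
const sampleHeaders = { 'Sec-GPC': '1', 'User-Agent': 'constructed-example' };
console.log(evaluateProcessing({ headers: sampleHeaders, purpose: 'sale', dataCategory: 'email' }));
```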

Required privacy notice elements

  1. Categories of personal data processed (narrowly tied to specific service)
  2. Purpose of processing (must be specific — generic 'business purposes' fails)
  3. Categories shared + categories of third parties
  4. Rights + how to exercise + appeal process
  5. Statement that sensitive data is NOT sold
  6. Statement that targeted advertising to minors is NOT performed
  7. Statement of UOOM (GPC) recognition
Don't hand-check this. Drop your existing privacy policy into the free policy audit and we'll grade every required element and surface the missing language.

Penalties

Civil penalty per violation (CPA): up to $10,000 for a first violation; up to $25,000 for each subsequent violation (Md. Comm. Law §13-410, Consumer Protection Act enforcement)
60-day cure period: sunsets Apr 1, 2027 (initial wind-up window)

Common compliance pitfalls

Data minimisation is genuinely strict
Most state laws say 'adequate, relevant, reasonably necessary'. Maryland says 'reasonably necessary AND proportionate to provide/maintain the SPECIFIC product/service requested'. Collecting data for future product expansion, monetisation, or research without explicit consent is prohibited.
Cannot sell sensitive data even with consent
Maryland is the first US state to BAN the sale of sensitive data outright. No opt-in cure — if your business model depends on monetising health, race, sexual orientation, biometric, citizenship, religion, precise geolocation data of Maryland residents, restructure it.
No targeted ads to consumers known to be under 18
Many state laws stop at 16 or 17. Maryland prohibits targeted advertising to ANY consumer known to be under 18. 'Known' includes both actual and constructive knowledge (e.g. an age gate, a school email address, or a verified age).

FAQ

Is Maryland enforceable now?
Yes. Effective October 1, 2025. The 60-day cure window sunsets April 1, 2027 — until then the AG must offer a cure period for first-time violations.
What counts as sensitive data?
Race, religion, ethnicity, sexual orientation, citizenship, immigration status, health, biometric, genetic, precise geolocation (within ~1,750 ft), national origin, child's data, consumer's status as a victim of a crime.
How does the minimisation standard work?
Collection must be 'reasonably necessary and proportionate to provide or maintain the specific product or service requested by the consumer'. Maryland AG has interpreted this strictly — you can collect what's needed to deliver the requested service, period. Secondary use requires explicit consent.

Related state laws

Delaware (DE): DPDPA
New Jersey (NJ): NJDPA
Minnesota (MN): MCDPA

Grade your Maryland privacy policy in 20 seconds

Paste your privacy policy and we'll score it against MODPA requirements — categories collected, rights enumeration, opt-out mechanism, sensitive data handling. Free, 3 audits/day, no signup.
