New California & Maryland Data Rules May Impact Your Website
Developments out of California and Maryland this month change obligations for browser developers and website operators alike, creating some new hurdles for both to jump through. These laws intensify requirements for transparency, automated opt-outs, and sensitive data handling. Businesses that rely on web analytics, targeted marketing, or third-party integrations have to be especially mindful of these changes. Let's talk about them.
If you're just looking for tips, skip to the bottom!
Out-Of-State Website Operators Need to Beware
It's important to note that while both discussed laws are state laws, they carry broad applicability. Both the California and Maryland laws apply to websites that collect or process data of their residents. Therefore, businesses need not operate in Maryland or California to fall within the purview of these two laws (with some exceptions).
In this day and age, it's challenging to predict where web traffic will come from. Even if your business does not market to California or Maryland residents, it is entirely likely that users from those states will–at some point or another–interact with your business website. Therefore it is best practice for your website to be compliant with the most strict law presently in effect. More on this in the tips section!
California’s “Opt Me Out Act” (AB 566)
The Opt Me Out Act (OMOA) was signed into law on October 8, 2025, but will not take effect until January 1, 2027. Even so, because of OMOA’s shifted liability burdens, website operators–not just browser developers–need to be aware of the law’s requirements, and should be careful to implement compliance measures as early as possible.
Starting January 1, 2027, OMOA will require all web browsers (like Chrome, Safari, Firefox) used by California residents to include an easy-to-find, consumer-configurable opt-out preference signal. This has been referred to as a Global Privacy Control (“GPC”), or colloquially as a browser “privacy switch.” Effectively, whenever a user visits a website using the configured browser, the signal tells that website to stop sharing or selling data (depending on user preferences). What’s unique about this approach is that it lets a consumer set and forget privacy preferences globally, for all websites visited with that configured browser, rather than having to consent to (or opt-out of) data collection and sales on every different website a user visits.
While much of the burden will be on browser developers to engineer the integrations that allow for the privacy switches, website operators are responsible for making sure their site can both detect and honor that signal. This is a relatively small configuration hurdle, but can carry penalties of up to $7,500 for failure to comply.
To ensure compliance, businesses should conduct periodic audits of tracking technologies to ensure scripts and cookies respect privacy signals. Website privacy notices should also disclose compliance with browser-level opt-out tools.
It is likely the case that vendors (website hosting services, and marketing and analytics vendors) will be releasing technical modifications to help clients stay in compliance with the change in law. However, it is ultimately on website operators to have the conversation, and coordinate with vendors to ensure compliance. There is no provision in the law that reduces or insulates business owners from liability, simply because they are naive to how the browser requirement works.
The Maryland Online Data Privacy Act (MODPA)
Unlike under OMOA, website operators have immediate compliance obligations under MODPA, which went into effect as of October 1, 2025 (read the law here). While I summarize MODPA’s main takeaways below, its rules and requirements are truly extensive. If MODPA applies to your company (or if it seems like it could in the near future), your business needs to be aware of the entire scope of the law, and should undergo a compliance audit.
Most topically, website operators should already have a clear and conspicuous web-link opt-out mechanism on their site, and must enable consumers to opt out of targeted ads and the sale of personal data using an opt-out preference signal, such as a Global Privacy Control (“GPC”, as explained above).
MODPA is one of the strictest frameworks in the U.S. for handling user data. The law effectively codified the data minimization principle of “strict necessity,” by prohibiting businesses from processing “sensitive data” unless strictly necessary to deliver a product or service specifically requested by the consumer, or unless the consumer has given explicit (opt-in) consent. Regardless of consent, MODPA categorically prohibits the sale of “sensitive data.”
“Sensitive data” is broadly defined to include health, biometric, sexual orientation, geolocation, and citizenship data.
MODPA further limits the processing of data of consumers if it is known, or should be known that the consumer is under the age of 18. And, the sale of any data (including non-sensitive data) from consumers under the age of 18 is prohibited. Therefore, any company that engages in targeted advertising for minors should reexamine data collection, processing, and sales practices.
MODPA Applicability
Again, though MODPA is a state law, it applies to any entity that provides products or services to Maryland residents, even if the entity is not a Maryland business. Fortunately, small businesses may be protected if they: (1) do not control or process personal data of at least 35,000 Maryland consumers (excluding payment information used solely for the purpose of processing a transaction); or (2) do not control or process personal data of at least 10,000 Maryland consumers and derive more than 20 percent of gross revenue from sale of personal data.
While there are a few exceptions to MODPA, including government entities and financial institutions, it does not contain any carve-outs for small businesses.
Miscellaneous Additional MODPA Requirements
Data Protection Assessment Requirements: Internal Data Protection Assessments must be conducted for any processing that carries a “heightened risk of harm,” such as AI-driven decisions, or profiling;
Written Contracts: Contracts between data controllers and processors must be in writing, and set out processing instructions, security measures, audit rights, among other requirements.
Security Requirements: controllers and processors must both implement “reasonable administrative, technical and physical” safeguards to protect the confidentiality, integrity and accessibility of personal data.
Penalties for Noncompliance
Violations of MODPA are considered a deceptive trade practice under Maryland’s Consumer Protection Act, and carry civil penalties of up to $10,000 per violation for first time offenses, and up to $25,000 thereafter. These fines are hefty, but there is some good news. MODPA does not contain a private right of action; therefore, individual consumers are prohibited from making claims against businesses. And, MODPA contains some compliance breathing room: for violations occurring prior to April 1, 2027, if it is possible for the violating entity to cure their defect, the Attorney General must give at least 60 days to do so.
Takeaways from These Laws
Even if MODPA does not apply to your business, the language of the act is indicative of a larger shift in the data privacy landscape toward automated, user-controlled privacy over consent fatigue. Given trends in states’ data laws, website owners should anticipate that browser-level controls will eventually supersede traditional cookie pop-ups, and should make sure sooner rather than later that websites recognize and honor GPCs.
For AI-driven or data-rich startups, especially those running analytics, email tracking, or ad personalization, compliance preparation should include:
Updating privacy policies to clearly list data categories collected, purposes of use, and third-party sharing;
Implementing "data minimization" defaults to collect only the data that is necessary for the specific feature or service offered;
Configuring universal opt-out mechanisms and prominent "do not sell/share" links on websites;
Reviewing and revising vendor contracts to ensure they contain confidentiality clauses that prohibit unauthorized use of data, and data security obligations that align with MODPA;
Implementing a unified consent logic that integrates state-specific opt-outs and GPCs;
Maintaining records of compliance and/or audit logs that demonstrate that the website honors user choices in real time.
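The article says a site must both detect and honor the browser opt-out preference signal, run a unified consent logic that merges it with site-specific opt-outs, and keep audit records showing the choice was honored. The following is an added example written for this page; it is not code from the article, from any browser, or from any hosting or analytics vendor. It relies on two real facts from the Global Privacy Control specification: a GPC-enabled browser sends the request header `Sec-GPC: 1`, and exposes the same setting to page scripts as `navigator.globalPrivacyControl`. Everything else (the function names, the `optout=` cookie format, the purpose names, and the audit-record shape) is an assumption constructed for illustration.

```javascript
// Added example (not from the article or any vendor). Real: `Sec-GPC: 1` header and
// `navigator.globalPrivacyControl` are the GPC signal carriers. Constructed/assumed:
// the function names, the `optout=` cookie format, the purpose names, the audit shape.

const PURPOSES = Object.freeze(["sale", "share", "targeted_ads"]);

// Server side: a GPC-enabled browser sends `Sec-GPC: 1`. Header names are
// case-insensitive, so compare after lowercasing.
function gpcFromHeaders(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === "sec-gpc") return String(value).trim() === "1";
  }
  return false;
}

// Client side: the same signal is exposed to scripts as navigator.globalPrivacyControl.
// The navigator object is passed in so the function can be exercised outside a browser.
function gpcFromNavigator(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// The site's own "Do Not Sell/Share" link stores its result in a first-party cookie,
// e.g. `optout=sale,share` (constructed format). Unknown purposes are ignored.
function optOutsFromCookie(cookieHeader) {
  const denied = new Set();
  for (const part of String(cookieHeader || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim();
    const value = part.slice(eq + 1).trim();
    if (name !== "optout") continue;
    for (const raw of value.split(",")) {
      const p = raw.trim();
      if (PURPOSES.includes(p)) denied.add(p);
    }
  }
  return denied;
}

// Unified consent decision. A GPC signal from either carrier opts the visitor out of
// every listed purpose; the site cookie can add opt-outs but never removes one the
// GPC signal imposed. Sale of sensitive data is refused unconditionally, matching the
// categorical prohibition the article describes under MODPA.
function resolveConsent({ headers = {}, navigator: nav = null, now = new Date() } = {}) {
  const viaHeader = gpcFromHeaders(headers);
  const viaDom = gpcFromNavigator(nav);
  const cookieDenied = optOutsFromCookie(headers.cookie ?? headers.Cookie);

  const denied = new Set(cookieDenied);
  if (viaHeader || viaDom) for (const p of PURPOSES) denied.add(p);

  const allowed = Object.fromEntries(PURPOSES.map((p) => [p, !denied.has(p)]));
  allowed.sensitive_data_sale = false; // never permitted, regardless of any signal

  // Audit record: enough to show afterwards which signal drove the decision.
  const audit = {
    at: now.toISOString(),
    signals: {
      gpc_header: viaHeader,
      gpc_dom: viaDom,
      cookie_optouts: [...cookieDenied].sort(),
    },
    decision: allowed,
  };
  return { allowed, audit };
}

// Gate for third-party tags: load a tag only if every purpose it declares is allowed.
// Scripts that sell or share data should be wired through this check, not loaded
// unconditionally from the page template.
function shouldLoadTag(tagPurposes, allowed) {
  return tagPurposes.every((p) => allowed[p] === true);
}
```

In a server framework the `headers` argument would be the incoming request's header map and the `audit` object would be appended to a write-once log; in the browser, `resolveConsent({ navigator })` can run before any tag manager bootstraps so that `shouldLoadTag` decides which scripts are injected. The design point is that the GPC signal is treated as strictly as the site's own opt-out link and can only add restrictions, which is the "comply with the strictest law in effect" posture the article recommends.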
In many regards, compliance has become as much of a technical engineering challenge as a legal one, and could take considerable time and effort to implement. Early adoption of universal opt-out support and tighter data minimization practices not only reduces risk, but can also strengthen consumer trust, an increasingly valuable asset in a landscape becoming increasingly focused on consumer choice and data protection.