Maryland’s Strong New Privacy Law: What Cannabis Ecommerce Needs to Know in 2025

Maryland’s Online Data Privacy Act (MODPA) launches major changes for cannabis dispensaries and hemp retailers with online sales in 2025–2026. Going beyond the frameworks seen in California and Colorado, MODPA’s strict sensitive data standards, robust opt-out rights (including Global Privacy Control signals), and heightened data minimization rules will reshape digital compliance in the state’s bustling cannabis market.

This guide addresses what cannabis operators, compliance teams, and marketers must know before October 1, 2025—and how to avoid major enforcement risks as Maryland’s law goes live and applies to processing activities from April 1, 2026.

MODPA at a Glance: Critical Dates and Who’s Covered

Effective Dates

• October 1, 2025: Core provisions in effect—sensitive data rules, privacy notices, consumer rights, etc.
• April 1, 2026: Universal opt‑out signal (Global Privacy Control) compliance required, along with expanded processing applicability.

Who Is Covered?

• Cannabis dispensaries, multi-state operators (MSOs), hemp and cannabinoid retailers serving over 35,000 Maryland residents annually (or 10,000 if 20%+ of annual revenue is from data sales) are generally required to comply (JD Supra).
• No broad exemption for regulated cannabis businesses—compliance is not optional.

Penalties

• Enforcement by the Maryland Attorney General.
• Fines up to $10,000 per violation.

What Makes MODPA Tougher Than Other State Privacy Laws?

While MODPA resembles privacy laws in California, Colorado, Minnesota, and Tennessee, several provisions stand out:

• Necessity Standard for Sensitive Data:

• You may only collect/process sensitive personal data when it is "strictly necessary to provide or maintain a specific product or service requested by the consumer."

• Cannabis ecommerce: age verification, payment processing, delivery—minimal data only, no extras for marketing or analytics.

• Data Minimization:

• Information collected must be reasonably necessary and proportionate.

• Loyalty program signups and online order forms: No collecting unnecessary details (e.g., medical status, secondary contact info) unless essential for a transaction.

• Universal Opt-Out Mechanism:

• Lithium up in April 2026: Businesses must honor browser-based Global Privacy Control (GPC) signals, letting users opt out of targeted ads, data sales, and profiling by default.

• Sensitive Data Sale Prohibition:

• Selling or sharing sensitive data (medical info, government IDs, biometric data) is outright banned, regardless of customer consent.

• Protection for Minors:

• No "sale" or use of personal data for targeted advertising if you know (or should know) a user is under 18.

Cannabis and MODPA: Applying the New Privacy Standards

Data Collection: Only What’s Necessary

• Age and ID Verification: Collect only what’s essential—date of birth, proof of legal age (e.g., via government ID). Avoid storing images of IDs or extraneous details unless specifically legally required, and dispose of data as soon as verification is complete (CannabisRegulations.ai).

• Payment and Delivery Details: Limit data collection to name, delivery address, and payment info. Do not retain payment data longer than necessary for the transaction.

• Loyalty Programs: No more broad data grabs for promotions. Only collect details directly needed for point accrual/redemption. Do not collect medical status, purchase histories, or lifestyle information unless strictly essential, and never sell this data.

Privacy Notices and Consumer Rights

• Updated Privacy Policy: Must disclose categories of personal data, including sensitive data, the purposes for collection, how consumers can exercise their rights, and explain if data is sold or used for targeted ads (White & Case).
• Clear Consent Language: Obtain granular, informed consent for any use of sensitive information (including biometric, health, or government ID data).
• Delete Upon Request: Enable consumers to request deletion, correction, or transfer of their personal data—and respond efficiently.

Opt-Out, Targeted Ads, and Loyalty Marketing

• Honor Opt-Outs: By April 2026, must automatically respect browser signals (e.g., the Global Privacy Control) indicating no tracking or data sales—no dark patterns to discourage opt-outs!
• Targeted Advertising: You cannot use sensitive data (e.g., past purchases, medical or ID info) for profiling or personalized offers. Minimize what is used for segmentation to generic, non-sensitive traits.
• Loyalty & Email Offers: Structure programs so opt-out covers all non-essential communications. Be very specific about what data is used for rewards or targeted messaging.

Special Challenge: Cannabis Age Gates and ID Systems

Practical Tips for Maryland Operators

• Strict Age Gating: Maryland requires robust proof-of-age for all online THC sales—mere pop-up self-attestation is not enough (CannabisRegulations.ai). MODPA prohibits retaining or reusing more information than legally needed.

• Minors’ Data: Do not sell or use personal data of anyone under 18 for targeted advertising or profiling. If there’s reason to know a customer is a minor, all data use for targeting must stop.

• Disposable Data: If ID images are captured for delivery/age gates, put in place automatic deletion protocols—hold only as long as absolutely required.

Multi-State Overlap: Maryland, Tennessee, Minnesota & Beyond

Takeaway:

• Maryland sets the lowest applicability threshold among these states, so even medium-sized MSOs must comply if they operate online in MD.
• No grandfathering: If you comply with California or Colorado, you’ll still need to tighten controls for Maryland, especially around opt-out signals and necessity of data collected for loyalty, advertising, or third-party services (MMMLaw, ComplianceHub).

Enforcement and Risk: Maryland Attorney General Focus

• The Maryland AG has signaled a proactive enforcement stance for digital businesses, especially those handling sensitive or health-related data.
• Repeat or flagrant violations—such as selling loyalty program lists, ignoring opt-out signals, or over-collecting ID data—could draw maximum statutory fines.
• Ongoing risk of added requirements via further rulemaking; stay alert for updates into 2026.

5 Steps for Cannabis Compliance Before October 2025

1. Map and Minimize Data: Audit age gate, payment, and delivery flows. Remove optional fields, require only what is essential, and review retention/deletion practices.
2. Update Consent and Privacy Notices: Rewrite policies in plain English, including granular disclosures for sensitive and loyalty program information.
3. Test Opt-Out Mechanisms: Implement and honor browser-based GPC/universal opt-out tools well ahead of April 2026.
4. Review Third-Party Processors: Ensure all service providers (delivery, payment, marketing) meet MODPA’s strict standards.
5. Train Staff and Refresh Practices: Provide updated privacy training focused on cannabis transactional risks—especially front-line ID checkers and marketing teams.

Key Takeaways for 2025

• Maryland’s privacy law is the most sensitive-data-restrictive in the US, with narrow exceptions.
• All dispensaries, MSOs, and cannabinoid retailers with digital sales or loyalty programs must act now to comply.
• Honoring opt-outs and revising data collection practices are non-negotiable—penalties for even inadvertent violations can be steep.
• Multi-state operators face a patchwork, but MODPA sets a new baseline due to its strictness and low threshold.

Stay on top of evolving privacy risks. For detailed regulatory tracking, sample privacy policies, and compliance frameworks for Maryland and multi-state cannabis operations, tap into CannabisRegulations.ai—your partner for confident cannabis compliance in 2025 and beyond.