The Maryland Online Data Privacy Act (MODPA) became law in 2024, and it goes into effect on October 1, 2025. Even if your dealership isn’t in Maryland, this law is worth watching—because it’s part of a bigger trend: states across the country are rolling out their own rules for how businesses collect, use, and protect customer data.

For auto and heavy truck dealerships, this isn’t just another compliance headache—it’s a preview of where the whole industry is heading.

What Maryland Did

The Maryland Online Data Privacy Act (MODPA) gives residents stronger control over their personal information. Starting October 1, 2025, it requires businesses to:

• Tell people what data they’re collecting and why
• Only collect what’s necessary to provide the service
• Get consent before handling sensitive information (like health data, biometrics, or precise location)
• Give consumers the right to access, correct, or delete their data
• Provide an easy way to opt out of targeted advertising or data sales
• Establish, implement, and maintain reasonable data security practices to protect the personal data they hold

That last point is especially important. MODPA doesn’t just focus on privacy—it requires dealerships and other businesses to actively safeguard customer information.

The law applies to any business that processes the personal data of 35,000 Maryland consumers annually, or 10,000 consumers while earning over 20% of revenue from selling that data. Most dealers don’t sell consumer data, but many Maryland rooftops will hit that 35,000 threshold.

There are exemptions—MODPA doesn’t apply to employee or business data, and there’s a carve-out for entities subject to the Gramm-Leach-Bliley Act (GLBA). But that exemption isn’t ironclad. Other states with similar language have still applied their privacy laws to dealers.

That’s why many dealerships, especially multi-state groups, choose to comply regardless. OEM or lender contracts may require it, customers expect it, and it’s far easier to follow a uniform standard than juggle a patchwork of state rules.

What Dealers Should Do

1. Act now. MODPA becomes enforceable on October 1, 2025. Dealers that wait will be racing the clock.
2. Get your house in order. Make sure you can prove how you’re protecting customer data—not just for the FTC, but for whichever state might come knocking.
3. Stay flexible. State laws vary, but if your systems and policies are grounded in cybersecurity and data privacy best practices, you’ll be able to adapt quickly.
4. Think beyond compliance. Customers care about privacy and security. Showing you take both seriously builds trust—and that trust drives sales and service loyalty.