What Are the MODPA Cookie Consent Requirements?

Everything you need to know about MODPA cookie consent compliance in 2026. Complete guide covering opt-out requirements, cookie banner elements, consent records, and technical implementation for United States - Maryland.

Opt-out · GPC Required · Children's Privacy Rules

Summary

This guide provides comprehensive technical implementation requirements for Maryland (MODPA). MODPA is one of the strictest US state laws, with strong data minimization, an outright ban on the sale of sensitive data, and opt-out rights for targeted advertising and sale. Controllers must honor universal opt-out mechanisms (GPC).

This jurisdiction follows an opt-out consent model, meaning websites can place certain cookies initially but must provide clear mechanisms for users to opt out of non-essential tracking. Users must be informed about cookies and given easy options to refuse them.

Additional requirements for this jurisdiction include recognition and automatic honoring of Global Privacy Control (GPC) signals sent by users' browsers, and special protections and consent mechanisms for children's personal data.

Website owners and operators subject to these regulations must implement compliant cookie consent banners, maintain proper consent records, and ensure their tracking technologies respect user privacy choices. This guide outlines all technical requirements needed to achieve compliance.

Key Requirements Overview

Consent Model: Opt-out
Default State: Mixed
Cookie Walls: Discouraged

Technical Requirements

Prior consent for non-essential cookies
Purpose granularity required
Equal prominence for accept/reject buttons
No pre-checked boxes allowed
Dark patterns prohibited
Proof of consent required
Local storage covered by regulation

Implementation Guidance

Maryland's MODPA took effect October 1, 2025 (applying to processing activities from April 1, 2026) and sets a new, stricter standard. Beyond honoring GPC and offering opt-outs, MODPA imposes strict data minimization — collection of personal data must be 'reasonably necessary and proportionate' to the specific product or service the consumer requests — bans the sale of sensitive data, and prohibits targeted advertising or sale of the data of consumers under 18. Review what data your cookies and trackers actually collect against the minimization standard; an opt-out alone is not sufficient if the collection itself is not necessary.

Special Protections

Children's Privacy

Targeted advertising and the sale of personal data are prohibited where the controller knew or should have known the consumer is under 18.

Sensitive Data

The sale of sensitive data is prohibited outright. Collection and processing of sensitive data is limited to what is strictly necessary to provide the product or service requested by the consumer.

Record Keeping Requirements

Required Consent Record Fields

For each consent action, you must maintain records containing:

  • Timestamp ISO
  • Opt Out Status
  • GPC Signal Status
  • Policy Version

Re-consent Trigger: Not Required Generally
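
A server-side sketch of the record fields above combined with GPC handling, added here as an example and not taken from MODPA or from any vendor's code. The field names, function names, the `knownUnder18` flag and the policy version value are assumptions; `Sec-GPC: 1` is the request header defined by the Global Privacy Control specification.

```javascript
// Added example: names below are assumptions, not a MODPA-mandated schema.
const POLICY_VERSION = "2026-04-01"; // constructed placeholder policy version

// Only the exact header value "1" expresses the GPC signal.
// HTTP header names are case-insensitive, so compare in lower case.
function gpcSignalPresent(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === "sec-gpc") return String(value).trim() === "1";
  }
  return false;
}

// Build one record per consent action with the four listed fields.
function buildConsentRecord(headers, userOptedOut, now = new Date()) {
  const gpc = gpcSignalPresent(headers);
  return {
    timestamp_iso: now.toISOString(),
    // A GPC signal is treated as a valid opt-out even without a banner click.
    opt_out_status: gpc || userOptedOut === true,
    gpc_signal_status: gpc,
    policy_version: POLICY_VERSION,
  };
}

// Decide which tag categories may load for this visitor. knownUnder18 models
// the "knew or should have known" condition as a caller-supplied flag.
function allowedCategories(record, knownUnder18 = false) {
  const blocked = record.opt_out_status || knownUnder18;
  return {
    essential: true,
    targeted_advertising: !blocked,
    sale_of_data: !blocked,
  };
}

// Constructed sample requests (not real traffic).
const gpcRequest = { "sec-gpc": "1", "user-agent": "ExampleBrowser/1.0" };
const plainRequest = { "user-agent": "ExampleBrowser/1.0" };
const fixedTime = new Date("2026-04-02T10:00:00Z");

console.log(buildConsentRecord(gpcRequest, false, fixedTime));
console.log(allowedCategories(buildConsentRecord(plainRequest, false, fixedTime)));
```

Gating tags this way covers only the opt-out side; whether a tracker's collection is necessary at all is a separate review under the minimization standard.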

CookieChimp handles all of this automatically. Our platform maintains comprehensive consent records including all required fields, timestamps, consent strings, IP addresses, user agents, and more. Records are securely stored and easily exportable for compliance audits.

Frequently Asked Questions About MODPA Cookie Consent

Maryland (MODPA) is a privacy regulation applicable in United States - Maryland. It is one of the strictest US state laws, with strong data minimization, an outright ban on the sale of sensitive data, and opt-out rights for targeted advertising and sale. Controllers must honor universal opt-out mechanisms (GPC). It requires websites to provide clear mechanisms for users to refuse non-essential cookies (opt-out model).

Yes. Under MODPA, websites must display a cookie consent banner that includes an opt-out of targeted ads link, a link to the privacy policy, and a manage preferences button. The banner must be shown to inform users about cookie usage and provide opt-out options.

MODPA follows an opt-out consent model. This means websites may place certain cookies but must provide clear and easy ways for users to opt out of non-essential tracking.

Yes. MODPA requires websites to recognize and automatically honor Global Privacy Control (GPC) signals sent by users' browsers as a valid opt-out request.

Targeted advertising and the sale of personal data are prohibited where the controller knew or should have known the consumer is under 18.

MODPA requires maintaining consent records that include an ISO timestamp, opt-out status, GPC signal status, and policy version.

Legal Disclaimer: This guide provides technical implementation guidance only and should not be considered legal advice. Privacy laws are complex and frequently updated. We recommend consulting with qualified legal counsel to ensure full compliance with applicable regulations.