Three more states moved the U.S. closer to a true state-by-state privacy patchwork: Maryland’s MODPA is now in force, while Massachusetts and Pennsylvania advanced broad consumer privacy bills. For data teams, the operational burden is less about “having a policy” and more about executing rights, thresholds, and enforcement expectations that vary by state.
Maryland’s MODPA takes effect as more states push comprehensive privacy rules
Maryland’s Online Data Privacy Act (MODPA) took effect on Oct. 1, 2025, adding to what the source describes as a total of 17 comprehensive state privacy laws in the U.S. The update was reported on Nov. 10, 2025, alongside parallel legislative progress in Massachusetts and Pennsylvania, underscoring how quickly compliance targets are multiplying for companies operating nationally.
In Massachusetts, the Massachusetts Data Privacy Act (MDPA) passed and is awaiting House approval. The bill would apply to entities processing data from more than 60,000 consumers—or more than 20,000 consumers if data sales exceed 20% of revenue—introducing state-specific applicability tests that don’t cleanly map to other states’ laws. In Pennsylvania, the House approved the Consumer Data Privacy Act, which would grant rights to access, correct, and delete personal data, and to opt out of targeted advertising and data sales; the source notes applicability for businesses with more than $10M in annual revenue.
The source also highlights a growing enforcement coordination layer: Minnesota and New Hampshire joined the bipartisan Consortium of Privacy Regulators. Separately, additional state regulations from Indiana, Kentucky, and Rhode Island are slated to take effect Jan. 1, 2026.
- Engineering impact: Rights fulfillment (access/correct/delete/opt-out) becomes a systems problem—requiring verified identity flows, auditable request handling, and data lineage that can answer “where does this person’s data live?” across products and vendors.
- Scope creep risk: Differing thresholds (e.g., consumer-count triggers, revenue triggers, and “data sales” tests) mean one national program may still need state-specific decision logic and documentation to defend applicability calls.
- Enforcement posture is shifting: Cross-state coordination via the Consortium of Privacy Regulators raises the odds that inconsistent practices (or weak vendor oversight) get noticed beyond a single jurisdiction.
- Synthetic data as exposure control: Where teams can replace personal data in analytics, testing, and model development, synthetic datasets can reduce the blast radius of rights requests and limit regulated-data handling in non-production workflows.
