Maryland’s stricter privacy law and $1.3M California fine signal a new compliance era

Julie Rubash, General Counsel and Chief Privacy Officer
October 6, 2025

The past week has brought two significant privacy developments that are reshaping compliance requirements for U.S. businesses: 

Maryland’s Online Data Privacy Act has become the nation’s 17th active comprehensive privacy law, introducing unprecedented data minimization standards that exceed those of any other state. Meanwhile, the California Privacy Protection Agency issued its largest fine to date, penalizing Tractor Supply Co. $1.3 million for opt-out failures and disclosure violations that reflect enforcement patterns now appearing across multiple state jurisdictions.

Keep reading for the full details and my takeaways.

United States

Maryland’s Comprehensive Privacy Law Takes Effect

The Maryland Online Data Privacy Act (MODPA) took effect October 1, 2025, making Maryland the 17th U.S. state with an active comprehensive privacy law. Laws in three more states (Indiana, Kentucky, and Rhode Island) will take effect on January 1, 2026, bringing the total to 20 by the start of the new year. 

TAKEAWAY

MODPA is a significant departure from most other comprehensive privacy laws, which, with some minor exceptions, are modeled after the laws of Colorado, Virginia, Connecticut, or Utah. 

Most notably, MODPA includes stricter data minimization requirements than any other state, requiring controllers to limit the collection of personal data to what is “reasonably necessary and proportionate to provide or maintain a specific product or service requested by the consumer to whom the data pertains.” 

A separate standard applies to the processing of personal data, which, unless consent is obtained, is limited to purposes that are reasonably necessary and compatible with purposes disclosed to the consumer. Comprehensive privacy laws in most other states apply a variation of this latter standard to both the collection and use of personal data, without MODPA’s stricter standard for collection. MODPA also includes a prohibition on the collection, processing, or sharing of sensitive data “except where strictly necessary to provide or maintain a specific product or service requested by the consumer to whom the personal data pertains” and an outright prohibition on the sale of sensitive data, neither of which is seen in any other comprehensive privacy law to date.

Tractor Supply Co. Fined $1.3M for Opt-Out and Disclosure Failures

The California Privacy Protection Agency (CPPA) issued its highest fine to date based on allegations that rural lifestyle retailer Tractor Supply Co. failed to honor user opt-out requests, provided insufficient disclosures, and did not put required contracts in place with third parties.

Notably, the “Do Not Sell My Personal Information” link on the company’s website directed users to a web form that did not function to opt users out of the sale of personal information collected from third-party advertising tracking technologies.

Furthermore, the website was not configured to honor Global Privacy Control (GPC) signals, and its privacy policy did not adequately notify consumers of their rights. 

TAKEAWAY

Although the fine is higher than in other CCPA enforcement actions, the allegations follow a pattern familiar from many recent actions by the CPPA, as well as those of Attorneys General in California and other states.

Specifically, almost every publicly announced action under a comprehensive privacy law in the last year has focused on opt-out failures (non-functional, incomplete, confusing, or difficult-to-use opt-out mechanisms), insufficient disclosures (inaccurate, incomplete, or vague), and/or failures to implement required contracts.     

A LITTLE MORE PRIVACY, IF YOU PLEASE

A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.
