Maryland’s stricter privacy law and $1.3M California fine signal a new compliance era

Want to receive these privacy recaps in your inbox each week? Subscribe here.

The past week has brought two significant privacy developments that are reshaping compliance requirements for U.S. businesses: 

Maryland’s Online Data Privacy Act has become the nation’s 17th active comprehensive privacy law, introducing unprecedented data minimization standards that exceed those of any other state. Meanwhile, the California Privacy Protection Agency issued its largest fine to date, penalizing Tractor Supply Co. $1.3 million for opt-out failures and disclosure violations that reflect enforcement patterns now appearing across multiple state jurisdictions.

Keep reading for the full details and my takeaways.

United States

Maryland’s Comprehensive Privacy Law Takes Effect

The Maryland Online Data Privacy Act (MODPA) took effect October 1, 2025, making Maryland the 17th U.S. state with an active comprehensive privacy law. Laws in three more states (Indiana, Kentucky, and Rhode Island) will take effect on January 1, 2026, bringing the total to 20 by the start of the new year. 

TAKEAWAY

MODPA is a significant departure from most other comprehensive privacy laws, which, with some minor exceptions, are modeled after the laws of Colorado, Virginia, Connecticut, or Utah. 

Most notably, MODPA includes stricter data minimization requirements than any other state, requiring controllers to limit the collection of personal data to what is “reasonably necessary and proportionate to provide or maintain a specific product or service requested by the consumer to whom the data pertains.” 

A separate standard applies to the processing of personal data, which, unless consent is obtained, is limited to purposes that are reasonably necessary and compatible with purposes disclosed to the consumer. Comprehensive privacy laws in most other states apply a variation of this latter standard to both the collection and use of personal data, without MODPA’s stricter standard for collection. MODPA also includes a prohibition on the collection, processing, or sharing of sensitive data “except where strictly necessary to provide or maintain a specific product or service requested by the consumer to whom the personal data pertains” and an outright prohibition on the sale of sensitive data, neither of which is seen in any other comprehensive privacy law to date.

Tractor Supply Co. Fined $1.3M for Opt-Out and Disclosure Failures.

The California Privacy Protection Agency (CPPA) issued its highest fine to date based on allegations that rural lifestyle retailer Tractor Supply Co. failed to honor user opt-out requests, provided insufficient disclosures, and did not put required contracts in place with third parties.

Notably, the “Do Not Sell My Personal Information” link on the company’s website directed users to a web form that did not function to opt users out of the sale of personal information collected from third-party advertising tracking technologies. 

Furthermore, the website was not configured to honor Global Privacy Control (GPC) signals, and its privacy policy did not adequately notify consumers of their rights. 

TAKEAWAY

Although the fine is higher than in other CCPA enforcement actions, the allegations follow a pattern familiar to many recent actions by the CCPA, as well as those of Attorneys General in California and other states. 

Specifically, almost every publicly announced action under a comprehensive privacy law in the last year has focused on opt-out failures (non-functional, incomplete, confusing, or difficult-to-use opt-out mechanisms), insufficient disclosures (inaccurate, incomplete, or vague), and/or failures to implement required contracts.     

A LITTLE MORE PRIVACY, IF YOU PLEASE

• FTC Accuses Sendit of Collecting Children’s Data Without Parental Consent. 
• Does Google Tag Manager (GTM) require user consent? Breaking down the 2025 decision from Germany

A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.