
An Alternative To Consent (finally)?

Writer: Lauren Murphy

Updated: Mar 7



For decades, notice and consent has been the foundation of U.S. privacy law. The model is simple: companies tell consumers what data they collect, how they use it, and if necessary, ask for their consent. If a user checks the box, data collection is fair game. In the EU, it's much the same - but consent is a bit more important and there are a few more hoops, like data minimisation and data reuse.


But do notice and consent actually work? In practice, the model has been more of a legal safety net for businesses than a meaningful protection for consumers.



Few people read privacy policies, and those who do rarely understand the full implications. The illusion of choice has left consumers overwhelmed by dark patterns, deceptive consent flows, and excessive data collection.


In 2025, we’re finally seeing a shift in U.S. privacy law that acknowledges this failure—and Maryland’s Online Data Privacy Act (MODPA) may be the biggest push yet toward a new approach.


Moving Beyond "Notice & Consent" to "Necessity & Purpose"


  • Most U.S. privacy laws (CCPA, VCDPA) allow broad data collection as long as companies disclose it and obtain consent.

  • By contrast, Maryland sets hard limits:

    • Personal data → Can only be collected if reasonably necessary for a consumer-requested service.

    • Sensitive data → Can only be processed if strictly necessary for that service.

  • Consumer consent won’t override these restrictions, a major departure from U.S. norms where consent acts as a legal safety net.


    Is this an acknowledgment that consent alone doesn’t work?


Does this make Maryland stricter than the GDPR?


Well, yes - because of the lack of exceptions.

  • GDPR allows secondary data use if it is "compatible" with the original purpose. MODPA does not appear to provide such flexibility, making compliance even more rigid than GDPR in some cases. However, it does let you determine the scope of the original purpose, provided that scope is "reasonable and appropriate", which could mean the original purpose is broader than it would be under GDPR.

  • Under GDPR, secondary use of sensitive data may be permitted for public interest, research, or legal claims. MODPA appears to lack these exceptions, making it even more restrictive.


Why does this matter?


  • It Acknowledges That Consent Doesn't Work

    • For years, privacy experts have warned that people don’t read or understand privacy notices. Maryland’s approach forces businesses to justify why they need the data instead of pushing responsibility onto consumers.

  • No More Broad Consents:

    • Businesses will need detailed data maps to ensure every piece of personal data has a clear and necessary use case. "We told you in our privacy policy" won’t be a defence anymore.

    • This means that data mapping & governance are now non-negotiable—if you don’t know your data flows, you can’t comply.

  • AI, Targeted Ads & Analytics Could Be in Trouble:

    • If secondary data processing is restricted, businesses relying on AI training, behavioral advertising, and internal analytics may face serious challenges.

    • Every data point must be justified—if it’s not strictly necessary for a requested service, it’s off-limits.

  • How Might "Strictly Necessary" Be Interpreted?

    • One clue to how Maryland might enforce its "strict necessity" rule comes from the Privacy and Electronic Communications Regulations (PECR), which govern cookies and tracking technologies.

    • Under PECR:

      • Businesses must get consent for most tracking and data collection.

      • The only exception is if the data is strictly necessary for an explicitly requested service.

      • Key test: Would the service work the same way without the data? If yes, the data isn’t necessary and cannot be collected without consent.

    • If Maryland’s strict necessity test is applied the same way, AI personalisation, analytics, and advertising could be severely restricted.


MODPA moves the U.S. toward privacy by design, limiting data collection and processing based on necessity rather than user consent. This shift could reshape U.S. privacy laws, restrict AI development, and set a new precedent for data protection.


What's next:

  • A March 4 hearing will review a proposed amendment (HB 1365) that clarifies some of these rules.

  • If Maryland enforces this law strictly, it could set a precedent for other states and even push Congress toward a national data minimisation standard.




 
 
 
