Maryland’s MODPA Just Made Your Default WooCommerce Pixels Illegal

May 8, 2026
by Cherry Rose

Maryland’s Online Data Privacy Act started enforcement on April 1, 2026 — with the lowest applicability bar of any US state privacy law. The threshold is just 35,000 Maryland consumers per year, covering only 0.56% of the population (vs Colorado’s 1.72%, Oregon’s 2.35%, Delaware’s 3.43%). The brutal twist isn’t the threshold. It’s that MODPA’s data-minimisation rule overrides consent entirely — even with a perfect cookie banner, you cannot lawfully collect more than what is “reasonably necessary” to deliver the product the consumer asked for. Default Meta Pixel, GA4, and Klaviyo installs on a WooCommerce store fail that test the moment the threshold trips.

The 35,000-Buyer Threshold Reaches Almost Everyone

The 35,000-consumer threshold can be reached by any WooCommerce store with roughly 100 Maryland buyers per day on average (Seresa analysis based on US Census Maryland population data and MODPA Section 14-4602(A)). Maryland is small — about 6.2 million people — but it sits inside the I-95 corridor where ecommerce volume runs hot. A store doing $4-6M in annual revenue with a typical East Coast geographic split is already over the line.

The penalties are not theoretical. MODPA enforcement began April 1, 2026, with civil penalties of up to $10,000 per violation and $25,000 per repeat violation (Maryland Attorney General), figures that Maryland AG Anthony G. Brown has stated publicly when warning organisations that fail to comply.

This is also the first US privacy law where adding a consent banner does not solve the problem. Most state laws — CCPA, CPRA, Colorado, Connecticut, Virginia — treat consent as a workaround. MODPA does not. Consent is necessary for some collection, but it is no longer sufficient for any of it.

What Makes MODPA Different: Minimisation Overrides Consent

Data minimisation, under MODPA Section 14-4607, is the legal requirement to collect only personal data that is reasonably necessary and proportionate to provide the product or service the consumer actually requested. Even with a signed, timestamped, perfectly logged consent record, you cannot lawfully collect more than that. The minimisation rule is in addition to consent, not replaced by it.

The rule has teeth in two specific places. First, the sensitive data definition under Section 14-4601 casts a wide net: precise geolocation, race, religion, mental or physical health, sex life or sexual orientation, citizenship status, genetic and biometric data, children’s data, and consumer health data. MODPA bans the sale of sensitive data outright; there is no consent workaround and no opt-out checkbox available, and, as EPIC’s reporting on MODPA put it, the law also demands that companies only collect what they actually need (EPIC / State of Surveillance, 2026).

Second, the age threshold. MODPA’s age threshold protects every consumer under 18 — the highest age threshold of any US state privacy law (federal COPPA stops at 13, most state laws at 16; EPIC, Potomac Law, 2026). For an ecommerce site, that means any visitor in high school or below counts as a protected minor for data collection purposes — and you almost certainly cannot identify them at the pixel layer.


What Your Default WooCommerce Pixel Stack Actually Collects

Open your WooCommerce checkout in a private browser window, open the browser’s network inspector (or a request-inspecting proxy), and watch what fires when a Maryland buyer completes an order. A typical default stack sends:

  • Meta Pixel: page URL with order ID, customer email (hashed via Advanced Matching), customer name, phone, billing address, IP, user agent, fbp/fbc cookies, viewed and added-to-cart product IDs, basket value.
  • GA4 (gtag.js): client_id, IP-derived geolocation, full referral path, full page URL with query params, viewport, device, OS, browser language, full ecommerce object including line items.
  • Klaviyo: email, full name, billing and shipping address, phone, order line items, browse history backfill from cookie.
  • Hotjar / similar: session recording with form-field data unless every input is explicitly masked.

For a customer buying a single $40 item, almost none of that is “reasonably necessary” to fulfil the order. The order ID, the line items, and a payment confirmation hash are necessary. Everything else is convenience for marketing analytics — which is the exact category MODPA’s minimisation rule narrows.

The Hotjar and full-page-URL captures are the most exposed. Session recordings can sweep up health-related search queries, sensitive product browsing, and form fields that include addresses or phone numbers, all of which can land inside MODPA’s sensitive-data category for any Maryland buyer who happens to type them. Before April 1, 2026, that was a privacy-policy disclosure problem. After April 1, it is a statutory minimisation breach.

The Cure Period Clock: April 1, 2027

MODPA includes a 60-day cure period, a chance to fix a violation after notice and avoid penalties, but it is only guaranteed until April 1, 2027; after that, the AG decides case-by-case whether to offer one at all (Maryland State Bar Association, 2026). That gives roughly eleven months to get a typical pixel stack into compliance before grace becomes discretionary.

The competitive piece worth noting: most legal coverage of MODPA stops at “data minimisation” as a phrase. Most technical coverage stops at “add a consent banner.” The bridge — what specific fields a default Meta Pixel, GA4, Klaviyo, and Hotjar collect, and which ones fail the necessity test for which use case — is the work that has to happen on each store individually.


The Architectural Fix: Per-Destination Event Filtering

Default pixels are designed to send everything they can grab — the platforms wrote them that way because more data means better attribution and lookalike modelling. They cannot be trimmed at the source. That’s why the architectural answer to MODPA isn’t a different pixel; it’s a different ingestion pattern.

Per-destination event filtering means collecting events once at the WordPress hook layer with the full payload, then making a per-destination decision about which fields go to which platform. Meta’s CAPI gets order ID, hashed email, hashed phone, basket value — the fields it needs for attribution matching. GA4 gets client_id, ecommerce object, basket value — nothing about identity. Klaviyo gets the fields actually used for transactional emails. Sensitive fields and Maryland-buyer enrichment data get held at the server and never leave.

Transmute Engine™ is a first-party Node.js server that runs on your subdomain (e.g., data.yourstore.com). The inPIPE WordPress plugin captures events from woocommerce_payment_complete and other hooks, batches them, and sends them to your Transmute Engine server. The server applies per-destination filtering rules — by jurisdiction, by sensitivity, by destination requirement — and only then routes minimum-necessary fields to each downstream platform. Collect once, filter per destination, satisfy MODPA without losing GA4 or CAPI attribution.

Key Takeaways

  • Lowest threshold in the US: MODPA applies at 35,000 Maryland consumers — 0.56% of the population, half of Colorado’s bar and a sixth of Delaware’s.
  • Minimisation overrides consent: A perfect consent banner is not a defence. Collection must be reasonably necessary even with consent.
  • Penalties: $10,000 per violation, $25,000 per repeat. 60-day cure period available until April 1, 2027 only.
  • Sensitive data sale ban: Geolocation, health data, biometric data, children’s data — no consent workaround for sale, period.
  • Age 18 protection: Highest age threshold of any US state privacy law. Pixel-level identification of minors is structurally weak.
  • Architectural fix: Per-destination event filtering on a first-party server — not a consent-management plugin — is what satisfies the necessity test.

Frequently Asked Questions

Does MODPA apply to my WooCommerce store if I don’t sell to Maryland?

If you intentionally direct sales to Maryland residents (e.g., shipping there, accepting Maryland addresses) and process the personal data of 35,000 or more Maryland consumers per year, MODPA applies regardless of where your business is registered. The threshold is the consumer count, not the company location — and the bar is 35,000 buyers, far lower than CCPA’s 100,000 or Delaware’s 35,000-with-revenue test.

What data does MODPA say I cannot collect even with consent?

MODPA’s data-minimisation rule (Section 14-4607) limits collection to what is reasonably necessary for the product or service the consumer requested. Marketing analytics, lookalike modelling, and session recording on sensitive forms are common categories that fail this test. The sale of sensitive data — precise geolocation, health, biometric, children’s, religion, citizenship, sex-life data — is banned outright under Section 14-4601 with no consent workaround.

How is MODPA different from CCPA and CPRA for an ecommerce store?

CCPA and CPRA treat consent and opt-out as the primary compliance mechanisms — collect what you need, disclose it, give the consumer the right to opt out of sale or sharing. MODPA adds a structural minimisation rule on top: even with consent, collection must be necessary. It also applies at a far lower threshold (35,000 vs 100,000 buyers) and bans sensitive-data sale outright. A WooCommerce store that satisfies CCPA can still breach MODPA on the same checkout.

The cure period closes in April 2027. Audit your pixel stack against the necessity standard now — visit seresa.io to see what per-destination filtering looks like on a WooCommerce stack.
