
Beyond the Policy: Maryland's New Privacy Enforcement Is a Wake-Up Call for Small Business AI

April 3, 2026  ·  5 min read

As of April 1, 2026, the grace period for the Maryland Online Data Privacy Act (MODPA) has officially ended. For organizations with 10–100 employees, the question has shifted from "does this apply to me?" to "am I ready for an audit?"

Maryland now has some of the strictest data-minimization standards in the country. But for most small businesses, the real challenge isn't just updated fine print. It's the collision of new privacy rules with the rapid adoption of AI across sales, marketing, HR, and operations.

Whether you're using an AI-driven CRM to score leads, automations to triage support tickets, or third-party tools that quietly profile customers in the background, MODPA now expects a disciplined, vCISO-style approach to make sure innovation doesn't become a legal liability.


The Rule of 35k: "We're Too Small" No Longer Holds

You're likely in scope if, during the preceding year, you controlled or processed the personal data of 35,000 or more Maryland residents (data handled solely to complete a payment transaction doesn't count toward that number), or 10,000 or more if more than 20% of your gross revenue comes from selling personal data.

For a 20-person firm, that number sounds large, until you add it up. A newsletter list with 25,000 Maryland subscribers. A year of e-commerce orders shipped to Baltimore–DC zip codes. A popular local app with most monthly active users in the corridor. You can reach 35,000 Maryland residents long before you have 35,000 paying customers. Unique visitors, dormant leads, and inactive accounts still count if you're storing their personal data. The threshold counts people, not rows: the same person in your CRM, your order history, and your app counts once, so the number you need is a deduplicated inventory across systems, not the sum of your list sizes.

Consent Isn't Enough Anymore

Most small businesses operate on a simple rule: get consent, show a cookie banner, and you're covered. MODPA is less forgiving. It requires that you only collect and keep what is reasonably necessary and proportionate to deliver the specific product or service someone actually asked for. For sensitive data (health, precise geolocation, biometrics, and similar categories) the bar is higher still: only what is strictly necessary, and selling it is prohibited outright.

In practice: just because a form field can be there doesn't mean it should. Just because a customer consented once doesn't entitle you to store everything indefinitely. Just because a vendor can enrich your data doesn't mean every enrichment field is justifiable. The firms that adapt successfully treat data like risk-weighted inventory, not free storage.

MODPA Is Maryland's First AI Law — Even If It Doesn't Say "AI"

MODPA never markets itself as an AI law, but its rules land exactly where small-business AI experiments live: lead-scoring models, propensity-to-churn scores, automated risk or fraud scoring, and GenAI tools drafting emails or recommendations based on customer histories. Under MODPA, these are often forms of profiling or high-risk processing — especially if they can meaningfully affect someone's price, offer, eligibility, or experience.

That triggers the expectation for a Data Protection Assessment (DPA) before you launch or materially change those systems. For a 10–100 employee firm, a vCISO-led DPA doesn't need to be a hundred-page document, but it does need to be real: what decision is being automated, what data feeds it, who could be harmed by a mistake, what safeguards reduce that harm, and who signs off that the residual risk is acceptable.

Your AI roadmap now lives inside a privacy law.

vCISO vs. Legal: Different Jobs, Same Goal

Small organizations often misfire by assuming that either "our lawyer handles privacy" or "our IT person handles security." In reality, they solve different halves of the problem. Legal defines what MODPA requires in policy and contract language. A vCISO finds where that data actually lives, enforces minimization in your systems and workflows, runs the Data Protection Assessments, and makes sure your vendor controls match what the contracts say.

The most resilient DMV organizations let legal define the rules of the game, and a vCISO run the playbook.

The DMV Advantage: Build Once, Comply Everywhere

If you're operating in the DMV, you're navigating Maryland (MODPA), Virginia (VCDPA), and D.C. breach notification and consumer-protection rules simultaneously. Managing three separate programs is a losing game for a 40-person firm.

The smarter approach: design to MODPA's stricter standard first, then map down into Virginia and D.C. requirements. If your minimization, sensitive data controls, AI assessments, and consumer rights processes meet Maryland's bar, you're largely covering your Virginia and D.C. exposure as a byproduct. You build once, then tune per jurisdiction — compliance as an asset, not drag.


One Diagnostic Question

If a regulator, investor, or strategic customer asked tomorrow how many Maryland residents you hold data on — and how many are being profiled or scored by AI-enabled tools — could you answer confidently on one page?
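What producing that one-page answer looks like in practice, for both the 35,000-resident threshold above and this diagnostic question: the script below is an added example written for this post, not code from the page or from the readiness tool. It dedupes constructed sample records from three sources by normalized email, keeps only Maryland residents, counts how many also appear in a hypothetical lead-scoring export, and checks the result against the MODPA thresholds. The three source layouts, the field names, the `SCORED_BY_AI` export, and the ZIP-range residency heuristic are all assumptions for illustration.

```python
"""Deduplicated Maryland-resident data inventory across several data sources.

Added example for this post, not code from the original page or any vendor
tool. All records below are constructed; the source layouts, field names and
the Maryland ZIP heuristic are assumptions chosen for illustration.
"""
from collections import defaultdict

# MODPA applicability thresholds: 35,000 consumers, or 10,000 consumers
# plus more than 20% of gross revenue from selling personal data.
CONSUMER_THRESHOLD = 35_000
SALE_THRESHOLD = 10_000
SALE_REVENUE_SHARE = 0.20

# Constructed sample data. A real inventory would read exports from the
# CRM, the e-commerce platform and the app database instead.
NEWSLETTER = [
    {"email": "Ana@Example.com", "state": "MD"},
    {"email": "ben@example.com ", "state": "VA"},
    {"email": "cara@example.com", "state": "MD"},
    {"email": "not-an-email", "state": "MD"},              # junk row, skipped
]
ORDERS = [
    {"email": "ana@example.com", "ship_zip": "21201"},     # Baltimore; same person as above
    {"email": "dev@example.com", "ship_zip": "20850"},     # Rockville
    {"email": "ben@example.com", "ship_zip": "22201"},     # Arlington, VA
]
APP_USERS = [
    {"email": "cara@example.com", "state": "MD", "active": False},  # dormant, still counts
    {"email": "eve@example.com", "state": "DC", "active": True},
    {"email": "dev@example.com", "state": "MD", "active": True},
]
# Hypothetical export of everyone fed to an AI lead-scoring tool (assumed).
SCORED_BY_AI = {"ana@example.com", "eve@example.com", "dev@example.com"}


def normalize_email(raw):
    """Canonical join key: trimmed and lower-cased; None for non-email rows."""
    email = (raw or "").strip().lower()
    if "@" not in email or "." not in email.rsplit("@", 1)[-1]:
        return None
    return email


def is_maryland(state=None, zip_code=None):
    """Residency signal: an explicit state code wins; otherwise a 5-digit ZIP.
    Assumed simplification: Maryland ZIPs run 20601-21930. A bare '20' prefix
    is not used because 205xx covers federal Washington, DC addresses."""
    if state:
        return state.strip().upper() == "MD"
    if zip_code and zip_code[:5].isdigit():
        return 20601 <= int(zip_code[:5]) <= 21930
    return False


def build_inventory(newsletter, orders, app_users):
    """Return {email: set(sources)} for every unique Maryland resident."""
    residents = defaultdict(set)
    sources = (("newsletter", newsletter), ("orders", orders), ("app", app_users))
    for name, rows in sources:
        for row in rows:
            email = normalize_email(row.get("email"))
            if email is None:
                continue
            if is_maryland(state=row.get("state"), zip_code=row.get("ship_zip")):
                residents[email].add(name)
    return dict(residents)


def summarize(residents, scored):
    """The one-page numbers: unique residents, per-source counts, AI-profiled."""
    by_source = defaultdict(int)
    for srcs in residents.values():
        for name in srcs:
            by_source[name] += 1
    profiled = sorted(e for e in residents if e in scored)
    return {
        "unique_md_residents": len(residents),
        "md_rows_before_dedup": sum(len(s) for s in residents.values()),
        "by_source": dict(by_source),
        "profiled_md_residents": len(profiled),
    }


def in_scope(unique_residents, sale_revenue_share=0.0):
    """Apply the two MODPA applicability tests to a deduplicated count."""
    if unique_residents >= CONSUMER_THRESHOLD:
        return True
    return unique_residents >= SALE_THRESHOLD and sale_revenue_share > SALE_REVENUE_SHARE


if __name__ == "__main__":
    report = summarize(build_inventory(NEWSLETTER, ORDERS, APP_USERS), SCORED_BY_AI)
    for key, value in report.items():
        print(f"{key}: {value}")
    print("in scope:", in_scope(report["unique_md_residents"]))
```

On the sample data the three sources hold ten rows and six Maryland-matching rows, but only three unique Maryland residents, two of whom are being scored by the hypothetical AI tool. Swapping the constructed lists for real exports gives the same three numbers for your own organization; the join key and the residency rule are the two things worth agreeing on with legal before you trust the count.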

If the honest answer is not yet, you don't need a thousand-page policy. You need a focused 90-day MODPA and AI governance sprint, and someone to own it. For DMV organizations between 10 and 100 employees, that's exactly the gap a strong vCISO is designed to fill.

Free Tool: MODPA Readiness Checklist

Enter your name and sector, and generate a personalized print-ready readiness guide in seconds. Sector-specific tracks for Nonprofits, Healthcare, Professional Services, and Tech/SaaS.

🔒 Runs entirely in your browser. We don't store your name, organization, or results. We're advising you on MODPA compliance — it would be hypocritical not to practice it ourselves.

Use the Free Readiness Tool →

Ready to find out where you stand?

Two ways to take the next step — no pressure, no pitch.
