Geotargeting after MODPA: what Maryland marketers need to change now

Amy Murray

March 5, 2026

I’m based in Maryland, and most days I’m in conversations with agencies and brands that are actively in-market, making real-time decisions with budgets on the line. Lately, one pattern shows up in almost every conversation: location, once a dependable lever, is suddenly a question mark.

Local marketing isn’t going away. But the assumptions behind tactics many teams relied on—geo-fencing, visit-based attribution, and foot-traffic reporting—are being challenged by Maryland’s Online Data Privacy Act (MODPA).

This piece is not legal advice. It’s a marketer’s view of what’s shifting, why it’s causing confusion, and how to keep using location signals without defaulting to surveillance.

What MODPA changes, in plain English

MODPA’s most disruptive move is also the simplest to explain: it treats precise location as sensitive data, and it sets a clear bar for what “precise” means.

In the statute, “precise geolocation data” is information derived from technology that can identify a consumer’s specific location within a radius of 1,750 feet, including GPS-level latitude and longitude coordinates. A 1,750-foot radius is roughly a third of a mile, so a lot of mobile signals can fall inside that range.

MODPA lists precise geolocation as “sensitive data.” And two provisions drive most of the operational change:

  • Sensitive data can only be collected, processed, or shared when it’s strictly necessary to provide or maintain a product or service the consumer requested, and the controller obtains the consumer’s consent.
  • The law prohibits the sale of sensitive data.

Multiple analyses flag MODPA’s unusually strict approach to data minimization and sensitive data compared with other state privacy laws.

Timing matters, too. MODPA took effect on October 1, 2025, and several compliance guides note that enforcement by Maryland’s Attorney General begins April 1, 2026 (with some noting that regulatory actions apply to processing after that date).

There’s one more detail that matters for location teams: geofencing around sensitive health locations. MODPA defines “geofence” broadly (GPS, cell tower connectivity, cellular data, Wi-Fi, RFID, and other location determination technologies). In its consumer health data provisions, it prohibits using a geofence within 1,750 feet of a mental health facility or a reproductive or sexual health facility for the purpose of identifying, tracking, collecting data from, or sending notifications to a consumer regarding the consumer’s consumer health data.

Even if your brand has nothing to do with health, this signals how seriously Maryland views location risk near real-world places that can reveal something sensitive.

Recently, an agency told me they’d Googled “MODPA and geo-fencing,” copied the first AI-generated summary they saw, and walked away with a simple takeaway: “Geo-fencing is only restricted near certain health facilities, so housing targets should be fine.”

That’s exactly how confusion spreads. Yes, MODPA has a highly specific restriction around geofencing near certain health facilities for consumer health data. But the bigger operational shift is broader: precise geolocation is treated as sensitive data, and the law prohibits the sale of sensitive data.

For many “geo-fencing” tactics, the practical risk isn’t whether a state official can prove an ad hit your phone. It’s whether the upstream location supply chain can still exist in the same form—data collection, classification, sharing, and resale included. When that chain changes, “we’ll keep running the same campaign” stops being a given.

Why geo-fencing and foot-traffic reporting are in the blast radius

Most location-based tactics sit on a chain of assumptions: we can access device-level location signals (often via apps), match them to ad exposure or audiences, and then move those signals between partners to report “visits” or other outcomes.

MODPA challenges that chain. If precise location is involved, the question isn’t just “do we have permission?” It’s also “is this strictly necessary for a consumer-requested service?” and “is any sensitive data being sold along the path?”

That’s why two advertisers can run what looks like the same “local” campaign and have very different risk profiles. One might be using broad geography and contextual local signals. Another might be leaning on a mobile location feed designed for high-frequency tracking.

And it’s not just Maryland. In 2024, the FTC finalized an order with InMarket that prohibits selling, sharing, or licensing precise location data and also bans products that categorize or target consumers based on sensitive location data. The direction of travel is clear: location is being treated more like a sensitive identifier than a neutral ad signal.

How to talk about “location-based” now

One reason MODPA is causing so much confusion is that “location-based advertising” has always been an umbrella term. In practice, it usually covers three separate activities:

  • Location-based targeting: deciding where ads are delivered (DMA, ZIP, neighborhood, within-radius, venue-level).
  • Location-based measurement: tying exposure to outcomes, including store visits or trade-area lift.
  • Location-based reporting: insights dashboards that summarize what happened in local markets.

Under MODPA, those three buckets can have very different risk profiles. A campaign targeted to a metro area can be “location-based” without touching precise geolocation. A foot-traffic report, on the other hand, can require device-level signals depending on how it’s built. That’s why “we aren’t geo-fencing” doesn’t automatically mean “we aren’t using sensitive location.”

If you take nothing else from this piece, take this: stop evaluating local tactics by what they’re called. Evaluate them by what data they require.

Three mistakes I’m seeing in Maryland right now

Before we get into solutions, it’s worth calling out where campaigns tend to go sideways. These aren’t edge cases. They’re patterns I’m seeing across otherwise thoughtful teams, usually because “location” gets treated as one big bucket instead of a few very different practices.

Mistake #1: Treating “local” as synonymous with “precise location”

Local targeting can be done without precise geolocation. The problem is that many teams default to the most granular option because it used to produce a tidy story: build a fence, show an ad, count a visit.

Under MODPA, that default is risky. “Local” is a strategy. “Precise location data” is a data type with special rules.

Mistake #2: Assuming aggregation makes everything safe

Aggregation and de-identification can reduce risk, but they don’t automatically neutralize how data was collected or transferred. If a location feed conflicts with sensitive-data restrictions upstream, a dashboard summary later doesn’t fix it.

Mistake #3: Treating compliance as a vendor checkbox

I’m not anti-vendor. I’m anti-black-box.

If a partner can’t explain where location data comes from, how it’s classified, what “sale” means in their contracts, and how state privacy signals are honored, you’re being asked to carry risk without visibility.

And I hear the pushback that usually follows: “Even if it’s restricted, how would anyone prove where an ad came from?” It’s the wrong frame. Enforcement pressure tends to show up upstream—on the parties collecting, packaging, and selling data, and on the contracts and technical signals that govern how that data moves. When sensitive-location supply gets filtered, withheld, or reclassified, campaigns don’t blow up with a dramatic headline. They just stop matching the way they used to.

That’s also why standards are shifting in the background. In late 2025, IAB Tech Lab added a Maryland state section to its GPP updates, continuing the push to standardize how consent and opt-out signals travel through the ecosystem. If your partners aren’t keeping up, reporting becomes unstable fast—even when the creative is doing its job.

The shift I’m recommending: from “where people go” to “how places perform”

Here’s the mindset change that makes the rest manageable:

Stop thinking of location as an identity signal. Start thinking of it as a market signal.

In a privacy-first model, the core question becomes: “How is this place, this trade area, this group of ZIPs, this context performing?” You can still plan locally and learn locally. You just stop needing to follow a person’s phone to do it.

A practical playbook for privacy-first, location-informed advertising

The good news: there are clear, workable ways to keep local performance strong without leaning on the riskiest forms of location data. Think of the steps below as building blocks. You don’t have to adopt all of them at once, but the more you layer, the more resilient your strategy becomes under MODPA and beyond.

  1. Prioritize first-party, permissioned location where it’s genuinely part of the experience

If you have an app, a loyalty program, a store locator, appointment scheduling, or logged-in journeys, you may already have permissioned signals tied to a user-requested service. Use those insights to guide planning and creative, then activate media without exporting sensitive location into an opaque chain.

In practice, this often means using first-party geography to answer questions like: Where are our best customers coming from? Where do repeat buyers cluster? Which trade areas deserve heavier investment? You can plan smarter without needing device-level tracking to be the engine.

  2. Use contextual and place-based buying that doesn’t depend on tracking individuals

Contextual is not a consolation prize. For geotargeting, it can look like buying into local environments that signal intent without device-level tracking: local news and weather, regional sports, event coverage, and publisher packages tied to a DMA or metro.

Two quick examples:

  • A home services brand can prioritize context tied to seasonal and local triggers (weather coverage, local lifestyle content) while targeting at city or DMA level.
  • A QSR brand can align creative to local events and time windows, then evaluate lift at market level instead of forcing a visit-based narrative.

  3. Replace “foot-traffic attribution” with incrementality and modeled lift

If your local strategy lives or dies on a single foot-traffic number, MODPA is going to expose the fragility.

As privacy constraints increase, choose methodologies that are defensible:

  • Geo experiments and holdouts
  • Modeled lift that blends multiple signals (media exposure, sales, site traffic, store data)
  • Calibration against truth sets where you have permissioned data

Also reconsider the KPI itself. “Visits” is a proxy. In many categories, incremental sales, store-level revenue, CRM growth, inbound calls, or appointment completions are stronger anchors.

Pic. Company changes due to signal loss (Source).

  4. Treat privacy signals as part of campaign operations

Maryland is one state, but it’s part of a growing patchwork. The IAB’s State of Data 2024 report found that 95% of data and advertising decision-makers at U.S. brands, agencies, and publishers expect continued legislation and signal loss for years to come. That expectation should be built into how you run campaigns, not bolted on after a contract is signed.

Pic. Confidence in accuracy of data due to signal loss (Source).

  5. Make trust a feature, not a talking point

PwC’s 2024 Voice of the Consumer survey reports that 83% of consumers say protecting personal data is crucial to earning their trust, and 80% want assurances their personal information won’t be shared. Cisco’s 2024 Consumer Privacy Survey reports that 53% of respondents said they were aware of privacy laws. 

Consumers are paying attention, and they will use the controls they’re given.

Pic. Awareness of privacy laws (Source).

Vendor questions you can copy/paste today

If you’re running geo-fencing, visit-based attribution, or foot-traffic reporting in Maryland, ask every partner these questions. If they can’t answer cleanly, pause.

  1. What location signals do you use (GPS, Wi-Fi, cell tower, app SDK data, etc.), and do they meet MODPA’s “precise geolocation” definition (within 1,750 feet)?
  2. Do you classify precise location as sensitive data under MODPA, and what controls do you apply as a result?
  3. Are you selling sensitive data or enabling any transfer that could be considered a sale?
  4. If you rely on consent, whose consent is it, how is it captured, and is the collection/processing also “strictly necessary” to provide a product or service requested by the consumer?
  5. How do you honor opt-out preference signals and state privacy signals (including Maryland via GPP)?
  6. What is your policy on sensitive points of interest, and do you follow any industry standards (such as NAI’s enhanced standards)?
  7. What is your retention period for location data, and what’s your deletion process?
  8. Can you provide a high-level map of data flows: collection, processing, sharing, retention, deletion?

A short Maryland-ready action plan

If you want a simple 30-day plan that reduces risk and keeps performance moving:

  • Inventory: list every campaign and report that references location, visits, foot traffic, store proximity, or geo-fencing. Flag anything using device-level visitation audiences.
  • Classify: separate “broad local” (DMA/ZIP/city + contextual) from “precise location” (device-level signals, visit-based attribution). Treat them differently.
  • Replace fragile tactics: where possible, swap hyper-granular fences for broader geographies and contextual local buys.
  • Rebuild measurement: design at least one geo holdout test and define a KPI basket that isn’t anchored to “visits” alone.
  • Update operations: require documentation of data handling, and make sure partners can support modern privacy signaling. 

Where AI Digital fits (and how we’re helping Maryland teams)

At AI Digital, our job is to help brands and agencies keep performance strong while the rules and the signals keep shifting.

Our Open Garden framework is built for cross-platform planning and execution without getting trapped inside a single ecosystem’s constraints. For MODPA-era geotargeting, two pieces are especially relevant:

  • Smart Supply: premium supply selection designed to lean into quality inventory and contextual environments with more transparency and control.
  • Elevate: an AI-powered software layer built to surface real-time insights, forecasting, and attribution analysis when deterministic signals get weaker.

The goal isn’t to “replace geotargeting.” It’s to rebuild it around durable inputs and defensible measurement.

A final thought, from one Maryland marketer to another

MODPA doesn’t shut the door on location-informed advertising; it raises the bar on how responsibly it’s done.

If you’re a marketer, agency, or brand in Maryland and you’re unsure whether your current geo-fencing, visit attribution, or foot-traffic reporting is still on solid ground, I’d love to chat. AI Digital is helping partners pressure-test current approaches and build compliant alternatives that still drive outcomes.

You don’t have to stop advertising locally. You just have to get more precise about what “location-based” really means now.
