Maryland - US Sectoral Privacy Overview
May 2024
1. RIGHT TO PRIVACY/ CONSTITUTIONAL PROTECTION
Maryland law does not provide for a general right to privacy.
2. KEY PRIVACY LAWS
MPIPA
Maryland's Personal Information Protection Act (MPIPA, or the Maryland Data Breach Notification Law), Md. Code Com. Law §14-3501 et seq., was enacted in 2008 and amended several times, most recently in 2022. MPIPA provides security and deletion requirements and imposes data breach notification obligations on Maryland businesses that process 'personal information' as defined in the statute.
Under MPIPA, 'personal information' includes a Maryland resident's first name or initial and last name in combination with either (Md. Code Com. Law § 14-3501(e)(1)(i)):
- a social security number, tax identification number, passport number, driver's license number, or other government identification number;
- account number, credit card number, or debit card number, along with a security code or password permitting access to a financial account;
- health information;
- health insurance policy, certificate, or subscriber identification number in combination with a unique identifier;
- biometric data; and
- genetic information under certain circumstances.
Personal information also includes a username or email address in combination with a password or security question and answer permitting access to the user's email account (Md. Code Com. Law §14-3501(e)(1)(ii)). In addition, personal information may include standalone genetic information when not properly rendered unreadable or unusable (Md. Code, Com. Law §14-3501(e)(1)(iii)).
When a business destroys a Maryland customer's, employee's, or former employee's records containing personal information, the business must take reasonable steps to protect against unauthorized disclosures of the information (Md. Code Com. Law §14-3502(b)).
Security obligations attach to businesses that own or license the personal information of Maryland residents. Specifically, businesses must implement and maintain reasonable security procedures and practices based on a risk analysis considering the business and the information at issue. If a business uses a non-affiliated third party as a service provider and discloses personal information of Maryland residents under a written contract, then the business must require the third party to implement and maintain reasonable security procedures appropriate to the personal information and reasonably designed to protect from unauthorized access, modification, disclosure, or destruction (Md. Code Com. Law §14-3503).
Obligations attach to an entity when there is a breach of a security system. A 'breach of a security system' means 'unauthorized acquisition' of computerized data and includes an exception for good faith acquisition. In the event of a breach, a business that owns or licenses the information must:
- conduct in good faith a reasonable and prompt investigation to determine the likelihood that personal information has been or will be misused; and
- notify the affected individual of the breach, but only if the investigation finds a likelihood of misuse.
The notification must be provided 'as soon as reasonably practicable' and not later than 45 days after the conclusion of an investigation. If the business determines that notification is not required, then it must maintain records of that determination for three years after making the determination (Md. Code Com. Law §14-3504).
For breaches of email account credentials, notification may be provided only electronically, in a form that prompts the individual to change their password and security question or answer, or to take other steps to protect their email account (Md. Code Com. Law § 14-3504).
If a business suffers a breach but does not own or license the information, it must notify the owner or licensor of the information 'as soon as practicable' and not later than 45 days and provide relevant information regarding the breach.
If individual notice must be provided, then the business must first provide notice to the Maryland Office of the Attorney General (AG). Breaches affecting more than 1,000 individuals require notification to consumer reporting agencies. The data breach notification statute is enforced as an unfair and deceptive trade practice, which allows for privacy causes of action and for enforcement by the AG (Md. Code Com. Law §14-3506). Entities and their affiliates subject to and in compliance with the Gramm–Leach–Bliley Act of 1999 (GLBA), the Fair and Accurate Credit Transactions Act of 2003 (FACTA), and the Health Insurance Portability and Accountability Act of 1996 (HIPAA) are exempt (Md. Code Com. Law §14-3507).
MODPA
The Maryland Online Data Privacy Act of 2024 (MODPA) was signed into law on May 9, 2024, and will take effect October 1, 2025, though it will not 'have any effect on or application to any personal data processing activities before April 1, 2026.' The MODPA marks Maryland's first comprehensive privacy legislation, making Maryland the 17th state to enact such a law. The MODPA establishes obligations for data controllers and processors, introduces strict data minimization requirements regarding sensitive personal information, and identifies consumer rights for Maryland residents.
The MODPA applies to organizations that conduct business in Maryland or provide services or products that are targeted to Maryland residents, and, during the immediately preceding calendar year, either:
- controlled or processed the personal data of at least 35,000 Maryland consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or
- controlled or processed the personal data of at least 10,000 Maryland consumers and derived more than 20 percent of their gross revenue from the sale of personal data.
The MODPA excludes:
- regulatory, administrative, advisory, executive, appointive, legislative, or judicial bodies of the State of Maryland;
- national securities associations that are registered under Section 15 of the Federal Securities Exchange Act of 1934 or registered future associations designated in accordance with Section 17 of the Federal Commodity Exchange Act; or
- financial institutions or affiliates of financial institutions that are subject to Title V of the Gramm-Leach-Bliley Act (GLBA) and regulations adopted under the GLBA.
The MODPA imposes several new obligations for controllers, including limiting data collection to what is reasonably necessary for providing requested services, establishing robust data security practices, and refraining from processing personal data for targeted advertising or selling personal data related to minors under 18. Notably, the MODPA prohibits the sale of 'sensitive data,' defined as 'personal data that includes:
- data revealing racial or ethnic origin; religious beliefs; consumer health data; sex life; sexual orientation; status as transgender or nonbinary; national origin; or citizenship or immigration status;
- genetic data or biometric data;
- personal data of a consumer that the controller knows or has reason to know is a child; or
- precise geolocation data.'
The Maryland AG has exclusive enforcement power over the MODPA. The law expressly provides that a violation constitutes an unfair, abusive, or deceptive trade practice (UDAP), though there is no private right of action for consumers under the act. With respect to an alleged violation on or before April 1, 2027, the Maryland AG may issue a notice of violation and a 60-day opportunity to cure it. If the controller or processor fails to remedy the issue within those 60 days, the AG can initiate an enforcement action. Penalties can be up to $10,000 per violation, but if the fine is in connection with a repeat violation, it may cost up to $25,000 for each violation. In addition to civil penalties, a person who commits a UDAP violation is guilty of a misdemeanor and is subject to a fine of up to $1,000 or imprisonment of up to one year, or both.
3. HEALTH DATA
The MODPA's definition of consumer health data encompasses personal data that a controller uses to identify a consumer’s physical or mental health status, including data related to gender-affirming treatment or reproductive or sexual healthcare. A person may not grant an employee or contractor access to consumer health data unless the recipient is subject to a contractual or statutory duty of confidentiality, or confidentiality is required as a condition of employment. Consumer health data is considered sensitive personal data under the MODPA. As such, the MODPA's restrictions on sensitive personal data would similarly apply to consumer health data. Once in effect, the MODPA would also prohibit the use of geofence technology to establish a virtual boundary around certain health facilities for the purpose of identifying, tracking, or collecting data from, or sending notifications to consumers regarding the consumers’ consumer health data.
Maryland also places obligations on entities that handle 'protected health information' which is defined coextensively with the HIPAA Privacy Rule (45 Code of Federal Regulations Part 164) codified in the Maryland Medical Records Statute, §4-301 et seq. of the Health-General Law of Maryland (Md. Code, Health Law).
All medical records must be kept confidential and may be disclosed only under specifically permitted circumstances, including when authorized by the 'person in interest' (that is, the person whose record it is or someone authorized to consent or who is otherwise an authorized representative), including explicitly on health care exchanges. Disclosures are also permitted:
- to a health care provider's authorized employees, legal counsel, medical staff, or consultants for purposes of providing, evaluating, or seeking payment for health care services;
- to another health care provider for the sole purpose of treatment;
- to an insurance carrier for coordinating care under certain prerequisites;
- immediate family members under certain prerequisites;
- to organ, tissue, or eye recovery agencies;
- for educational, research, health care delivery system evaluation, or faculty accreditation under certain prerequisites;
- if a health care provider determines immediate disclosure is necessary for emergency health care needs; or
- if there is a compulsory process (such as a subpoena) or a government investigation.
The Medical Records Statute allows for a private right of action, which allows an individual to recover actual damages. Healthcare providers who knowingly and willfully violate the provisions of the statute may be guilty of a misdemeanor and, if convicted, they can be subject to a fine of $1,000 for the first offense and not exceeding $5,000 for each subsequent conviction. Fraudulently obtaining a medical record can also lead to a criminal conviction, fines of up to $250,000, and imprisonment of up to ten years (Md. Code, Health Law §4-309). Further, beginning June 1, 2024, healthcare providers who knowingly violate the provisions of the statute involving abortion care and other 'sensitive health services' (as defined by the Secretary of the Maryland Department of Health) may be guilty of a misdemeanor and, if convicted, they can be subject to a fine of up to $10,000 per day (Md. Code, Health Law §4-302.5).
While not yet expressly codified in Maryland law, the Office of Civil Rights (OCR) of the Department of Health and Human Resources (HHS), which is responsible for enforcing HIPAA, recently issued guidance regarding the use of online tracking technologies (such as cookies) by regulated entities and their business associates. The use of tracking technologies in a manner that would result in impermissible disclosures of protected health information (PHI) to tracking technology vendors, or any other violations of the HIPAA Rules, may result in a civil money penalty.
4. FINANCIAL DATA
§1-301 et seq. of the Financial Institutions Law of the Code of Maryland (Md. Code, Fin. Inst. Law) places certain restrictions on what 'fiduciary institutions' (primarily banks, credit unions, and savings and loans) may do with 'financial records' (statements, documents providing authority over accounts, checks, and other information relating to accounts).
Specifically, fiduciary institutions may not disclose financial records of customers unless one of seven enumerated exceptions applies, including the following (Md. Code, Fin. Inst. Law § 1-302):
- the customer has authorized the disclosure to that person;
- proceedings have been instituted for the appointment of a guardian of the property or of the person of the customer, and court-appointed counsel presents to the fiduciary institution an order of appointment or a certified copy of the order issued by, or under the direction or supervision of, the court or an officer of the court;
- the customer is disabled and a guardian is appointed or qualified by a court, and the guardian presents to the fiduciary institution an order of appointment or a certified copy of the order issued by, or under the direction or supervision of, the court or an officer of the court;
- the customer is deceased and a personal representative is appointed or qualified by a court, and the personal representative presents to the fiduciary institution letters of administration issued by or under the direction or supervision of the court or an officer of the court;
- the Department of Human Services requests the financial record in the course of verifying the individual’s eligibility for public assistance;
- the institution received a request directly from an adult protective services program in a local department of social services that, under Title 14 of the Family Law Article, is investigating a suspected financial abuse or financial exploitation of the customer;
- the institution received a request, notice, or subpoena for information directly from the Child Support Administration of the Department of Human Services or indirectly through the Federal Parent Locator Service; or
- the institution received a request, notice, or subpoena for information directly from the Comptroller.
The statute does not prohibit disclosures for the examination of bank records, reporting requirements, handling of records by fiduciary institution staff, or one of 13 other allowances (Md. Code, Fin. Inst. Law § 1-303):
- the preparation, examination, handling, or maintenance of financial records by any officer, employee, or agent of a fiduciary institution that has custody of the records;
- the examination of financial records by a certified public accountant while engaged by a fiduciary institution to perform an independent audit;
- the examination of financial records by, or the disclosure of financial records to, any officer, employee, or agent of a supervisory agency for use only in the exercise of that person's duties as an officer, employee, or agent;
- the publication of information derived from financial records if the information cannot be identified to any particular customer, deposit, or account;
- the making of reports or returns required or permitted by federal or state law;
- the disclosure of any information permitted to be disclosed under those provisions of the Md. Code, Com. Law that relates to the dishonor of a negotiable instrument;
- the exchange, in the regular course of business, of credit information between a fiduciary institution and any other fiduciary institution or commercial enterprise, if made directly or through a consumer reporting agency;
- the exchange, in the regular course of business, of a statement of a mortgage account on the subject property in connection with a sale, refinancing, or foreclosure, of real property, or the disclosure, in the regular course of business, of a statement of a mortgage account on the subject property to the holder of any subordinate mortgage or security interest;
- the disclosure to a state's attorney of any information in accordance with § 8-104(c) of the Criminal Law Code of the Code of Maryland (Md. Code, Crim. Law) (regarding the presentation of a certificate under oath to prove insufficient funds and dishonor of checks);
- a fiduciary institution from disclosing to the Department of Human Services an individual's financial records that the department determines are necessary to verify or confirm the individual's eligibility or ineligibility for public assistance;
- in a prosecution outside the state for the crime of obtaining property or services by bad check, the presentation to the prosecutor of a certificate under oath by an authorized representative of a drawee that declares:
  - the dishonor of the check by the drawee;
  - the lack of an account with the drawee at the time of utterance; or
  - the insufficiency of the drawer's funds at the time of presentation and utterance;
- the disclosure of the financial records of one of its customers by a fiduciary institution to an affiliate that extends credit for the sole purpose of evaluating a requested or existing extension of credit to that customer by an affiliate of the fiduciary institution; or
- a fiduciary institution from disclosing to the Comptroller an individual's financial records that the Comptroller determines are necessary to enforce the tax laws of the state.
Intentional violations are punishable as misdemeanors, potentially leading to a fine of up to $1,000 (Md. Code, Fin. Inst. Law § 1-305).
5. EMPLOYMENT DATA
Maryland's law on username and password privacy protections, codified under §3-712 of the Labor and Employment Law of the Code of Maryland, prohibits employers from requesting or requiring that an employee or prospective employee disclose login information for accessing any personal account or service through an electronic communications device.
Employers may still enact workplace policies to limit and monitor the use of an employee's electronic equipment, including the use of social media and email use. Employers may also require disclosure of login information for access to an employment-related account, service, or electronic communications device. The AG may bring an enforcement action for injunctive relief or damages.
6. ONLINE PRIVACY
Once effective, the MODPA will require data controllers to clearly disclose to consumers if they sell personal data to third parties or process personal data for targeted advertising or profiling, and provide a clear method for consumers to opt out. The option to opt out of these types of personal data processing is one of the multiple consumer rights under the MODPA. Consumers may also:
- confirm whether a controller processes their personal data and, if so, access that data;
- correct inaccuracies in their personal data;
- delete personal data provided by or obtained about the consumer, unless retention of the data is required by law;
- obtain a copy of their personal data held by the controller in a readily usable format (i.e., data portability) that allows the consumer to easily transfer their data to another controller; and
- obtain a list of the categories of third parties to which the controller has disclosed their data or to which the controller has disclosed data generally.
7. UNSOLICITED COMMERCIAL COMMUNICATIONS
Maryland's Spam Deterrence Statute, codified under §3-805.1 of the Md. Code, Crim. Law prohibits the knowing use of a computer used in communication to:
- relay or transmit multiple messages to deceive or mislead recipients;
- use materially false headings;
- register for 15 or more accounts in order to deceive others;
- falsely represent the right to use five or more IP addresses; and/or
- access a computer used in commerce without authorization and intentionally initiate transmission of multiple electronic mail advertisements.
Violations of the statute, depending on their severity, can lead to either a misdemeanor or felony, as well as forfeiture of any gains made as a result of the communications. Specifically,
- a person who violates Md. Code, Crim. Law §3-805.1(b)(1), (2), (3), (4), or (5) is guilty of a misdemeanor and on conviction is subject to imprisonment not exceeding three years or a fine not exceeding $5,000 or both;
- a person who violates Md. Code, Crim. Law §3-805.1(b)(1), (2), (3), (4), or (5) involving the transmission of more than 250 commercial electronic mail messages during a 24-hour period, 2,500 commercial electronic mail messages during any 30-day period, or 25,000 commercial electronic mail messages during any 1-year period is guilty of a misdemeanor and on conviction is subject to imprisonment not exceeding five years or a fine not exceeding $10,000 or both;
- a person who violates Md. Code, Crim. Law §3-805.1(b)(3) involving 20 or more electronic mail accounts or ten or more domain names and intentionally initiates the transmission of multiple commercial electronic mail messages from the accounts or using the domain names is guilty of a misdemeanor and on conviction is subject to imprisonment not exceeding five years or a fine not exceeding $10,000 or both;
- a person who violates Md. Code, Crim. Law §3-805.1(b)(1), (2), (3), (4), or (5) in a manner that causes a loss of $500 or more during any 1-year period is guilty of a misdemeanor and on conviction is subject to imprisonment not exceeding five years or a fine not exceeding $10,000 or both;
- a person who violates Md. Code, Crim. Law §3-805.1(b)(1), (2), (3), (4), or (5) in concert with three or more other persons as the leader or organizer of the action that constitutes the violation is guilty of a misdemeanor and on conviction is subject to imprisonment not exceeding five years or a fine not exceeding $10,000 or both;
- a person who violates Md. Code, Crim. Law §3-805.1(b)(1), (2), (3), (4), or (5) in furtherance of a felony, or who has previously been convicted of an offense under the laws of Maryland, another state, or under any federal law involving the transmission of multiple commercial electronic mail messages, is guilty of a felony and on conviction is subject to imprisonment not exceeding ten years or a fine not exceeding $25,000 or both; and
- a person who violates Md. Code, Crim. Law §3-805.1(b)(6) or (7) is guilty of a misdemeanor and on conviction is subject to imprisonment not exceeding one year or a fine not exceeding $5,000 or both.
8. PRIVACY POLICIES
There is no general law in Maryland requiring the use of privacy policies or placing requirements on the content of privacy policies. §13-101 et seq. of the Md. Code, Com. Law, prohibits organizations from engaging in unfair or deceptive business practices. Such practices may include false or misleading representations in privacy policies.
9. DATA DISPOSAL/CYBERSECURITY/DATA SECURITY
Both the MODPA and the Data Breach Notification Law described above create general disposal and security requirements.
For more information, please see OneTrust DataGuidance's Guidance Notes on Maryland – Data Breach.
10. OTHER SPECIFIC JURISDICTIONAL REQUIREMENTS
Child Online Safety
HB 603/SB 571, also known as the Maryland Age Appropriate Design Code or the Kids Code, were two identical bills signed into Maryland law on May 9, 2024. The Kids Code will go into effect on October 1, 2024, and will require default privacy settings and safety measures for children, including how social media and other companies collect or sell data of users who are minors. The upcoming law will also require companies to complete assessments that specifically look at how a new feature might affect children before the feature is rolled out to the public. Companies would be subject to fines of $2,500 per child for each negligent violation and $7,500 per child for an intentional violation. Maryland is only the second state to enact such legislation, following California's Age Appropriate Design Code.
Education Data
The Student Data Privacy Act of 2015, codified under §4-131 of the Education Law of the Code of Maryland ('Md. Code, Educ. Law'), protects information or material that personally identifies a PreK-12 student in Maryland, or is linked to information or material that personally identifies an individual student in the state, and is gathered by an operator, that is, a third party acting by way of contract with a school system or department through the operation of a site, service, or application. Covered information includes 19 different categories of information, including the following:
- educational and disciplinary record;
- first and last name;
- home address and geolocation information;
- telephone number;
- electronic mail address or other information that allows physical or online contact;
- test results, grades, and student evaluations;
- special education data;
- criminal records;
- medical records and health records;
- social security number;
- biometric information;
- socioeconomic information;
- food purchases;
- political and religious affiliations;
- text messages;
- student identifiers;
- search activity;
- photos;
- voice recordings;
- online behavior or usage of applications;
- persistent unique identifiers; and
- confidential information (defined by the Department of Information Technology).
Operators must protect covered information, implement and maintain reasonable security procedures, and delete the information within a reasonable time period if a school or system requests deletion. Operators may not engage in targeted advertising, use information obtained other than for a school purpose, sell student information, or disclose covered information unless disclosure falls under one of ten specified reasons, including the following:
- if the disclosure is made only in furtherance of the PreK-12 school purpose of the site, service, or application and the recipient of the covered information:
  - does not further disclose the information; and
  - is legally required to comply with Md. Code, Educ. Law §4-131(c) and (d)(1);
- to ensure legal or regulatory compliance;
- to take precautions against liability;
- to respond to or participate in the judicial process;
- to protect the safety of users or others or the security or integrity of the site, service, or application;
- to a service provider, provided the operator contractually:
  - prohibits the service provider from using any covered information for any purpose other than providing the contracted service to, or on behalf of, the operator;
  - except for a purpose expressly permitted under this subsection, prohibits the service provider from disclosing covered information provided by the operator to a third party; and
  - requires the service provider to comply with the requirements of Md. Code, Educ. Law §4-131(c) and (d)(1)(i) through (iii);
- if Md. Code, Educ. Law § 4-131(d)(1)(i) through (iii) is not violated;
- if federal or state law requires the operator to disclose the information, and the operator complies with the requirements of federal and state law in protecting and disclosing the information;
- for legitimate research purposes such as:
  - research required by federal or state law; or
  - research allowed by federal or state law if a student's covered information is not used for advertising or to make a profile on the student for a purpose other than a PreK-12 school purpose; or
- to a state or local education agency, including public schools and local school systems, for a PreK-12 school purpose, as permitted by federal and state law.
Operators may use aggregated or de-identified information to improve the site and products.