Maryland - US Sectoral Privacy Overview
Maryland law does not provide for a general right to privacy.
Maryland's Personal Information Protection Act, codified under §14-3501 et seq. of the Commercial Law of the Code of Maryland ('the Md. Code, Com. Law') provides security and deletion requirements and imposes data breach notification obligations on Maryland businesses that process 'personal information' as defined in the statute.
'Personal information' includes a Maryland resident's first name or initial and last name in combination with either (Md. Code, Com. Law § 14-3501(e)(1)(i)):
- a social security number, tax identification number, passport number, driver's license number, other government identification number;
- account number, credit card number, or debit card number, along with a security code or password permitting access to a financial account;
- health information;
- health insurance policy, certificate, or subscriber identification number in combination with a unique identifier;
- biometric data; and
- genetic information under certain circumstances.
Personal information also includes a username or email address in combination with a password or security question and answer permitting access to the user's email account (Md. Code, Com. Law §14-3501(e)(1)(ii)). In addition, personal information may include standalone genetic information when not properly rendered unreadable or unusable (Md. Code, Com. Law §14-3501(e)(1)(iii)).
When a business destroys a Maryland customer's, employee's, or former employee's records containing personal information, the business must take reasonable steps to protect against unauthorized disclosures of the information (Md. Code, Com. Law §14-3502(b)).
Security obligations attach to businesses that own or license personal information of Maryland residents. Specifically, businesses must implement and maintain reasonable security procedures and practices based on a risk analysis considering the business and the information at issue. If a business uses a non-affiliated third party as a service provider and discloses personal information of Maryland residents under a written contract, then the business must require the third party to implement and maintain reasonable security procedures appropriate to the personal information and reasonably designed to protect from unauthorized access, modification, disclosure, or destruction (Md. Code, Com. Law §14-3503).
Obligations attach to an entity when there is a breach of a security system. A 'breach of a security system' means 'unauthorized acquisition' of computerized data and includes an exception for good faith acquisition. In the event of a breach, a business that owns or licenses the information must:
- conduct in good faith a reasonable and prompt investigation to determine the likelihood that personal information has been or will be misused; and
- notify the individual of the breach, but only if the investigation finds a likelihood of misuse.
The notification must be provided 'as soon as reasonably practicable' and not later than 45 days after the conclusion of an investigation. If the business determines that notification is not required, then it must maintain records of that determination for three years after making the determination (Md. Code, Com. Law §14-3504).
For breaches of email account credentials, notification may be given electronically only, in a form that prompts individuals to change their password and security question and answer, or to take some other action to protect their email account (Md. Code, Com. Law § 14-3504).
If a business suffers a breach but does not own or license the information, it must notify the owner or licensor of the information 'as soon as practicable' and not later than 45 days, and provide relevant information regarding the breach.
If individual notice must be provided, then the business must first provide notice to the Maryland Office of the Attorney General ('AG'). Breaches affecting more than 1,000 individuals require notification to consumer reporting agencies. The data breach notification statute is enforced as an unfair and deceptive trade practice, which allows for private causes of action and for enforcement by the AG (Md. Code, Com. Law §14-3506). Entities and their affiliates subject to, and in compliance with, the Gramm-Leach-Bliley Act of 1999 ('GLBA'), the Fair and Accurate Credit Transactions Act of 2003 ('FACTA'), and the Health Insurance Portability and Accountability Act of 1996 ('HIPAA') are exempt (Md. Code, Com. Law §14-3507).
In addition, at the federal level, entities and their affiliates subject to the Interagency Guidelines Establishing Information Security Standards, and the Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice are also exempt.
Maryland places obligations on entities that handle 'protected health information' which is defined coextensively with the HIPAA Privacy Rule (45 Code of Federal Regulations Part 164) codified in the Maryland Medical Records Statute ('Medical Records Statute'), §4-301 et seq. of the Health-General Law of Maryland ('Md. Code, Health Law').
All medical records must be kept confidential and may be disclosed only under specifically permitted circumstances, including when authorized by the 'person in interest' (that is, the person whose record it is, someone authorized to consent on their behalf, or another authorized representative), which explicitly extends to health care exchanges. Disclosures are also permitted:
- to a health care provider's authorized employees, legal counsel, medical staff, or consultants for purposes of providing, evaluating, or seeking payment for health care services;
- to another health care provider for the sole purpose of treatment;
- to an insurance carrier for coordinating care under certain prerequisites;
- immediate family members under certain prerequisites;
- to organ, tissue, or eye recovery agencies;
- for educational, research, health care delivery system evaluation, or faculty accreditation under certain prerequisites;
- if a health care provider determines immediate disclosure is necessary for emergency health care needs; or
- if there is a compulsory process (such as a subpoena) or a government investigation.
The Medical Records Statute allows for a private right of action, which allows an individual to recover actual damages. Healthcare providers who knowingly and willfully violate the provisions of the statute may be guilty of a misdemeanor and, if convicted, they can be subject to a fine of $1,000 for the first offense and not exceeding $5,000 for each subsequent conviction. Fraudulently obtaining a medical record can also lead to a criminal conviction, fines of up to $250,000, and imprisonment of up to ten years (Md. Code, Health Law §4-309). Further, beginning June 1, 2024, health care providers who knowingly violate the provisions of the Medical Records Statute involving abortion care and other 'sensitive health services' (as defined by the Secretary of the Maryland Department of Health) may be guilty of a misdemeanor and, if convicted, they can be subject to a fine up to $10,000 per day (Md. Code, Health Law §4-302.5).
While not yet expressly codified in Maryland law, the Office for Civil Rights ('OCR') of the Department of Health and Human Resources ('HHS'), which is responsible for enforcing HIPAA, has issued recent guidance regarding the use of online tracking technologies (such as cookies) by regulated entities and their business associates. The use of tracking technologies in a manner that results in impermissible disclosures of protected health information to tracking technology vendors, or in any other violation of the HIPAA Rules, may result in a civil money penalty.
§1-301 et seq. of the Financial Institutions Law of the Code of Maryland ('Md. Code, Fin. Inst. Law') places certain restrictions on what 'fiduciary institutions' (primarily banks, credit unions, and savings and loans) may do with 'financial records' (statements, documents providing authority over accounts, checks, and other information relating to accounts).
Specifically, fiduciary institutions may not disclose financial records of customers unless one of seven enumerated exceptions apply, including the following (Md. Code, Fin. Inst. Law § 1-302):
- the customer has authorized the disclosure to that person;
- proceedings have been instituted for the appointment of a guardian of the property or of the person of the customer, and court-appointed counsel presents to the fiduciary institution an order of appointment or a certified copy of the order issued by, or under the direction or supervision of, the court or an officer of the court;
- the customer is disabled and a guardian is appointed or qualified by a court, and the guardian presents to the fiduciary institution an order of appointment or a certified copy of the order issued by, or under the direction or supervision of, the court or an officer of the court;
- the customer is deceased and a personal representative is appointed or qualified by a court, and the personal representative presents to the fiduciary institution letters of administration issued by or under the direction or supervision of the court or an officer of the court;
- the Department of Human Services ('DHS') requests the financial record in the course of verifying the individual's eligibility for public assistance;
- the institution received a request directly from an adult protective services program in a local department of social services that, under Title 14 of the Family Law Code of the Code of Maryland, is investigating a suspected financial abuse or financial exploitation of the customer;
- the institution received a request, notice, or subpoena for information directly from the Child Support Administration of the DHS or indirectly through the Federal Parent Locator Service; or
- the institution received a request, notice, or subpoena for information directly from the Comptroller.
The Md. Code, Fin. Inst. Law does not prohibit disclosures for the examination of bank records, reporting requirements, handling of records by fiduciary institution staff, or one of 13 other allowances (Md. Code, Fin. Inst. Law § 1-303):
- the preparation, examination, handling, or maintenance of financial records by any officer, employee, or agent of a fiduciary institution that has custody of the records;
- the examination of financial records by a certified public accountant while engaged by a fiduciary institution to perform an independent audit;
- the examination of financial records by, or the disclosure of financial records to, any officer, employee, or agent of a supervisory agency for use only in the exercise of that person's duties as an officer, employee, or agent;
- the publication of information derived from financial records if the information cannot be identified to any particular customer, deposit, or account;
- the making of reports or returns required or permitted by federal or state law;
- the disclosure of any information permitted to be disclosed under those provisions of the Md. Code, Com. Law that relate to the dishonor of a negotiable instrument;
- the exchange, in the regular course of business, of credit information between a fiduciary institution and any other fiduciary institution or commercial enterprise, if made directly or through a consumer reporting agency;
- the exchange, in the regular course of business, of a statement of a mortgage account on the subject property in connection with a sale, refinancing, or foreclosure, of real property, or the disclosure, in the regular course of business, of a statement of a mortgage account on the subject property to the holder of any subordinate mortgage or security interest;
- the disclosure to a state's attorney of any information in accordance with § 8-104(c) of the Criminal Law Code of the Code of Maryland ('Md. Code, Crim. Law') (regarding the presentation of a certificate under oath to prove insufficient funds and dishonor of checks);
- a fiduciary institution from disclosing to the Department of Human Services an individual's financial records that the department determines are necessary to verify or confirm the individual's eligibility or ineligibility for public assistance;
- in a prosecution outside the state for the crime of obtaining property or services by bad check, the presentation to the prosecutor of a certificate under oath by an authorized representative of a drawee that declares:
- the dishonor of the check by the drawee;
- the lack of an account with the drawee at the time of utterance; or
- the insufficiency of the drawer's funds at the time of presentation and utterance;
- the disclosure of the financial records of one of its customers by a fiduciary institution to an affiliate that extends credit for the sole purpose of evaluating a requested or existing extension of credit to that customer by an affiliate of the fiduciary institution; or
- a fiduciary institution from disclosing to the Comptroller an individual's financial records that the Comptroller determines are necessary to enforce the tax laws of the state.
Intentional violations are punishable as misdemeanors, potentially leading to a fine of up to $1,000 (Md. Code, Fin. Inst. Law § 1-305).
Maryland's law on username and privacy protections, codified under §3-712 of the Labor and Employment Law of the Code of Maryland, prohibits employers from requesting or requiring that an employee or prospective employee disclose login information accessing any personal account or service through an electronic communications device.
Employers may still enact workplace policies to limit and monitor the use of an employee's electronic equipment, including the use of social media and email use. Employers may also require disclosure of login information for access to an employment-related account, service, or electronic communications device. The AG may bring an enforcement action for injunctive relief or damages.
There is no specific law in Maryland regulating online privacy and behavioral advertising.
- relay or transmit multiple messages to deceive or mislead recipients;
- use materially false headings;
- register for 15 or more accounts in order to deceive others;
- falsely represent the right to use five or more IP addresses; and/or
- access a computer used in commerce without authorization and intentionally initiate transmission of multiple electronic mail advertisements.
Violations of the statute, depending on their severity, can lead to either a misdemeanor or felony, as well as forfeiture of any gains made as a result of the communications. Specifically,
- a person who violates Md. Code, Crim. Law §§3-805.1(b)(1), (2), (3), (4), or (5) is guilty of a misdemeanor and on conviction is subject to imprisonment not exceeding three years or a fine not exceeding $5,000 or both;
- a person who violates Md. Code, Crim. Law §§3-805.1(b)(1), (2), (3), (4), or (5) involving the transmission of more than 250 commercial electronic mail messages during a 24-hour period, 2,500 commercial electronic mail messages during any 30-day period, or 25,000 commercial electronic mail messages during any 1-year period is guilty of a misdemeanor and on conviction is subject to imprisonment not exceeding five years or a fine not exceeding $10,000 or both;
- a person who violates Md. Code, Crim. Law §3-805.1(b)(3) involving 20 or more electronic mail accounts or ten or more domain names and intentionally initiates the transmission of multiple commercial electronic mail messages from the accounts or using the domain names is guilty of a misdemeanor and on conviction is subject to imprisonment not exceeding five years or a fine not exceeding $10,000 or both;
- a person who violates Md. Code, Crim. Law §§3-805.1(b)(1), (2), (3), (4), or (5) that causes a loss of $500 or more during any 1-year period is guilty of a misdemeanor and on conviction is subject to imprisonment not exceeding five years or a fine not exceeding $10,000 or both;
- a person who violates Md. Code, Crim. Law §§3-805.1(b)(1), (2), (3), (4), or (5) in concert with three or more other persons as the leader or organizer of the action that constitutes the violation is guilty of a misdemeanor and on conviction is subject to imprisonment not exceeding five years or a fine not exceeding $10,000 or both;
- a person who violates Md. Code, Crim. Law §§3-805.1(b)(1), (2), (3), (4), or (5) in furtherance of a felony, or who has previously been convicted of an offense under the laws of Maryland, another state, or under any federal law involving the transmission of multiple commercial electronic mail messages is guilty of a felony and on conviction is subject to imprisonment not exceeding ten years or a fine not exceeding $25,000 or both; and
- a person who violates Md. Code, Crim. Law §§3-805.1(b)(6) or (7) is guilty of a misdemeanor and on conviction is subject to imprisonment not exceeding one year or a fine not exceeding $5,000 or both.
There is no general law in Maryland requiring the use of privacy policies or placing requirements on the content of privacy policies. §13-101 et seq. of the Md. Code, Com. Law, prohibits organizations from engaging in unfair or deceptive business practices. Such practices may include false or misleading representations in privacy policies.
The Data Breach Notification Law described above creates general disposal and security requirements.
For more information please see OneTrust DataGuidance's content on Maryland – Data Breach.
The Student Data Privacy Act of 2015, codified under §4-131 of the Education Law of the Code of Maryland ('Md. Code, Educ. Law'), protects information or material that personally identifies a PreK-12 student in Maryland, or that is linked to information or material that personally identifies an individual student in the state, and that is gathered by an operator, that is, a third party acting under contract with a school system or department through the operation of a site, service, or application. Covered information includes 19 different categories of information, including the following:
- educational and disciplinary record;
- first and last name;
- home address and geolocation information;
- telephone number;
- electronic mail address or other information that allows physical or online contact;
- test results, grades, and student evaluations;
- special education data;
- criminal records;
- medical records and health records;
- social security number;
- biometric information;
- socioeconomic information;
- food purchases;
- political and religious affiliations;
- text messages;
- student identifiers;
- search activity;
- voice recordings;
- online behavior or usage of applications;
- persistent unique identifiers; and
- 'confidential information' (defined by the Department of Information Technology).
Operators must protect covered information, implement and maintain reasonable security procedures, and delete the information within a reasonable time period if a school or school system requests deletion. Operators may not engage in targeted advertising, use information obtained for anything other than a school purpose, sell student information, or disclose covered information unless the disclosure falls under one of ten specified reasons, including the following:
- if the disclosure is made only in furtherance of the PreK-12 school purpose of the site, service, or application and the recipient of the covered information:
- does not further disclose the information; and
- is legally required to comply with Md. Code, Educ. Law §4-131(c) and (d)(1);
- to ensure legal or regulatory compliance;
- to take precautions against liability;
- to respond to or participate in the judicial process;
- to protect the safety of users or others or the security or integrity of the site, service, or application;
- to a service provider, provided the operator contractually:
- prohibits the service provider from using any covered information for any purpose other than providing the contracted service to, or on behalf of, the operator;
- except for a purpose expressly permitted under this subsection, prohibits the service provider from disclosing covered information provided by the operator to a third party; and
- requires the service provider to comply with the requirements of Md. Code, Educ. Law §4-131(c) and (d)(1)(i) through (iii);
- if Md. Code, Educ. Law § 4-131(d)(1)(i) through (iii) is not violated;
- if federal or state law requires the operator to disclose the information, and the operator complies with the requirements of federal and state law in protecting and disclosing the information;
- for a legitimate research purpose as:
- required by federal or state law; or
- allowed by federal or state law if a student's covered information is not used for advertising or to make a profile on the student for a purpose other than a PreK-12 school purpose; or
- to a state or local education agency, including public schools and local school systems, for a PreK-12 school purpose, as permitted by federal and state law.
Operators may use aggregated or de-identified information to improve the site and products.