Data Privacy Regulations

Terms of Use

This summary of regulations is provided for information purposes only.
No action based on this summary alone should be undertaken.
Each individual or entity must obtain appropriate guidance for its specific circumstances.


Did You Know?

  • Comprehensive notification requirements;
  • Limited methods of notification delivery;
  • Data owners are responsible for reporting and notifications;
  • Reporting to consumer reporting agencies;
  • Laws cover PII data protection, retention and disposal;
  • Vendors must be bound by a written contract that requires them to protect the PII they maintain;
  • Other state laws, federal laws, industry regulations, and/or out-of-country laws may apply.

Who Me?


Maryland breach and notification laws may apply if you are a business that: 

  • Owns or licenses computerized data that includes PII of a MD resident (MD Data Owner);
  • Maintains computerized data that includes PII but does not own or license it (vendor).

There are exemptions.

What is PII?


PII relevant to a breach in Maryland includes an individual’s first name or first initial and last name, in combination with one or more of the following data elements:

  • Social security number;
  • Driver’s license or state identification card number;
  • Account number, or credit or debit card number, in combination with any required security code, access code, or password that permits access to an individual's financial account; or
  • Individual Taxpayer Identification Number.



A few applicable statutes include, but are not limited to:

  • Commercial Law / Title 14. Miscellaneous Consumer Protection Provisions / Subtitle 35. MD Personal Information Protection Act / 14-3501 and 14-3504 to 14-3508; and Title 13. Consumer Protection Act / Subtitle 4. Enforcement And Penalties / 13-401 to 13-411
  • State Government / Title 10. Governmental Procedures / Subtitle 13. Protection Of Information By Government Agencies / 10-1301 to 10-1302 and 10-1305 to 10-1308


A few relevant statutes include, but are not limited to:

  • Commercial Law / Title 14. Miscellaneous Consumer Protection Provisions: Subtitle 35. MD Personal Information Protection Act / 14-3501 to 14-3503; Subtitle 34. The Social Security Number Privacy Act; and Subtitle 13. Miscellaneous Provisions / 14-1318
  • Commercial Law / Title 13. Consumer Protection Act: Subtitle 4. Enforcement And Penalties
  • Commercial Law / Title 21. The MD Uniform Electronic Transactions Act



Failure to comply with the requirements constitutes an unfair trade practice.  Violations can incur cease and desist orders, arbitration, fines and penalties, injunctions or other relief.



Whether a breach must be reported depends on factors that include, but are not limited to:

  • Which combination of personal information elements was breached;
  • Whether the data was computerized;
  • Whether the data was encrypted or redacted;
  • Whether the breach also exposed the key or password protecting the data;
  • Whether the data was acquired by an unauthorized person; and
  • Whether misuse of the individual’s personal information is likely.

If it is determined that notification of the breach will not be necessary, the decision must be documented and maintained for a minimum of three years.


Notification may be delayed if law enforcement indicates that it would interfere with an investigation. Otherwise, notification must be made in the most expedient time possible and without unreasonable delay.


Notification requires detailed information and may require that services be offered to affected individuals.

Attorney General notice is required.

There is a comprehensive list of information that must be included in the notifications.

Notice may only be given by written notice, by telephone, or electronically, each subject to stipulations.

A substitute notice, with specific requirements, may be used if the cost of giving notice would exceed $100,000, if the number of persons to be notified exceeds 175,000, or if sufficient contact information is not available.

Contact the Privacy Experts at CSR