Maryland Data Privacy Laws
In 2023, the Maryland Attorney General’s office reported 1,693 data breaches. If you’re one of the many state residents who’ve gotten a breach notice recently, you may be rightly worried about your data and finances and concerned about your next step.

Fortunately, Maryland data privacy laws offer victims plenty of options. Class Action U has connected thousands of people nationwide with privacy lawyers to help them exercise their rights and recover their lost money. If you’re worried about your data, contact us today.
Overview of Maryland Data Privacy Laws
Maryland’s data privacy laws require organizations to take steps to protect personal data and promptly notify consumers in the event of a breach. A new state law coming into force in 2025 and 2026 will place additional requirements on businesses and provide consumers with more rights regarding their data.
Maryland’s Data Breach Notification Law
In Maryland law, a data breach is defined as any unauthorized access that affects the security of personal data. If that data could be misused to harm consumers, the organization must notify those affected.
All businesses and individuals who collect and retain the personal information of Maryland residents must notify those residents within 45 days if a data breach occurs. They also need to notify the Office of the Attorney General. The 45-day deadline may be extended upon the request of law enforcement or if a bit more time is needed to investigate the extent of the breach.
Data breach notifications must include a description of the breach and the information put at risk. They must also include contact information for the business, the major credit bureaus, relevant state and federal agencies, and steps consumers can take.
Maryland Personal Information Protection Act (PIPA)
Under PIPA, personal information refers to your first and last name in conjunction with your:
- Email address and password
- Social Security number, passport number, or driver’s license number
- Biometric data, including genetic information
- Personal medical information or information about your health insurance that could be used to access medical records
- Bank account information
If any personal information is compromised, an organization must inform affected consumers.
Maryland Online Data Privacy Act
The Maryland Online Data Privacy Act, or MODPA, was passed in 2024. It provides a comprehensive privacy framework and places more restrictions on organizations that store personal data. After the law takes effect on October 1, 2025, organizations must clearly post a privacy policy describing the personal data they collect.
New data processing requirements will kick in after April 1, 2026. Organizations must restrict the information they collect and store to only what’s necessary to fulfill consumer requests.
A violation under MODPA may result in a fine of up to $10,000 per violation or $25,000 for repeat violations.
Consumer Rights Under Maryland Data Privacy Laws
Maryland law requires you to be informed within 45 days when your personal data is compromised in a data breach. That notice must include contact information for the major credit bureaus and information on the next steps to take.
You are also entitled to take legal action against responsible parties if you suffered losses due to the data breach.
How Does Maryland’s Data Privacy Law Compare to Federal Regulations?
With the passage of MODPA, Maryland’s data privacy laws offer more comprehensive security for residents. These state laws provide important protections on top of existing federal laws such as HIPAA, which protects health information, and the Gramm-Leach-Bliley Act, which requires financial institutions to be transparent about their data policies.
Many of MODPA’s core principles, such as minimizing the data taken from consumers and allowing consumers the right to delete their data, align with the EU’s General Data Protection Regulation, or GDPR. MODPA also aligns with other state bills, such as the California Consumer Privacy Act, or CCPA.
Steps To Take If You’ve Been Affected by a Data Breach in Maryland
Knowing what to do after a data breach can help you protect yourself from further financial harm:
- Learn everything you can about the breach, including who’s responsible and what type of breach it was.
- If one of your online accounts was compromised, change your password for that account.
- Monitor your financial accounts for any transactions you don’t recognize.
- Request your credit report. Maryland residents can receive six free credit reports a year.
- Consider freezing your credit file. This will prevent anyone else from opening an account in your name.
- Contact a data breach lawyer to learn more about your legal options.
If you haven’t received a notice but suspect your data is compromised, you can look into whether a breach has occurred while taking some of these steps.
How To File a Complaint or Take Legal Action in Maryland
If you’ve been the victim of a data breach, you may file a complaint with the Maryland Attorney General’s office. You can submit the form through the online portal or download a printable version and mail it to the nearest Consumer Protection Division office. You can also contact the Consumer Protection Division via phone or fax.
Complete the form with all required information, including a description of what happened and copies of any documents that support your complaint. If the office decides they are the agency best equipped to follow your claim, they’ll contact both you and the business regarding mediation.
In addition to filing a complaint, you are also entitled to pursue a lawsuit against the responsible company. A lawsuit can recover economic damages such as direct financial losses and the cost of additional credit monitoring, as well as non-economic damages for emotional distress.
While you may file against a company as an individual, many data breach lawsuits are handled as class action suits. Consulting an experienced data breach attorney can help you understand how to join a class action lawsuit or start one yourself.
Frequently Asked Questions About Maryland Data Privacy
Get in touch with us if you have a question that isn’t answered here.
How Quickly Must a Business Notify Me of a Data Breach?
Under Maryland law, you must receive a data breach notification that includes a description of the breach and important contact information within 45 days. In some cases, businesses may delay notification if they need more time to understand the scope of the breach.
What Should I Do if I Receive a Breach Notification?
After you receive a data breach notification, read it carefully and consider reviewing your finances and freezing your credit. Talking with an experienced data breach lawyer can help you understand your options.
Does Maryland Have Laws Regulating How Companies Protect Data?
Yes, Maryland has several laws regulating how companies protect data. The most comprehensive is MODPA, which will become fully effective in 2026.
Can I Sue a Company for a Data Breach in Maryland?
Yes, you can sue a company for a Maryland data breach if they failed to meet their responsibilities under the law and you suffered financial loss or emotional distress. A data breach attorney can advise you on whether you have a compelling case.
How Class Action U Can Help
A data breach can lead to financial losses and leave you feeling less safe, but Maryland data privacy laws offer a way to fight back. You have a right to pursue an individual lawsuit or join a class action case against the company at fault to recoup your losses.
Talking to a lawyer can help you protect your finances. If you’ve received a data breach letter, contact us today to be connected with skilled privacy lawyers.