Maryland
Code/Regulations
Effective Date: October 1, 2025
Details
Threshold
Conducts business in Maryland or provides products or services that are targeted to residents of the state and:
- During the preceding calendar year, controlled or processed personal data of at least 35,000 consumers, excluding personal data controlled or processed solely to complete a payment transaction; or
- Controlled or processed the personal data of at least 10,000 consumers and derived more than 20 percent of its gross revenue from the sale of personal data.
Definition of "Personal Data"
Any information that is linked or can be reasonably linked to an identified or identifiable consumer. "Personal Data" does not include de-identified data or publicly available information.
Definition of "Sell" or "Sale"
"Sale of personal data" means the exchange of personal data to a third party for monetary or other valuable consideration.
Data Protection Assessments
Yes
Opt-In Consent Required for Processing Sensitive Data
No, but only because processing is permitted only if "strictly necessary" to provide or maintain a product or service that the consumer requested.
Consumer Rights to Confirm Processing, Request Access, Correction, Deletion & Portability
Yes
Consumer Right to Opt Out of Sale
Yes
Consumer Right to Opt Out of Targeted Ads/Sharing
Yes
Consumer Right to Opt Out of Profiling
Yes
Consumer Right to Opt Out of Certain Profiling
Yes
Pseudonymous Data Exempt from Consumer Requests
No
Appeal Rights
Yes
Universal Opt-Out Mechanism Required Recognition/Date
Not required, but discretionary (on or before October 1, 2025)
Data of Minors
Process personal data of a known child in accordance with COPPA.
No sales or processing of personal data for targeted advertising if the controller "knew or should have known" the consumer was a minor. "Minor" means a person under the age of 18.
Data Minimization Requirements
Strict data minimization requirements:
- Limit personal data collection to what is reasonably necessary and proportionate to provide or maintain a product or service requested by the consumer, regardless of consumer consent.
- Collect, process, and share consumers' sensitive personal data only as strictly necessary to provide or maintain a specific product or service requested by the consumer, regardless of consumer consent.
- Collect, process, and share consumers' personal data only as reasonably necessary for the purposes disclosed to the consumer, or compatible with those purposes, unless the consumer consents.
GLBA Exemption
Yes (both entity and data level)
HIPAA Exemption
Yes (only data level)
Applies/Does Not Apply to Personal Information in a Commercial or Employment Context
Does not apply to commercial or employment context; applies in an individual or household context only.
Nonprofit Exemption
Limited to certain nonprofit organizations.
Private Right of Action
No
Cure Period
60 days
Cure Period Expiration
April 1, 2027
Enforcement Authority/Damages
Attorney General, through the Division of Consumer Protection / up to $10,000 per violation (and up to $25,000 per subsequent violation)