EXPLANATION: CAPITALS INDICATE MATTER ADDED TO EXISTING LAW.
[Brackets] indicate matter deleted from existing law.
Underlining indicates amendments to bill.
Strike out indicates matter stricken from the bill by amendment or deleted from the law by amendment.
HOUSE BILL 264
S2 6lr0274
(PRE–FILED) CF 6lr0273
By: Chair, Government, Labor, and Elections Committee (By Request – Departmental – Information Technology)
Requested: October 1, 2025
Introduced and read first time: January 14, 2026
Assigned to: Government, Labor, and Elections
Committee Report: Favorable
House action: Adopted
Read second time: March 7, 2026
CHAPTER ______
AN ACT concerning
Maryland Data Privacy and Protection Act of 2026
FOR the purpose of limiting the personal information that may be collected, maintained, processed, and retained by units of State government under certain circumstances; requiring certain personal information to be deleted or de–identified under certain circumstances; requiring each unit to post a certain privacy notice on its Internet website and establishing certain requirements for privacy notices and privacy policies; requiring each unit of State government to designate a Privacy Officer; requiring the Department of Information Technology to establish certain requirements to be included in certain contracts; altering the definition of “personal information” as it relates to protection of information by government agencies; and generally relating to data privacy, protection, and transparency in State government.
BY repealing and reenacting, without amendments,
Article – Commercial Law
Section 14–4701(gg)
Annotated Code of Maryland
(2025 Replacement Volume)
BY repealing and reenacting, with amendments,
Article – General Provisions
Section 4–501
Annotated Code of Maryland
(2019 Replacement Volume and 2025 Supplement)
BY adding to
Article – State Finance and Procurement
Section 3.5–319
Annotated Code of Maryland
(2021 Replacement Volume and 2025 Supplement)
BY repealing and reenacting, with amendments,
Article – State Finance and Procurement
Section 13–115
Annotated Code of Maryland
(2021 Replacement Volume and 2025 Supplement)
BY repealing and reenacting, without amendments,
Article – State Government
Section 10–1301(a)
Annotated Code of Maryland
(2021 Replacement Volume and 2025 Supplement)
BY repealing and reenacting, with amendments,
Article – State Government
Section 10–1301(c) and 10–1702
Annotated Code of Maryland
(2021 Replacement Volume and 2025 Supplement)
SECTION 1. BE IT ENACTED BY THE GENERAL ASSEMBLY OF MARYLAND, That the Laws of Maryland read as follows:
Article – Commercial Law
14–4701.
(gg) “Sensitive data” means personal data that includes:
(1) Data revealing:
(i) Racial or ethnic origin;
(ii) Religious beliefs;
(iii) Consumer health data;
(iv) Sex life;
(v) Sexual orientation;
(vi) Status as transgender or nonbinary;
(vii) National origin; or
(viii) Citizenship or immigration status;
(2) Genetic data or biometric data;
(3) Personal data of a consumer that the controller knows or has reason to know is a child; or
(4) Precise geolocation data.
Article – General Provisions
4–501.
(a) In this section, “personal record” means a public record that names or, with reasonable certainty, otherwise identifies an individual by an identifying factor such as:
(1) an address;
(2) a description;
(3) a fingerprint or voice print;
(4) a number; or
(5) a picture.
(b) (1) Personal records may not be created unless the need for the information has been clearly established by the unit collecting the records.
(2) Personal information collected for personal records:
(i) shall be appropriate and relevant to the [purposes] LEGITIMATE GOVERNMENT PURPOSE for which it is collected;
(II) SHALL BE LIMITED TO THE MINIMUM AMOUNT OF PERSONAL INFORMATION NECESSARY TO ACCOMPLISH THE LEGITIMATE GOVERNMENT PURPOSE FOR WHICH IT WAS COLLECTED;
[(ii)] (III) shall be accurate and current to the greatest extent practicable; [and]
(IV) SHALL NOT BE RETAINED FOR LONGER THAN IS REASONABLY NECESSARY TO FULFILL THE LEGITIMATE GOVERNMENT PURPOSE FOR WHICH IT WAS COLLECTED;
(V) IN ACCORDANCE WITH THE UNIT’S RETENTION SCHEDULE OR AS ALLOWED BY LAW, SHALL BE SECURELY DELETED OR DE–IDENTIFIED WHEN NO LONGER NEEDED TO FULFILL THE LEGITIMATE GOVERNMENT PURPOSE FOR WHICH IT WAS COLLECTED; AND
[(iii)] (VI) may not be obtained by fraudulent means.
(c) (1) This subsection applies only to units of the State.
(2) Except as otherwise provided by law, an official custodian who keeps personal records shall collect, to the greatest extent practicable, personal information from the person in interest.
(3) An official custodian who requests personal information for personal records shall provide the following information to each person in interest from whom personal information is collected:
(i) the LEGITIMATE GOVERNMENT purpose for which the personal information is collected;
(ii) any specific consequences to the person for refusal to provide the personal information;
(iii) the person’s right to inspect, amend, or correct personal records, if any;
(iv) whether the personal information is generally available for public inspection; and
(v) whether the personal information is made available or transferred to or shared with any entity other than the official custodian.
(4) (I) Each unit of the State shall post A PRIVACY NOTICE AND its privacy policies on the collection of personal information, including the policies specified in this subsection, on its Internet website.
(II) THE PRIVACY NOTICE AND PRIVACY POLICIES POSTED UNDER SUBPARAGRAPH (I) OF THIS PARAGRAPH SHALL BE CONSISTENT WITH THE GUIDELINES, STANDARDS, AND POLICIES ISSUED BY THE DEPARTMENT OF INFORMATION TECHNOLOGY UNDER § 3.5–319 OF THE STATE FINANCE AND PROCUREMENT ARTICLE.
(5) The following personal records are exempt from the requirements of this subsection:
(i) information concerning the enforcement of criminal laws or the administration of the penal system;
(ii) information contained in investigative materials kept for the purpose of investigating a specific violation of State law and maintained by a State agency whose principal function may be other than law enforcement;
(iii) information contained in public records that are accepted by the State Archivist for deposit in the Maryland Hall of Records;
(iv) information gathered as part of formal research projects previously reviewed and approved by federally mandated institutional review boards; [and]
(V) INFORMATION CONTAINED IN APPLICATION OR RENEWAL MATERIALS RELATING TO THE LICENSING, REGISTRATION, OR CERTIFICATION OF AN INDIVIDUAL FOR AN OCCUPATION OR PROFESSION; AND
[(v)] (VI) any other personal records exempted by regulations adopted by the Secretary of Budget and Management, based on the recommendation of the Secretary of Information Technology.
(d) (1) This subsection does not apply to:
(i) a unit in the Legislative Branch of the State government;
(ii) a unit in the Judicial Branch of the State government; or
(iii) a board of license commissioners.
(2) If a unit or an instrumentality of the State keeps personal records, the unit or instrumentality shall submit an annual report to the Secretary of General Services.
(3) An annual report shall state:
(i) the name of the unit or instrumentality;
(ii) for each set of personal records:
1. the name of the set;
2. the location of the set; and
3. if a subunit keeps the set, the name of the subunit;
(iii) for each set of personal records that has not been previously reported:
1. the category of individuals to whom the set applies;
2. a brief description of the types of information that the set contains;
3. the major uses and purposes of the information;
4. by category, the source of information for the set; and
5. the policies and procedures of the unit or instrumentality as to:
A. access and challenges to the personal record by the person in interest; and
B. storage, retrieval, retention, disposal, and security, including controls on access; and
(iv) for each set of personal records that has been disposed of or changed significantly since the unit or instrumentality last submitted a report, the information required under item (iii) of this paragraph.
(4) A unit or an instrumentality that has two or more sets of personal records may combine the personal records in the report only if the character of the personal records is highly similar.
(5) The Secretary of General Services shall adopt regulations that govern the form and method of reporting under this subsection.
(6) The annual report shall be available for public inspection.
(e) The official custodian may allow inspection of personal records for which inspection otherwise is not authorized by a person who is engaged in a research project if:
(1) the researcher submits to the official custodian a written request that:
(i) describes the purpose of the research project;
(ii) describes the intent, if any, to publish the findings;
(iii) describes the nature of the requested personal records;
(iv) describes the safeguards that the researcher would take to protect the identity of the persons in interest; and
(v) states that persons in interest will not be contacted unless the official custodian approves and monitors the contact;
(2) the official custodian is satisfied that the proposed safeguards will prevent the disclosure of the identity of persons in interest; and
(3) the researcher makes an agreement with the unit or instrumentality that:
(i) defines the scope of the research project;
(ii) sets out the safeguards for protecting the identity of the persons in interest; and
(iii) states that a breach of any condition of the agreement is a breach of contract.
Article – State Finance and Procurement
3.5–319.
(A) EACH UNIT OF STATE GOVERNMENT SHALL DESIGNATE A PRIVACY OFFICER TO OVERSEE COMPLIANCE WITH THIS SUBTITLE AND COORDINATE WITH THE DEPARTMENT AND THE OFFICE OF THE ATTORNEY GENERAL.
(B) THE DEPARTMENT SHALL ADOPT REGULATIONS, GUIDANCE, AND MODEL TEMPLATES TO SUPPORT COMPLIANCE WITH THIS SUBTITLE, INCLUDING STANDARD PUBLIC INFORMATION ACT FORMATS AND DATA PROTECTION PROTOCOLS.
13–115.
(a) The Department of Information Technology shall require basic security, DATA COLLECTION, AND PRIVACY requirements to be included in a contract[:
(1) in] UNDER which a third–party contractor will:
(1) have access to and use State [telecommunication] INFORMATION TECHNOLOGY equipment, systems, or services; [or]
(2) COLLECT, STORE, OR PROCESS PERSONAL INFORMATION AS DEFINED IN § 10–1301 OF THE STATE GOVERNMENT ARTICLE; OR
[(2)] (3) [for systems or devices that will] connect to State [telecommunication] INFORMATION TECHNOLOGY equipment, systems, or services.
(b) The security requirements developed under subsection (a) of this section shall be consistent with a widely recognized security standard, including National Institute of Standards and Technology SP 800–171, ISO27001, or Cybersecurity Maturity Model Certification.
(C) THE PRIVACY REQUIREMENTS DEVELOPED UNDER SUBSECTION (A) OF THIS SECTION SHALL BE CONSISTENT WITH WIDELY RECOGNIZED PRIVACY STANDARDS, INCLUDING NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY (NIST) SP PRIVACY FRAMEWORK V1, NIST 800 SP 800–53 V5, AND NIST 800–207 SP ZERO TRUST ARCHITECTURE, AS THEY MAY BE UPDATED FROM TIME TO TIME.
Article – State Government
10–1301.
(a) In this subtitle the following words have the meanings indicated.
(c) (1) “Personal information” means an individual’s first name or first initial and last name, personal mark, or unique biometric or genetic print or image, in combination with one or more of the following data elements:
(i) a Social Security number, AN INDIVIDUAL TAXPAYER IDENTIFICATION NUMBER, A PASSPORT NUMBER, OR OTHER IDENTIFICATION NUMBER ISSUED BY THE UNITED STATES GOVERNMENT;
(ii) a driver’s license number, state identification card number, or other individual identification number issued by a unit;
[(iii) a passport number or other identification number issued by the United States government;
(iv) an Individual Taxpayer Identification Number; or]
[(v)] (III) a financial or other account number, a credit card number, or a debit card number that, in combination with any required security code, access code, or password, would permit access to an individual’s account;
(IV) A USERNAME OR E–MAIL ADDRESS IN COMBINATION WITH A PASSWORD OR SECURITY QUESTION AND ANSWER THAT PERMITS ACCESS TO AN INDIVIDUAL’S E–MAIL ACCOUNT;
(V) GENETIC AND HEALTH–RELATED DATA, INCLUDING MENTAL HEALTH, SUBSTANCE USE DISORDER, AND DISABILITY; OR
(VI) SENSITIVE DATA, AS DEFINED IN § 14–4701 OF THE COMMERCIAL LAW ARTICLE.
(2) “Personal information” does not include a voter registration number.
10–1702.
(a) (1) In this section the following words have the meanings indicated.
(2) “Governmental entity” means a unit or instrumentality of State or local government.
(3) “Personal record” has the meaning stated in § 4–501 of the General Provisions Article.
(4) “SENSITIVE DATA” HAS THE MEANING STATED IN § 14–4701 OF THE COMMERCIAL LAW ARTICLE.
(b) (1) Subject to paragraph (2) of this subsection, on or before July 1, 2026, each governmental entity, in consultation with the Department of Information Technology, shall develop and publish procedures that prevent the sale and redisclosure of personal records and geolocation data provided or made available by the governmental entity in a way that harms the privacy of residents of the State.
(2) The procedures required and published under paragraph (1) of this subsection shall address:
(i) any possible contractual limitations on the sale or redisclosure of personal records or geolocation data that a governmental entity may place on a person who receives personal records or geolocation data that are provided or made available by the governmental entity;
(ii) considerations regarding:
1. the threat to privacy posed by data brokers who utilize personal records or geolocation data for commercial purposes;
2. the risk that personal records or geolocation data may be used for purposes other than the purposes for which the personal records or geolocation data were developed or collected; and
3. geolocation, genetic, and other sensitive data; and
(iii) any other considerations necessary to:
1. protect the privacy of residents of the State;
2. discourage the development of a secondary commercial market for personal records or geolocation data that are provided or made available by a governmental entity; and
3. limit a person who receives personal records or geolocation data that are provided or made available by a governmental entity from selling or redisclosing the data with other persons.
(c) On or before July 1, 2026, each governmental entity shall, in accordance with § 2–1257 of this article, submit to the General Assembly a copy of the procedures developed under subsection (b) of this section.
SECTION 2. AND BE IT FURTHER ENACTED, That this Act shall take effect October 1, 2026.
Approved:
________________________________________________________________________________
Governor.
________________________________________________________________________________
Speaker of the House of Delegates.
________________________________________________________________________________
President of the Senate.