You're reading the Maryland version.Change state →
MD

Data Privacy Rights in Maryland

Researched by , Lead Engineer

Primary sources cited; not legal advice.

Last verified:

Source: Federal: FTC Act § 5 (15 U.S.C. § 45), HIPAA (42 U.S.C. § 1320d), COPPA (15 U.S.C. §§ 6501–6506), FERPA (20 U.S.C. § 1232g), GLBA (15 U.S.C. §§ 6801–6809). State: California Consumer Privacy Act/CPRA (Cal. Civ. Code § 1798.100 et seq.), Colorado Privacy Act (C.R.S. § 6-1-1301 et seq.), Connecticut Data Privacy Act (Conn. Gen. Stat. § 42-515 et seq.), Virginia Consumer Data Protection Act (Va. Code § 59.1-575 et seq.), Texas Data Privacy and Security Act (Tex. Bus. & Com. Code Ch. 541).

About this article

Sourced from primary statutes (U.S. Code, CFR, state compiled statutes) and official government agency guidance. Written in plain language for general understanding — this is educational content, not legal advice. Our editorial standards

Maryland Law

How Maryland differs from federal law

Maryland has enacted consumer data privacy protections through several laws:

  • Maryland Online Data Privacy Act (2024): Maryland enacted a comprehensive consumer data privacy law giving residents the right to access, correct, delete, and port their personal data. It also restricts the sale of sensitive data and data of minors
  • Data breach notification (MD Code, Commercial Law § 14-3501 et seq.): Businesses must notify Maryland residents of data breaches involving personal information as quickly as possible, and notify the AG if the breach affects 1,000 or more residents
  • Student data privacy: Maryland has protections for student data collected by educational technology companies and schools
  • Maryland Genetic Information Nondiscrimination Act: Provides specific protections for genetic information beyond federal GINA requirements
  • AG enforcement: The Maryland Attorney General enforces data privacy and breach notification laws. Consumers can also bring private actions under the Maryland Consumer Protection Act for deceptive data practices

Additional Steps in Maryland

File data privacy complaints with the Maryland AG's Consumer Protection Division at (410) 528-8662 or (888) 743-0023 or marylandattorneygeneral.gov. For data breaches, also file with the FTC at identitytheft.gov.

Relevant Law: Maryland Online Data Privacy Act (2024). MD Code, Commercial Law § 14-3501 et seq. (data breach notification). Maryland Consumer Protection Act, MD Code, Commercial Law § 13-101 et seq.

Federal baseline: Data Privacy Rights nationwide

What is this right?

The United States is one of the only major economies without a single comprehensive federal data privacy law. Congress has come close several times — the American Data Privacy and Protection Act died in committee in 2022, and APRA stalled in 2024 — but never gotten over the line. The result is a patchwork: federal sector-specific laws (HIPAA for health data, FERPA for education records, COPPA for kids under 13, GLBA for financial data) plus a fast-growing list of state laws that look more like the EU's GDPR.

California led with the CCPA in 2018 (strengthened by the CPRA in 2020). Colorado, Connecticut, Virginia, Texas, Oregon, Montana, and a dozen other states have followed with their own comprehensive privacy laws, all with rolling effective dates through 2026. The rights vary, but the core is consistent: you can ask what data a company has, ask them to delete it, and opt out of the sale or sharing of it. Where you live decides what you can demand.

When does it apply?

Your data privacy rights kick in when:

  • A company collects, stores, or sells your personal data — name, email, phone, location, browsing history, purchase history.
  • You want to know what they have on you.
  • You want them to delete it.
  • You want to opt out of the sale or sharing.
  • You're notified of a data breach that exposed your information.

The state-by-state landscape, as of 2026:

  • California (CCPA/CPRA): Still the strongest. Rights to know, delete, opt out of sale and sharing, correct, and limit use of sensitive personal information. Enforced by the California Privacy Protection Agency, the only standalone state privacy regulator. Applies to businesses with $25M+ revenue, data on 100,000+ consumers, or 50%+ revenue from selling data.
  • Colorado, Connecticut, Virginia, Texas, Oregon, Montana, Delaware, Iowa, New Hampshire, New Jersey, Tennessee, Minnesota, and several more — comprehensive privacy laws, varying effective dates through 2026. Most cover access, deletion, correction, and opt-out.
  • States without comprehensive laws: Your main backstop is the FTC's general authority to chase "unfair or deceptive" data practices under Section 5 of the FTC Act, plus the federal sector-specific laws (HIPAA, COPPA, GLBA, FERPA).

Three myths:

  • "No federal law means no rights." The state laws now cover roughly half of all Americans, and the federal sectoral laws cover health, financial, education, and kids' data nationwide.
  • "Free service means they can do anything." They still owe you a privacy policy disclosure and, in CCPA-and-similar states, opt-out rights regardless of whether you paid.
  • "Deleting my account deletes my data." Not automatically. Companies retain data for legal, business, and analytics reasons. To force deletion, you generally have to submit a specific deletion request under your state law.

What to Do If a Company Is Collecting or Selling Your Personal Data

Step 1: Figure out which law covers you. Your residence usually controls. If you're in California, Colorado, Connecticut, Virginia, Texas, Oregon, or one of the newer states, you have specific statutory rights you can exercise.

Step 2: Submit access requests. Most companies have a "Privacy" or "Do Not Sell My Information" link in the footer. California residents can use the phrase "right to know"; the company has 45 days to respond (extendable to 90).

Step 3: Opt out of sale and sharing. Under CCPA-style laws, companies have to give you a clear opt-out mechanism. Look for "Do Not Sell or Share My Personal Information" links, and turn on Global Privacy Control in your browser — California-style laws now treat that signal as a binding opt-out.

Step 4: After a breach, take the steps. Most states require notification and many require offered credit monitoring. Use it. Change passwords, enable two-factor authentication, freeze your credit.

Step 5: Complain. State attorneys general enforce most state privacy laws. California has its dedicated CPPA. The FTC takes federal complaints at reportfraud.ftc.gov.

What should you NOT do?

Don't toss the breach notice. If a company tells you your data was compromised, the clock has already started. Change passwords, enable 2FA on the affected accounts and any account that reuses the password, and freeze your credit.

Don't auto-accept cookie banners. Most are designed to look like accepting all is the easy path — and "Reject All" is hidden behind two clicks. Take the two clicks.

Don't read privacy policies as protection. They're disclosures, not commitments. The interesting sections are usually "how we share your data with third parties," "data retention," and "your rights" — the rest is boilerplate.

Don't pay data-removal services upfront without comparison. Many of them charge $10–$30 a month to send the same opt-out requests you can send yourself for free. Try DIY first; the requests for the major data brokers are mostly automated forms.

You shouldn't have to hire a lawyer to assert your rights.

Answer a few questions. We generate a personalized letter citing your state's exact statutes, deadlines, and penalties — ready to print and send in minutes.

Lawyers charge $350+. Your letter: $19.

Privacy Deletion$19Debt Collector C&D$19Debt Validation$19Credit Dispute$19
See all 20 letter types →

Data Privacy Rights in other states

Same topic, different jurisdiction. Pick the one that applies to you.

More in Consumer Rights

Debt Collection (in Maryland)Before 1977, debt collectors could call your house at 2 a.m., tell your neighbors you were a deadbeat, threaten violence...Read more →Credit Report RightsFor most of the 20th century, credit bureaus were closed shops — they kept files on you, sold them to lenders, employers...Read more →Small Claims CourtSmall claims court is the part of the court system actually built for normal people. No lawyer required, simplified rule...Read more →

Related Topics

Workers' RightsWorkplace Harassment (nationwide)Tax RightsPenalty Abatement (nationwide)
← Browse all Consumer Rights

Legal Resources

We may earn a commission if you use these services — at no extra cost to you. This supports our mission to make legal information free for everyone.

Credit KarmaFree credit monitoring, dispute tools, and alerts. Know when your credit report changes.Check Your Credit FreeIdentityGuardIdentity theft protection and monitoring. Get notified if your personal information is misused.Protect Your Identity

Last verified:

You came here to know your rights — help someone else know theirs.

Support This Mission