Gov. Wes Moore signed the Maryland Data Privacy and Protection Act of 2026 into law Tuesday, signaling the state’s position that data it collects should be used only for the purpose for which it was gathered and that the right to privacy is inherent. The law also “incorporates data use agreements into procurement contracts with third-party contractors,” the Maryland Department of Information Technology (DoIT) said on LinkedIn, and requires “each unit of state government” to designate a privacy officer.
In the absence of a comprehensive federal privacy law, states have increasingly developed their own approaches to governing how personal information is collected, shared and protected, creating what privacy experts have described as a patchwork of requirements.
Maryland’s new law reflects that broader trend of states stepping in, but with a particular emphasis on how its government agencies themselves collect, retain and manage resident data. It is the latest step in a broader effort to modernize how its government manages data, cybersecurity and digital services.
The state wants to ensure that “our residents have retained control over their data, and we use it the way we’re supposed to, and we protect it,” state Chief Privacy Officer Caterina Pangilinan said in March.
The law limits agencies to collecting only the minimum amount of personal information needed to accomplish “legitimate government purposes,” requires the information to be relevant to its intended use, prohibits agencies from retaining it longer than “reasonably necessary,” and requires it to be securely deleted or de-identified when no longer needed.
Agencies are also required to tell residents why information is being collected, the consequences of not providing it, whether the information is publicly available and whether it is shared with outside entities. The law additionally requires agencies to post privacy notices and policies online and privacy officers to oversee compliance and work with DoIT and the state attorney general.
The law expands the definition of personal information to include taxpayer and other federal identification numbers; usernames or email addresses used with passwords or security questions; genetic and health-related information; mental health or substance use disorder information; disability data; and information already categorized as sensitive data.
The definition of sensitive data is also broadened to include racial or ethnic origin, religious beliefs, consumer health information, sexual orientation, transgender or nonbinary status, citizenship or immigration status, biometric and genetic data, children’s data and precise geolocation information.
And it extends state expectations to third-party vendors by incorporating privacy and data collection requirements into procurement processes for contractors that collect, store or process personal information on Maryland’s behalf.