
11.16.22 – Southern Maryland Chronicle

As of January 1, 2008, the state of Maryland had a brand-new law regulating how businesses collect, use, and protect the personal information of Maryland residents. The Revised Personal Information Protection Act (PIPA) was modeled after the European Union’s General Data Protection Regulation (GDPR), which went into effect on October 1, 2022.

PIPA requires businesses to take reasonable steps to secure the personal data they collect from Marylanders. In addition, companies must provide customers with transparent notice of what personal data is being collected and why it is being collected. Customers must also be allowed to opt out of having their data shared with third parties and to manage their private data appropriately.

PIPA also gives customers the right to know what personal data a business has collected about them, request that inaccurate or incomplete data be corrected, and request that their data be deleted in certain circumstances.

What Is “Personal Data”?

“Personal data” is defined very broadly under PIPA. It includes any information that can be used to identify an individual, either by itself or in combination with other information. This could include a person’s:

  • Name
  • Address
  • Date of birth
  • Email address
  • Social Security number
  • Driver’s license number
  • Biometric data like fingerprints or iris scans

In short, if there’s a possibility that someone could use the information you have about an individual to identify that person, then it counts as “personal data” under PIPA.

Does Maryland’s PIPA Apply to My Business?

If you’re a business owner in Maryland, you may wonder if the Personal Information Protection Act (PIPA) applies to your business. The answer is maybe. PIPA generally applies to companies that collect, use, or disclose personal information about Maryland residents. PIPA protects the confidentiality of personal data that state agencies maintain.

So, if your business collects or stores personal information on Maryland residents, PIPA will likely apply to you. However, there are a few exceptions. For example, PIPA does not apply to businesses subject to federal laws that provide similar protections for personal information.

In addition, PIPA does not apply to businesses that collect, use, or disclose personal information for specific purposes, such as journalistic activities or law enforcement. Likewise, PIPA will not apply to you if your business does not collect or store any personal information on Maryland residents. However, even if PIPA does not apply to your business, you should still protect the personal information of your customers and employees.

Data breaches are becoming increasingly common, and it is crucial to do everything you can to protect your customers’ and employees’ personal information. You can check out the Maryland Attorney General’s office website for more information on data security best practices. Alternatively, if you’re unsure whether PIPA applies to your business, you can contact the Maryland Attorney General’s Office for more information.

How Can I Comply with PIPA?

The first step is to take inventory of the personal data you collect from Marylanders and determine what you do with that data. Once you have a good understanding of your current practices, you can start taking steps to come into compliance with PIPA. Here are some general tips:

  • Review your privacy policies and make sure they are accurate and up-to-date
  • Post your privacy policy in a conspicuous place on your website
  • Train your employees on PIPA and your company’s privacy policy
  • Implement reasonable security measures to protect the personal data you collect from Marylanders (e.g., encryption, firewalls).
  • If there is a security breach where personal information may have been compromised, and misuse of that information could pose a threat to a Maryland consumer, businesses must notify the affected individuals.
  • Businesses must investigate whether the compromised information has been or is likely to be misused.
  • If it is determined that consumers’ data might be misused, businesses must notify those affected by the breach within 45 days.
  • Notice of a security breach can be given electronically over the internet if the company does most of its business online or if the number of consumers affected is over 175,000.
  • If providing notice electronically, businesses must instruct individuals affected by the security breach to change answers to security questions and passwords for other accounts in which they may have used the same usernames and passwords.

What Are the Penalties for Violating PIPA?

Violations of PIPA can result in civil penalties of up to $1,000 per violation. In addition, the Attorney General may bring a civil action against a business for injunctive relief or damages on behalf of individuals whose personal data was subject to a security breach resulting from the business’s failure to comply with PIPA. A business that violates PIPA may also be subject to criminal penalties of up to $5,000 per violation.

In Maryland, individuals have the right to bring a lawsuit against another party to recover damages for losses or injuries. They can recoup not only their losses but also their attorneys’ fees.

What Are the Requirements of the New Law?

The most significant change wrought by PIPA is the requirement that businesses notify individuals whose personal data has been compromised by a security breach. A “security breach” is defined as an unauthorized acquisition or access of personal data that compromises the security or confidentiality of such data.

If there is a security breach, businesses must notify affected individuals “in the most expedient time possible and without unreasonable delay.” In other words, businesses will have to act quickly to notify individuals whose personal data has been exposed to a security breach.

In addition to requiring notification of individuals following a security breach, PIPA imposes several other obligations on businesses subject to the law. For example, PIPA prohibits businesses from collecting more personal data than is necessary for a legitimate business purpose; requiring individuals to provide more personal data could increase the risk of a security breach.

PIPA also requires businesses to take reasonable steps to protect the personal data they collect from unauthorized access and disclosure. These steps will vary depending on the sensitivity of the information and the size and resources of the business. However, all businesses should have some written policy or procedures in place regarding their collection and handling of personal data.


The new Maryland Personal Information Protection Act imposes significant obligations on businesses that collect, process, store, or have access to the personal data of Maryland residents.

Businesses subject to PIPA must take reasonable steps to protect against unauthorized disclosure of personal data and must notify affected individuals following a security breach. The law went into effect on October 1, 2018, so now is the time for businesses that may be affected by this law to comply with its provisions.

Failure to comply with PIPA can result in significant fines and legal problems for your business. But don’t despair. There are many steps you can take to come into compliance with this new law. Please consult a qualified attorney for more information on how to comply with PIPA.