Maryland Biometric Privacy Laws: Collection, Consent & Penalties (2026)

Maryland takes a different approach to biometric privacy than states with standalone biometric statutes like Illinois or Texas. Rather than creating a separate biometric privacy law, Maryland folded strong biometric protections into its comprehensive Maryland Online Data Privacy Act (MODPA), signed by Governor Wes Moore on May 9, 2024.
What makes Maryland's framework notable is the strict necessity standard. Businesses cannot collect biometric data just because a consumer clicks "I agree." They must prove the data is essential to delivering a specific product or service the consumer requested. Combined with an outright ban on selling biometric data, this puts Maryland among the most protective states in the country for biometric privacy.
Here is how the law works and what it means for Maryland residents, employers, and businesses.
How Maryland Defines Biometric Data
MODPA defines "biometric data" as data generated by automatic measurements of a consumer's biological characteristics that can be used to uniquely authenticate that consumer's identity. The enrolled bill text lists specific examples:
- Fingerprints
- Voiceprints
- Retina or iris images
- Other unique biological characteristics used for authentication
Maryland's breach notification statute (Md. Code Com. Law 14-3504) uses a slightly different but overlapping definition, adding "genetic print" to the list of protected biometric identifiers.
What Is Not Biometric Data
MODPA excludes certain data from the biometric definition:
- Digital or physical photographs
- Audio or video recordings
- Data generated from photographs or recordings, unless generated specifically to identify a particular consumer
This means a security camera recording alone does not qualify as biometric data. However, if a business runs that footage through facial recognition software to identify specific people, the extracted data becomes biometric data under the law.
The Broader Definition Problem
Maryland's biometric data definition is notably broader than most other states. MODPA covers biological characteristics that "can be used" to authenticate identity, not just those that "are used" or "are intended to be used" for that purpose. This distinction matters. A business that collects data capable of identifying someone but never actually deploys it for authentication still holds biometric data under MODPA.

Sensitive Data Classification and the Strict Necessity Standard
Under MODPA, biometric data is classified as sensitive personal data. This places it in the highest protection tier alongside genetic data, precise geolocation, data about children, and information revealing racial or ethnic origin, religious beliefs, or sexual orientation.
The sensitive data classification triggers MODPA's strict necessity requirement. Controllers may only collect, process, or share biometric data when it is "strictly necessary to provide or maintain a specific product or service requested by the consumer."
This is a higher bar than most state privacy laws set. In California, for example, businesses can process sensitive data with notice and the option for consumers to limit use. In Maryland, the question is whether the biometric data collection is essential to delivering what the consumer asked for.
Practical examples:
- A bank that uses fingerprint authentication for mobile app login can collect fingerprints because the consumer requested the service
- A retail store that scans customer faces for marketing analytics likely fails the strict necessity test because facial recognition is not necessary to sell products
- An employer that uses fingerprint time clocks may face scrutiny over whether biometric collection is truly the only way to track attendance
Prohibition on Selling Biometric Data
MODPA contains what the Maryland Attorney General's office describes as a blanket prohibition: businesses cannot sell biometric data. Period.
This is the first prohibition of its kind under any state comprehensive privacy law. Other states allow the sale of sensitive data if the consumer provides opt-in consent. Maryland does not. Even if a consumer explicitly agrees, a business still cannot sell their biometric information.
The ban extends to leasing, trading, or otherwise transferring biometric data for monetary or other valuable consideration. Transfers to processors acting on the controller's behalf under a valid contract are permitted, but transfers to independent third parties for their own purposes are not.
Consumer Rights Over Biometric Data
Maryland residents have several rights regarding their biometric data under MODPA:
Right to Access. Consumers can request confirmation of whether a business is processing their biometric data and obtain a copy of that data.
Right to Deletion. Consumers can request that a business delete their biometric data. The business must comply and direct any processors to delete it as well.
Right to Correction. Consumers can request correction of inaccurate biometric data.
Right to Opt Out. Consumers can opt out of targeted advertising and the sale of personal data. Businesses must honor universal opt-out preference signals.
Right to Data Portability. Consumers can request their biometric data in a portable, readily usable format.
Businesses must provide a clear and conspicuous link on their websites allowing consumers to exercise these rights. They cannot retaliate against consumers who use them.
Breach Notification Requirements for Biometric Data
Maryland's Personal Information Protection Act (Md. Code Com. Law 14-3501 through 14-3508) imposes specific requirements when biometric data is compromised in a security breach. For a detailed breakdown, see our Maryland Data Breach Notification Laws guide.
Key requirements:
- 45-day deadline. Businesses must notify affected individuals as soon as reasonably practicable, but no later than 45 days after discovering or being notified of the breach
- AG notification first. The Maryland Attorney General must be notified before individual consumers receive notice
- 10-day rule for service providers. Third-party service providers that maintain biometric data on behalf of another business must notify the data owner within 10 days of discovering the breach
- Biometric data in the PI definition. The statute specifically includes biometric data generated by automatic measurements of biological characteristics (fingerprint, voiceprint, genetic print, retina or iris image) in the definition of personal information
Required Notice Content
Breach notifications involving biometric data must include:
- A description of the compromised information
- Business contact information and a toll-free number
- Contact details for the three major credit bureaus
- FTC and Maryland Attorney General contact information
- Identity theft prevention resources
The Attorney General's guidelines specify that notifications can be sent by mail, telephone, email (if the consumer consented), or substitute notice if costs exceed $100,000 or more than 175,000 residents are affected.

Employer Obligations
MODPA applies to any "controller" that conducts business in Maryland or provides products or services targeted to Maryland residents. This includes employers that collect biometric data from workers.
Employers using biometric systems should consider the following:
Biometric time clocks. Fingerprint or hand-geometry scanners used for attendance tracking collect biometric data under MODPA. Employers must demonstrate that biometric collection is strictly necessary and cannot rely on consent alone to justify it.
Facial recognition access control. Systems that scan employee faces for building entry generate biometric data. Employers should evaluate whether less invasive alternatives (key cards, PIN codes) would serve the same purpose.
No sale of employee biometric data. The ban on selling biometric data applies to employee data without exception. Employers cannot sell, lease, or trade worker fingerprints, facial templates, or other biometric identifiers.
Reasonable security. Employers must implement and maintain reasonable security procedures appropriate to the type and volume of biometric data they hold. Contractors handling employee biometric data must contractually commit to comparable security standards.

Enforcement and Penalties
The Maryland Office of the Attorney General, through the Consumer Protection Division, has exclusive enforcement authority over MODPA. There is no private right of action, meaning individual consumers cannot sue businesses directly for biometric data violations.
Penalty Structure
- First violation: Up to $10,000 per violation
- Subsequent violations: Up to $25,000 per violation
- Additional remedies: Injunctive relief, restitution, economic damages, and disgorgement of profits
Cure Period
Before initiating a formal enforcement action, the Attorney General may issue a notice of violation if the problem is curable. The controller or processor then has 60 days to fix the issue. If they cure the violation within that window, the AG may not pursue penalties for that specific issue.
This cure period applies during the initial enforcement phase. Over time, the AG may adopt a stricter approach for repeat offenders or particularly egregious violations.
Enforcement Timeline
MODPA took effect on October 1, 2025, but full enforcement application begins April 1, 2026. This gives businesses a compliance runway. After April 1, 2026, the AG can pursue violations without the transitional grace period.
For breach notification violations, enforcement runs through the Maryland Consumer Protection Act. Violations are treated as unfair or deceptive trade practices, which carry their own penalty structure.

Pending and Related Legislation
Maryland continues to consider additional biometric privacy protections beyond MODPA.
SB 169 (Biometric Identifiers). Introduced in a prior session, this bill would have created a standalone biometric privacy law similar to Illinois BIPA, including a private right of action. While it did not pass, it signals legislative interest in going further than MODPA's AG-only enforcement model.
HB 264 (Maryland Data Privacy and Protection Act of 2026). This 2026 bill limits the personal information that state government units can collect and requires each unit to designate a Privacy Officer. It received a favorable committee report in March 2026.
SB 182 (Facial Recognition Technology). This bill establishes requirements and prohibitions for law enforcement use of facial recognition technology and mandates training programs through the Department of Public Safety and Correctional Services. It was approved by the Governor in the 2025 session.
These bills reflect a broader trend in Maryland toward layered biometric protections, with MODPA as the foundation and targeted legislation addressing specific use cases.
How Maryland Compares to Other States
Maryland's biometric protections sit in the middle tier among U.S. states, but with some uniquely strong features.
| Feature | Maryland (MODPA) | Illinois (BIPA) | California (CCPA/CPRA) |
|---|---|---|---|
| Law Type | Comprehensive privacy law | Standalone biometric statute | Comprehensive privacy law |
| Consent Model | Strict necessity (no consent override) | Written informed consent before collection | Notice + right to limit use |
| Sale of Biometric Data | Banned entirely | Prohibited | Opt-out available |
| Private Right of Action | No | Yes ($1,000-$5,000 per violation) | Data breaches only ($100-$750) |
| Enforcement | AG only | Private lawsuits + AG | CPPA + AG + limited private |
| Penalties | $10,000-$25,000 per violation | $1,000-$5,000 per violation (private) | $2,663-$7,988 per violation |
| Cure Period | 60 days | None | 30 days (AG actions) |
Maryland's strict necessity standard and absolute ban on biometric data sales are stronger than California's framework. However, the lack of a private right of action means enforcement depends entirely on the Attorney General's priorities and resources.
More Maryland Laws
- Maryland Data Privacy Laws
- Maryland Recording Laws
Sources and References
This article references Maryland statutes, enrolled bill text, and official state government publications. For the full text of MODPA, visit the Maryland General Assembly website. For AG enforcement guidance and complaint filing, visit the Maryland Attorney General's data privacy page.
This article provides general legal information about Maryland data privacy laws. It is not legal advice. Consult a qualified attorney for guidance on your specific situation. Laws and regulations change frequently. Verify current requirements through official Maryland government sources.
- Maryland Online Data Privacy Act (SB 541) (mgaleg.maryland.gov)
- MODPA Enrolled Bill Text (Ch. 455) (mgaleg.maryland.gov)
- Maryland Breach Notification Statute (14-3504) (mgaleg.maryland.gov)
- Maryland AG Data Privacy Page (oag.maryland.gov)
- Maryland AG PIPA Business Guidelines (oag.maryland.gov)
- Maryland Biometrics Subject Index (2025 Session) (mgaleg.maryland.gov)
- HB 264 - Maryland Data Privacy and Protection Act of 2026 (mgaleg.maryland.gov)