Last updated on 12 August 2022 by William Blesch (Legal and data protection research writer at TermsFeed)
Maryland's Personal Information Protection Act ("PIPA") is a privacy law that took effect on January 1, 2008. It is also known as Maryland's Data Breach Notification Law. Since 2008, a series of amendments has revised and expanded the definition of personal information, which now includes biometric data.
Maryland's privacy laws are not comprehensive. They are nowhere near as all-encompassing as California's consumer privacy laws, which are de facto becoming the American standard.
However, with public awareness of the dangers of stolen or leaked data growing, Maryland has been working to keep up with data privacy laws that are now trending throughout America.
State legislators wrote PIPA to ensure that the personal, identifying information of Maryland consumers is "reasonably protected." If that data is compromised, PIPA requires businesses to notify affected consumers of the security breach so that they can take steps to protect themselves.
In essence, PIPA places legislative obligations on businesses to keep the personal information of Maryland consumers secure and private.
To know whether your business falls under PIPA and must abide by its rules concerning biometric data, it is important to understand the law's definitions.
The definitions matter because House Bill 1154, which took effect on October 1, 2019, amended PIPA's rules on which businesses are covered. PIPA's current definition of a "business" reads:
(b)(1) "Business" means a sole proprietorship, partnership, corporation, association, or any other business entity, whether or not organized to operate at a profit.
(2) "Business" includes a financial institution organized, chartered, licensed, or otherwise authorized under the laws of this State, any other state, the United States, or any other country, and the parent or subsidiary of a financial institution.
Before House Bill 1154 took effect, only businesses that owned or licensed the personal information of Maryland residents were required to conduct a prompt, reasonable, good-faith investigation to determine whether personal information had been, or was likely to be, misused as the result of a data security breach.
Now, however, businesses that own, license, or maintain the personal information of Maryland residents are all subject to PIPA's requirements, regardless of the size of the business.
To sum up: if your company does business in the state of Maryland (whether or not it is located in the state) and owns, licenses, or maintains the personal information of Maryland-based consumers, then you must comply with PIPA.
In 2017, PIPA was amended by House Bill 974. The amendment updated and expanded PIPA's definition of personal information.
The current definition of personal information includes:
A business may also hold and use information that PIPA does not cover, and for which it therefore has no obligations in the event of a security breach.
This kind of data includes:
Under PIPA, a security breach is the unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a business.
If a security breach may have compromised personal information, and misuse of that information could harm a Maryland consumer, the business must notify the affected individuals.
Additionally, businesses must:
In order to be compliant, businesses must include the following in notices of a security breach:
Before sending notices to Maryland consumers, businesses must:
It should be noted that a business that complies with the notification requirements of the Gramm-Leach-Bliley Act is also deemed to be in compliance with PIPA.
Any violation of PIPA is an unfair or deceptive trade practice under Maryland's Consumer Protection Act, and is subject to that Act's enforcement and penalty provisions.
Consumers who believe a business has violated PIPA may file a complaint with Maryland's Attorney General, who may issue a cease and desist order and levy civil penalties of up to $1,000 for a first violation and up to $5,000 for each subsequent violation.
The Consumer Protection Act also gives Maryland consumers a private right of action: they may sue to recover damages for their injuries or losses, and may also recover their attorney's fees.
A major lawsuit was filed in the United States District Court for the District of Maryland by consumers against Marriott International, Inc. after one of the largest data breaches in history.
In November 2018, Marriott reported a data breach in which almost 400 million guest records were exposed worldwide. It was discovered that, over the course of four years, attackers had stolen personal information such as passport numbers and contact details from Marriott's database.
In Maryland, the lawsuit was brought by consumers alleging violations of PIPA. The lawsuit was filed on February 21, 2020.
The plaintiffs alleged that Marriott was negligent and failed to take the steps necessary to protect their personal data from a cyber-attack that could have been prevented.
The US District Court for the District of Maryland has not yet ruled on the case, but Marriott has already been fined by the UK's Information Commissioner's Office (ICO), which ordered it to pay £18.4 million (approximately $23.9 million) for violations of the EU General Data Protection Regulation (GDPR).
Biometric data is listed as just one aspect of personal information that must be protected under PIPA.
However, two more recent pieces of Maryland legislation focus specifically on biometric information.
The first, House Bill 307, is titled "Commercial Law - Consumer Protection - Biometric Identifiers and Biometric Information Privacy." It passed the Maryland House of Delegates at the beginning of 2020.
House Bill 307 requires:
"...private entities in possession of biometric identifiers or biometric information to develop a written policy, made available to the public, establishing a certain retention schedule and guidelines for permanently destroying biometric identifiers and biometric information; prohibiting a private entity from being required to make publicly available a certain policy; requiring each private entity in possession of biometric identifiers or biometric information to comply with certain schedules and guidelines; etc."
House Bill 307 is now pending in the State Senate's Finance Committee.
The second is House Bill 1202, titled "Labor and Employment - Use of Facial Recognition Services - Prohibition." This legislation has already passed and took effect on October 1, 2020.
The new law forbids employers from using a facial recognition service to create facial templates during a job applicant's interview unless the business has gained the applicant's consent.
The definition of "facial recognition service" is "technology that analyzes facial features and is used for recognition or persistent tracking of individuals in still or video images."
The definition of "facial template" is "the machine-interpretable pattern of facial features that is extracted from one or more images of an individual by a facial recognition service."
Notably, the law does not mention surveillance footage of an applicant's face or images captured by security-badge cameras.
In any case, as noted above, employers may use this biometric technology if they obtain the applicant's consent. Applicants give consent by signing a waiver.
The waiver must state, "in plain language," the following:
Many businesses across America now use facial recognition technology and artificial intelligence to evaluate job applicants. Maryland's new law aims to ensure that applicants know when an employer plans to use facial recognition technology.
The reasoning behind the legislation is that, while vendors promote the technology as a means of removing bias from the hiring process, critics argue that it is error-prone and reinforces existing privilege.
With the above in mind, businesses that plan to use biometric technologies such as facial recognition in hiring must ensure that they obtain the required consent from job applicants.
Want to read more about privacy laws in the USA? Start here:
| Law | Summary |
|---|---|
| COPPA: Children's Online Privacy Protection Act | Federal law that protects the privacy of children under 13 years of age when online or using a mobile app. |
| HIPAA: Health Insurance Portability and Accountability Act | Federal law that protects the privacy of individuals' health information. |
| California CCPA: California's Consumer Privacy Act | California law that gives consumers many privacy rights while placing transparency obligations on businesses. |
| California CPRA: California's Privacy Rights Act | California law that expands the CCPA and gives consumers additional rights. |
| Virginia CDPA: Virginia's Consumer Data Protection Act | Virginia law that allows users to opt out of the sale of their personal data. |
| Maryland PIPA: Maryland's Personal Information Protection Act | Maryland law that requires businesses to keep personal information private and secure. |
| Utah UCPA: Utah's Consumer Privacy Act | Utah law that provides a range of consumer privacy rights, including the right to data portability. |
| Connecticut CTDPA: Connecticut's Personal Data Privacy and Online Monitoring | Connecticut law that places transparency requirements on businesses while granting consumers rights over their personal data. |
| Colorado CPA: Colorado's Privacy Act | Colorado law that grants privacy rights to consumers while dictating how businesses can collect and process personal data. |
| Florida FPPA: Florida's Privacy Protection Act | Florida law that lets consumers control how their personal data is used, while requiring businesses to be more transparent. |
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.