Maryland Expands Privacy Rules for State Agencies, Vendors
https://www.govtech.com/policy/maryland-expands-privacy-rules-for-state-agencies-vendors
Publish Date: 2026-05-13 19:32:00
Source Domain: www.govtech.com
A new Maryland law reshapes how the state collects, uses, keeps and protects residents’ personal information, expanding how it is defined, setting clearer expectations for agencies, and adding security requirements around data use and privacy in third-party contracts.
Gov. Wes Moore signed the Maryland Data Privacy and Protection Act of 2026 into law Tuesday, signaling the state’s position that data it collects should only be used for the purpose it was gathered and that the right to privacy is inherent. The law also “incorporates data use agreements into procurement contracts with third-party contractors,” the Maryland Department of Information Technology (DoIT) said on LinkedIn, and requires “each unit of state government” to designate a privacy officer.
In the absence of a comprehensive federal privacy law, states have increasingly developed their own approaches to governing how personal information is collected, shared and protected, creating what privacy experts have described as a patchwork of requirements.
Maryland’s new law reflects that broader trend of states stepping in, but with a particular emphasis on how its government agencies themselves collect, retain and manage resident data. The law is the latest step in a wider effort to modernize how the state government manages data, cybersecurity and digital services.
The state wants to ensure that “our residents have retained control over their data, and we use it the way we’re supposed to, and we protect it,” state Chief Privacy Officer Caterina Pangilinan said in March.
The law limits agencies to collecting only the minimum amount of personal information needed to accomplish “legitimate government purposes,” requires the information to be relevant to its intended use, prohibits agencies from retaining it longer than “reasonably necessary,” and requires it to be securely deleted or de-identified when no longer…