Md. Code Ann., Com. Law § 14-4712
Construction of subtitle
Effective Oct 1, 2025Added by Acts 2024, c. 454, § 1, eff. Oct. 1, 2025; Acts 2024, c. 455, § 1, eff. Oct. 1, 2025. Amended by Acts 2024, c. 382, § 5.State of Maryland
(a) Nothing in this subtitle may be construed to restrict a controller's or processor's ability to:
- (1) Comply with federal, State, or local laws or regulations;
- (2) Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by a federal, State, local, or other governmental authority;
- (3) Cooperate with law enforcement agencies concerning conduct or activity that the controller or processor reasonably and in good faith believes may violate federal, State, or local laws or regulations;
- (4) Investigate, establish, exercise, prepare for, or defend a legal claim;
- (5) Provide a product or service specifically requested by a consumer;
- (6) Perform under a contract to which a consumer is a party, including fulfilling the terms of a written warranty;
- (7) Take steps at the request of a consumer before entering into a contract;
- (8) Take immediate steps to protect an interest that is essential for the life or physical safety of a consumer or another individual and when the processing cannot be manifestly based on another legal basis;
- (9) Prevent, detect, protect against, investigate, prosecute those responsible, or otherwise respond to a security incident, identity theft, fraud, harassment, malicious or deceptive activity, or any other type of illegal activity;
- (10) Preserve the integrity or security of systems; or
- (11) Assist another controller, processor, or third party with an obligation under this subtitle.
(b)
- (1) This subsection does not apply to an obligation required under § 14-4711 of this subtitle.
(2) An obligation imposed on a controller or processor under this subtitle may not restrict a controller's or processor's ability to collect, use, or retain personal data for internal use to:
- (i) Effectuate a product recall;
- (ii) Identify and repair technical errors that impair existing or intended functionality; or
(iii) Perform internal operations that are:
- 1. Reasonably aligned with the expectations of the consumer or can be reasonably anticipated based on the consumer's existing relationship with the controller; or
2. Otherwise compatible with processing data in furtherance of:
- A. The provision of a product or service specifically requested by a consumer; or
- B. The performance of a contract to which the consumer is a party.
(c)
- (1) An obligation imposed on a controller or a processor under this subtitle does not apply when compliance by the controller or processor with the subtitle would violate an evidentiary privilege under State law.
- (2) Nothing in this subtitle may be construed to prevent a controller or processor from providing personal data concerning a consumer to a person covered by an evidentiary privilege under State law as part of a privileged communication.
(d)
(1) A controller or processor that discloses personal data to a processor or a third-party controller in compliance with this subtitle is not in violation of this subtitle if the processor or third-party controller that receives the personal data violates this subtitle and:
- (i) at the time the disclosing controller or processor disclosed the personal data, the disclosing controller or processor did not have actual knowledge that the receiving processor or third-party controller would violate this subtitle; and
- (ii) the disclosing controller was, and remained, in compliance with its obligations as the discloser of the personal data.
- (2) A third-party controller or processor that receives personal data from a controller or processor in compliance with this subtitle is not in violation of this subtitle for the independent misconduct of the controller or processor from which the third-party controller or processor received the personal data.
(e) Nothing in this subtitle may be construed to:
- (1) Impose an obligation on a controller or a processor that adversely affects the rights or freedoms of any person, including the rights of a person to freedom of speech or freedom of the press as guaranteed in the First Amendment to the U.S. Constitution; or
- (2) Apply to a person's processing of personal data during the person's personal or household activities.
(f) If a controller or processor processes personal data in accordance with an exemption under this section, the controller or processor shall demonstrate that the processing:
- (1) Qualifies for an exemption; and
- (2) Complies with the requirements of subsection (g) of this section.
(g) Personal data processed by a controller or processor in accordance with this section:
(1) Shall be subject to reasonable administrative, technical, and physical measures to:
- (i) Protect the confidentiality, integrity, and accessibility of the personal data; and
- (ii) Reduce reasonably foreseeable risks of harm to consumers relating to the collection, use, or retention of personal data; and
(2) May be processed to the extent that the processing is:
- (i) Reasonably necessary and proportionate to the purposes listed in this section; and
- (ii) Adequate, relevant, and limited to what is necessary in relation to the specific purposes listed in this section.
- (h) A person that processes personal data for a purpose expressly identified in this section may not be considered a controller solely based on the processing of personal data.
Added by Acts 2024, c. 454, § 1, eff. Oct. 1, 2025; Acts 2024, c. 455, § 1, eff. Oct. 1, 2025. Amended by Acts 2024, c. 382, § 5.