Hospitality & Retail -


Are mandatory arbitration provisions recognized in your state? If so, are there any limitations to its enforcement?

In Maryland, mandatory arbitration provisions in agreements are not only recognized, but favored.[i] There is a strong policy in Maryland favoring arbitration, with our legislature even enacting a law, the Maryland Uniform Arbitration Act (MUAA), to promote a public policy that supports arbitration agreements and enforces them.[ii]

The MUAA gives Maryland courts the jurisdiction to “enforce arbitration agreements and enter judgements on arbitration awards,” encouraging parties to seek arbitration.[iii] Under the MUAA, a mandatory arbitration provision in a written agreement is valid, enforceable, and irrevocable.[iv]

There is a limitation, however, where grounds exist that would render the agreement itself revocable as a contract.[v] This means that if there is evidence of fraud, duress, waiver, unconscionability, or any other defense that prevents the formation of a contract, an arbitration provision can be challenged.[vi]

Additionally, employment contracts that feature arbitration provisions are exempted from the MUAA unless the agreement expressly states that the MUAA does apply.[vii] For construction surety bonds, an arbitration provision is required to be included in the bond itself, and not just incorporated by reference to an agreement that has the arbitration provision.[viii]

What is your state’s law, if any, regarding gift cards, subscription services and loyalty programs?

Gift Cards:

Maryland has enacted legislation that gives purchasers of gift cards some protection against unfair or deceptive practices.[ix] This law provides that:

  • If there is an expiration date or post-sale fees associated with the gift card, the information must be clearly visible on the front or back of the card in at least a 10-point typeface.[x]
  • If there is a post-sale fee, the information needs to include the amount of the fee, circumstances where the fee is imposed, the frequency of the fee, as well as if the fee is triggered by inactivity.[xi]
  • The issuer of the gift card is required to provide a written statement of those disclosures before the gift card is sold or issued if the disclosure is hidden by packaging.[xii]
  • If the gift card is sold or issued electronically, the issuer is required to provide the disclosures in a written statement, and if it is sold or offered over the telephone, the information should be verbally given.[xiii]

Regarding subscription services and loyalty programs, Maryland has not previously tackled either issue in the courts or the legislature.

What is your state’s law, if any, regarding safeguarding consumer credit card or other private data (i.e., cyber security)?

The Personal Information Protection Act (PIPA) was enacted to ensure that Maryland consumers’ personal identifying information is reasonably protected, and if it is compromised, they are notified so that they can take steps to protect themselves.[i] The PIPA applies to all commercial businesses, including those in the hospitality and retail industries, who manage the personal data of Maryland consumers.[ii]

Under the PIPA, a business must maintain “reasonable security procedures and practices that are appropriate to the nature of the personal information” collected.[iii] The upper and lower limits of “reasonable security procedures and practices” have not been tested in Maryland courts; however, other jurisdictions have cited Maryland’s law when handling similar claims.[iv]

The PIPA defines “personal information” as an individual’s:

  • First and last name in combination with:
    • A Social Security number, an individual taxpayer identification number, a passport number, or other identification number issued by the federal government; [v]
    • A driver’s license number or state identification card number;[vi]
    • An account number, a credit card number, or a debit card number, in combination with any required security code, access code, or password, that permits access to an individual’s financial account;[vii]
    • Health information, including information about an individual’s mental health;[viii]
    • A health insurance policy or certificate number or health insurance subscriber identification number, in combination with a unique identifier used by an insurer or an employer that is self-insured, that permits access to an individual’s health information;[ix] or
    • Biometric data of an individual generated by automatic measurements of an individual’s biological characteristics such as a fingerprint, voice print, genetic print, retina or iris image, or other unique biological characteristic, that can be used to uniquely authenticate the individual’s identity when the individual accesses a system or account;[x]


  • Username or email address in combination with a password or security question and answer that permits access to an individual’s email account.[xi]

If a Maryland retail or hospitality business collects the above information from a consumer, then it must adhere to the PIPA.[xii] If a hospitality or retail business works with a third-party service provider to perform services which involve private consumer data, then the business must ensure that the third party implements and maintains reasonable security procedures in compliance with the PIPA.[xiii]

What is your state’s law, if any, regarding the collection and handling of financial information?

Financial information collection and management remain regulated by the PIPA at present. Essentially, Maryland law does not specifically address the “collection and management” of consumer financial data through a distinct statute. Regarding financial data, the PIPA mandates specific procedures for both the disposal of financial information and measures that must be taken in response to data breaches.

When a business is destroying a customer’s data or records that include financial information, the business must take reasonable steps to protect against unauthorized access.[xiv] If a breach in a company’s security occurs, whether or not data was actually removed, the law requires a Maryland business to conduct in good faith a “reasonable and prompt investigation to determine the likelihood that personal information has been or will be misused as a result of the breach.”[xv] When the investigation indicates that the information has been (or will likely be) misused, then the business must give notice of the breach to the consumer no later than forty-five (45) days after the business discovers the breach.[xvi] Finally, the business must send a report to the Office of the Attorney General of Maryland.[xvii]

Notification of a security breach to consumers must include specific data:

  • A description of the categories of information that were acquired by an unauthorized person.[xviii]
  • Contact information for the business making the notification, including the address, telephone number, and toll-free telephone number if one is maintained.[xix]
  • The toll-free telephone number and addresses for the major consumer reporting agencies.[xx]
  • The toll-free telephone number of the Federal Trade Commission and the Office of the Attorney General for Maryland, along with a statement that the individual can obtain information from these sources about steps to take to avoid identity theft.[xxi]

If the investigation does not indicate that the security breach will result in violations of consumer data, then the business must maintain records that reflect its determination for three (3) years after such decision is made.[xxii]

While the PIPA lays out the current requirements in Maryland for the On April 6, 2024, the Maryland Legislature passed a comprehensive privacy bill: The Maryland Online Privacy Act of 2024. The law has not yet been signed by Governor Wes Moore; however, if it does become law, then it will likely require hospitality and retail companies to adjust their state law compliance before April 1, 2026.[xxiii]

[i] Com. Law § 14-3503.

[ii] Id.

[iii] Id.

[iv] See, e.g., Attias v. CareFirst, Inc., 365 F. Supp. 3d 1, 227 (D.D.C. 2019).

[v] Com. Law § 14-3501(e).

[vi] Id.

[vii] Id.

[viii] Id.

[ix] Id.

[x] Id.

[xi] Id.

[xii] Com. Law § 14-3503(a).

[xiii] Com. Law § 14-3503(b).

[xiv] Com. Law § 14-3502.

[xv] Com. Law § 14-3504(b)(1).

[xvi] Id. at (b)(2).

[xvii] Id. at (b)(2).

[xviii] Com. Law § 14-3504(g)(1).

[xix] Id. at (g)(2).

[xx] Id. at (g)(3).

[xxi] Id. at (g)(4).

[xxii] Id. at (b)(4).

[xxiii] See Senate Bill 541, (last accessed April 24, 2024).

[i] Doyle v. Fin. Am., LLC, 173 Md. App. 370, 382, 918 A.2d 1266, 1273 (2007).

[ii] Rankin v. Brinton Woods of Frankford, LLC, 241 Md. App. 604, 619, 211 A.3d 645, 654 (2019); Md. Code Ann., Cts. & Jud. Proc. §§ 3-201- 3-234 (West 2022).

[iii] Fraternal Order of Police, Montgomery Cnty. Lodge 35 v. Montgomery Cnty., 216 Md. App. 634, 641, 88 A.3d 887, 892 (2014).

[iv] Cts. & Jud. Proc. § 3-206 (a).

[v] Id.

[vi] See Doyle, 173 Md. App. at 382, 918 A.2d at 1273; Rankin, 241 Md. App. at 619, 211 A.3d at 654; Holloman v. Circuit City Stores, Inc., 391 Md. 580, 598, 894 A.2d 547, 557 (2006).

[vii] Cts. & Jud. Proc. § 3-206 (b).

[viii] Hartford Acc. & Indem. Co. v. Scarlett Harbor Associates Ltd. P’ship, 346 Md. 122, 129, 695 A.2d 153, 156 (1997).

[ix] Md. Code Ann., Com. Law § 14-1320 (West 2022).

[x] Com. Law § 14-1320 (b).

[xi] Com. Law § 14-1320 (b)(2).

[xii] Com. Law § 14-1320 (c).

[xiii] Com. Law §§ 14-1320 (d)(1), 14-1320 (d)(2).