Attestly Team · Maryland

AI Compliance Requirements in Maryland: What Small Businesses Need to Know in 2026

Maryland has specific AI legislation affecting businesses. Here's what small business owners need to know to stay compliant.

What Maryland Business Owners Need to Know About AI Compliance in 2026

If you're running a small business in Maryland and using AI tools—whether that's ChatGPT for customer service, an AI-powered applicant tracking system, or automated marketing software—you're now subject to specific legal requirements that went into effect under Maryland House Bill 1202.

This isn't theoretical. Maryland has joined a handful of states actively regulating artificial intelligence, particularly when it comes to hiring practices and biometric data like facial recognition. And unlike some vague regulatory frameworks that only affect tech giants, Maryland's rules directly impact small and medium-sized businesses that use everyday AI tools.

This guide breaks down exactly what you need to know, what you need to do, and how to stay compliant without hiring a legal team.

Maryland's AI Regulatory Landscape: What Changed

Maryland House Bill 1202 introduced targeted restrictions on how businesses can use artificial intelligence, with a particular focus on two areas: employment decisions and facial recognition technology.

The law recognizes that AI is now embedded in routine business operations—from resume screening software to customer identification systems. Rather than banning these technologies outright, Maryland has established transparency and disclosure requirements that give individuals more control and awareness over how AI affects them.

Key provisions include:

  • Restrictions on facial recognition in hiring: Employers cannot use facial recognition technology to make hiring, promotion, or termination decisions without specific safeguards
  • Mandatory disclosure of AI screening tools: If you use AI to evaluate job applicants, you must inform candidates that automated systems are part of your decision-making process
  • Biometric data protections: Special handling requirements for any AI system that processes facial geometry, fingerprints, or other biometric identifiers
  • Adverse action notifications: If an AI system contributes to rejecting a candidate, specific disclosure obligations apply

Maryland's approach follows Illinois (with its Biometric Information Privacy Act) and New York City (with its AI hiring law) in recognizing that automated decision-making deserves regulatory attention, but Maryland's version is specifically tailored to protect workers and job seekers. Nearby states like Delaware and Virginia have taken different but complementary approaches to AI regulation, making regional compliance a key consideration for mid-Atlantic businesses.

Who These Laws Apply To

Maryland's AI compliance requirements primarily affect employers and hiring entities, but the practical reality is broader than that.

You're definitely covered if you:

  • Hire employees in Maryland: Even if your business is headquartered elsewhere, if you're hiring Maryland residents, you're subject to HB 1202
  • Use AI in your hiring process: This includes applicant tracking systems (ATS) with AI features, resume screening tools, automated video interview platforms, or any system that ranks or filters candidates using algorithms
  • Operate biometric systems: If you use facial recognition for timekeeping, building access, or customer verification in Maryland locations
  • Have 15 or more employees: While some provisions apply broadly, certain requirements specifically target employers meeting minimum size thresholds

You might be covered if you:

  • Use AI customer service tools that collect biometric data: Chatbots are generally fine, but if you're using voice analysis or facial recognition for customer interactions, compliance obligations may apply
  • Deploy AI-powered surveillance: Retail businesses using AI-enhanced security cameras with facial recognition capabilities
  • Contract with staffing agencies: If your staffing partners use AI screening on your behalf, you may share compliance responsibility

You're probably not covered if you:

  • Only use general AI writing or productivity tools: Using ChatGPT to draft emails, Grammarly for editing, or AI design tools without processing Maryland residents' biometric data doesn't trigger HB 1202
  • Don't hire in Maryland and don't process biometric data: Out-of-state businesses with no Maryland hiring activity or physical presence

The important distinction is between AI tools that process personal data or make employment decisions versus those that simply help you work more efficiently.

Specific Compliance Requirements Under Maryland Law

Maryland's requirements are specific and actionable. Here's what you actually need to do.

For AI in Hiring and Employment

1. Pre-use disclosure to candidates

Before using any AI tool to screen, evaluate, or rank job applicants, you must clearly inform candidates. This disclosure should:

  • Identify that AI or automated decision-making systems are being used
  • Explain, in plain language, what the AI evaluates (skills, experience, personality traits, speech patterns, etc.)
  • Be provided before or at the start of the application process
  • Appear in a conspicuous location (not buried in 50 pages of terms and conditions)

2. Human review requirement

Maryland law emphasizes that AI should assist, not replace, human judgment in employment decisions. You must:

  • Ensure a human reviews AI-generated recommendations before making final hiring decisions
  • Document that human review occurred
  • Provide a process for applicants to question or appeal AI-driven decisions

3. Adverse action notices

If you decline a candidate and AI played a role in that decision, you must:

  • Notify the applicant that an automated system was used
  • Provide information about the factors the AI considered
  • Explain how the applicant can request human review of the decision

For Facial Recognition and Biometric Data

1. Consent requirements

You cannot collect or use facial recognition data for employment purposes without:

  • Clear written notice describing what biometric data you're collecting
  • Explicit opt-in consent from the individual
  • A stated retention policy (how long you'll keep the data)

2. Data protection obligations

Any biometric data collected must be:

  • Stored using reasonable security measures (encryption, access controls)
  • Protected at least as securely as other confidential business information
  • Deleted when the original purpose is fulfilled or within a specified timeframe

3. Use limitations

Facial recognition data cannot be:

  • Sold or shared with third parties without consent
  • Used for purposes beyond what was disclosed at collection
  • Retained indefinitely without a legitimate business need

Documentation Requirements

While HB 1202 doesn't explicitly mandate specific documentation formats, practical compliance requires:

  • AI tool inventory: List of all AI systems used in hiring or that process biometric data
  • Disclosure templates: Standardized language for informing candidates about AI use
  • Consent forms: Written documentation of individual consent for biometric data collection
  • Training records: Evidence that HR staff and hiring managers understand AI compliance requirements
  • Vendor due diligence: Documentation that third-party AI tools meet Maryland requirements

Common AI Tools That Trigger Compliance

Many small businesses use AI without fully recognizing it. Here are common tools and whether they create compliance obligations under Maryland law.

Tools That Definitely Trigger Requirements

HireVue, Paradox, Modern Hire (AI video interviewing platforms): These analyze facial expressions, speech patterns, and word choice. Full disclosure and consent requirements apply.

LinkedIn Recruiter with AI filters: When using AI-powered candidate matching or ranking, disclosure obligations apply.

Workday, Greenhouse, Lever (ATS with AI screening): If you enable AI resume screening or candidate ranking features, you must disclose this to applicants.

Time clocks with facial recognition (like TouchBio or FaceMetrics): These collect biometric data and require explicit consent and data protection measures.

AI-powered background check services: Tools that use AI to analyze social media, predict behavior, or assess "cultural fit" require disclosure.

Tools That Might Trigger Requirements (Context-Dependent)

Calendly, Zoom AI features: Generally fine for scheduling and meeting transcription, but if you're using AI meeting analysis to evaluate job interviews, disclosure requirements apply.

HubSpot, Salesforce with AI: CRM AI features for lead scoring don't typically implicate HB 1202 unless you're using them to screen job applicants.

Chatbots for recruiting: Text-based chatbots that simply answer FAQs are generally fine. If they screen or qualify candidates using AI, disclosure is required.

Tools That Don't Trigger Requirements

ChatGPT, Claude, Gemini (for content creation): Using AI to write job descriptions, emails, or marketing content doesn't trigger compliance obligations.

Grammarly, Jasper, Copy.ai: Writing assistance tools without personal data processing.

Canva AI, Midjourney, DALL-E: Design and image generation tools.

QuickBooks AI features, expense categorization: Financial AI tools that don't process biometric data or make employment decisions.

The key question: Does the tool process Maryland residents' personal/biometric data or contribute to employment decisions? If yes, compliance applies. If it's just helping you work more efficiently without processing individual data, you're likely clear. For a broader overview of whether your business needs compliance documentation, check out our guide on what an AI disclosure policy is and why it matters.

Step-by-Step Compliance Checklist for Maryland Businesses

Here's your practical roadmap to compliance.

Step 1: Inventory Your AI Tools (Week 1)

  • List every software tool your business uses
  • Identify which ones have AI or "smart" features
  • Flag any used in hiring or that collect biometric data
  • Check vendor documentation to understand what data is processed

Step 2: Review Hiring Processes (Week 1-2)

  • Document your current hiring workflow from job posting to offer letter
  • Identify where AI tools appear in the process (resume screening, interview scheduling, assessment tools)
  • Determine if your ATS or recruiting software uses AI ranking or filtering
  • Check if your background check provider uses AI analysis

Step 3: Create Disclosure Documents (Week 2)

Draft clear, plain-language statements for:

  • Job postings (if AI is used in initial screening)
  • Application pages ("This employer uses AI-assisted tools to review applications")
  • Interview processes (if using AI video or analysis tools)
  • Consent forms (for any biometric data collection)

Step 4: Update Job Application Materials (Week 2-3)

  • Add AI disclosure language to your careers page
  • Include disclosure in job posting templates
  • Update application forms with consent checkboxes where needed
  • Revise rejection email templates to include AI disclosure when applicable

Step 5: Implement Human Review (Week 3)

  • Establish a policy that humans must review AI recommendations before decisions
  • Train hiring managers on their review responsibilities
  • Create a simple documentation process (even a checkbox log works)
  • Set up an appeal process for candidates who question AI-driven decisions

Step 6: Audit Biometric Data Systems (Week 3-4)

  • If using facial recognition time clocks or access systems, verify explicit consent exists
  • Review data storage and security practices
  • Establish a retention schedule (delete data when no longer needed)
  • Confirm you're not selling or sharing biometric data

Step 7: Train Your Team (Week 4)

  • Educate HR staff and hiring managers on Maryland AI requirements
  • Explain disclosure obligations and when they apply
  • Review the human oversight requirement
  • Provide scripts for responding to candidate questions about AI

Step 8: Document Everything (Ongoing)

  • Maintain records of AI disclosures provided to candidates
  • Keep consent forms for biometric data collection
  • Log human reviews of AI hiring recommendations
  • Update documentation when you add new AI tools

Step 9: Review Vendor Contracts (Week 4-5)

  • Contact AI tool vendors to confirm their Maryland compliance
  • Request vendor documentation of compliance measures
  • Clarify who's responsible for various compliance obligations
  • Consider adding indemnification language to contracts

Step 10: Establish Ongoing Compliance (Ongoing)

  • Set quarterly reviews of AI tool inventory
  • Monitor for Maryland regulatory updates
  • Update disclosures when changing AI tools
  • Train new HR staff on compliance requirements

Penalties and Enforcement

Maryland enforces AI compliance requirements through multiple mechanisms, and violations can be costly for small businesses.

Potential Penalties

Private right of action: HB 1202 allows individuals to sue employers directly for violations. This means rejected job candidates or employees could bring lawsuits if:

  • They weren't informed about AI use in hiring
  • Their biometric data was collected without consent
  • AI-driven adverse decisions weren't properly disclosed

Damages can include:

  • Actual damages (lost wages, emotional distress)
  • Statutory damages (fixed amounts per violation, often $1,000-$5,000)
  • Attorney's fees and costs (making lawsuits economically viable even for smaller claims)

Regulatory enforcement: The Maryland Attorney General can investigate complaints and bring enforcement actions for systemic violations, with civil penalties of up to $10,000 per violation.

Employment discrimination claims: If AI hiring tools produce discriminatory outcomes and proper disclosures weren't made, this could compound liability under existing employment discrimination laws.

Real-World Risk Factors

Small businesses face particular risks because:

  • Limited HR resources mean compliance details get overlooked
  • Off-the-shelf software often comes with AI features enabled by default
  • Vendor reliance creates false confidence that someone else is handling compliance
  • Rapid AI adoption happens without legal review

The most common violation scenarios:

  • Using an ATS with AI features without adding required disclosures to applications
  • Implementing facial recognition time tracking without explicit written consent
  • Relying entirely on AI screening without documenting human review
  • Failing to update rejection notices when AI influences decisions

Enforcement Reality

As of February 2026, Maryland enforcement is still emerging. The Attorney General's office has issued guidance clarifying requirements, and several complaints have been filed, though major penalty assessments are still limited.

However, the trend is clear: AI compliance enforcement is ramping up. Early violations may receive warning letters, but repeat or egregious violations will face financial penalties. More concerning for small businesses: employee lawsuits are becoming more common as workers become aware of their rights.

How Maryland Compares to Other States

Maryland's approach sits in the middle of the spectrum between states with no AI regulation and those with comprehensive frameworks.

More restrictive than Maryland:

  • Illinois (BIPA): Broader biometric privacy law with stricter consent requirements and higher statutory damages ($1,000-$5,000 per violation)
  • New York City (Local Law 144): More detailed AI hiring audit and disclosure requirements, including annual bias audits by independent third parties

Similar to Maryland:

  • California (multiple bills): Similar disclosure and consent requirements for AI in hiring and biometric data
  • Colorado (SB 24-205): Requires AI impact assessments and disclosures, though implemented differently

Less restrictive than Maryland:

  • Texas: Some biometric data protections but fewer hiring-specific AI requirements
  • Most other states: No comprehensive AI-specific employment laws (yet)

Key differences in Maryland's approach:

Maryland focuses specifically on hiring decisions and facial recognition rather than attempting to regulate all AI use. This makes compliance more manageable for small businesses—you're primarily concerned with HR and biometric systems, not every AI tool in your tech stack.

Maryland also emphasizes transparency over prohibition. You can use AI tools, but you must be upfront about it. This is more practical than outright bans but requires operational discipline to maintain proper disclosures.

The multistate compliance challenge:

If you hire across multiple states, you'll need to meet the requirements of each state where candidates or employees are located. This often means:

  • Designing compliance processes around the strictest applicable standard
  • Using disclosure language that satisfies all relevant jurisdictions
  • Implementing systems that can track which requirements apply to which individuals

Maryland's requirements are moderate enough that complying with them generally won't conflict with other states' laws, but if you're also hiring in New York City or Illinois, you'll need to layer on additional requirements.

What Maryland Businesses Should Do Right Now

Compliance doesn't have to be overwhelming. Here are your immediate action items, prioritized by urgency.

This Week

1. Check your hiring tools: Log into your ATS, recruiting software, and any video interviewing platforms. Look for AI, "smart," or "automated" features. Check if they're enabled.

2. Add basic disclosures: Even if you need to refine language later, add a simple statement to your careers page and job application: "This employer uses AI-assisted tools as part of the hiring process. All final decisions are made by human reviewers."

3. Review time tracking systems: If you use biometric time clocks or access systems, verify you have written consent from everyone using them.

This Month

4. Draft comprehensive disclosures: Create clear, specific language explaining how you use AI in hiring. Include this in job postings, application pages, and rejection emails.

5. Implement documentation: Set up a simple system to log that human review occurs for AI-assisted hiring decisions. This can be as simple as a checkbox in your ATS or a spreadsheet.

6. Train your team: Spend 30 minutes with everyone involved in hiring to explain Maryland requirements. Make sure they know to disclose AI use and document their review of AI recommendations.

Next Quarter

7. Conduct a full AI audit: Systematically review every business system for AI features and assess compliance implications.

8. Review vendor contracts: Contact AI tool providers to discuss Maryland compliance. Get written confirmation of their compliance measures.

9. Develop policies: Create written AI use policies for hiring and biometric data. This doesn't need to be complex—one to two pages of clear guidelines is sufficient.

10. Set up ongoing monitoring: Establish a quarterly calendar reminder to review AI compliance, update disclosures as tools change, and train new staff.

Ongoing

11. Stay informed: Maryland's AI regulatory environment will continue evolving. Set up Google Alerts for "Maryland AI regulation" or "Maryland HB 1202."

12. Document consistently: Make compliance documentation a routine part of your hiring process, not something you try to reconstruct later.

13. Be prepared to adjust: As enforcement precedents emerge and regulations evolve, be ready to refine your approach.

Practical Compliance Without the Overhead

The reality is that most small businesses don't have dedicated compliance staff, and hiring a law firm to create custom AI policies can cost thousands of dollars.

But compliance doesn't have to be complicated or expensive. The key is having the right documentation framework—clear disclosures, consent forms, and policies written in plain language that actually matches how your business operates.

Attestly helps Maryland small businesses generate customized AI compliance documents in minutes, not weeks. Answer a few questions about your business and the AI tools you use, and get disclosure templates, consent forms, and policies specifically tailored to Maryland's requirements under HB 1202.

Whether you're just starting to think about AI compliance or you've been meaning to formalize your approach, having the right documentation foundation makes ongoing compliance manageable. Visit attestly.io to generate your Maryland AI compliance documents and get peace of mind that you're meeting your legal obligations without the legal bills.

Frequently Asked Questions

Does Maryland have specific AI laws for small businesses?

Yes. Maryland House Bill 1202 introduces targeted restrictions on AI use in hiring and facial recognition. If your business uses AI to screen job applicants or collects biometric data like facial recognition, you must comply with specific disclosure, consent, and human review requirements regardless of business size.

What are the penalties for AI non-compliance in Maryland?

Maryland allows both regulatory enforcement and private lawsuits. The Attorney General can impose civil penalties up to $10,000 per violation. Additionally, individuals can sue directly for actual damages, statutory damages of $1,000-$5,000 per violation, plus attorney's fees.

Do I need to disclose AI use in my hiring process in Maryland?

Yes. If you use any AI tool to screen, evaluate, or rank job applicants, you must inform candidates before or at the start of the application process. You must also ensure human review of AI recommendations and provide adverse action notices when AI contributes to rejecting a candidate.

Can I use facial recognition for employee time tracking in Maryland?

You can, but only with explicit written consent from each employee. Maryland HB 1202 requires clear notice about what biometric data you're collecting, explicit opt-in consent, a stated retention policy, and reasonable security measures to protect the data.
