Maryland 2023 2023 Regular Session

Maryland House Bill HB901 Introduced / Bill

Filed 02/10/2023

                     
 
EXPLANATION: CAPITALS INDICATE MATTER ADDED TO EXISTING LAW.
        [Brackets] indicate matter deleted from existing law.
  
HOUSE BILL 901 
I3, S1   	3lr1083 
    	CF SB 844 
By: Delegates Solomon and Wilson 
Introduced and read first time: February 9, 2023 
Assigned to: Economic Matters 
 
A BILL ENTITLED 
 
AN ACT concerning

Consumer Protection – Online Products and Services – Children’s Data

FOR the purpose of requiring a business that offers an online product likely to be accessed
by children to complete a certain data protection impact assessment under certain
circumstances; prohibiting a business from offering a certain online product before
completing a data protection impact assessment; requiring businesses to document
certain risks associated with certain online products; requiring certain privacy
protections for certain online products; prohibiting certain data collection and
sharing practices; providing certain exemptions; and generally relating to the
protection of online privacy of children.

BY adding to
 Article – Commercial Law
Section 14–4501 through 14–4513 to be under the new subtitle “Subtitle 45.
Maryland Age–Appropriate Design Code Act”
 Annotated Code of Maryland
 (2013 Replacement Volume and 2022 Supplement)
 
Preamble

 WHEREAS, The United Nations Convention on the Rights of the Child recognizes
that children need special safeguards and care in all aspects of their lives, specifying how
children’s rights apply in the digital environment in General Comment No. 25; and

 WHEREAS, As children spend more of their time interacting with the online world,
the impact of the design of online products on their well–being has become a focus of
significant concern; and

 WHEREAS, There is widespread agreement at the international level, and
bipartisan agreement in the United States, that more needs to be done to create a safer
online space for children to learn, explore, and play; and
 
 
 
 WHEREAS, Lawmakers around the globe have taken steps to enhance privacy
protections for children based on the understanding that, in relation to data protection,
greater privacy necessarily means greater security and well–being; and

 WHEREAS, Children should be afforded protections not only by online products and
services specifically directed at them, but by all online products they are likely to access,
and thus businesses should take into account the unique needs of different age ranges,
including the following developmental stages: 0 to 5 years of age, or “preliterate and early
literacy”; 6 to 9 years of age, or “core primary school years”; 10 to 12 years of age, or
“transition years”; 13 to 15 years of age, or “early teens”; and 16 to 17 years of age, or
“approaching adulthood”; and

 WHEREAS, While it is clear that the same data protection regime may not be
appropriate for children of all ages, children of all ages should nonetheless be afforded
privacy and protection, and online products should adopt data protection regimes
appropriate for children of the ages likely to access those products; and

 WHEREAS, According to the Pew Research Center, in 2022, 97% of American
teenagers aged 13–17 used the Internet every day, with 46% responding they used the
Internet almost constantly; and, additionally, 36% of teens reported being concerned about
their social media use, while an earlier Pew Research Center study found that 59% of teens
have been bullied or harassed online; and

 WHEREAS, The findings of the Pew Research Center are not surprising, given what
is known about controllers’ use of personal data and how it is utilized to inform
manipulative practices, to which children are particularly vulnerable; and

 WHEREAS, Online products that are likely to be accessed by children should offer
strong privacy protections by design and by default, including by disabling features that
profile children using their previous behavior, browsing history, or assumptions of their
similarity to other children in order to offer them detrimental material; and

 WHEREAS, Ensuring robust privacy, and thus safety, protections for children by
design is consistent with federal safety laws and policies applied to children’s products,
regulating everything from toys to clothing to furniture and games; and

 WHEREAS, The consumer protections that federal safety laws apply to children’s
products require these products to comply with certain safety standards by their very
design, so that harms to children, and in some cases other consumers, are prevented; and

 WHEREAS, It is the intent of the Maryland General Assembly that the Maryland
Age–Appropriate Design Code Act promote innovation by businesses whose online products
are likely to be accessed by children by ensuring that those online products are designed in
a manner that recognizes the distinct needs of children within different age ranges; and

 WHEREAS, It is the intent of the Maryland General Assembly that businesses
covered by the Maryland Age–Appropriate Design Code Act may look to guidance and
innovation in response to the Age–Appropriate Design Code established in the United
Kingdom and California when developing online products that are likely to be accessed by
children; now, therefore,
 
 SECTION 1. BE IT ENACTED BY THE GENERAL ASSEMBLY OF MARYLAND,
That the Laws of Maryland read as follows:

Article – Commercial Law

SUBTITLE 45. MARYLAND AGE–APPROPRIATE DESIGN CODE ACT.

14–4501.

 (A) IN THIS SUBTITLE THE FOLLOWING WORDS HAVE THE MEANINGS
INDICATED.
 
 (B) (1) “AGGREGATE CONSUMER INFORMATION” MEANS INFORMATION:

 (I) THAT RELATES TO A GROUP OR CATEGORY OF CONSUMERS;

 (II) FROM WHICH INDIVIDUAL CONSUMER IDENTITIES HAVE
BEEN REMOVED; AND

 (III) THAT IS NOT LINKED OR REASONABLY LINKABLE TO ANY
CONSUMER OR HOUSEHOLD, INCLUDING BY A DEVICE.

 (2) “AGGREGATE CONSUMER INFORMATION” DOES NOT INCLUDE
INDIVIDUAL CONSUMER RECORDS THAT HAVE BEEN DEIDENTIFIED.
 
 (C) (1) “BUSINESS” MEANS A SOLE PROPRIETORSHIP, LIMITED LIABILITY
COMPANY, CORPORATION, ASSOCIATION, OR OTHER LEGAL ENTITY THAT:

 (I) IS ORGANIZED OR OPERATED FOR THE PROFIT OR
FINANCIAL BENEFIT OF ITS SHAREHOLDERS OR OTHER OWNERS;

 (II) COLLECTS CONSUMERS’ PERSONAL INFORMATION, OR ON
THE BEHALF OF WHICH ANOTHER COLLECTS CONSUMERS’ PERSONAL
INFORMATION;

 (III) ALONE, OR JOINTLY WITH ITS AFFILIATES OR
SUBSIDIARIES, DETERMINES THE PURPOSES AND MEANS OF THE PROCESSING OF
CONSUMERS’ PERSONAL INFORMATION;

 (IV) DOES BUSINESS IN THE STATE; AND

 (V) SATISFIES AT LEAST ONE OF THE FOLLOWING CRITERIA:

 1. THE BUSINESS HAS ANNUAL GROSS REVENUES IN
EXCESS OF $25,000,000, ADJUSTED EVERY ODD–NUMBERED YEAR TO REFLECT
ADJUSTMENTS IN THE CONSUMER PRICE INDEX;

 2. THE BUSINESS ANNUALLY BUYS, RECEIVES, SELLS,
OR SHARES THE PERSONAL INFORMATION OF 50,000 OR MORE CONSUMERS,
HOUSEHOLDS, OR DEVICES, ALONE OR IN COMBINATION WITH ITS AFFILIATES OR
SUBSIDIARIES, AND FOR THE BUSINESS’S COMMERCIAL PURPOSES; OR

 3. THE BUSINESS DERIVES AT LEAST 50% OF ITS
ANNUAL REVENUES FROM THE SALE OF CONSUMERS’ PERSONAL INFORMATION.

 (2) “BUSINESS” INCLUDES:

 (I) AN ENTITY THAT CONTROLS OR IS CONTROLLED BY A
BUSINESS AND THAT SHARES COMMON BRANDING WITH THAT BUSINESS; AND

 (II) A JOINT VENTURE OR PARTNERSHIP COMPOSED OF
BUSINESSES IN WHICH EACH HAS AT LEAST A 40% INTEREST IN THE JOINT VENTURE
OR PARTNERSHIP.
 
 (D) “CHILD” MEANS A CONSUMER THAT IS UNDER THE AGE OF 18 YEARS.

 (E) “COLLECT” MEANS TO ACTIVELY OR PASSIVELY BUY, RENT, GATHER,
OBTAIN, RECEIVE, OR ACCESS ANY PERSONAL INFORMATION PERTAINING TO A
CONSUMER OR OBSERVE A CONSUMER’S BEHAVIOR, BY ANY MEANS.

 (F) “COMMON BRANDING” MEANS A SHARED NAME, SERVICE MARK, OR
TRADEMARK THAT WOULD CAUSE A REASONABLE CONSUMER TO UNDERSTAND
THAT TWO OR MORE ENTITIES ARE COMMONLY OWNED.

 (G) “CONSUMER” MEANS AN INDIVIDUAL WHO IS A RESIDENT OF THE
STATE, HOWEVER IDENTIFIED, INCLUDING BY ANY UNIQUE IDENTIFIER.

 (H) “CONTROL” MEANS:

 (1) OWNERSHIP OF OR THE POWER TO VOTE MORE THAN 50% OF THE
OUTSTANDING SHARES OF ANY CLASS OF VOTING SECURITY OF A BUSINESS;

 (2) ANY MANNER OF CONTROL OVER THE ELECTION OF A MAJORITY
OF THE DIRECTORS OF A BUSINESS, OR INDIVIDUALS EXERCISING SIMILAR
FUNCTIONS; OR

 (3) THE POWER TO EXERCISE A CONTROLLING INFLUENCE OVER THE
MANAGEMENT OF A BUSINESS.

 (I) “DARK PATTERN” MEANS A USER INTERFACE DESIGNED OR
MANIPULATED WITH THE SUBSTANTIAL EFFECT OF SUBVERTING OR IMPAIRING
USER AUTONOMY, DECISION MAKING, OR CHOICE.
 
 (J) “DATA PROTECTION IMPACT ASSESSMENT” OR “ASSESSMENT” MEANS A
SYSTEMATIC SURVEY TO ASSESS AND MITIGATE RISKS TO CHILDREN WHO ARE
REASONABLY LIKELY TO ACCESS THE ONLINE PRODUCT AT ISSUE THAT ARISE FROM
THE DATA MANAGEMENT PRACTICES OF THE BUSINESS AND THE PROVISION OF THE
ONLINE PRODUCT.

 (K) “DEFAULT” MEANS A PRESELECTED OPTION ADOPTED BY THE
BUSINESS FOR AN ONLINE PRODUCT.

 (L) “DEIDENTIFIED INFORMATION” MEANS INFORMATION THAT CANNOT
BE USED TO REASONABLY INFER INFORMATION ABOUT, OR OTHERWISE BE LINKED
TO, A PARTICULAR CONSUMER, IF THE BUSINESS THAT POSSESSES THE
INFORMATION:

 (1) TAKES REASONABLE MEASURES TO ENSURE THAT THE
INFORMATION CANNOT BE ASSOCIATED WITH A CONSUMER OR HOUSEHOLD;

 (2) COMMITS IN PUBLICLY AVAILABLE TERMS AND CONDITIONS OR IN
A PUBLICLY AVAILABLE PRIVACY POLICY TO:

 (I) MAINTAIN AND USE THE INFORMATION IN DEIDENTIFIED
FORM; AND

 (II) NOT ATTEMPT TO REIDENTIFY THE INFORMATION, EXCEPT
FOR THE SOLE PURPOSE OF DETERMINING WHETHER THE BUSINESS’S
DEIDENTIFICATION PROCESS SATISFIES THE REQUIREMENTS OF THIS SUBSECTION;
AND

 (3) CONTRACTUALLY OBLIGATES ANY RECIPIENTS OF THE
INFORMATION TO COMPLY WITH ALL PROVISIONS OF THIS SUBSECTION.
 
 
 (M) “LIKELY TO BE ACCESSED BY CHILDREN” MEANS REASONABLY
EXPECTED THAT THE ONLINE SERVICE, PRODUCT, OR FEATURE WOULD BE
ACCESSED BY CHILDREN, BASED ON SATISFYING ANY OF THE FOLLOWING CRITERIA:

 (1) THE ONLINE PRODUCT IS DIRECTED TO CHILDREN AS DEFINED IN
THE FEDERAL CHILDREN’S ONLINE PRIVACY PROTECTION ACT;

 (2) THE ONLINE PRODUCT IS DETERMINED, BASED ON COMPETENT
AND RELIABLE EVIDENCE REGARDING AUDIENCE COMPOSITION, TO BE ROUTINELY
ACCESSED BY A SIGNIFICANT NUMBER OF CHILDREN;

 (3) THE ONLINE PRODUCT IS SUBSTANTIALLY SIMILAR OR THE SAME
AS AN ONLINE PRODUCT THAT SATISFIES ITEM (2) OF THIS SUBSECTION;

 (4) THE ONLINE PRODUCT FEATURES ADVERTISEMENTS MARKETED
TO CHILDREN;

 (5) THE ONLINE PRODUCT HAS DESIGN ELEMENTS THAT ARE KNOWN
TO BE OF INTEREST TO CHILDREN, SUCH AS GAMES, CARTOONS, MUSIC, AND
CELEBRITIES WHO APPEAL TO CHILDREN; OR

 (6) THE BUSINESS KNOWS, BASED ON INTERNAL RESEARCH, THAT A
SIGNIFICANT AMOUNT OF THE ONLINE PRODUCT’S AUDIENCE IS CHILDREN.

 (N) (1) “ONLINE PRODUCT” MEANS AN ONLINE SERVICE, PRODUCT, OR
FEATURE.

 (2) “ONLINE PRODUCT” DOES NOT INCLUDE:

 (I) A TELECOMMUNICATIONS SERVICE, AS DEFINED IN 47
U.S.C. § 153; OR

 (II) THE DELIVERY OR USE OF A PHYSICAL PRODUCT SOLD BY
AN ONLINE RETAILER.
 
 (O) (1) “PERSONAL INFORMATION” MEANS INFORMATION THAT
IDENTIFIES, RELATES TO, DESCRIBES, IS REASONABLY CAPABLE OF BEING
ASSOCIATED WITH, OR COULD REASONABLY BE LINKED, DIRECTLY OR INDIRECTLY,
WITH A PARTICULAR CONSUMER OR HOUSEHOLD.

 (2) “PERSONAL INFORMATION” DOES NOT INCLUDE:

 (I) PUBLICLY AVAILABLE INFORMATION OR LAWFULLY
OBTAINED, TRUTHFUL INFORMATION THAT IS OF PUBLIC CONCERN; OR

 (II) CONSUMER INFORMATION THAT IS DEIDENTIFIED OR
AGGREGATE CONSUMER INFORMATION.

 (P) “PRECISE GEOLOCATION” MEANS ANY DATA THAT IS:

 (1) DERIVED FROM A DEVICE; AND

 (2) USED OR INTENDED TO BE USED TO LOCATE A CONSUMER WITHIN
A GEOGRAPHIC AREA THAT IS LESS THAN OR EQUAL TO THE AREA OF A CIRCLE WITH
A RADIUS OF 1,850 FEET.
 
 (Q) (1) “PROFILING” MEANS ANY FORM OF AUTOMATED PROCESSING OF
PERSONAL INFORMATION THAT USES PERSONAL INFORMATION TO EVALUATE
CERTAIN ASPECTS RELATING TO AN INDIVIDUAL.

 (2) “PROFILING” INCLUDES ANALYZING OR PREDICTING ASPECTS
CONCERNING AN INDIVIDUAL’S PERFORMANCE AT WORK, ECONOMIC SITUATION,
HEALTH, PERSONAL PREFERENCES, INTERESTS, RELIABILITY, BEHAVIOR,
LOCATION, OR MOVEMENTS.

 (R) (1) “PUBLICLY AVAILABLE INFORMATION” MEANS INFORMATION
THAT:

 (I) IS LAWFULLY MADE AVAILABLE FROM FEDERAL, STATE, OR
LOCAL GOVERNMENT RECORDS; OR

 (II) A BUSINESS HAS A REASONABLE BASIS TO BELIEVE IS
LAWFULLY MADE AVAILABLE TO THE GENERAL PUBLIC BY THE CONSUMER OR BY
WIDELY DISTRIBUTED MEDIA.

 (2) “PUBLICLY AVAILABLE INFORMATION” DOES NOT INCLUDE
BIOMETRIC INFORMATION COLLECTED BY A BUSINESS ABOUT A CONSUMER
WITHOUT THE CONSUMER’S KNOWLEDGE.

 (S) “SELL” MEANS TO TRANSFER, RENT, RELEASE, DISCLOSE,
DISSEMINATE, MAKE AVAILABLE, OR OTHERWISE COMMUNICATE, WHETHER
ORALLY, IN WRITING, OR BY ELECTRONIC OR OTHER MEANS, A CONSUMER’S
PERSONAL INFORMATION BY THE BUSINESS TO A THIRD PARTY FOR MONETARY OR
OTHER VALUABLE CONSIDERATION.
 
 
 (T) (1) “SENSITIVE PERSONAL INFORMATION” MEANS:

 (I) PERSONAL INFORMATION THAT REVEALS A CONSUMER’S:

 1. SOCIAL SECURITY NUMBER, DRIVER’S LICENSE
NUMBER, STATE IDENTIFICATION CARD NUMBER, OR PASSPORT NUMBER;

 2. ACCOUNT LOGIN INFORMATION, FINANCIAL
ACCOUNT NUMBER, DEBIT CARD NUMBER, OR CREDIT CARD NUMBER, IN
COMBINATION WITH ANY REQUIRED SECURITY OR ACCESS CODE, PASSWORD, OR
CREDENTIALS THAT ALLOW ACCESS TO AN ACCOUNT;

 3. PRECISE GEOLOCATION;

 4. RACIAL OR ETHNIC ORIGIN OR RELIGIOUS OR
PHILOSOPHICAL BELIEFS;

 5. UNION MEMBERSHIP STATUS;

 6. MAIL, E–MAIL, TEXT, OR MESSAGE CONTENTS,
UNLESS THE BUSINESS IS THE INTENDED RECIPIENT; OR

 7. GENETIC DATA;

 (II) BIOMETRIC INFORMATION THAT IS OR MAY BE PROCESSED
FOR THE PURPOSE OF UNIQUELY IDENTIFYING A CONSUMER;

 (III) PERSONAL INFORMATION COLLECTED AND ANALYZED
CONCERNING A CONSUMER’S HEALTH; OR

 (IV) PERSONAL INFORMATION COLLECTED AND ANALYZED
CONCERNING A CONSUMER’S SEX LIFE OR SEXUAL ORIENTATION.

 (2) “SENSITIVE PERSONAL INFORMATION” DOES NOT INCLUDE
PUBLICLY AVAILABLE INFORMATION.
 
 (U) “SHARE” MEANS TO RENT, RELEASE, DISCLOSE, DISSEMINATE, MAKE
AVAILABLE, TRANSFER, OR OTHERWISE COMMUNICATE, WHETHER ORALLY, IN
WRITING, OR BY ELECTRONIC OR OTHER MEANS, A CONSUMER’S PERSONAL
INFORMATION TO A THIRD PARTY FOR CROSS–CONTEXT BEHAVIORAL ADVERTISING
WHETHER OR NOT FOR MONETARY OR OTHER VALUABLE CONSIDERATION,
INCLUDING IN A TRANSACTION BETWEEN A BUSINESS AND A THIRD PARTY FOR
CROSS–CONTEXT BEHAVIORAL ADVERTISING FOR THE BENEFIT OF A BUSINESS IN
WHICH NO MONEY IS EXCHANGED.

 (V) “THIRD PARTY” MEANS A PERSON WHO IS NOT:

 (1) THE BUSINESS WITH WHICH THE CONSUMER INTENTIONALLY
INTERACTS AND THAT COLLECTS PERSONAL INFORMATION FROM THE CONSUMER
AS PART OF THE CONSUMER’S INTERACTION WITH THE BUSINESS; OR

 (2) A SERVICE PROVIDER FOR THE BUSINESS.
 
14–4502.

 THIS SUBTITLE DOES NOT APPLY TO:

 (1) PROTECTED HEALTH INFORMATION THAT IS COLLECTED BY A
COVERED ENTITY OR BUSINESS ASSOCIATION GOVERNED BY THE PRIVACY
SECURITY AND BREACH NOTIFICATION RULES IN 45 C.F.R. PARTS 160 AND 164,
ESTABLISHED UNDER THE FEDERAL HEALTH INSURANCE PORTABILITY AND
ACCOUNTABILITY ACT OF 1996 AND THE FEDERAL HEALTH INFORMATION
TECHNOLOGY FOR ECONOMIC AND CLINICAL HEALTH ACT;

 (2) A HEALTH PROVIDER OR COVERED ENTITY GOVERNED BY THE
PRIVACY SECURITY AND BREACH NOTIFICATION RULES IN 45 C.F.R. PARTS 160 AND
164, ESTABLISHED UNDER THE FEDERAL HEALTH INSURANCE PORTABILITY AND
ACCOUNTABILITY ACT OF 1996 AND THE FEDERAL HEALTH INFORMATION
TECHNOLOGY FOR ECONOMIC AND CLINICAL HEALTH ACT, TO THE EXTENT THAT
THE PROVIDER OR COVERED ENTITY MAINTAINS PATIENT INFORMATION IN THE
SAME MANNER AS MEDICAL INFORMATION OR PROTECTED HEALTH INFORMATION
AS DESCRIBED IN ITEM (1) OF THIS SECTION; OR

 (3) INFORMATION COLLECTED AS PART OF A CLINICAL TRIAL
SUBJECT TO THE FEDERAL POLICY FOR THE PROTECTION OF HUMAN SUBJECTS,
IN ACCORDANCE WITH:

 (I) GOOD CLINICAL PRACTICE GUIDELINES ISSUED BY THE
INTERNATIONAL COUNCIL FOR HARMONISATION OF TECHNICAL REQUIREMENTS
FOR PHARMACEUTICALS FOR HUMAN USE; OR

 (II) HUMAN SUBJECT PROTECTION REQUIREMENTS OF THE
U.S. FOOD AND DRUG ADMINISTRATION.
 
14–4503.

 IT IS THE INTENT OF THE GENERAL ASSEMBLY THAT:

 (1) CHILDREN SHOULD BE AFFORDED PROTECTIONS NOT ONLY BY
ONLINE PRODUCTS SPECIFICALLY DIRECTED AT THEM, BUT BY ALL ONLINE
PRODUCTS THEY ARE LIKELY TO ACCESS;

 (2) BUSINESSES THAT DEVELOP AND PROVIDE ONLINE SERVICES
THAT CHILDREN ARE LIKELY TO ACCESS SHOULD CONSIDER THE BEST INTERESTS
OF CHILDREN WHEN DESIGNING, DEVELOPING, AND PROVIDING THOSE ONLINE
PRODUCTS; AND

 (3) IF A CONFLICT ARISES BETWEEN COMMERCIAL INTERESTS AND
THE BEST INTERESTS OF CHILDREN, COMPANIES THAT DEVELOP ONLINE PRODUCTS
LIKELY TO BE ACCESSED BY CHILDREN SHALL GIVE PRIORITY TO THE PRIVACY,
SAFETY, AND WELL–BEING OF CHILDREN OVER THOSE COMMERCIAL INTERESTS.
 
14–4504.

 (A) THIS SECTION APPLIES ONLY TO AN ONLINE PRODUCT THAT IS
OFFERED TO THE PUBLIC ON OR AFTER JULY 1, 2024.

 (B) A BUSINESS THAT PROVIDES AN ONLINE PRODUCT LIKELY TO BE
ACCESSED BY CHILDREN SHALL PREPARE A DATA PROTECTION IMPACT
ASSESSMENT FOR THE ONLINE PRODUCT.

 (C) THE DATA PROTECTION IMPACT ASSESSMENT SHALL:

 (1) IDENTIFY THE PURPOSE OF THE ONLINE PRODUCT;

 (2) IDENTIFY HOW THE ONLINE PRODUCT USES CHILDREN’S
PERSONAL INFORMATION;

 (3) IDENTIFY THE RISKS OF MATERIAL DETRIMENT TO CHILDREN
THAT ARISE FROM THE DATA MANAGEMENT PRACTICES OF THE BUSINESS; AND

 (4) ADDRESS, TO THE EXTENT APPLICABLE:

 (I) WHETHER THE DESIGN OF THE ONLINE PRODUCT COULD
HARM CHILDREN, INCLUDING BY EXPOSING THEM TO HARMFUL OR POTENTIALLY
HARMFUL CONTENT ON THE ONLINE PRODUCT;
 
 
 (II) WHETHER THE DESIGN OF THE ONLINE PRODUCT COULD
LEAD TO CHILDREN EXPERIENCING OR BEING TARGETED BY HARMFUL, OR
POTENTIALLY HARMFUL, CONTACTS ON THE ONLINE PRODUCT;

 (III) WHETHER THE DESIGN OF THE ONLINE PRODUCT COULD
ALLOW CHILDREN TO WITNESS, PARTICIPATE IN, OR BE SUBJECT TO HARMFUL OR
POTENTIALLY HARMFUL CONDUCT ON THE ONLINE PRODUCT;

 (IV) WHETHER THE DESIGN OF THE ONLINE PRODUCT COULD
ALLOW CHILDREN TO BE PARTY TO OR BE EXPLOITED BY A HARMFUL, OR
POTENTIALLY HARMFUL, CONTACT ON THE ONLINE PRODUCT;

 (V) WHETHER ALGORITHMS USED BY THE ONLINE PRODUCT
COULD HARM CHILDREN;

 (VI) WHETHER TARGETED ADVERTISING SYSTEMS USED BY THE
ONLINE PRODUCT COULD HARM CHILDREN;

 (VII) WHETHER AND HOW THE ONLINE PRODUCT USES SYSTEM
DESIGN FEATURES TO INCREASE, SUSTAIN, OR EXTEND USE BY CHILDREN,
INCLUDING:

 1. THE AUTOMATIC PLAYING OF MEDIA;

 2. REWARDS FOR TIME SPENT; AND

 3. NOTIFICATIONS; AND

 (VIII) WHETHER, HOW, AND FOR WHAT PURPOSE THE ONLINE
PRODUCT COLLECTS OR PROCESSES SENSITIVE PERSONAL INFORMATION OF
CHILDREN.

 (D) (1) A DATA PROTECTION IMPACT ASSESSMENT PREPARED BY A
BUSINESS FOR THE PURPOSE OF COMPLIANCE WITH ANY OTHER LAW COMPLIES
WITH THIS SECTION IF THE ASSESSMENT MEETS THE REQUIREMENTS OF THIS
SECTION.

 (2) A SINGLE DATA PROTECTION IMPACT ASSESSMENT MAY CONTAIN
MULTIPLE SIMILAR PROCESSING OPERATIONS THAT PRESENT SIMILAR RISKS, ONLY
IF EACH RELEVANT ONLINE PRODUCT IS ADDRESSED.
 
 
 (E) A BUSINESS SHALL COMPLETE A DATA PROTECTION IMPACT
ASSESSMENT ON OR BEFORE JUNE 30, 2024, FOR ANY ONLINE PRODUCT OFFERED
TO THE PUBLIC THAT IS LIKELY TO BE ACCESSED BY CHILDREN BEFORE THAT DATE.

14–4505.

 (A) A BUSINESS THAT PROVIDES AN ONLINE PRODUCT LIKELY TO BE
ACCESSED BY CHILDREN MAY NOT OFFER THE PRODUCT TO THE PUBLIC BEFORE
COMPLETING A DATA PROTECTION IMPACT ASSESSMENT.

 (B) A BUSINESS THAT COMPLETES A DATA PROTECTION IMPACT
ASSESSMENT REQUIRED BY THIS SECTION SHALL:

 (1) MAINTAIN DOCUMENTATION OF THE ASSESSMENT FOR AS LONG
AS THE ONLINE PRODUCT IS LIKELY TO BE ACCESSED BY CHILDREN;

 (2) REVIEW EACH DATA PROTECTION IMPACT ASSESSMENT EVERY 2
YEARS;

 (3) DOCUMENT ANY RISK OF MATERIAL DETRIMENT TO CHILDREN
THAT ARISES FROM THE DATA MANAGEMENT PRACTICE OF THE BUSINESS
IDENTIFIED IN THE ASSESSMENT;

 (4) CREATE A PLAN TO MITIGATE OR ELIMINATE THE RISK BEFORE
THE ONLINE PRODUCT IS MADE AVAILABLE TO CHILDREN;

 (5) (I) ESTIMATE THE AGE OF CHILD USERS WITH A REASONABLE
LEVEL OF CERTAINTY APPROPRIATE TO THE RISKS THAT ARISE FROM THE DATA
MANAGEMENT PRACTICES OF THE BUSINESS; OR

 (II) APPLY TO ALL CONSUMERS THE PRIVACY AND DATA
PROTECTIONS AFFORDED TO CHILDREN;

 (6) CONFIGURE ALL DEFAULT PRIVACY SETTINGS PROVIDED TO
CHILDREN BY THE ONLINE PRODUCT TO OFFER A HIGH LEVEL OF PRIVACY, UNLESS
THE BUSINESS CAN DEMONSTRATE A COMPELLING REASON THAT A DIFFERENT
SETTING IS IN THE BEST INTEREST OF CHILDREN;

 (7) PROVIDE ANY PRIVACY INFORMATION, TERMS OF SERVICE,
POLICIES, AND COMMUNITY STANDARDS CONCISELY, PROMINENTLY, AND USING
CLEAR LANGUAGE SUITED TO THE AGE OF CHILDREN LIKELY TO ACCESS THE
ONLINE PRODUCT;
 
 
 (8) PROVIDE AN OBVIOUS SIGNAL TO THE CHILD WHEN THE CHILD’S
LOCATION IS BEING MONITORED OR TRACKED, IF THE ONLINE PRODUCT ALLOWS
THE CHILD’S PARENT, GUARDIAN, OR ANY OTHER CONSUMER TO TRACK THE CHILD’S
LOCATION;

 (9) ENFORCE PUBLISHED TERMS, POLICIES, AND COMMUNITY
STANDARDS ESTABLISHED BY THE BUSINESS, INCLUDING PRIVACY POLICIES, AND
THOSE REGARDING CHILDREN; AND

 (10) PROVIDE PROMINENT, ACCESSIBLE, AND RESPONSIVE TOOLS TO
HELP CHILDREN OR THEIR PARENTS OR GUARDIANS, IF APPLICABLE, EXERCISE
THEIR PRIVACY RIGHTS AND REPORT CONCERNS.

14–4506.

 A BUSINESS THAT PROVIDES AN ONLINE PRODUCT LIKELY TO BE ACCESSED
BY CHILDREN MAY NOT:

 (1) USE THE PERSONAL INFORMATION OF A CHILD IN A WAY THAT
THE BUSINESS KNOWS, OR HAS REASON TO KNOW, IS MATERIALLY DETRIMENTAL TO
THE PHYSICAL HEALTH, MENTAL HEALTH, OR WELL–BEING OF A CHILD;

 (2) PROFILE A CHILD BY DEFAULT, UNLESS:

 (I) THE BUSINESS CAN DEMONSTRATE, TO THE ATTORNEY
GENERAL’S SATISFACTION, THAT THE BUSINESS HAS APPROPRIATE SAFEGUARDS IN
PLACE TO PROTECT CHILDREN; AND

 (II) 1. PROFILING IS NECESSARY TO PROVIDE THE ONLINE
PRODUCT REQUEST, AND IS DONE ONLY WITH RESPECT TO THE ASPECTS OF THE
ONLINE PRODUCT WITH WHICH THE CHILD IS ACTIVELY AND KNOWINGLY ENGAGED;
OR

 2. THE BUSINESS CAN DEMONSTRATE A COMPELLING
REASON THAT PROFILING IS IN THE BEST INTERESTS OF CHILDREN;

 (3) COLLECT, SELL, SHARE, OR RETAIN ANY PERSONAL
INFORMATION THAT IS UNNECESSARY TO PROVIDE AN ONLINE PRODUCT THAT A
CHILD IS ACTIVELY AND KNOWINGLY ENGAGED WITH, UNLESS THE BUSINESS CAN
DEMONSTRATE A COMPELLING REASON THAT THE COLLECTION, SALE, SHARING, OR
RETENTION OF THE PERSONAL INFORMATION IS IN THE BEST INTERESTS OF
CHILDREN LIKELY TO ACCESS THE ONLINE PRODUCT;
 
 
 (4) USE THE PERSONAL INFORMATION OF A CHILD END–USER FOR
ANY REASON OTHER THAN THAT FOR WHICH THE PERSONAL INFORMATION WAS
COLLECTED, UNLESS THE BUSINESS CAN DEMONSTRATE A COMPELLING REASON
THAT THE USE OF THE PERSONAL INFORMATION IS IN THE BEST INTERESTS OF
CHILDREN LIKELY TO ACCESS THE ONLINE PRODUCT;

 (5) COLLECT, SELL, OR SHARE ANY PRECISE GEOLOCATION
INFORMATION OF CHILDREN BY DEFAULT, UNLESS THE COLLECTION OF THAT
INFORMATION IS STRICTLY NECESSARY IN ORDER FOR THE BUSINESS TO PROVIDE
THE ONLINE PRODUCT REQUESTED, AND THEN MAY ONLY DO SO FOR THE LIMITED
TIME THAT THE COLLECTION OF PRECISE GEOLOCATION INFORMATION IS
NECESSARY TO PROVIDE THE ONLINE PRODUCT;

 (6) COLLECT ANY PRECISE GEOLOCATION INFORMATION OF A CHILD
WITHOUT PROVIDING AN OBVIOUS SIGN TO THE CHILD FOR THE DURATION THAT
THE PRECISE GEOLOCATION INFORMATION IS BEING COLLECTED;

 (7) USE DARK PATTERNS TO:

 (I) LEAD OR ENCOURAGE CHILDREN TO PROVIDE PERSONAL
INFORMATION BEYOND WHAT IS REASONABLY EXPECTED TO PROVIDE THE ONLINE
PRODUCT;

 (II) CIRCUMVENT PRIVACY PROTECTIONS; OR

 (III) TAKE ANY ACTION THAT THE BUSINESS KNOWS, OR HAS
REASON TO KNOW, IS MATERIALLY DETRIMENTAL TO THE CHILD’S PHYSICAL
HEALTH, MENTAL HEALTH, OR WELL–BEING; OR

 (8) USE ANY PERSONAL INFORMATION COLLECTED TO ESTIMATE AGE
OR AGE RANGE FOR ANY OTHER PURPOSE, RETAIN THE PERSONAL INFORMATION
LONGER THAN NECESSARY TO ESTIMATE AGE, OR ATTEMPT AGE ASSURANCE IN A
WAY THAT IS DISPROPORTIONATE TO THE RISKS AND DATA PRACTICE OF AN ONLINE
PRODUCT.

14–4507.

 (A) WITHIN 3 BUSINESS DAYS AFTER RECEIVING A WRITTEN REQUEST FROM
THE ATTORNEY GENERAL, A BUSINESS THAT PROVIDES AN ONLINE PRODUCT
LIKELY TO BE ACCESSED BY CHILDREN SHALL PROVIDE TO THE ATTORNEY
GENERAL A LIST OF ALL DATA PROTECTION IMPACT ASSESSMENTS THE BUSINESS
HAS COMPLETED UNDER § 14–4504 OF THIS SUBTITLE.
 
 
 (B) WITHIN 5 BUSINESS DAYS AFTER RECEIVING A WRITTEN REQUEST FROM
THE ATTORNEY GENERAL, THE BUSINESS SHALL PROVIDE TO THE ATTORNEY
GENERAL ANY DATA PROTECTION IMPACT ASSESSMENT COMPLETED UNDER §
14–4504 OF THIS SUBTITLE.

 (C) TO THE EXTENT THAT ANY DISCLOSURE REQUIRED UNDER SUBSECTION
(B) OF THIS SECTION INCLUDES INFORMATION SUBJECT TO ATTORNEY–CLIENT
PRIVILEGE OR WORK PRODUCT PROTECTION, THE DISCLOSURE MAY NOT
CONSTITUTE A WAIVER OF THAT PRIVILEGE OR PROTECTION.

14–4508.

 (A) THE ATTORNEY GENERAL MAY FILE A CIVIL ACTION IN A COURT OF
COMPETENT JURISDICTION AGAINST A BUSINESS THAT VIOLATES THIS SUBTITLE
FOR RECOVERY OF A CIVIL PENALTY OR INJUNCTION OR BOTH.

 (B) A BUSINESS THAT VIOLATES THIS SUBTITLE SHALL BE LIABLE FOR A
CIVIL PENALTY OF NOT MORE THAN:

 (1) $2,500 PER AFFECTED CHILD FOR EACH NEGLIGENT VIOLATION;
OR

 (2) $7,500 PER AFFECTED CHILD FOR EACH INTENTIONAL
VIOLATION.

 (C) IN ADDITION TO A CIVIL PENALTY UNDER SUBSECTION (B) OF THIS
SECTION, A BUSINESS THAT VIOLATES THIS SUBTITLE IS SUBJECT TO INJUNCTION
AND OTHER APPROPRIATE RELIEF.

 (D) CIVIL PENALTIES, FEES, AND EXPENSES RECOVERED UNDER THIS
SECTION SHALL BE DEPOSITED IN THE GENERAL FUND WITH THE INTENT THAT
THEY BE USED TO FULLY OFFSET COSTS INCURRED BY THE ATTORNEY GENERAL IN
CONNECTION WITH THIS SUBTITLE.

14–4509.

 (A) IF A BUSINESS IS IN SUBSTANTIAL COMPLIANCE WITH THE
REQUIREMENTS OF §§ 14–4504 THROUGH 14–4506 OF THIS SUBTITLE, THE
ATTORNEY GENERAL SHALL PROVIDE WRITTEN NOTICE TO THE BUSINESS BEFORE
FILING AN ACTION UNDER § 14–4508 OF THIS SUBTITLE.
 
 
 (B) NOTICE GIVEN UNDER SUBSECTION (A) OF THIS SECTION SHALL
IDENTIFY THE SPECIFIC PROVISIONS OF THIS SUBTITLE THAT THE ATTORNEY
GENERAL ALLEGES HAVE BEEN OR ARE BEING VIOLATED.

 (C) A BUSINESS MAY NOT BE LIABLE FOR A CIVIL PENALTY FOR ANY
VIOLATION FOR WHICH NOTICE IS GIVEN UNDER SUBSECTION (A) OF THIS SECTION
IF THE BUSINESS:

 (1) CURES ANY VIOLATION SPECIFIED IN THE ATTORNEY GENERAL’S
NOTICE WITHIN 90 DAYS AFTER RECEIVING NOTICE UNDER SUBSECTION (A) OF THIS
SECTION;

 (2) PROVIDES THE ATTORNEY GENERAL WITH A WRITTEN
STATEMENT THAT THE ALLEGED VIOLATIONS HAVE BEEN CURED; AND

 (3) TAKES MEASURES TO PREVENT FUTURE VIOLATIONS THAT THE
ATTORNEY GENERAL AGREES TO BE SUFFICIENT.

14–4510.

 NOTHING IN THIS SUBTITLE MAY BE INTERPRETED TO PROVIDE A PRIVATE
RIGHT OF ACTION UNDER THIS SUBTITLE OR ANY OTHER LAW.

14–4511.

 THE SHARING OF PERSONAL INFORMATION WITHIN A JOINT VENTURE OR
PARTNERSHIP IS SUBJECT TO THE REQUIREMENTS OF THIS SUBTITLE AS THOUGH
THE JOINT VENTURE OR PARTNERSHIP DOES NOT EXIST.

14–4512.

 NOTWITHSTANDING ANY OTHER LAW, A DATA PROTECTION IMPACT
ASSESSMENT IS PROTECTED AS CONFIDENTIAL AND SHALL BE EXEMPT FROM
PUBLIC DISCLOSURE, INCLUDING UNDER THE MARYLAND PUBLIC INFORMATION
ACT.

14–4513.

 THIS SUBTITLE MAY BE CITED AS THE MARYLAND AGE–APPROPRIATE
DESIGN CODE ACT.

 SECTION 2. AND BE IT FURTHER ENACTED, That this Act shall take effect
October 1, 2023.