Maryland 2023 Regular Session

Maryland House Bill HB901 Compare Versions

Version 1 (Old)

Version 2 (New)

Old	New		Differences
1	1
2	2
3	3		EXPLANATION: CAPITALS INDICATE MAT TER ADDED TO EXISTIN G LAW.
4	4		[Brackets] indicate matter deleted from existing law.
5		-	Underlining indicates amendments to bill.
6		-	Strike out indicates matter stricken from the bill by amendment or deleted from the law by
7		-	amendment.
8	5		hb0901
9	6
10	7		HOUSE BILL 901
11	8		I3, S1 3lr1083
12	9		CF SB 844
13	10		By: Delegates Solomon and Wilson
14	11		Introduced and read first time: February 9, 2023
15	12		Assigned to: Economic Matters
16		-	Committee Report: Favorable with amendments
17		-	House action: Adopted
18		-	Read second time: March 11, 2023
19	13
20		-	~~CHAPTER ______~~
	14	+	A BILL ENTITLED
21	15
22	16		AN ACT concerning 1
23	17
24	18		Consumer Protection – Online Products and Services – Children’s Data 2
25	19
26	20		FOR the purpose of requiring a business that offers an online product likely to be accessed 3
27	21		by children to complete a certain data protection impact assessment under certain 4
28	22		circumstances; prohibiting a business from offering a certain online product before 5
29	23		completing a data protection impact assessment; requiring businesses to document 6
30	24		certain risks associated with certain online products; requiring certain privacy 7
31	25		protections for certain online products; prohibiting certain data collection and 8
32	26		sharing practices; providing certain exemptions; and generally relating to the 9
33	27		protection of online privacy of children. 10
34	28
35		-	BY ~~repealing and reenacting, with amendments,~~ 11
	29	+	BY adding to 11
36	30		Article – Commercial Law 12
37		-	Section 13–301(14)(xxxv) 13
38		-	Annotated Code of Maryland 14
39		-	(2013 Replacement Volume and 2022 Supplement) 15
	31	+	Section 14–4501 through 14–4513 to be under the new subtitle “Subtitle 45. 13
	32	+	Maryland Age–Appropriate Design Code Act” 14
	33	+	Annotated Code of Maryland 15
	34	+	(2013 Replacement Volume and 2022 Supplement) 16
40	35
41		-	BY repealing and reenacting, without amendments, 16
42		-	Article – Commercial Law 17
43		-	Section 13–301(14)(xxxvi) 18
44		-	Annotated Code of Maryland 19
45		-	(2013 Replacement Volume and 2022 Supplement) 20
	36	+	Preamble 17
46	37
47		-	BY adding to 21
48		-	Article – Commercial Law 22 2 HOUSE BILL 901
	38	+	WHEREAS, The United Nations Convention on the Rights of the Child recognizes 18
	39	+	that children need special safeguards and care in all aspects of their lives, specifying how 19
	40	+	children’s rights apply in the digital environment in General Comment No. 25; and 20
	41	+
	42	+	WHEREAS, As children spend more of their time interacting with the online world, 21
	43	+	the impact of the design of online products on their well–being has become a focus of 22
	44	+	significant concern; and 23
	45	+
	46	+	WHEREAS, There is widespread agreement at the international leve l, and 24
	47	+	bipartisan agreement in the United States, that more needs to be done to create a safer 25
	48	+	online space for children to learn, explore, and play; and 26 2 HOUSE BILL 901
49	49
50	50
51		-	Section 13–301(14)(xxxvii); and 14–4501 through 14–4513 to be under the new 1
52		-	subtitle “Subtitle 45. Maryland Age–Appropriate Design Code Act” 2
53		-	Annotated Code of Maryland 3
54		-	(2013 Replacement Volume and 2022 Supplement) 4
55	51
56		-	Preamble 5
	52	+	WHEREAS, Lawmakers around the globe have taken steps to enhance privacy 1
	53	+	protections for children based on the understanding that, in relation to data protection, 2
	54	+	greater privacy necessarily means greater security and well–being; and 3
57	55
58		-	WHEREAS, The United Nations Convention on the Rights of the Child recognizes 6
59		-	that children need special safeguards and care in all aspects of their lives, specifying how 7
60		-	children’s rights apply in the digital environment in General Comment No. 25; and 8
	56	+	WHEREAS, Children should be afforded protections not only by online products and 4
	57	+	services specifically directed at them, but by all online products they are likely to access, 5
	58	+	and thus businesses should take into account the unique needs of different age ranges, 6
	59	+	including the following developmental stages: 0 to 5 years of age, or “preliterate and early 7
	60	+	literacy”; 6 to 9 years of age, or “core primary school years”; 10 to 12 years of age, or 8
	61	+	“transition years”; 13 to 15 years of age, or “early teens”; and 16 to 17 years of age, or 9
	62	+	“approaching adulthood”; and 10
61	63
62		-	WHEREAS, As children spend more of their time interacting with the online world, 9
63		-	the impact of the design of online products on their well–being has become a focus of 10
64		-	significant concern; and 11
	64	+	WHEREAS, While it is clear that the same data protection regime may not be 11
	65	+	appropriate for children of all ages, children of all ages should nonetheless be afforded 12
	66	+	privacy and protection, and online products should adopt data protection regimes 13
	67	+	appropriate for children of the ages likely to access those products; and 14
65	68
66		-	WHEREAS, There is widespread agreement at the international level, and 12
67		-	bipartisan agreement in the United States, that more needs to be done to create a safer 13
68		-	online space for children to learn, explore, and play; and 14
	69	+	WHEREAS, According to the Pew Research Center, in 2022, 97% of American 15
	70	+	teenagers aged 13–17 used the Internet every day, with 46% responding they used the 16
	71	+	Internet almost constantly; and, additionally, 36% of teens reported being concerned about 17
	72	+	their social media use, while an earlier Pew Research Center study found that 59% of teens 18
	73	+	have been bullied or harassed online; and 19
69	74
70		-	WHEREAS, ~~Lawmakers around~~ the ~~globe have taken steps to enhance privacy 15~~
71		-	~~protections for children based on the understanding that,~~ ~~in relation~~ to ~~data protection,~~ 16
72		-	~~greater privacy necessarily means greater security and well–being~~; and 17
	75	+	WHEREAS, The findings of the Pew Research Center are not surprising, given what 20
	76	+	is known about controllers’ use of personal data and how it is utilized to inform 21
	77	+	manipulative practices, to which children are particularly vulnerable; and 22
73	78
74		-	WHEREAS, Children should be afforded protections not only by online products and 18
75		-	services specifically directed at them, but by all online products they are likely to access, 19
76		-	and thus businesses should take into account the unique needs of different age ranges, 20
77		-	including the following developmental stages: 0 to 5 years of age, or “preliterate and early 21
78		-	literacy”; 6 to 9 years of age, or “core primary school years”; 10 to 12 years of age, or 22
79		-	“transition years”; 13 to 15 years of age, or “early teens”; and 16 to 17 years of age, or 23
80		-	“approaching adulthood”; and 24
	79	+	WHEREAS, Online products that are likely to be accessed by children should offer 23
	80	+	strong privacy protections by design and by default, including by disabling features that 24
	81	+	profile children using their previous behavior, browsing history, or assumptions of their 25
	82	+	similarity to other children in order to offer them detrimental material; and 26
81	83
82		-	WHEREAS, While it is clear that the same data protection regime may not be 25
83		-	appropriate for children of all ages, children of all ages should nonetheless be afforded 26
84		-	privacy and protection, and online products should adopt data protection regimes 27
85		-	appropriate for children of the ages likely to access those products; and 28
	84	+	WHEREAS, Ensuring robust privacy, and thus safety, protections for children by 27
	85	+	design is consistent with federal safety laws and policies applied to children’s products, 28
	86	+	regulating everything from toys to clothing to furniture and games; and 29
86	87
87		-	WHEREAS, According to the Pew Research Center, in 2022, 97% of American 29
88		-	teenagers aged 13–17 used the Internet every day, with 46% responding they used the 30
89		-	Internet almost constantly; and, additionally, 36% of teens reported being concerned about 31
90		-	their social media use, while an earlier Pew Research Center study found that 59% of teens 32
91		-	have been bullied or harassed online; and 33
	88	+	WHEREAS, The consumer protections that federal safety laws apply to children’s 30
	89	+	products require these products to comply with certain safety standards by their very 31
	90	+	design, so that harms to children, and in some cases other consumers, are prevented; and 32
92	91
93		-	WHEREAS, The findings of the Pew Research Center are not surprising, given what 34
94		-	is known about controllers’ use of personal data and how it is utilized to inform 35
95		-	manipulative practices, to which children are particularly vulnerable; and 36
	92	+	WHEREAS, It is the intent of the Maryland General Assembly that the Maryland 33
	93	+	Age–Appropriate Design Code Act promote innovation by businesses whose online products 34
	94	+	are likely to be accessed by children by ensuring that those online products are designed in 35
	95	+	a manner that recognizes the distinct needs of children within different age ranges; and 36
96	96		HOUSE BILL 901 3
97	97
98	98
99		-	WHEREAS, Online products that are likely to be accessed by children should offer 1
100		-	strong privacy protections by design and by default, including by disabling features that 2
101		-	profile children using their previous behavior, browsing history, or assumptions of their 3
102		-	similarity to other children in order to offer them detrimental material; and 4
	99	+	WHEREAS, It is the intent of the Maryland General Assembly that businesses 1
	100	+	covered by the Maryland Age–Appropriate Design Code Act may look to guidance and 2
	101	+	innovation in response to the Age–Appropriate Design Code established in the United 3
	102	+	Kingdom and California when developing online products that are likely to be accessed by 4
	103	+	children; now, therefore, 5
103	104
104		-	WHEREAS, Ensuring robust privacy, and thus safety, protections for children by 5
105		-	design is consistent with federal safety laws and policies applied to children’s products, 6
106		-	regulating everything from toys to clothing to furniture and games; and 7
	105	+	SECTION 1. BE IT ENACTED BY THE GENERAL ASSEMBLY OF MARYLAND, 6
	106	+	That the Laws of Maryland read as follows: 7
107	107
108		-	WHEREAS, The consumer protections that federal safety laws apply to children’s 8
109		-	products require these products to comply with certain safety standards by their very 9
110		-	design, so that harms to children, and in some cases other consumers, are prevented; and 10
	108	+	Article – Commercial Law 8
111	109
112		-	WHEREAS, It is the intent of the Maryland General Assembly that the Maryland 11
113		-	Age–Appropriate Design Code Act promote innovation by businesses whose online products 12
114		-	are likely to be accessed by children by ensuring that those online products are designed in 13
115		-	a manner that recognizes the distinct needs of children within different age ranges; and 14
	110	+	SUBTITLE 45. MARYLAND AGE–APPROPRIATE DESIGN CODE ACT. 9
116	111
117		-	WHEREAS, It is the intent of the Maryland General Assembly that businesses 15
118		-	covered by the Maryland Age–Appropriate Design Code Act may look to guidance and 16
119		-	innovation in response to the Age–Appropriate Design Code established in the United 17
120		-	Kingdom and California when developing online products that are likely to be accessed by 18
121		-	children; now, therefore, 19
	112	+	14–4501. 10
122	113
123		-	~~SECTION 1.~~ ~~BE IT ENACTED BY~~ THE ~~GENERAL ASSEMBLY OF MARYLAND,~~ 20
124		-	~~That the Laws of Maryland read as follows: 21~~
	114	+	(A) IN THIS SUBTITLE THE FOLLOWING WORDS HAVE THE MEANINGS 11
	115	+	INDICATED. 12
125	116
126		-	~~Article – Commercial Law 22~~
	117	+	(B) (1) “AGGREGATE CONSUMER INFORMATION ” MEANS INFORMATION : 13
127	118
128		-	~~13–301. 23~~
	119	+	(I) THAT RELATES TO A GROUP O R CATEGORY OF CONSUM ERS; 14
129	120
130		-	Unfair, abusive, or deceptive trade practices include any: 24
	121	+	(II) FROM WHICH INDIVIDUAL CON SUMER IDENTITIES HAV E 15
	122	+	BEEN REMOVED ; AND 16
131	123
132		-	(14) Violation of a provision of: 25
	124	+	(III) THAT IS NOT LINKED OR REA SONABLY LINKABLE TO ANY 17
	125	+	CONSUMER OR HOUSEHOL D, INCLUDING BY A DEVIC E. 18
133	126
134		-	(xxxv) Section 11–210 of the Education Article; [or] 26
	127	+	(2) “AGGREGATE CONSUMER INFORMATION ” DOES NOT INCLUDE 19
	128	+	INDIVIDUAL CONSUMER RECORDS THAT HAVE BE EN DEIDENTIFIED . 20
135	129
136		-	(xxxvi) Title 14, Subtitle 44 of this article; or 27
	130	+	(C) (1) “BUSINESS” MEANS A SOLE PROPRIETORSHIP , LIMITED LIABILITY 21
	131	+	COMPANY, CORPORATION , ASSOCIATION, OR OTHER LEGAL ENTIT Y THAT: 22
137	132
138		-	(XXXVII) TITLE 14, SUBTITLE 45 OF THIS ARTICLE; OR 28
	133	+	(I) IS ORGANIZED OR OPERA TED FOR T HE PROFIT OR 23
	134	+	FINANCIAL BENEFIT OF ITS SHAREHOLDERS OR OTHER OWNERS ; 24
139	135
140		-	SUBTITLE 45. MARYLAND AGE–APPROPRIATE DESIGN CODE ACT. 29
	136	+	(II) COLLECTS CONSUMERS ’ PERSONAL INFORMATION , OR ON 25
	137	+	THE BEHALF OF WHICH ANOTHER COLLECTS CONSUMERS ’ PERSONAL 26
	138	+	INFORMATION ; 27
141	139
142		-	14–4501. 30
143		-	4 HOUSE BILL 901
144		-
145		-
146		-	(A) IN THIS SUBTITLE THE FOLLOWING WORDS HAVE THE MEANINGS 1
147		-	INDICATED. 2
148		-
149		-	(B) (1) “AGGREGATE CONSUMER IN FORMATION” MEANS INFORMATION : 3
150		-
151		-	(I) THAT RELATES TO A GRO UP OR CATEGORY OF CO NSUMERS; 4
152		-
153		-	(II) FROM WHICH INDIVIDUAL CONSUMER IDENTITIES HAVE 5
154		-	BEEN REMOVED ; AND 6
155		-
156		-	(III) THAT IS NOT LINKED OR REASONABLY LINKABLE TO ANY 7
157		-	CONSUMER OR HOUSEHOL D, INCLUDING BY A DEVIC E. 8
158		-
159		-	(2) “AGGREGATE CONSUMER IN FORMATION” DOES NOT INCLUDE 9
160		-	INDIVIDUAL CONSUMER RECORDS THAT HAVE BE EN DEIDENTIFIED . 10
161		-
162		-	(C) (1) “BIOMETRIC INFORMATION ” MEANS INFORMATION GE NERATED 11
163		-	BY AUTOMATIC MEASURE MENTS OF AN INDIVIDU AL’S BIOLOGICAL 12
164		-	CHARACTERISTICS . 13
165		-
166		-	(2) “BIOMETRIC INFORMATION ” INCLUDES: 14
167		-
168		-	(I) A FINGERPRINT ; 15
169		-
170		-	(II) A VOICEPRINT; 16
171		-
172		-	(III) EYE RETINA OR IRIS PA TTERN; OR 17
173		-
174		-	(IV) ANY OTHER UNIQUE BIOL OGICAL PATTERNS OR 18
175		-	CHARACTERISTICS THAT ARE USED TO IDENTIFY A SPECIFIC INDIVIDUA L. 19
176		-
177		-	(3) “BIOMETRIC INFORMATION ” DOES NOT INCLUDE : 20
178		-
179		-	(I) A DIGITAL OR PHYSICAL PHOTOGRAPH ; 21
180		-
181		-	(II) AN AUDIO OR VIDEO RECORDING ; OR 22
182		-
183		-	(III) ANY DATA GENERATED FR OM A DIGITAL OR PHYS ICAL 23
184		-	PHOTOGRAPH , OR AN AUDIO OR VIDEO RECORDING, UNLESS THE DATA IS 24
185		-	GENERATED TO IDENTIF Y A SPECIFIC INDIVID UAL. 25
186		-
187		-	(C) (D) (1) “BUSINESS” MEANS A SOLE PROPRIE TORSHIP, LIMITED 26
188		-	LIABILITY COMPANY, CORPORATION , ASSOCIATION, OR OTHER LEGAL ENTIT Y THAT: 27
189		-	HOUSE BILL 901 5
190		-
191		-
192		-	(I) IS ORGANIZED OR OPERA TED FOR THE PROFIT O R 1
193		-	FINANCIAL BENEFIT OF ITS SHAREHOLDERS OR OTHER OWNERS ; 2
194		-
195		-	(II) COLLECTS CONSUMERS ’ PERSONAL INFORMATION , OR ON 3
196		-	THE BEHALF OF WHICH ANOTHER COLLECTS CON SUMERS’ PERSONAL 4
197		-	INFORMATION ; 5
198		-
199		-	(III) ALONE, OR JOINTLY WITH ITS AFFILIATES OR 6
200		-	SUBSIDIARIES, DETERMINES THE PURPO SES AND MEANS OF THE PROCESSING OF 7
201		-	CONSUMERS ’ PERSONAL INFORMATION ; 8
202		-
203		-	(IV) DOES BUSINESS IN THE STATE; AND 9
204		-
205		-	(V) SATISFIES AT LEAST ONE O F THE FOLLOWING CRIT ERIA: 10
206		-
207		-	1. THE BUSINESS HAS ANNU AL GROSS REVENUES IN 11
208		-	EXCESS OF $25,000,000, ADJUSTED EVERY ODD –NUMBERED YEAR TO REF LECT 12
209		-	ADJUSTMENTS IN THE CONSUMER PRICE INDEX; 13
210		-
211		-	2. THE BUSINESS ANNUALLY BUYS, RECEIVES, SELLS, 14
212		-	OR SHARES THE PERSON AL INFORMATION OF 50,000 OR MORE CONSUMERS , 15
213		-	HOUSEHOLDS , OR DEVICES, ALONE OR IN COMBINAT ION WITH ITS AFFILIA TES OR 16
214		-	SUBSIDIARIES, AND FOR THE BUSINESS ’S COMMERCIAL PURPOSE S; OR 17
215		-
216		-	3. THE BUSINESS DERIVES AT LEAST 50% OF ITS 18
217		-	ANNUAL REV ENUES FROM THE SALE OF CONSUMERS ’ PERSONAL INFORMATION . 19
218		-
219		-	(2) “BUSINESS” INCLUDES: 20
220		-
221		-	(I) AN ENTITY THAT CONTRO LS OR IS CONTROLLED BY A 21
222		-	BUSINESS AND THAT SH ARES COMMON BRANDING WITH THAT BUSINESS ; AND 22
223		-
224		-	(II) A JOINT VENTURE OR PAR TNERSHIP COMPOSED OF 23
225		-	BUSINESSES IN WHICH EACH HAS AT LEAST A 40% INTEREST IN THE JOIN T VENTURE 24
226		-	OR PARTNERSHIP . 25
227		-
228		-	(D) (E) “CHILD” MEANS A CONSUMER THA T IS UNDER THE AGE O F 18 26
229		-	YEARS. 27
230		-
231		-	(E) (F) “COLLECT” MEANS TO ACTIVELY OR PASSIVEL Y BUY, RENT, 28
232		-	GATHER, OBTAIN, RECEIVE, OR ACCESS ANY PERSONAL INFORMA TION PERTAINING 29
233		-	TO A CONSUMER OR OBSERVE A CONSUMER ’S BEHAVIOR, BY ANY MEANS BUY, RENT, 30
234		-	GATHER, OBTAIN, RECEIVE, OR ACCESS ANY PERSON AL INFORMATION RELAT ING TO 31
235		-	A CONSUMER . 32 6 HOUSE BILL 901
	140	+	(III) ALONE, OR JOINTLY WITH ITS AFFILIATES OR 28
	141	+	SUBSIDIARIES, DETERMINES THE PURPO SES AND MEANS OF THE PROCESSING OF 29
	142	+	CONSUMERS ’ PERSONAL INFORMATION ; 30 4 HOUSE BILL 901
236	143
237	144
238	145
239		-	(F) (G) “COMMON BRANDING ” MEANS A SHARED NAME , SERVICE MARK , 1
240		-	OR TRADEMARK THAT WO ULD CAUSE A REASONAB LE CONSUMER TO UNDER STAND 2
241		-	THAT TWO OR MORE ENT ITIES ARE COMMONLY O WNED. 3
	146	+	(IV) DOES BUSINESS IN THE STATE; AND 1
242	147
243		-	(G) (H) (1) “CONSUMER” MEANS AN INDIVIDUAL WHO IS A RESIDENT 4
244		-	OF THE STATE, HOWEVER IDENTIFIED , INCLUDING BY ANY UNI QUE IDENTIFIER. 5
	148	+	(V) SATISFIES AT LEAST ON E OF THE FOLLOWING CRITERIA: 2
245	149
246		-	(2) “CONSUMER” DOES NOT INCLUDE AN INDIVIDUAL ACTING IN A 6
247		-	COMMERCIAL OR EMPLOY MENT CONTEXT OR AS A N EMPLOYEE, OWNER, DIRECTOR, 7
248		-	OFFICER, OR CONTRACTOR OF A C OMPANY, PARTNERSHIP , SOLE PROPRIETORSHIP , 8
249		-	NONPROFIT ORGANIZATI ON, OR GOVERNMENT AGENCY WHOSE COMMUNICATIO NS 9
250		-	OR TRANSACTIONS WITH THE BUSINESS OCCUR S OLELY WITHIN THE CON TEXT OF 10
251		-	THAT INDIVIDUAL ’S ROLE WITH THE COMP ANY, PARTNERSHIP , SOLE 11
252		-	PROPRIETORSHIP , NONPROFIT, OR GOVERNMENT AGENCY . 12
	150	+	1. THE BUSINESS HAS ANNUAL GROSS REVENUE S IN 3
	151	+	EXCESS OF $25,000,000, ADJUSTED EVERY ODD –NUMBERED YEAR TO REF LECT 4
	152	+	ADJUSTMENTS IN THE CONSUMER PRICE INDEX; 5
253	153
254		-	(H) (I) “CONTROL” MEANS: 13
	154	+	2. THE BUSINESS ANNUALLY BUYS, RECEIVES, SELLS, 6
	155	+	OR SHARES THE PERSON AL INFORMATION OF 50,000 OR MORE CONSUMERS , 7
	156	+	HOUSEHOLDS , OR DEVICES, ALONE OR IN COMBINATION WITH ITS AFFILIATES OR 8
	157	+	SUBSIDIARIES, AND FOR THE BUSINESS ’S COMMERCIAL PURPOSE S; OR 9
255	158
256		-	~~(1) OWNERSHIP OF OR~~ THE ~~P OWER TO VOTE MORE TH AN~~ 50% OF ~~THE 14~~
257		-	~~OUTSTANDING SHARES O F ANY CLASS~~ OF ~~VOTIN G SECURITY OF A BUSI NESS; 15~~
	159	+	3. THE BUSINESS DERIVES AT LEAST 50% OF ITS 10
	160	+	ANNUAL REVENUES FROM THE SALE OF CONSUMER S’ PERSONAL INFORMATION . 11
258	161
259		-	(2) ANY MANNER OF CONTROL OVER THE ELECTION OF A MAJORITY 16
260		-	OF THE DIRECTORS OF A BUSINESS, OR INDIVIDUALS EXERC ISING SIMILAR 17
261		-	FUNCTIONS; OR 18
	162	+	(2) “BUSINESS” INCLUDES: 12
262	163
263		-	(3) ~~THE POWER TO EXERCISE~~ A ~~CONTROLLING INFLUENCE OV ER THE 19~~
264		-	~~MANAGEMENT OF A BUSI NESS.~~ 20
	164	+	(I) AN ENTITY THAT CONTRO LS OR IS CONTROLLED BY A 13
	165	+	BUSINESS AND THAT SH ARES COMMON BRANDING WITH THAT BUSINESS ; AND 14
265	166
266		-	(I) ~~(J) “DARK PATTERN ” MEANS~~ A ~~USER INTERFA CE DESIGNED~~ OR 21
267		-	~~MANIPULATED WITH~~ THE ~~SUBSTANTIAL EFFECT O F SUBVERTING OR IMPA IRING 22~~
268		-	~~USER AUTONOMY , DECISION MAKING ,~~ OR ~~CHOICE~~. 23
	167	+	(II) A JOINT VENTURE OR PAR TNERSHIP COMPOSED OF 15
	168	+	BUSINESSES IN WHICH EACH HAS AT LEAST A 40% INTEREST IN THE JOINT VENTURE 16
	169	+	OR PARTNERSHIP . 17
269	170
270		-	(J) (K) “DATA PROTECTION IMPAC T ASSESSMENT ” OR “ASSESSMENT” 24
271		-	MEANS A SYSTEMATIC S URVEY TO ASSESS AND MITIGATE RISKS TO CH ILDREN WHO 25
272		-	ARE REASONABLY LIKEL Y TO ACCESS THE ONLI NE PRODUCT AT ISSUE THAT ARISE 26
273		-	FROM THE DATA MANAGE MENT PRACTICES OF TH E BUSINESS AND THE P ROVISION 27
274		-	OF THE ONLINE P RODUCT. 28
	171	+	(D) “CHILD” MEANS A CONSUMER THA T IS UNDER THE AGE OF 18 YEARS. 18
275	172
276		-	(K) (L) “DEFAULT” MEANS A PRESELECTED OPTION ADOPTED BY TH E 29
277		-	BUSINESS FOR AN ONLI NE PRODUCT. 30
	173	+	(E) “COLLECT” MEANS TO ACTIVELY OR PASSIVEL Y BUY, RENT, GATHER, 19
	174	+	OBTAIN, RECEIVE, OR ACCESS ANY PERSON AL INFORMATION PERTA INING TO A 20
	175	+	CONSUMER OR OBSERVE A CONSUME R’S BEHAVIOR, BY ANY MEANS. 21
278	176
279		-	(L) (M) “DEIDENTIFIED INFORMAT ION” MEANS INFORMATION TH AT 31
280		-	CANNOT REASONABLY BE USED TO REASONABLY INFER INFORMATION AB OUT, OR 32 HOUSE BILL 901 7
	177	+	(F) “COMMON BRANDING” MEANS A SHARED NAME , SERVICE MARK , OR 22
	178	+	TRADEMARK THAT WOULD CAUSE A REASONABLE C ONSUMER TO UNDERSTAN D 23
	179	+	THAT TWO OR MORE ENT ITIES ARE COMMONLY O WNED. 24
	180	+
	181	+	(G) “CONSUMER” MEANS AN INDIVIDUAL WHO IS A RESIDENT OF THE 25
	182	+	STATE, HOWEVER IDENTIFIE D, INCLUDING BY ANY UNI QUE IDENTIFIER. 26
	183	+
	184	+	(H) “CONTROL” MEANS: 27
	185	+
	186	+	(1) OWNERSHIP OF OR THE P OWER TO VOTE MORE TH AN 50% OF THE 28
	187	+	OUTSTANDING SHARES O F ANY CLASS OF VOTIN G SECURITY OF A BUSI NESS; 29 HOUSE BILL 901 5
281	188
282	189
283		-	OTHERWISE BE LINKED TO, A PARTICULAR AN IDENTIFIED OR IDE NTIFIABLE 1
284		-	CONSUMER , IF THE BUSINESS THAT POSSESSES THE INFORM ATION: 2
285	190
286		-	(1) TAKES REASONABLE MEAS URES TO ENSURE THAT THE 3
287		-	INFORMATION CANNOT B E ASSOCIATED LINKED WITH A CONSUMER OR H OUSEHOLD; 4
	191	+	(2) ANY MANNER OF CONTROL OVER THE ELECTION OF A MAJORITY 1
	192	+	OF THE DIRECTORS OF A BUSINESS , OR INDIVIDUALS EXERC ISING SIMILAR 2
	193	+	FUNCTIONS; OR 3
288	194
289		-	(2) ~~COMMITS IN PUBLICLY~~ A ~~VAILABLE TERMS AND CONDITIO NS OR IN 5~~
290		-	A ~~PUBLICLY AVAILABLE PRIVACY POLICY TO : 6~~
	195	+	(3) THE POWER TO EXERCISE A CONTROLLING INFLUE NCE OVER THE 4
	196	+	MANAGEMENT OF A BUSINESS. 5
291	197
292		-	(I) MAINTAIN AND USE THE INFORMATION IN DEIDE NTIFIED 7
293		-	FORM; AND 8
	198	+	(I) “DARK PATTERN” MEANS A USER INTERFA CE DESIGNED OR 6
	199	+	MANIPULATED WITH THE SUBSTANTIAL EFFECT OF SUBVERTING OR IMPAIRING 7
	200	+	USER AUTONOMY , DECISION MAKING, OR CHOICE. 8
294	201
295		-	(II) NOT ATTEMPT TO REIDEN TIFY THE INFORMATION , EXCEPT 9
296		-	FOR THE SOLE PURPOSE OF DETERMINING WHETH ER THE BUSINESS ’S 10
297		-	DEIDENTIFICATION PROCE SS SATISFIES THE REQ UIREMENTS OF THIS SU BSECTION; 11
298		-	AND 12
	202	+	(J) “DATA PROTECTION IMPACT AS SESSMENT” OR “ASSESSMENT” MEANS A 9
	203	+	SYSTEMATIC SURVEY TO ASSESS AND MITIGATE RISKS TO CHILDREN WH O ARE 10
	204	+	REASONABLY LIKELY TO ACCESS THE ONLINE PR ODUCT AT ISSUE THAT ARISE FROM 11
	205	+	THE DATA MANAGEMENT PRACTICES OF THE BUS INESS AND THE PROVIS ION OF THE 12
	206	+	ONLINE PRODUCT . 13
299	207
300		-	(3) ~~CONTRACTUALLY OBLIGAT ES ANY RECIPIENTS OF THE 13~~
301		-	~~INFORMATION TO COMPL Y WITH ALL PROVISION S OF THIS SUBSECTION~~ . 14
	208	+	(K) “DEFAULT” MEANS A PRESELECTED OPTION ADOPTED BY TH E 14
	209	+	BUSINESS FOR AN ONLINE PRODUCT . 15
302	210
303		-	(M) (N) “LIKELY TO BE ACCESSED BY CHILDREN ” MEANS REASONABLY 15
304		-	EXPECTED THAT THE ON LINE SERVICE , PRODUCT, OR FEATURE WOULD BE 16
305		-	ACCESSED BY CHILDREN , BASED ON SATISFYING ANY OF THE FOLLOWING CRITERIA: 17
	211	+	(L) “DEIDENTIFIED INFORMATION ” MEANS INFORMATION TH AT CANNOT 16
	212	+	BE USED TO REASONABL Y INFER INFORMATION ABOUT, OR OTHERWISE BE LINK ED 17
	213	+	TO, A PARTICULAR CONSUME R, IF THE BUSINESS THAT PO SSESSES THE 18
	214	+	INFORMATION : 19
306	215
307		-	(1) ~~THE ONLINE PRODUCT IS DIRECTED~~ TO ~~CHILDREN AS DEFINED IN 18~~
308		-	~~THE FEDERAL CHILDREN’S ONLINE PRIVACY PROTECTION ACT~~; 19
	216	+	(1) TAKES REASONABLE MEAS URES TO ENSURE THAT THE 20
	217	+	INFORMATION CANNOT B E ASSOCIATED WITH A CONSUMER OR HOUSEHOLD ; 21
309	218
310		-	(2) THE ONLINE PRODUCT IS DETERMINED , BASED ON COMPETENT 20
311		-	AND RELIABLE EVIDENC E REGARDING AUDIENCE COMPOSITION , TO BE ROUTINELY 21
312		-	ACCESSED BY A SIGNIF ICANT NUMBER OF CHIL DREN; 22
	219	+	(2) COMMITS IN PUBLICLY AVAILABL E TERMS AND CONDITIO NS OR IN 22
	220	+	A PUBLICLY AVAILABLE P RIVACY POLICY TO: 23
313	221
314		-	(3) THE ~~ONLINE PRODUCT IS SUBSTANTIALLY SIMILA R OR THE SAME 23~~
315		-	~~AS AN ONLINE PRODUC T THAT SATISFIES ITE M (2) OF THIS SUBSECTION~~ ; 24
	222	+	(I) MAINTAIN AND USE THE INFORMAT ION IN DEIDENTIFIED 24
	223	+	FORM; AND 25
316	224
317		-	(4) THE ONLINE PRODUCT FE ATURES ADVERTISEMENT S MARKETED 25
318		-	TO CHILDREN; 26
	225	+	(II) NOT ATTEMPT TO REIDENTIF Y THE INFORMATION , EXCEPT 26
	226	+	FOR THE SOLE PURPOSE OF DETERMINI NG WHETHER THE BUSIN ESS’S 27
	227	+	DEIDENTIFICATION PRO CESS SATISFIES THE R EQUIREMENTS OF THIS SUBSECTION; 28
	228	+	AND 29
319	229
320		-	(5) THE ~~ONLINE PRODUCT HA S DESIGN ELEMENTS TH AT ARE KNOWN 27~~
321		-	TO BE OF ~~INTEREST TO CHILDREN,~~ ~~SUCH AS GAMES , CARTOONS, MUSIC, AND 28~~
322		-	~~CELEBRITIES WHO APPEAL TO CHIL DREN;~~ ~~OR 29~~
	230	+	(3) CONTRACTUALLY OBLIGAT ES ANY RECIPIENTS OF THE 30
	231	+	INFORMATION TO COMPL Y WITH ALL PROVISION S OF THIS SUBSECTION . 31
	232	+	6 HOUSE BILL 901
323	233
324		-	(6) THE BUSINESS KNOWS , BASED ON INTERNAL RE SEARCH, THAT A 30
325		-	SIGNIFICANT AMOUNT O F THE ONLINE PRODUCT ’S AUDIENCE IS CHILDR EN. 31
	234	+
	235	+	(M) “LIKELY TO B E ACCESSED BY CHILDREN ” MEANS REASONABLY 1
	236	+	EXPECTED THAT THE ONLINE SERV ICE, PRODUCT, OR FEATURE WOULD BE 2
	237	+	ACCESSED BY CHILDREN , BASED ON SATISFYING ANY OF THE FOLLOWING CRITERIA: 3
	238	+
	239	+	(1) THE ONLINE PRODUCT IS DIRECTED TO CHILDREN AS DEFINED IN 4
	240	+	THE FEDERAL CHILDREN’S ONLINE PRIVACY PROTECTION ACT; 5
	241	+
	242	+	(2) THE ONLINE PRODUCT IS DETERMINED , BASED ON COMPETENT 6
	243	+	AND RELIABLE EVIDENC E REGARDING AUDIENCE COMPOSITION , TO BE ROUTINELY 7
	244	+	ACCESSED BY A SIGNIF ICANT NUMBER OF CHIL DREN; 8
	245	+
	246	+	(3) THE ONLINE PRODUCT IS SUBSTANTIALLY SIMILAR OR THE SAME 9
	247	+	AS AN ONLINE PRODUCT TH AT SATISFIES ITEM (2) OF THIS SUBSECTION ; 10
	248	+
	249	+	(4) THE ONLINE PRODUCT FE ATURES ADVERTISEMENT S MARKETED 11
	250	+	TO CHILDREN; 12
	251	+
	252	+	(5) THE ONLINE PRODUCT HA S DESIGN ELEMENTS TH AT ARE KNOWN 13
	253	+	TO BE OF INTEREST TO CHILDREN, SUCH AS GAMES , CARTOONS, MUSIC, AND 14
	254	+	CELEBRITIES WHO APPE AL TO CHILDREN ; OR 15
	255	+
	256	+	(6) THE BUSINESS KNOWS , BASED ON INTERNAL RE SEARCH, THAT A 16
	257	+	SIGNIFICANT AMOUNT O F THE ONLINE PRODUCT ’S AUDIENCE IS CHILDR EN. 17
	258	+
	259	+	(N) (1) “ONLINE PRODUCT ” MEANS AN ONLINE SERV ICE, PRODUCT, OR 18
	260	+	FEATURE. 19
	261	+
	262	+	(2) “ONLINE PRODUCT ” DOES NOT INCLUDE : 20
	263	+
	264	+	(I) A TELECOMMUNICATIONS S ERVICE, AS DEFINED IN 47 21
	265	+	U.S.C. § 153; OR 22
	266	+
	267	+	(II) THE DELIVERY OR USE O F A PHYSICAL PRODUCT SOLD BY 23
	268	+	AN ONLINE RETAILER . 24
	269	+
	270	+	(O) (1) “PERSONAL INFORMATION ” MEANS INFORMATION THAT 25
	271	+	IDENTIFIES, RELATES TO , DESCRIBES, IS REASONABLY CAPABL E OF BEING 26
	272	+	ASSOCIATED WITH, OR COULD REASONABLY BE LINKED, DIRECTLY OR INDIRECT LY, 27
	273	+	WITH A PARTICULAR CO NSUMER OR HOUSEHOLD . 28
	274	+
	275	+	(2) “PERSONAL INFORMATION ” DOES NOT INCLUDE : 29
	276	+	HOUSE BILL 901 7
	277	+
	278	+
	279	+	(I) PUBLICLY AVAILABLE INFORMATIO N OR LAWFULLY 1
	280	+	OBTAINED, TRUTHFUL INFORMATION THAT IS OF PUBLIC CO NCERN; OR 2
	281	+
	282	+	(II) CONSUMER INFORMATION THAT IS DEIDENTIFIED OR 3
	283	+	AGGREGATE CONSUMER I NFORMATION . 4
	284	+
	285	+	(P) “PRECISE GEOLOCATION ” MEANS ANY DATA THAT IS: 5
	286	+
	287	+	(1) DERIVED FROM A DEVICE ; AND 6
	288	+
	289	+	(2) USED OR INTENDED TO BE US ED TO LOCATE A CONSU MER WITHIN 7
	290	+	A GEOGRAPHIC AREA TH AT IS LESS THAN OR E QUAL TO THE AREA OF A CIRCLE WITH 8
	291	+	A RADIUS OF 1,850 FEET. 9
	292	+
	293	+	(Q) (1) “PROFILING” MEANS ANY FORM OF AU TOMATED PROCESSING O F 10
	294	+	PERSONAL IN FORMATION THAT USES PERSONAL INFORMATION TO EVALUATE 11
	295	+	CERTAIN ASPECTS RELA TING TO AN INDIVIDUA L. 12
	296	+
	297	+	(2) “PROFILING” INCLUDES ANALYZING OR PREDICT ING ASPECTS 13
	298	+	CONCERNING AN INDIVI DUAL’S PERFORMANCE AT WOR K, ECONOMIC SITUATION , 14
	299	+	HEALTH, PERSONAL PREFERENCES , INTERESTS, RELIABILITY, BEHAVIOR, 15
	300	+	LOCATION, OR MOVEMENTS . 16
	301	+
	302	+	(R) (1) “PUBLICLY AVAILABLE INFORMATIO N” MEANS INFORMATION 17
	303	+	THAT: 18
	304	+
	305	+	(I) IS LAWFULLY MADE AVAILA BLE FROM FEDERAL , STATE, OR 19
	306	+	LOCAL GOVERNMENT REC ORDS; OR 20
	307	+
	308	+	(II) A BUSINESS HAS A REASO NABLE BASIS TO BELIEVE IS 21
	309	+	LAWFULLY MADE AVAILA BLE TO THE GENERAL P UBLIC BY THE CONSUME R OR BY 22
	310	+	WIDELY DISTRIBUTED M EDIA. 23
	311	+
	312	+	(2) “PUBLICLY AVAILABLE INFORMATIO N” DOES NOT INCLUDE 24
	313	+	BIOMETRIC INFORMATIO N COLLECTED BY A BUS INESS ABOUT A CONSUM ER 25
	314	+	WITHOUT THE CONSUMER ’S KNOWLEDGE . 26
	315	+
	316	+	(S) “SELL” MEANS TO TRANSFER , RENT, RELEASE, DISCLOSE, 27
	317	+	DISSEMINAT E, MAKE AVAILABLE, OR OTHERWISE COMMUNICATE , WHETHER 28
	318	+	ORALLY, IN WRITING, OR BY ELECTRONIC OR OTHER MEANS , A CONSUMER ’S 29
	319	+	PERSONAL INFORMATION BY THE BUSINESS TO A THIRD PARTY FOR M ONETARY OR 30
	320	+	OTHER VALUABLE CONSI DERATION. 31
326	321		8 HOUSE BILL 901
327	322
328	323
329		-	(N) (O) (1) “ONLINE PRODUCT ” MEANS AN ONLINE SERV ICE, PRODUCT, 1
330		-	OR FEATURE. 2
	324	+	(T) (1) “SENSITIVE PERSONAL INFORMATION ” MEANS: 1
331	325
332		-	(2) ~~“ONLINE PRODUCT ” DOES NOT INCLUDE~~ : 3
	326	+	(I) PERSONAL INFORMATION THAT REVEALS A CONSU MER’S: 2
333	327
334		-	~~(I) A TELECOMMUNICATIONS~~ S ~~ERVICE, AS DEFINED IN 47 4~~
335		-	~~U.S.C. § 153;~~ OR 5
	328	+	1. SOCIAL SECURITY NUMBER, DRIVER’S LICENSE 3
	329	+	NUMBER, STATE IDENTIFICATION CARD NUMBER , OR PASSPORT NUMBER ; 4
336	330
337		-	(II) THE DELIVERY SALE, DELIVERY, OR USE OF A PHYSICAL 6
338		-	PRODUCT SOLD BY AN O NLINE RETAILER ; OR 7
	331	+	2. ACCOUNT LOGIN INFORMA TION, FINANCIAL 5
	332	+	ACCOUNT NUMBER , DEBIT CARD NUMBER , OR CREDIT CARD NUMBE R, IN 6
	333	+	COMBINATION WITH ANY REQUIRED SECURITY OR ACCESS CODE , PASSWORD, OR 7
	334	+	CREDENTIALS THAT ALL OW ACCESS TO AN ACCO UNT; 8
339	335
340		-	(III) A BROADBAND INTERNET ACCESS SERVI CE, AS DEFINED IN 8
341		-	47 C.F.R. § 8.1(B). 9
	336	+	3. PRECISE GEOLOCATION ; 9
342	337
343		-	(O) (P) (1) “PERSONAL INFORMATION ” MEANS INFORMATION TH AT 10
344		-	IDENTIFIES, RELATES TO , DESCRIBES, IS REASONABLY CAPABL E OF BEING 11
345		-	ASSOCIATED WITH , OR COULD REASONABLY BE LINKED, DIRECTLY OR INDIRECT LY, 12
346		-	WITH A PARTICULAR CO NSUMER OR HOUSEHOLD . 13
	338	+	4. RACIAL OR ETHNIC ORIG IN OR RELIGIOUS OR 10
	339	+	PHILOSOPHICAL BELIEF S; 11
347	340
348		-	~~(2) “PERSONAL~~ ~~INFORMATION ” DOES NOT INCLUDE : 14~~
	341	+	5. UNION MEMBERSHIP STAT US; 12
349	342
350		-	~~(I) PUBLICLY AVAILABLE IN FORMATION~~ OR ~~LAWFULL Y 15~~
351		-	~~OBTAINED, TRUTHFUL INFORMATION THAT~~ IS ~~OF PUBLIC CO NCERN~~; OR 16
	343	+	6. MAIL, E–MAIL, TEXT, OR MESSAGE CONTENTS , 13
	344	+	UNLESS THE BUSINESS IS THE INTENDED RECI PIENT; OR 14
352	345
353		-	(II) CONSUMER INFORMATION THAT IS DEIDENTIFIED OR 17
354		-	AGGREGATE CONSUMER I NFORMATION . 18
	346	+	7. GENETIC DATA; 15
355	347
356		-	(P) (Q) “PRECISE GEOLOCATION ” MEANS ANY DATA THAT IS: 19
	348	+	(II) BIOMETRIC INFORMATION THAT IS OR MAY BE PROCESS ED 16
	349	+	FOR THE PURPOSE OF U NIQUELY IDENTIFYING A CONSUMER ; 17
357	350
358		-	(1) DERIVED FROM A DEVICE ; AND 20
	351	+	(III) PERSONAL INFORMATION COLLECTED AND ANALYZ ED 18
	352	+	CONCERNING A CONSUME R’S HEALTH; OR 19
359	353
360		-	(2) USED OR INTENDED TO B E USED TO LOCATE A C ONSUMER WITHIN 21
361		-	A GEOGRAPHIC AREA TH AT IS LESS THAN OR E QUAL TO THE AREA OF A CIRCLE WITH 22
362		-	A RADIUS OF 1,850 FEET. 23
	354	+	(IV) PERSONAL INFORMATION COLLECTED AND ANALYZ ED 20
	355	+	CONCERNING A CONSUME R’S SEX LIFE OR SEXUAL ORIENTATION . 21
363	356
364		-	(Q) (R) (1) “PROFILING” MEANS ANY FORM OF AU TOMATED 24
365		-	PROCESSING OF PERSON AL INFORMATION THAT USES PERSONAL INFORM ATION TO 25
366		-	EVALUATE OR PREDICT CERTAIN ASPECTS RELA TING TO AN INDIVIDUA L. 26
	357	+	(2) “SENSITIVE PERSONAL INFORMATION ” DOES NOT INCLUDE 22
	358	+	PUBLICLY AVAILABLE I NFORMATION . 23
367	359
368		-	(2) “PROFILING” INCLUDES ANALYZING O R PREDICTING ASPECTS 27
369		-	CONCERNING , INCLUDING AN INDIVIDUAL’S PERFORMANCE AT WOR K, ECONOMIC 28
370		-	SITUATION, HEALTH, PERSONAL PREFERENCES , INTERESTS, RELIABILITY, 29
371		-	BEHAVIOR, LOCATION, OR MOVEMENTS . 30
372		-	HOUSE BILL 901 9
	360	+	(U) “SHARE” MEANS TO RENT, RELEASE, DISCLOSE, DISSEMINAT E, MAKE 24
	361	+	AVAILABLE, TRANSFER, OR OTHERWISE COMMUNI CATE, WHETHER ORALLY , IN 25
	362	+	WRITING, OR BY ELECTRONIC OR OTH ER MEANS, A CONSUMER ’S PERSONAL 26
	363	+	INFORMATION TO A THI RD PARTY FOR CROSS –CONTEXT BEHAVIORAL A DVERTISING 27
	364	+	WHETHER OR NOT FOR MONETARY OR OTHE R VALUABLE CONSIDERA TION, 28
	365	+	INCLUDING IN A TRANSACTION BETWEEN A BUSINESS AND A THI RD PARTY FOR 29 HOUSE BILL 901 9
373	366
374	367
375		-	~~(R) (S) (1) “PUBLICLY~~ ~~AVAILABLE~~ IN ~~FORMATION” MEANS~~ 1
376		-	~~INFORMATION THAT :~~ 2
	368	+	CROSS–CONTEXT BEHAVIORAL A DVERTISING FOR THE B ENEFIT OF A BUSINESS IN 1
	369	+	WHICH NO MONEY IS EX CHANGED. 2
377	370
378		-	(I) IS LAWFULLY MADE AVAI LABLE FROM FED ERAL, STATE, OR 3
379		-	LOCAL GOVERNMENT REC ORDS; OR 4
	371	+	(V) “THIRD PARTY” MEANS A PERSON WHO I S NOT: 3
380	372
381		-	(II) A BUSINESS ~~HAS A REASO NABLE BASIS TO BELIE VE IS 5~~
382		-	~~LAWFULLY MADE AVAILA BLE TO~~ THE ~~GENERAL P UBLIC BY THE CONSUME R OR BY 6~~
383		-	~~WIDELY DISTRIBUTED M EDIA.~~ 7
	373	+	(1) THE BUSINESS WITH WHICH THE CONSUMER INTENTI ONALLY 4
	374	+	INTERACTS AND THAT C OLLECTS PERSONAL INF ORMATION FROM THE CONSUMER 5
	375	+	AS PART OF THE CONSU MER’S INTERACTION WITH T HE BUSINESS; OR 6
384	376
385		-	(2) “PUBLICLY AVAILABLE IN FORMATION” DOES NOT INCLUDE 8
386		-	BIOMETRIC INFORMATIO N COLLECTED BY A BUS INESS ABOUT A CONSUM ER 9
387		-	WITHOUT THE CONSUMER ’S KNOWLEDGE . 10
	377	+	(2) A SERVICE PROVIDER FOR THE BUSINESS. 7
388	378
389		-	(S) (T) (1) “SELL” MEANS TO TRANSFER , RENT, RELEASE, DISCLOSE, 11
390		-	DISSEMINATE, MAKE AVAILABLE , OR OTHERWISE COMMUNI CATE, WHETHER 12
391		-	ORALLY, IN WRITING, OR BY ELECT RONIC OR OTHER MEANS , A CONSUMER ’S 13
392		-	PERSONAL INFORMATION BY THE BUSINESS TO A THIRD PARTY FOR MONE TARY OR 14
393		-	OTHER VALUABLE CONSI DERATION. 15
	379	+	14–4502. 8
394	380
395		-	~~(2) “SELL”~~ DOES ~~NOT INCLUDE~~ : 16
	381	+	THIS SUBTITLE DOES NO T APPLY TO: 9
396	382
397		-	(I) THE DISCLOSURE OF PER SONAL INFORMATION TO A 17
398		-	SERVICE PROVIDER THA T PROCESSES PERSO NAL INFORMATION ON B EHALF OF THE 18
399		-	BUSINESS; 19
	383	+	(1) PROTECTED HEALTH INFO RMATION THAT IS COLL ECTED BY A 10
	384	+	COVERED ENTITY OR BU SINESS ASSOCIATION G OVERNED BY THE PRIVA CY 11
	385	+	SECURITY AND BREACH NOTIFICATION RULES I N 45 C.F.R. PARTS 160 AND 164, 12
	386	+	ESTABLISHED UNDER THE FEDERAL HEALTH INSURANCE PORTABILITY AND 13
	387	+	ACCOUNTABILITY ACT OF 1996 AND THE FEDERAL HEALTH INFORMATION 14
	388	+	TECHNOLOGY FOR ECONOMIC AND CLINICAL HEALTH ACT; 15
400	389
401		-	(II) THE DISCLOSURE OF PER SONAL INFORMATION TO A THIRD 20
402		-	PARTY FOR PURPOSES O F PROVIDING A PRODUC T OR SERVICE REQUEST ED BY THE 21
403		-	CONSUMER ; 22
	390	+	(2) A HEALTH PROVIDER OR C OVERED ENTITY GOVERN ED BY THE 16
	391	+	PRIVACY SECURITY AND BREACH NOTIFICATION RULES IN 45 C.F.R. PARTS 160 AND 17
	392	+	164, ESTABLISHED UNDER THE FEDERAL HEALTH INSURANCE PORTABILITY AND 18
	393	+	ACCOUNTABILITY ACT OF 1996 AND THE FEDERAL HEALTH INFORMATION 19
	394	+	TECHNOLOGY FOR ECONOMIC AND CLINICAL HEALTH ACT, TO THE EXTENT THAT 20
	395	+	THE PROVIDER OR COVE RED ENTITY MAINTAINS PATIENT INFORMATION IN THE 21
	396	+	SAME MANN ER AS MEDICAL INFORM ATION OR PROTECTED H EALTH INFORMATION 22
	397	+	AS DESCRIBED IN ITEM (1) OF THIS SECTION; OR 23
404	398
405		-	(~~III~~) ~~THE DISCLOSURE~~ OF ~~PER SONAL INFORMATION WH ERE THE 23~~
406		-	~~CONSUMER DIRECT S~~ THE ~~BUSINESS TO DI SCLOSE~~ THE ~~PERSONAL INFORMATION OR 24~~
407		-	~~INTENTIONALLY USES T HE BUSINESS TO INTER ACT~~ WITH ~~A THIRD PAR TY; OR 25~~
	399	+	(3) INFORMATION COLLECTED AS PART OF A CLINICA L TRIAL 24
	400	+	SUBJECT TO THE FEDERAL POLICY FOR THE PROTECTION OF HUMAN SUBJECTS, 25
	401	+	IN ACCORDANCE WITH : 26
408	402
409		-	(IV) THE DISCLOSURE OR TRA NSFER OF PERSONAL 26
410		-	INFORMATION TO A THI RD PARTY AS AN ASSET THAT IS PART OF AN A CTUAL OR 27
411		-	PROPOSED MERGER , ACQUISITION, BANKRUPTCY , OR OTHER TRANSACTION , IN 28
412		-	WHICH THE THIRD PART Y ASSUMES CONTROL OF ALL OR PART OF THE B USINESS’S 29
413		-	ASSETS. 30
	403	+	(I) GOOD CLINICAL PRACTIC E GUIDELINES ISSUED BY THE 27
	404	+	INTERNATIONAL COUNCIL FOR HARMONISATION OF TECHNICAL REQUIREMENTS 28
	405	+	FOR PHARMACEUTICALS FOR HUMAN USE; OR 29
414	406
415		-	(T) (U) (1) “SENSITIVE PERSONAL IN FORMATION” MEANS: 31
	407	+	(II) HUMAN SUBJECT PROTECT ION REQUIREMENTS OF THE 30
	408	+	U.S. FOOD AND DRUG ADMINISTRATION . 31
416	409
417		-	(I) PERSONAL INFORMATION THAT REVEALS A CONSU MER’S: 32
418		-	10 HOUSE BILL 901
419		-
420		-
421		-	1. SOCIAL SECURITY NUMBER , DRIVER’S LICENSE 1
422		-	NUMBER, STATE IDENTIFICATION CARD NUMBER , OR PASSPORT NUMBER ; 2
423		-
424		-	2. ACCOUNT LOGIN INFORMA TION, FINANCIAL 3
425		-	ACCOUNT NUMBER , DEBIT CARD NUMBER , OR CREDIT CARD NUMBE R, IN 4
426		-	COMBINATION WITH ANY REQUIRED SECURITY OR ACCESS CODE, PASSWORD, OR 5
427		-	CREDENTIALS THAT ALL OW ACCESS TO AN ACCO UNT; 6
428		-
429		-	3. PRECISE GEOLOCATION ; 7
430		-
431		-	4. RACIAL OR ETHNIC ORIG IN OR RELIGIOUS OR 8
432		-	PHILOSOPHICAL BELIEF S; 9
433		-
434		-	5. UNION MEMBERSHIP STAT US; 10
435		-
436		-	6. 5. MAIL, E–MAIL, TEXT, OR MESSAGE CONTENTS , 11
437		-	UNLESS THE BUSINESS IS THE INTENDED RECIPIENT ; OR 12
438		-
439		-	7. 6. GENETIC DATA; 13
440		-
441		-	(II) BIOMETRIC INFORMATION THAT IS OR MAY BE PR OCESSED 14
442		-	FOR THE PURPOSE OF U NIQUELY IDENTIFYING A CONSUMER ; 15
443		-
444		-	(III) PERSONAL INFORMATION COLLECTED AND ANALYZ ED 16
445		-	CONCERNING A CONSUME R’S HEALTH; OR 17
446		-
447		-	(IV) PERSONAL INFORMATION COLLECTED AND ANALYZ ED 18
448		-	CONCERNING A CONSUME R’S SEX LIFE OR SEXUAL ORIENTATION . 19
449		-
450		-	(2) “SENSITIVE PERSONAL IN FORMATION” DOES NOT INCLUDE 20
451		-	PUBLICLY AVAILABLE I NFORMATION . 21
452		-
453		-	(V) “SERVICE PROVIDER ” MEANS A PERSON THAT PROCESSES PERSONAL 22
454		-	INFORMATION ON BEHAL F OF A BUSINESS AND THAT RECEIVES FROM O R ON BEHALF 23
455		-	OF THE BUSINESS , A CONSUMER ’S PERSONAL INFORMATI ON FOR A BUSINESS 24
456		-	PURPOSE IN ACCORDANC E WITH A WRITTEN CON TRACT, IF THE CONTRACT 25
457		-	PROHIBITS THE PERSON FROM: 26
458		-
459		-	(1) SELLING OR SHARING TH E PERSONAL INFORMATI ON; 27
460		-
461		-	(2) RETAINING, USING, OR DISCLOSING THE PE RSONAL 28
462		-	INFORMATION FOR ANY PURPOSE OTHER THAN F OR THE BUSINESS PURP OSES 29
463		-	SPECIFIED IN THE CON TRACT FOR THE BUSINE SS, INCLUDING RETAINING , USING, 30
464		-	OR DISCLOSING THE PE RSONAL INFORMATION FOR A COMMERCIAL PURPOSE 31 HOUSE BILL 901 11
465		-
466		-
467		-	OTHER THAN THE BUSIN ESS PURPOSES SPECIFI ED IN THE CONTRACT W ITH THE 1
468		-	BUSINESS, OR AS OTHERWISE ALLO WED UNDER THIS SUBTI TLE; 2
469		-
470		-	(3) RETAINING, USING, OR DISCLOSING THE PE RSONAL 3
471		-	INFORMATION OUTSIDE OF THE DIRECT BUSINESS RELATIONSHI P BETWEEN THE 4
472		-	SERVICE PROVIDER AND THE BUSINESS; AND 5
473		-
474		-	(4) COMBINING THE PERSONA L INFORMATION THAT T HE SERVICE 6
475		-	PROVIDER RECEIVES FR OM, OR ON BEHALF OF , THE BUSINESS WITH PE RSONAL 7
476		-	INFORMATION THAT IT RECEIVES FROM , OR ON BEHALF OF , ANOTHER PERSON OR 8
477		-	PERSONS, OR COLLECTS FROM ITS OWN INTERACTION WITH THE CONSUMER . 9
478		-
479		-	(U) (W) “SHARE” MEANS TO RENT , RELEASE, DISCLOSE, DISSEMINATE, 10
480		-	MAKE AVAILABLE , TRANSFER, OR OTHERWISE COMMUNI CATE, WHETHER ORALLY , 11
481		-	IN WRITING, OR BY ELECTRONIC OR OTHER MEANS , A CONSUMER ’S PERSONAL 12
482		-	INFORMATION TO A THI RD PARTY FOR CROSS –CONTEXT BEHAVIORAL A DVERTISING 13
483		-	WHETHER OR NOT FOR M ONETARY OR OTHER VAL UABLE CONSIDERATION , 14
484		-	INCLUDING IN A TRANS ACTION BETWEEN A BUS INESS AND A THIRD PA RTY FOR 15
485		-	CROSS–CONTEXT BEHAVIORAL TARGETED ADVERTISING FOR THE BENEFIT OF A 16
486		-	BUSINESS IN WHICH NO MONEY IS EXCHANGED . 17
487		-
488		-	(X) (1) “TARGETED ADVERTISING ” MEANS DISPLAYING 18
489		-	ADVERTISEMENTS TO A CONSUMER WHERE THE A DVERTISEMENT IS SELE CTED 19
490		-	BASED ON PERSONAL IN FORMATION OBTAINED O R INFERRED FROM THAT 20
491		-	CONSUMER ’S ACTIVITIES OVER TI ME AND ACROSS NONAFF ILIATED INTERNET 21
492		-	WEBSITES OR ONLINE A PPLICATIONS TO PREDI CT THE CONSUMER ’S PREFERENCES 22
493		-	OR INTERESTS. 23
494		-
495		-	(2) “TARGETED ADVERTISING ” DOES NOT INCLUDE : 24
496		-
497		-	(I) ADVERTISEMENTS BASED ON ACTIVITIES WITHIN A 25
498		-	BUSINESS’S OWN INTERNET WEBSITES OR ONLINE APPLICATIONS ; 26
499		-
500		-	(II) ADVERTISEMENTS BASED ON THE CONTEXT OF A 27
501		-	CONSUMER ’S CURRENT SEARCH QUERY , VISIT TO AN INTERNET WEBSITE OR O NLINE 28
502		-	APPLICATION; 29
503		-
504		-	(III) ADVERTISEMENTS DIRECT ED TO A CONSUMER IN 30
505		-	RESPONSE TO THE CONS UMER’S REQUEST FOR INFORM ATION OR FEEDBACK ; OR 31
506		-
507		-	(IV) PROCESSING PERSONAL I NFORMATION SOLELY TO 32
508		-	MEASURE OR RE PORT ADVERTISING FRE QUENCY, PERFORMANCE , OR REACH. 33
509		-
510		-	(V) (Y) “THIRD PARTY” MEANS A PERSON WHO I S NOT: 34 12 HOUSE BILL 901
	410	+	14–4503. 32 10 HOUSE BILL 901
511	411
512	412
513	413
514		-	(1) THE BUSINESS WITH WHI CH THE CONSUMER INTE NTIONALLY 1
515		-	INTERACTS AND THAT C OLLECTS PERSONAL INF ORMATION FROM THE CO NSUMER 2
516		-	AS PART OF THE CONSU MER’S INTERACTION WITH THE B USINESS; OR 3
	414	+	IT IS THE INTENT OF THE GENERAL ASSEMBLY THAT : 1
517	415
518		-	(2) A SERVICE PROVIDER FOR THE BUSINESS. 4
	416	+	(1) CHILDREN SHOULD BE AF FORDED PROTECTIONS N OT ONLY BY 2
	417	+	ONLINE PRODUCTS SPEC IFICALLY DIRECTED AT THEM, BUT BY ALL ONLINE 3
	418	+	PRODUCTS THEY ARE LI KELY TO ACCESS ; 4
519	419
520		-	14–4502. 5
	420	+	(2) BUSINESSES THAT DEVEL OP AND PROVIDE ONLIN E SERVICES 5
	421	+	THAT CHILDREN ARE LI KELY TO ACCESS SHOUL D CONSIDER THE BEST INTERESTS 6
	422	+	OF CHILDREN WHEN DES IGNING, DEVELOPING , AND PROVIDING THOSE ONLINE 7
	423	+	PRODUCT S; AND 8
521	424
522		-	THIS SUBTITLE DOES NO T APPLY TO: 6
	425	+	(3) IF A CONFLICT ARISES BETWEEN COMMERCIAL I NTERESTS AND 9
	426	+	THE BEST INTERESTS O F CHILDREN, COMPANIES THAT DEVELOP ONLINE PRODUCTS 10
	427	+	LIKELY TO BE ACCESSE D BY CHILDREN SHALL GIVE PRIORITY TO THE PRIVACY, 11
	428	+	SAFETY, AND WELL–BEING OF CHILDREN OV ER THOSE COMMERCIAL INTERESTS. 12
523	429
524		-	(1) PROTECTED HEALTH INFO RMATION THAT IS COLL ECTED BY A 7
525		-	COVERED ENTITY OR BU SINESS ASSOCIATION G OVERNED BY THE PRIVA CY 8
526		-	SECURITY AND BREACH NOTIFICATION RULES IN 45 C.F.R. PARTS 160 AND 164, 9
527		-	ESTABLISHED UNDER TH E FEDERAL HEALTH INSURANCE PORTABILITY AND 10
528		-	ACCOUNTABILITY ACT OF 1996 AND THE FEDERAL HEALTH INFORMATION 11
529		-	TECHNOLOGY FOR ECONOMIC AND CLINICAL HEALTH ACT; 12
	430	+	14–4504. 13
530	431
531		-	(2) A HEALTH PROVIDER OR COVERED ENTITY GO VERNED BY THE 13
532		-	PRIVACY SECURITY AND BREACH NOTIFICATION RULES IN 45 C.F.R. PARTS 160 AND 14
533		-	164, ESTABLISHED UNDER TH E FEDERAL HEALTH INSURANCE PORTABILITY AND 15
534		-	ACCOUNTABILITY ACT OF 1996 AND THE FEDERAL HEALTH INFORMATION 16
535		-	TECHNOLOGY FOR ECONOMIC AND CLINICAL HEALTH ACT, TO THE EXTENT THAT 17
536		-	THE PROVIDER OR COVE RED ENTITY MAINTAINS PATIENT INFORMATION IN THE 18
537		-	SAME MANNER AS MEDIC AL INFORMATION OR PR OTECTED HEALTH INFOR MATION 19
538		-	AS DESCRIBED IN ITEM (1) OF THIS SECTION; OR 20
	432	+	(A) THIS SECTION APPLIES ONLY TO AN ONLINE PR ODUCT THAT IS 14
	433	+	OFFERED TO THE PUBLIC ON OR AFT ER JULY 1, 2024. 15
539	434
540		-	(3) ~~INFORMATION COLLEC TED AS PART OF~~ A ~~CLI NICAL TRIAL 21~~
541		-	~~SUBJECT TO THE FEDERAL POLICY FOR THE~~ PROTECTION ~~OF HUMAN SUBJECTS,~~ 22
542		-	~~IN ACCORDANCE WITH : 23~~
	435	+	(B) A BUSINESS THAT PROVID ES AN ONLINE PRODUCT LIKELY TO BE 16
	436	+	ACCESSED BY CHILDREN SHALL PREPARE A DATA PROTECTION IM PACT 17
	437	+	ASSESSMENT FOR THE O NLINE PRODUCT . 18
543	438
544		-	(I) GOOD CLINICAL PRACTIC E GUIDELINES ISSUED BY THE 24
545		-	INTERNATIONAL COUNCIL FOR HARMONISATION OF TECHNICAL REQUIREMENTS 25
546		-	FOR PHARMACEUT ICALS FOR HUMAN USE; OR 26
	439	+	(C) THE DATA PROTECTION IMPA CT ASSESSMENT SHALL : 19
547	440
548		-	(II) HUMAN SUBJECT PROTECT ION REQUIREMENTS OF THE 27
549		-	U.S. FOOD AND DRUG ADMINISTRATION . 28
	441	+	(1) IDENTIFY THE PURPOSE OF THE O NLINE PRODUCT ; 20
550	442
551		-	14–4503. 29
	443	+	(2) IDENTIFY HOW THE ONLI NE PRODUCT USES CHIL DREN’S 21
	444	+	PERSONAL INFORMATION ; 22
552	445
553		-	IT IS THE INTENT OF T HE GENERAL ASSEMBLY THAT : 30
	446	+	(3) IDENTIFY THE RISKS OF MATERIAL DETRIMENT T O CHILDREN 23
	447	+	THAT ARISE FROM THE DATA MANAGEMENT PRAC TICES OF THE BUSINES S; AND 24
	448	+
	449	+	(4) ADDRESS, TO THE EXTENT APPLIC ABLE: 25
	450	+
	451	+	(I) WHETHER THE DESIGN OF THE ONLINE PRODUCT C OULD 26
	452	+	HARM CHILDREN , INCLUDING BY EXPOSIN G THEM TO HARMFUL OR POTENTIALLY 27
	453	+	HARMFUL CONTENT ON T HE ONLINE PRODUCT ; 28
	454	+	HOUSE BILL 901 11
	455	+
	456	+
	457	+	(II) WHETHER THE DESIGN OF THE ONLINE PRODUCT C OULD 1
	458	+	LEAD TO CHILDREN EXPERIEN CING OR BEING TARGET ED BY HARMFUL , OR 2
	459	+	POTENTIALLY HARMFUL , CONTACTS ON THE ONLI NE PRODUCT; 3
	460	+
	461	+	(III) WHETHER THE DESIGN OF THE ONLINE PRODUCT C OULD 4
	462	+	ALLOW CHILDREN TO WI TNESS, PARTICIPATE IN, OR BE SUBJECT TO HAR MFUL OR 5
	463	+	POTENTIALLY HARMFUL CONDUCT ON T HE ONLINE PRODUCT ; 6
	464	+
	465	+	(IV) WHETHER THE DESIGN OF THE ONLINE PRODUCT C OULD 7
	466	+	ALLOW CHILDREN TO BE PARTY TO OR BE EXPLO ITED BY A HARMFUL , OR 8
	467	+	POTENTIALLY HARMFUL , CONTACT ON THE ONLIN E PRODUCT; 9
	468	+
	469	+	(V) WHETHER ALGORITHMS US ED BY THE ONLINE PRODUCT 10
	470	+	COULD HARM CHILDREN ; 11
	471	+
	472	+	(VI) WHETHER TARGETED ADVE RTISING SYSTEMS USED BY THE 12
	473	+	ONLINE PRODUCT COULD HARM CHILDREN ; 13
	474	+
	475	+	(VII) WHETHER AND HOW THE O NLINE PRODUCT USES S YSTEM 14
	476	+	DESIGN FEATURES TO I NCREASE, SUSTAIN, OR EXTEND USE BY CHI LDREN, 15
	477	+	INCLUDING: 16
	478	+
	479	+	1. THE AUTOMATIC PLAYING OF MEDIA; 17
	480	+
	481	+	2. REWARDS FOR TIME SPEN T; AND 18
	482	+
	483	+	3. NOTIFICATIONS; AND 19
	484	+
	485	+	(VIII) WHETHER, HOW, AND FOR WHAT PURPOSE THE ONLINE 20
	486	+	PRODUCT COLLECTS OR PROCESSES SENSITIVE PERSONAL INFORMATION OF 21
	487	+	CHILDREN. 22
	488	+
	489	+	(D) (1) A DATA PROTE CTION IMPACT ASSESSM ENT PREPARED BY A 23
	490	+	BUSINESS FOR THE PUR POSE OF COMPLIANCE W ITH ANY OTHER LAW CO MPLIES 24
	491	+	WITH THIS SECTION IF THE ASSESSMENT MEETS THE REQUIREMEN TS OF THIS 25
	492	+	SECTION. 26
	493	+
	494	+	(2) A SINGLE DATA PROTECTI ON IMPACT ASSESSMENT MAY CONTAIN 27
	495	+	MULTIPLE SIMI LAR PROCESSING OPERA TIONS THAT PRESENT S IMILAR RISKS, ONLY 28
	496	+	IF EACH RELEVANT ONL INE PRODUCT IS ADDRE SSED. 29
	497	+	12 HOUSE BILL 901
	498	+
	499	+
	500	+	(E) A BUSINESS SHALL COMPL ETE A DATA PROTECTIO N IMPACT 1
	501	+	ASSESSMENT ON OR BEF ORE JUNE 30, 2024, FOR ANY ONLINE PRODU CT OFFERED 2
	502	+	TO THE PUBLIC THAT I S LIKELY TO BE ACCESSED BY CHILDREN BEFORE T HAT DATE. 3
	503	+
	504	+	14–4505. 4
	505	+
	506	+	(A) A BUSINESS THAT PROVID ES AN ONLINE PRODUCT LIKELY TO BE 5
	507	+	ACCESSED BY CHILDREN MAY NOT OFFER THE PRODUCT TO THE PUBLI C BEFORE 6
	508	+	COMPLETING A DATA PROTECTION IMPA CT ASSESSMENT . 7
	509	+
	510	+	(B) A BUSINESS THAT COMPLETES A DAT A PROTECTION IMPACT 8
	511	+	ASSESSMENT REQUIRED BY THIS SEC TION SHALL: 9
	512	+
	513	+	(1) MAINTAIN DOCUMENTATIO N OF THE ASSESSMENT FOR AS LONG 10
	514	+	AS THE ONLINE PRODUC T IS LIKELY TO BE AC CESSED BY CHILDREN ; 11
	515	+
	516	+	(2) REVIEW EACH DATA PROTECTION IMPA CT ASSESSMENT EVERY 2 12
	517	+	YEARS; 13
	518	+
	519	+	(3) DOCUMENT ANY RISK OF MATERIAL DETRIMENT T O CHILDREN 14
	520	+	THAT ARISES FROM THE DATA MANAGEMENT PRAC TICE OF THE BUSINESS 15
	521	+	IDENTIFIED IN THE ASSESSMENT ; 16
	522	+
	523	+	(4) CREATE A PLAN TO MITI GATE OR ELIMINATE TH E RISK BEFORE 17
	524	+	THE ONLINE PRODUCT I S MADE AVAILABLE TO CHILDREN; 18
	525	+
	526	+	(5) (I) ESTIMATE THE AGE OF C HILD USERS WITH A REASONA BLE 19
	527	+	LEVEL OF CERTAINTY A PPROPRIATE TO THE RI SKS THAT ARISE FROM THE DATA 20
	528	+	MANAGEMENT PRACTICES OF THE BUSINESS ; OR 21
	529	+
	530	+	(II) APPLY TO ALL CONSUMERS THE PRIVACY AND DATA 22
	531	+	PROTECTIONS AFFORDED TO CHILDREN; 23
	532	+
	533	+	(6) CONFIGURE ALL DEFAULT PRIVACY SETTINGS PRO VIDED TO 24
	534	+	CHILDREN BY THE ONLI NE PRODUCT TO OFFER A HIGH LEVEL OF PRIV ACY, UNLESS 25
	535	+	THE BUSINESS CAN DEM ONSTRATE A COMPELLIN G REASON THAT A DIFF ERENT 26
	536	+	SETTING IS IN THE BEST INTEREST OF CHILDREN ; 27
	537	+
	538	+	(7) PROVIDE ANY PRIVACY I NFORMATION , TERMS OF SERVICE , 28
	539	+	POLICIES, AND COMMUNITY STANDA RDS CONCISELY , PROMINENTLY , AND USING 29
	540	+	CLEAR LANGUAGE SUITE D TO THE AGE OF CHIL DREN LIKELY TO ACCES S THE 30
	541	+	ONLINE PRODUCT ; 31
554	542		HOUSE BILL 901 13
555	543
556	544
557		-	(1) CHILDREN SHOULD BE AF FORDED PROTECTIONS N OT ONLY BY 1
558		-	ONLINE PRODUCTS SPEC IFICALLY DIRECTED AT THE M, BUT BY ALL ONLINE 2
559		-	PRODUCTS THEY ARE LI KELY TO ACCESS ; 3
	545	+	(8) PROVIDE AN OBVIOUS SI GNAL TO THE CHILD WH EN THE CHILD’S 1
	546	+	LOCATION IS BEING MONITORED O R TRACKED, IF THE ONLINE PRODUC T ALLOWS 2
	547	+	THE CHILD’S PARENT, GUARDIAN, OR ANY OTHER CONSUME R TO TRACK THE CHILD ’S 3
	548	+	LOCATION; 4
560	549
561		-	(2) BUSINESSES THAT DEVEL OP AND PROVIDE ONLIN E SERVICES 4
562		-	THAT CHILDREN ARE LI KELY TO ACCESS SHOUL D CONSIDER THE BEST INTERESTS 5
563		-	OF CHILDREN WHEN DES IGNING, DEVELOPING , AND PROVID ING THOSE ONLINE 6
564		-	PRODUCTS; AND 7
	550	+	(9) ENFORCE PUBLISHED TER MS, POLICIES, AND CO MMUNITY 5
	551	+	STANDARDS ESTABLISHE D BY THE BUSINESS , INCLUDING PRIVACY PO LICIES, AND 6
	552	+	THOSE REGARDING CHIL DREN; AND 7
565	553
566		-	(3) IF A CONFLICT ARISES BETWEEN COMMERCIAL I NTERESTS AND 8
567		-	THE BEST INTERESTS O F CHILDREN, COMPANIES THAT DEVEL OP ONLINE PRODUCTS 9
568		-	LIKELY TO BE ACCESSE D BY CHILDREN SHALL GIVE PRIORITY TO THE PRIVACY, 10
569		-	SAFETY, AND WELL–BEING OF CHILDREN OVER THO SE COMMERCIAL INTERE STS. 11
	554	+	(10) PROVIDE PROMINENT , ACCESSIBLE, AND RESPONSIVE TOOLS TO 8
	555	+	HELP CHILDREN OR THE IR PARENTS OR GUARDI ANS, IF APPLICABLE, EXERCISE 9
	556	+	THEIR PRIVACY R IGHTS AND REPORT CON CERNS. 10
570	557
571		-	14–~~4504~~. 12
	558	+	14–4506. 11
572	559
573		-	~~WHEN DETERMINING WHET HER~~ AN ~~ACTION IS IN THE BEST INTERESTS O F 13~~
574		-	~~CHILDREN, A BUSINESS SHALL CON SIDER~~ CHILDREN ’S: 14
	560	+	A BUSINESS THAT PROVID ES AN ONLINE PRODUCT LIKELY TO BE ACCESSE D 12
	561	+	BY CHILDREN MAY NOT : 13
575	562
576		-	(1) PRIVACY; 15
	563	+	(1) USE THE PERSONAL INFO RMATION OF A CHILD I N A WAY THAT 14
	564	+	THE BUSINESS KNOWS , OR HAS REASON TO KNO W, IS MATERIALLY DETRIM ENTAL TO 15
	565	+	THE PHYSICAL HEALTH , MENTAL HEALTH , OR WELL–BEING OF A CHILD; 16
577	566
578		-	(2) ~~SAFETY; 16~~
	567	+	(2) PROFILE A CHILD BY DE FAULT, UNLESS: 17
579	568
580		-	(3) PHYSICAL HEALTH ; AND 17
	569	+	(I) THE BUSINESS CAN DEMO NSTRATE, TO THE ATTORNEY 18
	570	+	GENERAL’S SATISFACTION, THAT THE BUSINESS HAS APPROPRIATE SAFE GUARDS IN 19
	571	+	PLACE TO PROTECT CHI LDREN; AND 20
581	572
582		-	(4) MENTAL HEALTH . 18
	573	+	(II) 1. PROFILING IS NECESSAR Y TO PROVIDE THE ONL INE 21
	574	+	PRODUCT REQUEST , AND IS DONE ONLY WITH RESPECT TO THE ASPECTS OF THE 22
	575	+	ONLINE PRODUCT WITH WHICH THE CHILD IS A CTIVELY AND KNOWINGL Y ENGAGED; 23
	576	+	OR 24
583	577
584		-	14–4504. 14–4505. 19
	578	+	2. THE BUSINESS CAN DEMO NSTRATE A COMPELLI NG 25
	579	+	REASON THAT PROFILIN G IS IN THE BEST INTERESTS OF CHILDREN ; 26
585	580
586		-	(A) THIS SECTION APPLIES ONLY TO AN ONLINE PR ODUCT THAT IS 20
587		-	OFFERED TO THE PUBLI C ON OR AFTER JULY 1, 2024 APRIL 1, 2025. 21
588		-
589		-	(B) A BUSINESS THAT PROVID ES AN ONLINE PRODUCT LIKELY TO BE 22
590		-	ACCESSED BY CHILDREN SHALL PREPARE A DATA PROTECTION IMPACT 23
591		-	ASSESSMENT FOR THE O NLINE PRODUCT . 24
592		-
593		-	(C) THE DATA PROTECTION I MPACT ASSESSMENT SHA LL: 25
594		-
595		-	(1) IDENTIFY THE PURPOSE OF THE ONLINE PRODUC T; 26
596		-
597		-	(2) IDENTIFY HOW THE ONLI NE PRODUCT USES CHIL DREN’S 27
598		-	PERSONAL INFORMATION ; 28
	581	+	(3) COLLECT, SELL, SHARE, OR RETAIN ANY PERSON AL 27
	582	+	INFORMATION THAT IS UNNECESSARY TO PROVIDE AN ONLINE PRODUCT TH AT A 28
	583	+	CHILD IS ACTIVELY AN D KNOWINGLY ENGAGED WITH, UNLESS THE BUSINESS CAN 29
	584	+	DEMONSTRATE A COMPEL LING REASON THAT THE COLLECTION, SALE, SHARING, OR 30
	585	+	RETENTION OF THE PER SONAL INFORMATION IS IN THE BEST INTEREST S OF 31
	586	+	CHILDREN LIKELY TO A CCESS THE ONLINE PRO DUCT; 32
599	587		14 HOUSE BILL 901
600	588
601	589
602		-	(3) IDENTIFY THE RISKS OF MATERIAL DETRIMENT TO CHIL DREN 1
603		-	THAT ARISE FROM THE DATA MANAGEMENT PRAC TICES OF THE BUSINES S; AND 2
	590	+	(4) USE THE PERSONAL INFO RMATION OF A CHILD E ND–USER FOR 1
	591	+	ANY REASON OT HER THAN THAT FOR WH ICH THE PERSONAL INF ORMATION WAS 2
	592	+	COLLECTED, UNLESS THE BUSINESS CAN DEMONSTRATE A CO MPELLING REASON 3
	593	+	THAT THE USE OF THE PERSONAL INFORMATION IS IN THE BEST INTER ESTS OF 4
	594	+	CHILDREN LIKELY TO ACCESS THE ONLINE PRODUCT ; 5
604	595
605		-	(4) ADDRESS, TO THE EXTENT APPLIC ABLE: 3
	596	+	(5) COLLECT, SELL, OR SHARE ANY PRECISE GEOLOCATION 6
	597	+	INFORMATION OF CHILD REN BY DEFAULT , UNLESS THE COLLECTIO N OF THAT 7
	598	+	INFORMATION IS STRIC TLY NECESSARY IN ORD ER FOR THE BUSINESS TO PROVIDE 8
	599	+	THE ONLINE PRODUCT R EQUESTED, AND THEN MAY ONLY DO SO FOR THE LIMITED 9
	600	+	TIME THAT THE C OLLECTION OF PRECISE GEOLOCATION INFORMAT ION IS 10
	601	+	NECESSARY TO PROVIDE THE ONLINE PRODUCT ; 11
606	602
607		-	(I) ~~WHETHER THE DESIGN~~ OF ~~THE ONLINE PRODUCT C OULD 4~~
608		-	~~HARM CHILDREN , INCLUDING BY EXPOSIN G THEM~~ TO ~~HARMFUL OR POTENTIALLY 5~~
609		-	~~HARMFUL CONTENT ON T HE ONLINE PRODUCT~~ ; 6
	603	+	(6) COLLECT ANY PRECISE G EOLOCATION INFORMATI ON OF A CHILD 12
	604	+	WITHOUT PROVIDING AN OBVIOUS SIGN TO THE CHILD FOR THE DURATI ON THAT 13
	605	+	THE PRECISE GEOLOCAT ION INFORMATION IS BEING COLLECTED ; 14
610	606
611		-	(I) WHETHER ALGORITHMS US ED BY THE ONLINE PRO DUCT 7
612		-	COULD RESULT IN HARM TO CHILDREN; 8
	607	+	(7) USE DARK PATTERNS TO : 15
613	608
614		-	(II) WHETHER THE DESIGN DATA MANAGEMENT PRAC TICES OF 9
615		-	THE ONLINE PRODUCT C OULD LEAD TO CHILDRE N EXPERIENCING OR BE ING 10
616		-	TARGETED BY HARMFUL , OR POTENTIALLY HARMF UL, CONTACTS ON THE ONLI NE 11
617		-	PRODUCT; 12
	609	+	(I) LEAD OR ENCOURAGE CHI LDREN TO PROVIDE PER SONAL 16
	610	+	INFORMATION BEYOND W HAT IS REASONABLY EX PECTED TO PROVIDE THE ONLINE 17
	611	+	PRODUCT; 18
618	612
619		-	(III) WHETHER THE DESIGN DATA MANAGEMENT PRAC TICES OF 13
620		-	THE ONLINE PRODUCT C OULD ALLOW CHILDREN TO WITNESS, PARTICIPATE IN, OR 14
621		-	BE SUBJECT TO HARMFU L OR POTENTIALLY HAR MFUL CONDUCT ON THE ONLINE 15
622		-	PRODUCT; 16
	613	+	(II) CIRCUMVENT PRIVACY PROTECTIONS ; OR 19
623	614
624		-	(IV) WHETHER THE DESIGN DATA MANAGEMENT PRAC TICES OF 17
625		-	THE ONLINE PRODUCT C OULD ALLOW CHILDREN TO BE PARTY TO OR BE EXPLOITED 18
626		-	BY A HARMFUL, OR POTENTIALLY HARMF UL, CONTACT CONTACTS ON THE ONLINE 19
627		-	PRODUCT; 20
	615	+	(III) TAKE ANY ACTION THAT THE BUSINESS KNOWS , OR HAS 20
	616	+	REASON TO KNOW , IS MATERIALLY DETRIM ENTAL TO THE CHILD ’S PHYSICAL 21
	617	+	HEALTH, MENTAL HEALTH , OR WELL–BEING; OR 22
628	618
629		-	(V) WHETHER ALGORITHMS US ED BY THE ONLINE PROD UCT 21
630		-	COULD HARM CHILDREN ; 22
	619	+	(8) USE ANY PERSONAL INFO RMATION COLLECTED TO ESTIMATE AGE 23
	620	+	OR AGE RANGE FOR ANY OTHER PURPOSE , RETAIN THE PERSONAL INF ORMATION 24
	621	+	LONGER THAN NECESSAR Y TO ESTIMATE AGE , OR ATTEMPT AGE ASSUR ANCE IN A 25
	622	+	WAY THAT IS DISPROPO RTIONATE TO THE RISK S AND DATA PRACTICE OF AN ONLINE 26
	623	+	PRODUCT. 27
631	624
632		-	(VI) (V) WHETHER TARGETED ADVE RTISING SYSTEMS USED 23
633		-	BY THE ONLINE PRODUC T COULD HARM CHILDRE N; 24
	625	+	14–4507. 28
634	626
635		-	(VII) (VI) WHETHER AND HOW THE O NLINE PRODUCT USES 25
636		-	SYSTEM DESIGN FEATUR ES TO INCREASE, SUSTAIN, OR EXTEND USE BY CHILDREN, 26
637		-	INCLUDING: 27
638		-
639		-	1. THE AUTOMATIC PLAYING OF MEDIA; 28
640		-
641		-	2. REWARDS FOR TIME SPEN T; AND 29
642		-
643		-	3. NOTIFICATIONS; AND 30
	627	+	(A) WITHIN 3 BUSINESS DAYS AFTER RECEIVING A WRITTEN REQUEST FROM 29
	628	+	THE ATTORNEY GENERAL, A BUSINESS THAT PROV IDES AN ONLINE PRODU CT 30
	629	+	LIKELY TO BE ACCESSE D BY CHILDREN SHALL PROVIDE TO THE ATTORNEY 31
	630	+	GENERAL A LIST OF ALL DATA PROTECTION IMPA CT ASSESSMENTS THE BUSINESS 32
	631	+	HAS COMPLETED UNDER § 14–4504 OF THIS SUBTITLE. 33
644	632		HOUSE BILL 901 15
645	633
646	634
647		-	(VIII) (VII) WHETHER, HOW, AND FOR WHAT PURPOSE THE 1
648		-	ONLINE PRODUCT COLLE CTS OR PROCESSES SEN SITIVE PERSONAL INFO RMATION 2
649		-	OF CHILDREN. 3
	635	+	(B) WITHIN 5 BUSINESS DAYS AFTER RECEIVING A WRITTEN REQUEST FROM 1
	636	+	THE ATTORNEY GENERAL, THE BUSINESS SHALL PROVIDE TO THE ATTORNEY 2
	637	+	GENERAL ANY DATA PROTECTION IMPA CT ASSESSMENT COMPLETED UNDER § 3
	638	+	14–4504 OF THIS SUBTITLE. 4
650	639
651		-	(D) ~~(1) A DATA PROTECTION IMPA CT ASSESSMENT PREPAR ED BY A 4~~
652		-	~~BUSINESS FOR THE PUR POSE~~ OF ~~COMPLIANCE W ITH ANY OTHER LAW CO MPLIES 5~~
653		-	~~WITH THIS SECTION IF~~ THE ~~ASSESSMENT MEETS THE REQUIREMENTS OF THIS 6~~
654		-	~~SECTION~~. 7
	640	+	(C) TO THE EXTENT THAT AN Y DISCLOSURE R EQUIRED UNDER SUBSECTION 5
	641	+	(B) OF THIS SECTION INCL UDES INFORMATION SUB JECT TO ATTORNEY –CLIENT 6
	642	+	PRIVILEGE OR WORK PR ODUCT PROTECTION , THE DISCLOSURE MAY NOT 7
	643	+	CONSTITUTE A WAIVER OF THAT PRIVILEGE OR PROTECTION. 8
655	644
656		-	(2) A SINGLE DATA PROTECTI ON IMPACT ASSE SSMENT MAY CONTAIN 8
657		-	MULTIPLE SIMILAR PRO CESSING OPERATIONS T HAT PRESENT SIMILAR RISKS, ONLY 9
658		-	IF EACH RELEVANT ONL INE PRODUCT IS ADDRE SSED ADDRESS A SET OF SIM ILAR 10
659		-	PROCESSING OPERATION S THAT PRESENT SIMIL AR RISKS PROVIDED NO 11
660		-	INDIVIDUAL RISKS ARE MINIMIZED. 12
	645	+	14–4508. 9
661	646
662		-	(E) A BUSINESS SHALL COMPL ETE A DATA PROTECTIO N IMPACT 13
663		-	ASSESSMENT ON OR BEF ORE JUNE 30, 2024 APRIL 1, 2025, FOR ANY ONLINE 14
664		-	PRODUCT OFFERED TO T HE PUBLIC THAT IS LI KELY TO BE ACCESSED BY CHILDREN 15
665		-	BEFORE THAT DATE . 16
	647	+	(A) THE ATTORNEY GENERAL MAY FILE A CIVIL ACTION IN A CO URT OF 10
	648	+	COMPETENT JURISDICTI ON AGAINST A BUSINES S THAT VIOLATES THIS SUBTITLE 11
	649	+	FOR RECOVERY OF A CI VIL PENALTY OR INJUN CTION OR BOTH . 12
666	650
667		-	14–4505. 14–4506. 17
	651	+	(B) A BUSINESS THAT VIOLAT ES THIS SUBTITLE SHA LL BE LIABLE FOR A 13
	652	+	CIVIL PENALTY OF NOT MORE THAN: 14
668	653
669		-	(A) A BUSINESS THAT PROVIDES AN ONLINE P RODUCT LIKELY TO BE 18
670		-	ACCESSED BY CHILDREN MAY NOT OFFER THE PR ODUCT TO THE PUBLIC BEFORE 19
671		-	COMPLETING A DATA PR OTECTION IMPACT ASSE SSMENT. 20
	654	+	(1) $2,500 PER AFFECTED CHILD F OR EACH NEGLIGENT VI OLATION; 15
	655	+	OR 16
672	656
673		-	(B) ~~A BUSINESS THAT COMPLE TES A DATA PROTECTIO N IMPACT 21~~
674		-	~~ASSESSMENT REQUIRED BY THIS SECTION SHAL L: 22~~
	657	+	(2) $7,500 PER AFFECTED CHILD F OR EACH INTENTIONAL 17
	658	+	VIOLATION. 18
675	659
676		-	(1) MAINTAIN DOCUMENTATIO N OF THE ASSESSMENT FOR AS LONG 23
677		-	AS THE ONLINE PRODUC T IS LIKELY TO BE AC CESSED BY CHILDREN ; 24
	660	+	(C) IN ADDITION TO A CIVIL PENALTY UNDER SUBSECTION (B) OF THIS 19
	661	+	SECTION, A BUSINESS THAT VIOL ATES THIS SUBTITLE I S SUBJECT TO INJUNCTION 20
	662	+	AND OTHER APPROPRIAT E RELIEF. 21
678	663
679		-	(2) REVIEW EACH DATA PROT ECTION IMPACT ASSESS MENT EVERY 2 25
680		-	YEARS; 26
	664	+	(D) CIVIL PENALTIES , FEES, AND EXPENSES RECOVER ED UNDER THIS 22
	665	+	SECTION SHALL BE DEPOSITED I N THE GENERAL FUND WITH THE INTENT THAT 23
	666	+	THEY BE USED TO FULL Y OFFSET COSTS INCUR RED BY THE ATTORNEY GENERAL IN 24
	667	+	CONNECTION WI TH THIS SUBTITLE. 25
681	668
682		-	(3) DOCUMENT ANY RISK OF MATERIAL DETRIMENT T O CHILDREN 27
683		-	THAT ARIS ES FROM THE DATA MAN AGEMENT PRACTICE OF THE BUSINESS 28
684		-	IDENTIFIED IN THE AS SESSMENT; 29
	669	+	14–4509. 26
685	670
686		-	(4) CREATE A PLAN TO MITI GATE OR ELIMINATE TH E RISK BEFORE 30
687		-	THE ONLINE PRODUCT I S MADE AVAILABLE TO CHILDREN; 31
	671	+	(A) IF A BUSINESS IS IN S UBSTANTIAL COMPLIANC E WITH THE 27
	672	+	REQUIREMENTS OF §§ 14–4504 THROUGH 14–4506 OF THIS SUBTITLE , THE 28
	673	+	ATTORNEY GENERAL SHALL PROVIDE WRITTEN NOTICE TO TH E BUSINESS BEFORE 29
	674	+	FILING AN ACTION UNDER § 14–4508 OF THIS SUBTITLE. 30
688	675		16 HOUSE BILL 901
689	676
690	677
691		-	(5) (I) ~~ESTIMATE THE AGE~~ OF ~~C HILD USERS WITH A RE ASONABLE~~ 1
692		-	~~LEVEL~~ OF ~~CERTAINTY A PPROPRIATE TO~~ THE ~~RI SKS THAT ARISE FROM THE DATA~~ 2
693		-	~~MANAGEMENT PRACTICES OF THE BUSINESS ;~~ OR 3
	678	+	(B) NOTICE GIVEN UNDER SUBSECTION (A) OF THIS SECTION SHALL 1
	679	+	IDENTIFY THE SPECIFI C PROVISIONS OF THIS SUBTITLE THAT THE ATTORNEY 2
	680	+	GENERAL ALLEGES HAVE BEEN OR ARE BEING VI OLATED. 3
694	681
695		-	(II) APPLY TO ALL CONSUMER S THE PRIVACY AND DA TA 4
696		-	PROTECTIONS AFFORDED TO CHILDREN; 5
	682	+	(C) A BUSINESS MAY NOT BE LIABLE FOR A CIVIL PENALTY FOR AN Y 4
	683	+	VIOLATION FOR WHICH NOTICE IS GIVEN UNDER SUBSECTION (A) OF THIS SECTION 5
	684	+	IF THE BUSINESS: 6
697	685
698		-	(6) CONFIGURE ALL DEFAULT PRIVACY SETTINGS PRO VIDED TO 6
699		-	CHILDREN BY THE ONLIN E PRODUCT TO OFFER A HIGH LEVEL OF PRIVAC Y, UNLESS 7
700		-	THE BUSINESS CAN DEM ONSTRATE A COMPELLIN G REASON THAT A DIFF ERENT 8
701		-	SETTING IS IN THE BE ST INTEREST OF CHILD REN; 9
	686	+	(1) CURES ANY VIOLATION S PECIFIED IN THE ATTORNEY GENERAL’S 7
	687	+	NOTICE WITHIN 90 DAYS AFTER RECEIVING NOTICE UNDER SUBSECTION (A) OF THIS 8
	688	+	SECTION; 9
702	689
703		-	(7) PROVIDE ANY PRIVACY I NFORMATION , TERMS OF SERVICE , 10
704		-	POLICIES, AND COMMUNITY STANDARDS CO NCISELY, PROMINENTLY , AND USING 11
705		-	CLEAR LANGUAGE SUITE D TO THE AGE OF CHIL DREN LIKELY TO ACCES S THE 12
706		-	ONLINE PRODUCT ; 13
	690	+	(2) PROVIDES THE ATTORNEY GENERAL WITH A WRITTE N 10
	691	+	STATEMENT THAT THE A LLEGED VIOLATIONS HA VE BEEN CURED ; AND 11
707	692
708		-	(8) PROVIDE AN OBVIOUS SI GNAL TO THE CHILD WH EN THE CHILD’S 14
709		-	LOCATION IS BEING MO NITORED OR TRACKED , IF THE ONLINE PRODU CT ALLOWS 15
710		-	THE CHILD’S PARENT, GUARDIAN, OR ANY OTHER CONSUME R TO TRACK THE CHILD ’S 16
711		-	LOCATION; 17
	693	+	(3) TAKES MEASURES TO PREVENT FUTURE VI OLATIONS THAT THE 12
	694	+	ATTORNEY GENERAL AGREES TO BE SUFFICIENT. 13
712	695
713		-	(9) ENFORCE PUBLISHED TER MS, POLICIES, AND COMMUNITY 18
714		-	STANDARDS ESTABLISHE D BY THE BUSINESS , INCLUDING PRIVACY PO LICIES, AND 19
715		-	THOSE REGARDING CHIL DREN; AND 20
	696	+	14–4510. 14
716	697
717		-	(10) PROVIDE PROMINENT , ACCESSIBLE, AND RESPONSIVE TOOLS TO 21
718		-	HELP CHILDREN OR THE IR PARENTS OR GUARDI ANS, IF APPLICABLE, EXERCISE 22
719		-	THEIR PRIVACY RIGHTS AND REPORT CONCERNS . 23
	698	+	NOTHING IN THIS SUBTI TLE MAY BE INTERPRETED TO PROVIDE A PRIVATE 15
	699	+	RIGHT OF ACTION UNDE R THIS SUBTITLE OR A NY OTHER LAW . 16
720	700
721		-	14–~~4506~~. ~~14–4507. 24~~
	701	+	14–4511. 17
722	702
723		-	A BUSINESS THAT PROVID ES AN ONLINE PRODUCT LIKELY TO BE ACCESSE D 25
724		-	BY CHILDREN MAY NOT : 26
	703	+	THE SHARING OF PERSONAL INFORMAT ION WITHIN A JOINT V ENTURE OR 18
	704	+	PARTNERSHIP IS SUBJECT TO THE RE QUIREMENTS OF THIS SUBTITLE AS THOUGH 19
	705	+	THE JOINT VENTURE OR PAR TNERSHIP DOES NOT EXIST. 20
725	706
726		-	(1) USE THE PERSONAL INFO RMATION OF A CHILD I N A WAY THAT 27
727		-	THE BUSINESS KNOWS , OR HAS REASON TO KNO W, IS MATERIALLY DETRIM ENTAL TO 28
728		-	THE PHYSICAL HEALTH , MENTAL HEALTH , OR WELL–BEING OF A CHILD; 29
	707	+	14–4512. 21
729	708
730		-	(2) PROFILE A CHILD BY DE FAULT, UNLESS: 30
	709	+	NOTWITHSTANDING ANY O THER LAW , A DATA PROTECTION IMPA CT 22
	710	+	ASSESSMENT IS PROTECTED AS CONF IDENTIAL AND SHALL B E EXEMPT FROM 23
	711	+	PUBLIC DISCLOSURE , INCLUDING UNDER THE MARYLAND PUBLIC INFORMATION 24
	712	+	ACT. 25
731	713
732		-	(I) THE BUSINESS CAN DEMO NSTRATE, TO THE ATTORNEY 31
733		-	GENERAL’S SATISFACTION, THAT THE BUSINESS HA S APPROPRIATE SAFEGU ARDS IN 32
734		-	PLACE TO PROTECT CHI LDREN; AND 33 HOUSE BILL 901 17
	714	+	14–4513. 26
735	715
	716	+	THIS SUBTITLE MAY BE CITED AS THE MARYLAND AGE–APPROPRIATE 27
	717	+	DESIGN CODE ACT. 28
736	718
737		-
738		-	(II) 1. PROFILING IS NECESSAR Y TO PROVIDE THE ONL INE 1
739		-	PRODUCT REQUEST , AND IS DONE ONLY WIT H RESPECT TO THE ASPECTS OF THE 2
740		-	ONLINE PRODUCT WITH WHICH THE CHILD IS A CTIVELY AND KNOWINGL Y ENGAGED; 3
741		-	OR 4
742		-
743		-	2. THE BUSINESS CAN DEMO NSTRATE A COMPELLING 5
744		-	REASON THAT PROFILIN G IS IN THE BEST INTERESTS OF CHILDREN ; 6
745		-
746		-	(3) COLLECT, SELL, SHARE, OR RETAIN ANY P ERSONAL 7
747		-	INFORMATION THAT IS UNNECESSARY TO PROVI DE AN ONLINE PRODUCT THAT A 8
748		-	CHILD IS ACTIVELY AN D KNOWINGLY ENGAGED WITH, UNLESS THE BUSINESS CAN 9
749		-	DEMONSTRATE A COMPEL LING REASON THAT THE COLLECTION, SALE, SHARING, OR 10
750		-	RETENTION OF THE PER SONAL INFORMATION I S IN THE BEST INTERE STS OF 11
751		-	CHILDREN LIKELY TO A CCESS THE ONLINE PRO DUCT; 12
752		-
753		-	(4) USE THE PERSONAL INFO RMATION OF A CHILD E ND–USER FOR 13
754		-	ANY REASON OTHER THA N THAT FOR WHICH THE PERSONAL INFORMATION WAS 14
755		-	COLLECTED, UNLESS THE BUSINESS CAN DEMONSTRATE A CO MPELLING REASON 15
756		-	THAT THE USE OF THE PERSONAL INFORMATION IS IN THE BEST INTER ESTS OF 16
757		-	CHILDREN LIKELY TO A CCESS THE ONLINE PRO DUCT; 17
758		-
759		-	(5) COLLECT, SELL, OR SHARE ANY PRECISE GEOLOCATION 18
760		-	INFORMATION OF CHILD REN BY DEFAULT , UNLESS THE COLLECTIO N OF THAT 19
761		-	INFORMATIO N IS STRICTLY NECESS ARY IN ORDER FOR THE BUSINESS TO PROVIDE 20
762		-	THE ONLINE PRODUCT R EQUESTED, AND THEN MAY ONLY DO SO FOR THE LIMITED 21
763		-	TIME THAT THE COLLEC TION OF PRECISE GEOL OCATION INFORMATION IS 22
764		-	NECESSARY TO PROVIDE THE ONLINE PRODUCT ; 23
765		-
766		-	(6) COLLECT ANY PR ECISE GEOLOCATION IN FORMATION OF A CHILD 24
767		-	WITHOUT PROVIDING AN OBVIOUS SIGN TO THE CHILD FOR THE DURATI ON THAT 25
768		-	THE PRECISE GEOLOCAT ION INFORMATION IS B EING COLLECTED ; 26
769		-
770		-	(7) USE DARK PATTERNS TO : 27
771		-
772		-	(I) LEAD OR ENCOURAGE CHI LDREN TO PROVIDE PER SONAL 28
773		-	INFORMATION BEYOND WHAT IS REASONABLY EXPECTED TO PROVIDE THE ONLIN E 29
774		-	PRODUCT; 30
775		-
776		-	(II) CIRCUMVENT PRIVACY PR OTECTIONS; OR 31
777		-
778		-	(III) TAKE ANY ACTION THAT THE BUSINESS KNOWS , OR HAS 32
779		-	REASON TO KNOW , IS MATERIALLY DETRIM ENTAL TO THE CHILD ’S PHYSICAL 33
780		-	HEALTH, MENTAL HEALTH, OR WELL–BEING; OR 34 18 HOUSE BILL 901
781		-
782		-
783		-
784		-	(8) USE ANY PERSONAL INFO RMATION COLLECTED TO ESTIMATE AGE 1
785		-	OR AGE RANGE FOR ANY OTHER PURPOSE , RETAIN THE PERSONAL INFORMATION 2
786		-	LONGER THAN NECESSAR Y TO ESTIMATE AGE , OR ATTEMPT AGE ASSUR ANCE IN A 3
787		-	WAY THAT IS DISPROPO RTIONATE TO THE RISKS AND DATA P RACTICE OF AN ONLINE 4
788		-	PRODUCT. 5
789		-
790		-	14–4507. 14–4508. 6
791		-
792		-	(A) WITHIN 3 BUSINESS DAYS AFTER RECEIVING A WRITTEN REQUEST FROM 7
793		-	THE ATTORNEY GENERAL DIVISION, A BUSINESS THAT PROV IDES AN ONLINE 8
794		-	PRODUCT LIKELY TO BE ACCESSED BY CHILDREN SHALL PROV IDE TO THE 9
795		-	ATTORNEY GENERAL DIVISION A LIST OF ALL DATA P ROTECTION IMPACT 10
796		-	ASSESSMENTS THE BUSI NESS HAS COMPLETED U NDER § 14–4504 14–4505 OF THIS 11
797		-	SUBTITLE. 12
798		-
799		-	(B) WITHIN 5 BUSINESS DAYS AFTER RECEIVING A WRITTEN REQUEST FROM 13
800		-	THE ATTORNEY GENERAL DIVISION, THE BUSINESS SHALL P ROVIDE TO THE 14
801		-	ATTORNEY GENERAL DIVISION ANY DATA PROTECTION IMPACT ASSESSMENT 15
802		-	COMPLETED UNDER § 14–4504 OF THIS SUBTITLE. 16
803		-
804		-	(C) TO THE EXTENT THAT AN Y DISCLOSURE REQUIRE D UNDER SUBSECTION 17
805		-	(B) OF THIS SECTION INCL UDES INFORMATION SUB JECT TO ATTORNEY –CLIENT 18
806		-	PRIVILEGE OR WORK PR ODUCT PROTECTION , THE DISCLOSURE MAY N OT 19
807		-	CONSTITUTE A WAIVER OF THAT PRIVILEGE OR PROTECTION. 20
808		-
809		-	14–4508. 14–4509. 21
810		-
811		-	(A) THE ATTORNEY GENERAL MAY FILE A CI VIL ACTION IN A COUR T OF 22
812		-	COMPETENT JURISDICTI ON AGAINST A BUSINESS THAT VIOLAT ES THIS SUBTITLE 23
813		-	FOR RECOVERY OF A CI VIL PENALTY OR INJUN CTION OR BOTH A VIOLATION OF THIS 24
814		-	SUBTITLE: 25
815		-
816		-	(1) IS AN UNFAIR, ABUSIVE, OR DECEPTIVE TRADE P RACTICE; AND 26
817		-
818		-	(2) EXCEPT FOR § 13–410 OF THIS ARTICLE , IS SUBJECT TO THE 27
819		-	ENFORCEMENT PROVISIO NS CONTAINED IN TITLE 13 OF THIS ARTICLE. 28
820		-
821		-	(B) A BUSINESS THAT VIOLAT ES THIS SUBTITLE SHALL BE LIABLE FOR A 29
822		-	CIVIL PENALTY OF NOT MORE THAN IS SUBJECT TO A CIVI L PENALTY NOT 30
823		-	EXCEEDING: 31
824		-
825		-	(1) $2,500 PER AFFECTED CHILD F OR EACH NEGLIGENT VIOLATION; 32
826		-	OR 33 HOUSE BILL 901 19
827		-
828		-
829		-
830		-	(2) $7,500 PER AFFECTED CHILD F OR EACH INTENTIONAL 1
831		-	VIOLATION. 2
832		-
833		-	(C) IN ADDITION TO A CIVI L PENALTY UNDER SUBS ECTION (B) OF THIS 3
834		-	SECTION, A BUSINESS THAT VIOL ATES THIS SUBTITLE I S SUBJECT TO INJUNCT ION 4
835		-	AND OTHER APPROPRIAT E RELIEF. 5
836		-
837		-	(D) (C) CIVIL PENALTIES, FEES, AND EXPENSES RECOVER ED UNDER THIS 6
838		-	SECTION SHALL BE DEP OSITED IN THE COMMISSIONER SHALL PA Y ALL FINES, 7
839		-	PENALTIES, AND EXPENSES COLLECT ED BY THE COMMISSIONER UNDER TH IS 8
840		-	SUBSECTION INTO THE GENERAL FUND WITH THE INTENT THAT THEY FINES, 9
841		-	PENALTIES, AND EXPENSES BE USED TO FULLY OFF SET ANY COSTS INCURRED BY 10
842		-	THE ATTORNEY GENERAL IN CONNECTION WITH THIS SUBTITLE . 11
843		-
844		-	14–4509. 14–4510. 12
845		-
846		-	(A) IF A BUSINESS IS IN S UBSTANTIAL COMPLIANC E WITH THE 13
847		-	REQUIREMENTS OF §§ 14–4504 14–4505 THROUGH 14–4506 14–4507 OF THIS 14
848		-	SUBTITLE, THE ATTORNEY GENERAL DIVISION SHALL PROVIDE WRITTE N NOTICE 15
849		-	TO THE BUSINESS BEFO RE FILING AN ACTION UNDER § 14–4508 14–4509 OF THIS 16
850		-	SUBTITLE. 17
851		-
852		-	(B) NOTICE GIVEN UNDER SU BSECTION (A) OF THIS SECTION SHAL L 18
853		-	IDENTIFY THE SPECIFI C PROVISIONS OF THIS SUBTITLE THAT THE ATTORNEY 19
854		-	GENERAL DIVISION ALLEGES HAVE BEEN OR ARE BEING VIOLATED . 20
855		-
856		-	(C) A BUSINESS MAY NOT BE LIABLE FOR A CIVIL P ENALTY FOR ANY 21
857		-	VIOLATION FOR WHICH NOTICE IS G IVEN UNDER SUBSECTIO N (A) OF THIS SECTION 22
858		-	IF THE BUSINESS: 23
859		-
860		-	(1) CURES ANY VIOLATION S PECIFIED IN THE ATTORNEY GENERAL’S 24
861		-	DIVISION’S NOTICE WITHIN 90 DAYS AFTER RECEIVING NOTICE UNDER SUBSECT ION 25
862		-	(A) OF THIS SECTION; 26
863		-
864		-	(2) PROVIDES THE ATTORNEY GENERAL DIVISION WITH A WRITTEN 27
865		-	STATEMENT THAT THE A LLEGED VIOLATIONS HA VE BEEN CURED ; AND 28
866		-
867		-	(3) TAKES MEASURES TO PRE VENT FUTURE VIOLATIO NS THAT THE 29
868		-	ATTORNEY GENERAL DIVISION AGREES TO BE SUFFICI ENT. 30
869		-
870		-	14–4510. 14–4511. 31
871		-	20 HOUSE BILL 901
872		-
873		-
874		-	NOTHING IN THIS SUBTI TLE MAY BE INTERPRETED T O PROVIDE A PRIVATE 1
875		-	RIGHT OF ACTION UNDE R THIS SUBTITLE OR A NY OTHER LAW . 2
876		-
877		-	14–4511. 3
878		-
879		-	THE SHARING OF PERSON AL INFORMATION WITHI N A JOINT VENTURE OR 4
880		-	PARTNERSHIP IS SUBJE CT TO THE REQUIREMEN TS OF THIS SUBTITLE AS THOUGH 5
881		-	THE JOINT VENTURE OR PARTNERSHIP DOES NOT EXIST. 6
882		-
883		-	14–4512. 7
884		-
885		-	NOTWITHSTANDING ANY O THER LAW , A DATA PROTECTION IM PACT 8
886		-	ASSESSMENT IS PROTEC TED AS CONFIDENTIAL AND SHALL BE EXEMPT FROM 9
887		-	PUBLIC DISCLOSURE , INCLUDING UNDER THE MARYLAND PUBLIC INFORMATION 10
888		-	ACT. 11
889		-
890		-	14–4513. 12
891		-
892		-	THIS SUBTITLE MAY BE CITE D AS THE MARYLAND AGE–APPROPRIATE 13
893		-	DESIGN CODE ACT. 14
894		-
895		-	SECTION 2. AND BE IT FURTHER ENACTED, That this Act shall take effect 15
896		-	October 1, 2023. 16
897		-
898		-
899		-
900		-
901		-	Approved:
902		-	________________________________________________________________________________
903		-	Governor.
904		-	________________________________________________________________________________
905		-	Speaker of the House of Delegates.
906		-	________________________________________________________________________________
907		-	President of the Senate.
	719	+	SECTION 2. AND BE IT FURTHER ENACTED, That this Act shall take effect 29
	720	+	October 1, 2023. 30