EXPLANATION: CAPITALS INDICATE MATTER ADDED TO EXISTING LAW. [Brackets] indicate matter deleted from existing law.

SENATE BILL 844
I3, S1 3lr1979
CF HB 901
By: Senators Kramer and West
Introduced and read first time: February 6, 2023
Assigned to: Finance

A BILL ENTITLED

AN ACT concerning

Consumer Protection – Online Products and Services – Children’s Data

FOR the purpose of requiring a business that offers an online product likely to be accessed by children to complete a certain data protection impact assessment under certain circumstances; prohibiting a business from offering a certain online product before completing a data protection impact assessment; requiring businesses to document certain risks associated with certain online products; requiring certain privacy protections for certain online products; prohibiting certain data collection and sharing practices; providing certain exemptions; and generally relating to the protection of online privacy of children.

BY adding to
Article – Commercial Law
Section 14–4501 through 14–4513 to be under the new subtitle “Subtitle 45. Maryland Age–Appropriate Design Code Act”
Annotated Code of Maryland
(2013 Replacement Volume and 2022 Supplement)

Preamble

WHEREAS, The United Nations Convention on the Rights of the Child recognizes that children need special safeguards and care in all aspects of their lives, specifying how children’s rights apply in the digital environment in General Comment No.
25; and

WHEREAS, As children spend more of their time interacting with the online world, the impact of the design of online products on their well–being has become a focus of significant concern; and

WHEREAS, There is widespread agreement at the international level, and bipartisan agreement in the United States, that more needs to be done to create a safer online space for children to learn, explore, and play; and

WHEREAS, Lawmakers around the globe have taken steps to enhance privacy protections for children based on the understanding that, in relation to data protection, greater privacy necessarily means greater security and well–being; and

WHEREAS, Children should be afforded protections not only by online products and services specifically directed at them, but by all online products they are likely to access, and thus businesses should take into account the unique needs of different age ranges, including the following developmental stages: 0 to 5 years of age, or “preliterate and early literacy”; 6 to 9 years of age, or “core primary school years”; 10 to 12 years of age, or “transition years”; 13 to 15 years of age, or “early teens”; and 16 to 17 years of age, or “approaching adulthood”; and

WHEREAS, While it is clear that the same data protection regime may not be appropriate for children of all ages, children of all ages should nonetheless be afforded privacy and protection, and online products should adopt data protection regimes appropriate for children of the ages likely to access those products; and

WHEREAS, According to the Pew Research Center, in 2022, 97% of American teenagers aged 13–17 used the Internet every day, with 46% responding they used the Internet almost constantly; and, additionally, 36% of teens reported being concerned about their social media use, while an earlier Pew Research Center study found that 59% of teens have been bullied or harassed online;
and

WHEREAS, The findings of the Pew Research Center are not surprising, given what is known about controllers’ use of personal data and how it is utilized to inform manipulative practices, to which children are particularly vulnerable; and

WHEREAS, Online products that are likely to be accessed by children should offer strong privacy protections by design and by default, including by disabling features that profile children using their previous behavior, browsing history, or assumptions of their similarity to other children in order to offer them detrimental material; and

WHEREAS, Ensuring robust privacy, and thus safety, protections for children by design is consistent with federal safety laws and policies applied to children’s products, regulating everything from toys to clothing to furniture and games; and

WHEREAS, The consumer protections that federal safety laws apply to children’s products require these products to comply with certain safety standards by their very design, so that harms to children, and in some cases other consumers, are prevented; and

WHEREAS, It is the intent of the Maryland General Assembly that the Maryland Age–Appropriate Design Code Act promote innovation by businesses whose online products are likely to be accessed by children by ensuring that those online products are designed in a manner that recognizes the distinct needs of children within different age ranges; and

WHEREAS, It is the intent of the Maryland General Assembly that businesses covered by the Maryland Age–Appropriate Design Code Act may look to guidance and innovation in response to the Age–Appropriate Design Code established in the United Kingdom and California when developing online products that are likely to be accessed by children; now, therefore,

SECTION 1.
BE IT ENACTED BY THE GENERAL ASSEMBLY OF MARYLAND, That the Laws of Maryland read as follows:

Article – Commercial Law

SUBTITLE 45. MARYLAND AGE–APPROPRIATE DESIGN CODE ACT.

14–4501.

(A) IN THIS SUBTITLE THE FOLLOWING WORDS HAVE THE MEANINGS INDICATED.

(B) (1) “AGGREGATE CONSUMER INFORMATION” MEANS INFORMATION:

(I) THAT RELATES TO A GROUP OR CATEGORY OF CONSUMERS;

(II) FROM WHICH INDIVIDUAL CONSUMER IDENTITIES HAVE BEEN REMOVED; AND

(III) THAT IS NOT LINKED OR REASONABLY LINKABLE TO ANY CONSUMER OR HOUSEHOLD, INCLUDING BY A DEVICE.

(2) “AGGREGATE CONSUMER INFORMATION” DOES NOT INCLUDE INDIVIDUAL CONSUMER RECORDS THAT HAVE BEEN DEIDENTIFIED.

(C) (1) “BUSINESS” MEANS A SOLE PROPRIETORSHIP, LIMITED LIABILITY COMPANY, CORPORATION, ASSOCIATION, OR OTHER LEGAL ENTITY THAT:

(I) IS ORGANIZED OR OPERATED FOR THE PROFIT OR FINANCIAL BENEFIT OF ITS SHAREHOLDERS OR OTHER OWNERS;

(II) COLLECTS CONSUMERS’ PERSONAL INFORMATION, OR ON THE BEHALF OF WHICH ANOTHER COLLECTS CONSUMERS’ PERSONAL INFORMATION;

(III) ALONE, OR JOINTLY WITH ITS AFFILIATES OR SUBSIDIARIES, DETERMINES THE PURPOSES AND MEANS OF THE PROCESSING OF CONSUMERS’ PERSONAL INFORMATION;

(IV) DOES BUSINESS IN THE STATE; AND

(V) SATISFIES AT LEAST ONE OF THE FOLLOWING CRITERIA:

1. THE BUSINESS HAS ANNUAL GROSS REVENUES IN EXCESS OF $25,000,000, ADJUSTED EVERY ODD–NUMBERED YEAR TO REFLECT ADJUSTMENTS IN THE CONSUMER PRICE INDEX;

2. THE BUSINESS ANNUALLY BUYS, RECEIVES, SELLS, OR SHARES THE PERSONAL INFORMATION OF 50,000 OR MORE CONSUMERS, HOUSEHOLDS, OR DEVICES, ALONE OR IN COMBINATION WITH ITS AFFILIATES OR SUBSIDIARIES, AND FOR THE BUSINESS’S COMMERCIAL PURPOSES; OR

3. THE BUSINESS DERIVES AT LEAST 50% OF ITS ANNUAL REVENUES FROM THE SALE OF CONSUMERS’ PERSONAL INFORMATION.

(2) “BUSINESS” INCLUDES:

(I) AN ENTITY THAT CONTROLS OR IS CONTROLLED BY A BUSINESS AND THAT SHARES COMMON BRANDING WITH THAT BUSINESS; AND

(II) A JOINT VENTURE OR PARTNERSHIP COMPOSED OF BUSINESSES IN WHICH EACH HAS AT LEAST A 40% INTEREST IN THE JOINT VENTURE OR PARTNERSHIP.

(D) “CHILD” MEANS A CONSUMER THAT IS UNDER THE AGE OF 18 YEARS.

(E) “COLLECT” MEANS TO ACTIVELY OR PASSIVELY BUY, RENT, GATHER, OBTAIN, RECEIVE, OR ACCESS ANY PERSONAL INFORMATION PERTAINING TO A CONSUMER OR OBSERVE A CONSUMER’S BEHAVIOR, BY ANY MEANS.

(F) “COMMON BRANDING” MEANS A SHARED NAME, SERVICE MARK, OR TRADEMARK THAT WOULD CAUSE A REASONABLE CONSUMER TO UNDERSTAND THAT TWO OR MORE ENTITIES ARE COMMONLY OWNED.

(G) “CONSUMER” MEANS AN INDIVIDUAL WHO IS A RESIDENT OF THE STATE, HOWEVER IDENTIFIED, INCLUDING BY ANY UNIQUE IDENTIFIER.

(H) “CONTROL” MEANS:

(1) OWNERSHIP OF OR THE POWER TO VOTE MORE THAN 50% OF THE OUTSTANDING SHARES OF ANY CLASS OF VOTING SECURITY OF A BUSINESS;

(2) ANY MANNER OF CONTROL OVER THE ELECTION OF A MAJORITY OF THE DIRECTORS OF A BUSINESS, OR INDIVIDUALS EXERCISING SIMILAR FUNCTIONS; OR

(3) THE POWER TO EXERCISE A CONTROLLING INFLUENCE OVER THE MANAGEMENT OF A BUSINESS.

(I) “DARK PATTERN” MEANS A USER INTERFACE DESIGNED OR MANIPULATED WITH THE SUBSTANTIAL EFFECT OF SUBVERTING OR IMPAIRING USER AUTONOMY, DECISION MAKING, OR CHOICE.

(J) “DATA PROTECTION IMPACT ASSESSMENT” OR “ASSESSMENT” MEANS A SYSTEMATIC SURVEY TO ASSESS AND MITIGATE RISKS TO CHILDREN WHO ARE REASONABLY LIKELY TO ACCESS THE ONLINE PRODUCT AT ISSUE THAT ARISE FROM THE DATA MANAGEMENT PRACTICES OF THE BUSINESS AND THE PROVISION OF THE ONLINE PRODUCT.

(K) “DEFAULT” MEANS A PRESELECTED OPTION ADOPTED BY THE BUSINESS FOR AN ONLINE PRODUCT.

(L) “DEIDENTIFIED INFORMATION” MEANS INFORMATION THAT CANNOT BE USED TO REASONABLY INFER INFORMATION ABOUT, OR OTHERWISE BE LINKED TO, A PARTICULAR CONSUMER, IF THE BUSINESS THAT POSSESSES THE INFORMATION:

(1) TAKES REASONABLE MEASURES TO ENSURE THAT THE INFORMATION CANNOT BE ASSOCIATED WITH A CONSUMER OR HOUSEHOLD;

(2) COMMITS IN PUBLICLY AVAILABLE TERMS AND CONDITIONS OR IN A PUBLICLY AVAILABLE PRIVACY POLICY TO:

(I) MAINTAIN AND USE THE INFORMATION IN DEIDENTIFIED FORM; AND

(II) NOT ATTEMPT TO REIDENTIFY THE INFORMATION, EXCEPT FOR THE SOLE PURPOSE OF DETERMINING WHETHER THE BUSINESS’S DEIDENTIFICATION PROCESS SATISFIES THE REQUIREMENTS OF THIS SUBSECTION; AND

(3) CONTRACTUALLY OBLIGATES ANY RECIPIENTS OF THE INFORMATION TO COMPLY WITH ALL PROVISIONS OF THIS SUBSECTION.

(M) “LIKELY TO BE ACCESSED BY CHILDREN” MEANS REASONABLY EXPECTED THAT THE ONLINE SERVICE, PRODUCT, OR FEATURE WOULD BE ACCESSED BY CHILDREN, BASED ON SATISFYING ANY OF THE FOLLOWING CRITERIA:

(1) THE ONLINE PRODUCT IS DIRECTED TO CHILDREN AS DEFINED IN THE FEDERAL CHILDREN’S ONLINE PRIVACY PROTECTION ACT;

(2) THE ONLINE PRODUCT IS DETERMINED, BASED ON COMPETENT AND RELIABLE EVIDENCE REGARDING AUDIENCE COMPOSITION, TO BE ROUTINELY ACCESSED BY A SIGNIFICANT NUMBER OF CHILDREN;

(3) THE ONLINE PRODUCT IS SUBSTANTIALLY SIMILAR OR THE SAME AS AN ONLINE PRODUCT THAT SATISFIES ITEM (2) OF THIS SUBSECTION;

(4) THE ONLINE PRODUCT FEATURES ADVERTISEMENTS MARKETED TO CHILDREN;

(5) THE ONLINE PRODUCT HAS DESIGN ELEMENTS THAT ARE KNOWN TO BE OF INTEREST TO CHILDREN, SUCH AS GAMES, CARTOONS, MUSIC, AND CELEBRITIES WHO APPEAL TO CHILDREN; OR

(6) THE BUSINESS KNOWS, BASED ON INTERNAL RESEARCH, THAT A SIGNIFICANT AMOUNT OF THE ONLINE PRODUCT’S AUDIENCE IS CHILDREN.

(N) (1) “ONLINE PRODUCT” MEANS AN ONLINE SERVICE, PRODUCT, OR FEATURE.

(2) “ONLINE PRODUCT” DOES NOT INCLUDE:

(I) A TELECOMMUNICATIONS SERVICE, AS DEFINED IN 47 U.S.C. § 153; OR

(II) THE DELIVERY OR USE OF A PHYSICAL PRODUCT SOLD BY AN ONLINE RETAILER.

(O) (1) “PERSONAL INFORMATION” MEANS INFORMATION THAT IDENTIFIES, RELATES TO, DESCRIBES, IS REASONABLY CAPABLE OF BEING ASSOCIATED WITH, OR COULD REASONABLY BE LINKED, DIRECTLY OR INDIRECTLY, WITH A PARTICULAR CONSUMER OR HOUSEHOLD.

(2) “PERSONAL INFORMATION” DOES NOT INCLUDE:

(I) PUBLICLY AVAILABLE INFORMATION OR LAWFULLY OBTAINED, TRUTHFUL INFORMATION THAT IS OF PUBLIC CONCERN; OR

(II) CONSUMER INFORMATION THAT IS DEIDENTIFIED OR AGGREGATE CONSUMER INFORMATION.

(P) “PRECISE GEOLOCATION” MEANS ANY DATA THAT IS:

(1) DERIVED FROM A DEVICE; AND

(2) USED OR INTENDED TO BE USED TO LOCATE A CONSUMER WITHIN A GEOGRAPHIC AREA THAT IS LESS THAN OR EQUAL TO THE AREA OF A CIRCLE WITH A RADIUS OF 1,850 FEET.

(Q) (1) “PROFILING” MEANS ANY FORM OF AUTOMATED PROCESSING OF PERSONAL INFORMATION THAT USES PERSONAL INFORMATION TO EVALUATE CERTAIN ASPECTS RELATING TO AN INDIVIDUAL.

(2) “PROFILING” INCLUDES ANALYZING OR PREDICTING ASPECTS CONCERNING AN INDIVIDUAL’S PERFORMANCE AT WORK, ECONOMIC SITUATION, HEALTH, PERSONAL PREFERENCES, INTERESTS, RELIABILITY, BEHAVIOR, LOCATION, OR MOVEMENTS.

(R) (1) “PUBLICLY AVAILABLE INFORMATION” MEANS INFORMATION THAT:

(I) IS LAWFULLY MADE AVAILABLE FROM FEDERAL, STATE, OR LOCAL GOVERNMENT RECORDS; OR

(II) A BUSINESS HAS A REASONABLE BASIS TO BELIEVE IS LAWFULLY MADE AVAILABLE TO THE GENERAL PUBLIC BY THE CONSUMER OR BY WIDELY DISTRIBUTED MEDIA.

(2) “PUBLICLY AVAILABLE INFORMATION” DOES NOT INCLUDE BIOMETRIC INFORMATION COLLECTED BY A BUSINESS ABOUT A CONSUMER WITHOUT THE CONSUMER’S KNOWLEDGE.

(S) “SELL” MEANS TO TRANSFER, RENT, RELEASE, DISCLOSE, DISSEMINATE, MAKE AVAILABLE, OR OTHERWISE COMMUNICATE, WHETHER ORALLY, IN WRITING, OR BY ELECTRONIC OR OTHER MEANS, A CONSUMER’S PERSONAL INFORMATION BY THE BUSINESS TO A THIRD PARTY FOR MONETARY OR OTHER VALUABLE CONSIDERATION.

(T) (1) “SENSITIVE PERSONAL INFORMATION” MEANS:

(I) PERSONAL INFORMATION THAT REVEALS A CONSUMER’S:

1. SOCIAL SECURITY NUMBER, DRIVER’S LICENSE NUMBER, STATE IDENTIFICATION CARD NUMBER, OR PASSPORT NUMBER;

2. ACCOUNT LOGIN INFORMATION, FINANCIAL ACCOUNT NUMBER, DEBIT CARD NUMBER, OR CREDIT CARD NUMBER, IN COMBINATION WITH ANY REQUIRED SECURITY OR ACCESS CODE, PASSWORD, OR CREDENTIALS THAT ALLOW ACCESS TO AN ACCOUNT;

3. PRECISE GEOLOCATION;

4. RACIAL OR ETHNIC ORIGIN OR RELIGIOUS OR PHILOSOPHICAL BELIEFS;

5. UNION MEMBERSHIP STATUS;

6. MAIL, E–MAIL, TEXT, OR MESSAGE CONTENTS, UNLESS THE BUSINESS IS THE INTENDED RECIPIENT; OR

7. GENETIC DATA;

(II) BIOMETRIC INFORMATION THAT IS OR MAY BE PROCESSED FOR THE PURPOSE OF UNIQUELY IDENTIFYING A CONSUMER;

(III) PERSONAL INFORMATION COLLECTED AND ANALYZED CONCERNING A CONSUMER’S HEALTH; OR

(IV) PERSONAL INFORMATION COLLECTED AND ANALYZED CONCERNING A CONSUMER’S SEX LIFE OR SEXUAL ORIENTATION.

(2) “SENSITIVE PERSONAL INFORMATION” DOES NOT INCLUDE PUBLICLY AVAILABLE INFORMATION.

(U) “SHARE” MEANS TO RENT, RELEASE, DISCLOSE, DISSEMINATE, MAKE AVAILABLE, TRANSFER, OR OTHERWISE COMMUNICATE, WHETHER ORALLY, IN WRITING, OR BY ELECTRONIC OR OTHER MEANS, A CONSUMER’S PERSONAL INFORMATION TO A THIRD PARTY FOR CROSS–CONTEXT BEHAVIORAL ADVERTISING WHETHER OR NOT FOR MONETARY OR OTHER VALUABLE CONSIDERATION, INCLUDING IN A TRANSACTION BETWEEN A BUSINESS AND A THIRD PARTY FOR CROSS–CONTEXT BEHAVIORAL ADVERTISING FOR THE BENEFIT OF A BUSINESS IN WHICH NO MONEY IS EXCHANGED.

(V) “THIRD PARTY” MEANS A PERSON WHO IS NOT:

(1) THE BUSINESS WITH WHICH THE CONSUMER INTENTIONALLY INTERACTS AND THAT COLLECTS PERSONAL INFORMATION FROM THE CONSUMER AS PART OF THE CONSUMER’S INTERACTION WITH THE BUSINESS; OR

(2) A SERVICE PROVIDER FOR THE BUSINESS.

14–4502.

THIS SUBTITLE DOES NOT APPLY TO:

(1) PROTECTED HEALTH INFORMATION THAT IS COLLECTED BY A COVERED ENTITY OR BUSINESS ASSOCIATION GOVERNED BY THE PRIVACY SECURITY AND BREACH NOTIFICATION RULES IN 45 C.F.R. PARTS 160 AND 164, ESTABLISHED UNDER THE FEDERAL HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 AND THE FEDERAL HEALTH INFORMATION TECHNOLOGY FOR ECONOMIC AND CLINICAL HEALTH ACT;

(2) A HEALTH PROVIDER OR COVERED ENTITY GOVERNED BY THE PRIVACY SECURITY AND BREACH NOTIFICATION RULES IN 45 C.F.R. PARTS 160 AND 164, ESTABLISHED UNDER THE FEDERAL HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 AND THE FEDERAL HEALTH INFORMATION TECHNOLOGY FOR ECONOMIC AND CLINICAL HEALTH ACT, TO THE EXTENT THAT THE PROVIDER OR COVERED ENTITY MAINTAINS PATIENT INFORMATION IN THE SAME MANNER AS MEDICAL INFORMATION OR PROTECTED HEALTH INFORMATION AS DESCRIBED IN ITEM (1) OF THIS SECTION; OR

(3) INFORMATION COLLECTED AS PART OF A CLINICAL TRIAL SUBJECT TO THE FEDERAL POLICY FOR THE PROTECTION OF HUMAN SUBJECTS, IN ACCORDANCE WITH:

(I) GOOD CLINICAL PRACTICE GUIDELINES ISSUED BY THE INTERNATIONAL COUNCIL FOR HARMONISATION OF TECHNICAL REQUIREMENTS FOR PHARMACEUTICALS FOR HUMAN USE; OR

(II) HUMAN SUBJECT PROTECTION REQUIREMENTS OF THE U.S. FOOD AND DRUG ADMINISTRATION.

14–4503.

IT IS THE INTENT OF THE GENERAL ASSEMBLY THAT:

(1) CHILDREN SHOULD BE AFFORDED PROTECTIONS NOT ONLY BY ONLINE PRODUCTS SPECIFICALLY DIRECTED AT THEM, BUT BY ALL ONLINE PRODUCTS THEY ARE LIKELY TO ACCESS;

(2) BUSINESSES THAT DEVELOP AND PROVIDE ONLINE SERVICES THAT CHILDREN ARE LIKELY TO ACCESS SHOULD CONSIDER THE BEST INTERESTS OF CHILDREN WHEN DESIGNING, DEVELOPING, AND PROVIDING THOSE ONLINE PRODUCTS; AND

(3) IF A CONFLICT ARISES BETWEEN COMMERCIAL INTERESTS AND THE BEST INTERESTS OF CHILDREN, COMPANIES THAT DEVELOP ONLINE PRODUCTS LIKELY TO BE ACCESSED BY CHILDREN SHALL GIVE PRIORITY TO THE PRIVACY, SAFETY, AND WELL–BEING OF CHILDREN OVER THOSE COMMERCIAL INTERESTS.

14–4504.

(A) THIS SECTION APPLIES ONLY TO AN ONLINE PRODUCT THAT IS OFFERED TO THE PUBLIC ON OR AFTER JULY 1, 2024.

(B) A BUSINESS THAT PROVIDES AN ONLINE PRODUCT LIKELY TO BE ACCESSED BY CHILDREN SHALL PREPARE A DATA PROTECTION IMPACT ASSESSMENT FOR THE ONLINE PRODUCT.

(C) THE DATA PROTECTION IMPACT ASSESSMENT SHALL:

(1) IDENTIFY THE PURPOSE OF THE ONLINE PRODUCT;

(2) IDENTIFY HOW THE ONLINE PRODUCT USES CHILDREN’S PERSONAL INFORMATION;

(3) IDENTIFY THE RISKS OF MATERIAL DETRIMENT TO CHILDREN THAT ARISE FROM THE DATA MANAGEMENT PRACTICES OF THE BUSINESS; AND

(4) ADDRESS, TO THE EXTENT APPLICABLE:

(I) WHETHER THE DESIGN OF THE ONLINE PRODUCT COULD HARM CHILDREN, INCLUDING BY EXPOSING THEM TO HARMFUL OR POTENTIALLY HARMFUL CONTENT ON THE ONLINE PRODUCT;

(II) WHETHER THE DESIGN OF THE ONLINE PRODUCT COULD LEAD TO CHILDREN EXPERIENCING OR BEING TARGETED BY HARMFUL, OR POTENTIALLY HARMFUL, CONTACTS ON THE ONLINE PRODUCT;

(III) WHETHER THE DESIGN OF THE ONLINE PRODUCT COULD ALLOW CHILDREN TO WITNESS, PARTICIPATE IN, OR BE SUBJECT TO HARMFUL OR POTENTIALLY HARMFUL CONDUCT ON THE ONLINE PRODUCT;

(IV) WHETHER THE DESIGN OF THE ONLINE PRODUCT COULD ALLOW CHILDREN TO BE PARTY TO OR BE EXPLOITED BY A HARMFUL, OR POTENTIALLY HARMFUL, CONTACT ON THE ONLINE PRODUCT;

(V) WHETHER ALGORITHMS USED BY THE ONLINE PRODUCT COULD HARM CHILDREN;

(VI) WHETHER TARGETED ADVERTISING SYSTEMS USED BY THE ONLINE PRODUCT COULD HARM CHILDREN;

(VII) WHETHER AND HOW THE ONLINE PRODUCT USES SYSTEM DESIGN FEATURES TO INCREASE, SUSTAIN, OR EXTEND USE BY CHILDREN, INCLUDING:

1. THE AUTOMATIC PLAYING OF MEDIA;

2. REWARDS FOR TIME SPENT; AND

3. NOTIFICATIONS; AND

(VIII) WHETHER, HOW, AND FOR WHAT PURPOSE THE ONLINE PRODUCT COLLECTS OR PROCESSES SENSITIVE PERSONAL INFORMATION OF CHILDREN.

(D) (1) A DATA PROTECTION IMPACT ASSESSMENT PREPARED BY A BUSINESS FOR THE PURPOSE OF COMPLIANCE WITH ANY OTHER LAW COMPLIES WITH THIS SECTION IF THE ASSESSMENT MEETS THE REQUIREMENTS OF THIS SECTION.

(2) A SINGLE DATA PROTECTION IMPACT ASSESSMENT MAY CONTAIN MULTIPLE SIMILAR PROCESSING OPERATIONS THAT PRESENT SIMILAR RISKS, ONLY IF EACH RELEVANT ONLINE PRODUCT IS ADDRESSED.

(E) A BUSINESS SHALL COMPLETE A DATA PROTECTION IMPACT ASSESSMENT ON OR BEFORE JUNE 30, 2024, FOR ANY ONLINE PRODUCT OFFERED TO THE PUBLIC THAT IS LIKELY TO BE ACCESSED BY CHILDREN BEFORE THAT DATE.

14–4505.

(A) A BUSINESS THAT PROVIDES AN ONLINE PRODUCT LIKELY TO BE ACCESSED BY CHILDREN MAY NOT OFFER THE PRODUCT TO THE PUBLIC BEFORE COMPLETING A DATA PROTECTION IMPACT ASSESSMENT.

(B) A BUSINESS THAT COMPLETES A DATA PROTECTION IMPACT ASSESSMENT REQUIRED BY THIS SECTION SHALL:

(1) MAINTAIN DOCUMENTATION OF THE ASSESSMENT FOR AS LONG AS THE ONLINE PRODUCT IS LIKELY TO BE ACCESSED BY CHILDREN;

(2) REVIEW EACH DATA PROTECTION IMPACT ASSESSMENT EVERY 2 YEARS;

(3) DOCUMENT ANY RISK OF MATERIAL DETRIMENT TO CHILDREN THAT ARISES FROM THE DATA MANAGEMENT PRACTICE OF THE BUSINESS IDENTIFIED IN THE ASSESSMENT;

(4) CREATE A PLAN TO MITIGATE OR ELIMINATE THE RISK BEFORE THE ONLINE PRODUCT IS MADE AVAILABLE TO CHILDREN;

(5) (I) ESTIMATE THE AGE OF CHILD USERS WITH A REASONABLE LEVEL OF CERTAINTY APPROPRIATE TO THE RISKS THAT ARISE FROM THE DATA MANAGEMENT PRACTICES OF THE BUSINESS; OR

(II) APPLY TO ALL CONSUMERS THE PRIVACY AND DATA PROTECTIONS AFFORDED TO CHILDREN;

(6) CONFIGURE ALL DEFAULT PRIVACY SETTINGS PROVIDED TO CHILDREN BY THE ONLINE PRODUCT TO OFFER A HIGH LEVEL OF PRIVACY, UNLESS THE BUSINESS CAN DEMONSTRATE A COMPELLING REASON THAT A DIFFERENT SETTING IS IN THE BEST INTEREST OF CHILDREN;

(7) PROVIDE ANY PRIVACY INFORMATION, TERMS OF SERVICE, POLICIES, AND COMMUNITY STANDARDS CONCISELY, PROMINENTLY, AND USING CLEAR LANGUAGE SUITED TO THE AGE OF CHILDREN LIKELY TO ACCESS THE ONLINE PRODUCT;

(8) PROVIDE AN
OBVIOUS SIGNAL TO THE CHILD WHEN THE CHILD’S LOCATION IS BEING MONITORED OR TRACKED, IF THE ONLINE PRODUCT ALLOWS THE CHILD’S PARENT, GUARDIAN, OR ANY OTHER CONSUMER TO TRACK THE CHILD’S LOCATION;

(9) ENFORCE PUBLISHED TERMS, POLICIES, AND COMMUNITY STANDARDS ESTABLISHED BY THE BUSINESS, INCLUDING PRIVACY POLICIES, AND THOSE REGARDING CHILDREN; AND

(10) PROVIDE PROMINENT, ACCESSIBLE, AND RESPONSIVE TOOLS TO HELP CHILDREN OR THEIR PARENTS OR GUARDIANS, IF APPLICABLE, EXERCISE THEIR PRIVACY RIGHTS AND REPORT CONCERNS.

14–4506.

A BUSINESS THAT PROVIDES AN ONLINE PRODUCT LIKELY TO BE ACCESSED BY CHILDREN MAY NOT:

(1) USE THE PERSONAL INFORMATION OF A CHILD IN A WAY THAT THE BUSINESS KNOWS, OR HAS REASON TO KNOW, IS MATERIALLY DETRIMENTAL TO THE PHYSICAL HEALTH, MENTAL HEALTH, OR WELL–BEING OF A CHILD;

(2) PROFILE A CHILD BY DEFAULT, UNLESS:

(I) THE BUSINESS CAN DEMONSTRATE, TO THE ATTORNEY GENERAL’S SATISFACTION, THAT THE BUSINESS HAS APPROPRIATE SAFEGUARDS IN PLACE TO PROTECT CHILDREN; AND

(II) 1. PROFILING IS NECESSARY TO PROVIDE THE ONLINE PRODUCT REQUEST, AND IS DONE ONLY WITH RESPECT TO THE ASPECTS OF THE ONLINE PRODUCT WITH WHICH THE CHILD IS ACTIVELY AND KNOWINGLY ENGAGED; OR

2.
THE BUSINESS CAN DEMONSTRATE A COMPELLING REASON THAT PROFILING IS IN THE BEST INTERESTS OF CHILDREN;

(3) COLLECT, SELL, SHARE, OR RETAIN ANY PERSONAL INFORMATION THAT IS UNNECESSARY TO PROVIDE AN ONLINE PRODUCT THAT A CHILD IS ACTIVELY AND KNOWINGLY ENGAGED WITH, UNLESS THE BUSINESS CAN DEMONSTRATE A COMPELLING REASON THAT THE COLLECTION, SALE, SHARING, OR RETENTION OF THE PERSONAL INFORMATION IS IN THE BEST INTERESTS OF CHILDREN LIKELY TO ACCESS THE ONLINE PRODUCT;

(4) USE THE PERSONAL INFORMATION OF A CHILD END–USER FOR ANY REASON OTHER THAN THAT FOR WHICH THE PERSONAL INFORMATION WAS COLLECTED, UNLESS THE BUSINESS CAN DEMONSTRATE A COMPELLING REASON THAT THE USE OF THE PERSONAL INFORMATION IS IN THE BEST INTERESTS OF CHILDREN LIKELY TO ACCESS THE ONLINE PRODUCT;

(5) COLLECT, SELL, OR SHARE ANY PRECISE GEOLOCATION INFORMATION OF CHILDREN BY DEFAULT, UNLESS THE COLLECTION OF THAT INFORMATION IS STRICTLY NECESSARY IN ORDER FOR THE BUSINESS TO PROVIDE THE ONLINE PRODUCT REQUESTED, AND THEN MAY ONLY DO SO FOR THE LIMITED TIME THAT THE COLLECTION OF PRECISE GEOLOCATION INFORMATION IS NECESSARY TO PROVIDE THE ONLINE PRODUCT;

(6) COLLECT ANY PRECISE GEOLOCATION INFORMATION OF A CHILD WITHOUT PROVIDING AN OBVIOUS SIGN TO THE CHILD FOR THE DURATION THAT THE PRECISE GEOLOCATION INFORMATION IS BEING COLLECTED;

(7) USE DARK PATTERNS TO:

(I) LEAD OR ENCOURAGE CHILDREN TO PROVIDE PERSONAL INFORMATION BEYOND WHAT IS REASONABLY EXPECTED TO PROVIDE THE ONLINE PRODUCT;

(II) CIRCUMVENT PRIVACY PROTECTIONS; OR

(III) TAKE ANY ACTION THAT THE BUSINESS KNOWS, OR HAS REASON TO KNOW, IS MATERIALLY DETRIMENTAL TO THE CHILD’S PHYSICAL HEALTH, MENTAL HEALTH, OR WELL–BEING; OR

(8) USE ANY PERSONAL INFORMATION COLLECTED TO ESTIMATE AGE OR AGE RANGE FOR ANY OTHER PURPOSE, RETAIN THE PERSONAL INFORMATION LONGER THAN NECESSARY TO ESTIMATE
AGE, OR ATTEMPT AGE ASSURANCE IN A WAY THAT IS DISPROPORTIONATE TO THE RISKS AND DATA PRACTICE OF AN ONLINE PRODUCT.

14–4507.

(A) WITHIN 3 BUSINESS DAYS AFTER RECEIVING A WRITTEN REQUEST FROM THE ATTORNEY GENERAL, A BUSINESS THAT PROVIDES AN ONLINE PRODUCT LIKELY TO BE ACCESSED BY CHILDREN SHALL PROVIDE TO THE ATTORNEY GENERAL A LIST OF ALL DATA PROTECTION IMPACT ASSESSMENTS THE BUSINESS HAS COMPLETED UNDER § 14–4504 OF THIS SUBTITLE.

(B) WITHIN 5 BUSINESS DAYS AFTER RECEIVING A WRITTEN REQUEST FROM THE ATTORNEY GENERAL, THE BUSINESS SHALL PROVIDE TO THE ATTORNEY GENERAL ANY DATA PROTECTION IMPACT ASSESSMENT COMPLETED UNDER § 14–4504 OF THIS SUBTITLE.

(C) TO THE EXTENT THAT ANY DISCLOSURE REQUIRED UNDER SUBSECTION (B) OF THIS SECTION INCLUDES INFORMATION SUBJECT TO ATTORNEY–CLIENT PRIVILEGE OR WORK PRODUCT PROTECTION, THE DISCLOSURE MAY NOT CONSTITUTE A WAIVER OF THAT PRIVILEGE OR PROTECTION.

14–4508.

(A) THE ATTORNEY GENERAL MAY FILE A CIVIL ACTION IN A COURT OF COMPETENT JURISDICTION AGAINST A BUSINESS THAT VIOLATES THIS SUBTITLE FOR RECOVERY OF A CIVIL PENALTY OR INJUNCTION OR BOTH.

(B) A BUSINESS THAT VIOLATES THIS SUBTITLE SHALL BE LIABLE FOR A CIVIL PENALTY OF NOT MORE THAN:

(1) $2,500 PER AFFECTED CHILD FOR EACH NEGLIGENT VIOLATION; OR

(2) $7,500 PER AFFECTED CHILD FOR EACH INTENTIONAL VIOLATION.

(C) IN ADDITION TO A CIVIL PENALTY UNDER SUBSECTION (B) OF THIS SECTION, A BUSINESS THAT VIOLATES THIS SUBTITLE IS SUBJECT TO INJUNCTION AND OTHER APPROPRIATE RELIEF.

(D) CIVIL PENALTIES, FEES, AND EXPENSES RECOVERED UNDER THIS SECTION SHALL BE DEPOSITED IN THE GENERAL FUND WITH THE INTENT THAT THEY BE USED TO FULLY OFFSET COSTS INCURRED BY THE ATTORNEY GENERAL IN CONNECTION WITH THIS SUBTITLE.

14–4509.

(A) IF A BUSINESS IS IN SUBSTANTIAL COMPLIANCE WITH THE REQUIREMENTS OF §§ 14–4504 THROUGH 14–4506 OF THIS SUBTITLE, THE ATTORNEY GENERAL SHALL PROVIDE WRITTEN NOTICE TO THE BUSINESS BEFORE FILING AN ACTION UNDER § 14–4508 OF THIS SUBTITLE.

(B) NOTICE GIVEN UNDER SUBSECTION (A) OF THIS SECTION SHALL IDENTIFY THE SPECIFIC PROVISIONS OF THIS SUBTITLE THAT THE ATTORNEY GENERAL ALLEGES HAVE BEEN OR ARE BEING VIOLATED.

(C) A BUSINESS MAY NOT BE LIABLE FOR A CIVIL PENALTY FOR ANY VIOLATION FOR WHICH NOTICE IS GIVEN UNDER SUBSECTION (A) OF THIS SECTION IF THE BUSINESS:

(1) CURES ANY VIOLATION SPECIFIED IN THE ATTORNEY GENERAL’S NOTICE WITHIN 90 DAYS AFTER RECEIVING NOTICE UNDER SUBSECTION (A) OF THIS SECTION;

(2) PROVIDES THE ATTORNEY GENERAL WITH A WRITTEN STATEMENT THAT THE ALLEGED VIOLATIONS HAVE BEEN CURED; AND

(3) TAKES MEASURES TO PREVENT FUTURE VIOLATIONS THAT THE ATTORNEY GENERAL AGREES TO BE SUFFICIENT.

14–4510.

NOTHING IN THIS SUBTITLE MAY BE INTERPRETED TO PROVIDE A PRIVATE RIGHT OF ACTION UNDER THIS SUBTITLE OR ANY OTHER LAW.

14–4511.

THE SHARING OF PERSONAL INFORMATION WITHIN A JOINT VENTURE OR PARTNERSHIP IS SUBJECT TO THE REQUIREMENTS OF THIS SUBTITLE AS THOUGH THE JOINT VENTURE OR PARTNERSHIP DOES NOT EXIST.

14–4512.

NOTWITHSTANDING ANY OTHER LAW, A DATA PROTECTION IMPACT ASSESSMENT IS PROTECTED AS CONFIDENTIAL AND SHALL BE EXEMPT FROM PUBLIC DISCLOSURE, INCLUDING UNDER THE MARYLAND PUBLIC INFORMATION ACT.

14–4513.

THIS SUBTITLE MAY BE CITED AS THE MARYLAND AGE–APPROPRIATE DESIGN CODE ACT.

SECTION 2. AND BE IT FURTHER ENACTED, That this Act shall take effect October 1, 2023.