EXPLANATION: CAPITALS INDICATE MAT TER ADDED TO EXISTIN G LAW.
[Brackets] indicate matter deleted from existing law.
Underlining indicates amendments to bill.
Strike out indicates matter stricken from the bill by amendment or deleted from the law by
amendment.
*hb0603*
HOUSE BILL 603
I3, S1 4lr1482
HB 901/23 – ECM CF SB 571
By: Delegates Solomon, Wilson, and Love
Introduced and read first time: January 24, 2024
Assigned to: Economic Matters
Committee Report: Favorable with amendments
House action: Adopted
Read second time: March 2, 2024
CHAPTER ______
AN ACT concerning 1
Consumer Protection – Online Products and Services – Data of Children 2
(Maryland Kids Code) 3
FOR the purpose of requiring a covered entity that offers an online product reasonably 4
likely to be accessed by children to complete a certain data protection impact 5
assessment under certain circumstances; requiring certain privacy protections for 6
certain online products; prohibiting certain data collection and sharing practices; 7
authorizing certain monitoring practices; and generally relating to the protection of 8
online privacy of children. 9
BY repealing and reenacting, with amendments, 10
Article – Commercial Law 11
Section 13–301(14)(xl) 12
Annotated Code of Maryland 13
(2013 Replacement Volume and 2023 Supplement) 14
BY repealing and reenacting, without amendments, 15
Article – Commercial Law 16
Section 13–301(14)(xli) 17
Annotated Code of Maryland 18
(2013 Replacement Volume and 2023 Supplement) 19
BY adding to 20
Article – Commercial Law 21 2 HOUSE BILL 603
Section 13–301(14)(xlii); and 14–4601 through 14–4612 14–4613 to be under the new 1
subtitle “Subtitle 46. Maryland Age–Appropriate Design Code Act” 2
Annotated Code of Maryland 3
(2013 Replacement Volume and 2023 Supplement) 4
Preamble 5
WHEREAS, The United Nations Convention on the Rights of the Child recognizes 6
that children need special safeguards and care in all aspects of their lives, specifying how 7
children’s rights apply in the digital environment in General Comment No. 25; and 8
WHEREAS, As children spend more of their time interacting with the online world, 9
the impact of the design of online products on their well–being has become a focus of 10
significant concern; and 11
WHEREAS, There is widespread agreement at the international level, and 12
bipartisan agreement in the United States, that more needs to be done to create a safer 13
online space for children to learn, explore, and play; and 14
WHEREAS, Lawmakers around the globe have t aken steps to enhance privacy 15
protections for children based on the understanding that, in relation to data protection, 16
greater privacy necessarily means greater security and well–being; and 17
WHEREAS, Children should be afforded protections not only by online products and 18
services specifically directed at them, but by all online products they are likely to access, 19
and thus covered entities should take into account the unique needs of different age ranges, 20
including the following developmental stages: 0 to 5 years of age, or “preliterate and early 21
literacy”; 6 to 9 years of age, or “core primary school years”; 10 to 12 years of age, or 22
“transition years”; 13 to 15 years of age, or “early teens”; and 16 to 17 years of age, or 23
“approaching adulthood”; and 24
WHEREAS, While it is clear that the same data protection regime may not be 25
appropriate for children of all ages, children of all ages should nonetheless be afforded 26
privacy and protection, and online products should adopt data protection regimes 27
appropriate for children of the ages likely to access those products; and 28
WHEREAS, According to the Pew Research Center, in 2022, 97% of American 29
teenagers aged 13–17 used the Internet every day, with 46% responding they used the 30
Internet almost constantly; and, additionally, 36% of teens reported being concerned about 31
their social media use, while an earlier Pew Research Center study found that 59% of teens 32
have been bullied or harassed online; and 33
WHEREAS, The findings of the Pew Research Center are not surprising, given what 34
is known about controllers’ use of personal data and how it is utilized to inform 35
manipulative practices, to which children are particularly vulnerable; and 36
HOUSE BILL 603 3
WHEREAS, Online products that are likely to be accessed by children should offer 1
strong privacy protections that, by design, prevent the use of children’s personal data to 2
offer elements that the covered entity offering the online product knows, or has reason to 3
know, are likely to be materially detrimental to the physical health, mental health, or 4
well–being of children; and 5
WHEREAS, Ensuring robust privacy, and thus safety, protections for children by 6
design is consistent with federal safety laws and policies applied to children’s products, 7
regulating everything from toys to clothing to furniture and games; and 8
WHEREAS, The consumer protections that federal safety laws apply to children’s 9
products require these products to comply with certain safety standards by their very 10
design, so that harms to children, and in some cases other consumers, are prevented; and 11
WHEREAS, It is the intent of the Maryland General Assembly that the Maryland 12
Age–Appropriate Design Code Act promote innovation by covered entities whose online 13
products are likely to be accessed by children by ensuring that those online products are 14
designed in a manner that recognizes the distinct needs of children within different age 15
ranges; and now, therefore, 16
WHEREAS, It is the intent of the Maryland General Assembly that covered entities 17
covered by the Maryland Age–Appropriate Design Code Act may look to guidance and 18
innovation in response to the Age–Appropriate Design Code established in the United 19
Kingdom and California when developing online products that are likely to be accessed by 20
children; now, therefore, 21
SECTION 1. BE IT ENACTED BY THE GENERAL ASSEMBLY OF MARYLAND, 22
That the Laws of Maryland read as follows: 23
Article – Commercial Law 24
13–301. 25
Unfair, abusive, or deceptive trade practices include any: 26
(14) Violation of a provision of: 27
(xl) Title 14, Subtitle 13 of the Public Safety Article; [or] 28
(xli) Title 14, Subtitle 45 of this article; or 29
(XLII) TITLE 14, SUBTITLE 46 OF THIS ARTICLE; OR 30
SUBTITLE 46. MARYLAND AGE–APPROPRIATE DESIGN CODE ACT. 31
14–4601. 32
4 HOUSE BILL 603
(A) IN THIS SUBTITLE THE FOLLOWING WORDS HAVE THE MEANINGS 1
INDICATED. 2
(B) (1) “AGGREGATE CONSUMER IN FORMATION” MEANS INFORMATION : 3
(I) THAT RELATES TO A GRO UP OR CATEGORY OF CO NSUMERS; 4
(II) FROM WHICH INDIVIDUAL CONSUMER IDENTITIES HAVE 5
BEEN REMOVED ; AND 6
(III) THAT IS NOT LINKED OR REASON ABLY LINKABLE TO ANY 7
CONSUMER OR HOUSEHOL D, INCLUDING BY A DEVIC E. 8
(2) “AGGREGATE CONSUMER IN FORMATION” DOES NOT INCLUDE 9
INDIVIDUAL CONSUMER RECORDS THAT HAVE BE EN DE–IDENTIFIED. 10
(C) “BEST INTERESTS OF CHI LDREN” MEANS A COVERED EN TITY’S USE OF 11
THE PERSONAL DATA OF A CHILD CHILDREN OR THE DESIGN OF AN ONLINE 12
PRODUCT IN A WAY THA T DOES NOT: 13
(1) BENEFIT THE COVERED E NTITY TO THE DETRIME NT OF A CHILD 14
CHILDREN; AND 15
(2) RESULT IN: 16
(I) REASONABLY FORESEEABL E AND MATERIAL PHYSI CAL OR 17
FINANCIAL HARM TO A CHILD CHILDREN; 18
(II) SEVERE AND REASONABLY FORESEEABLE PSYCHOLO GICAL 19
OR EMOTIONAL HARM TO A CHILD CHILDREN; 20
(III) A HIGHLY OFFENSIVE INT RUSION ON A CHILD’S CHILDREN’S 21
REASONABLE EXPECTATION OF PRIVA CY; OR 22
(IV) DISCRIMINATION AGAINS T A CHILD CHILDREN BASED ON 23
RACE, COLOR, RELIGION, NATIONAL ORIGIN , DISABILITY, GENDER IDENTITY , SEX, 24
OR SEXUAL ORIENTATIO N. 25
(D) (1) “BIOMETRIC INFORMATION DATA” MEANS INFORMATION DATA 26
GENERATED BY AUTOMATIC MEASUREMEN TS OF AN INDIVIDUAL ’S BIOLOGICAL 27
CHARACTERISTICS . 28
(2) “BIOMETRIC INFORMATION DATA” INCLUDES: 29
HOUSE BILL 603 5
(I) A FINGERPRINT ; 1
(II) A VOICEPRINT; 2
(III) AN EYE RETINA OR IRIS PATTERN; OR 3
(IV) ANY OTHER UNIQUE BIOL OGICAL PATTERN OR 4
CHARACTERISTIC THAT I S USED TO IDENTIFY A SPECIFIC INDIVIDUAL . 5
(3) “BIOMETRIC INFORMATION DATA” DOES NOT INCLUDE : 6
(I) A DIGITAL OR PHYSICAL PHOTOGRAPH ; 7
(II) AN AUDIO OR VIDEO REC ORDING; OR 8
(III) DATA GENERATED FROM A DIGITAL OR PHYSICAL 9
PHOTOGRAPH , OR AN AUDIO OR VIDEO RECORDING, UNLESS THE DATA IS 10
GENERATED TO IDENTIF Y A SPECIFIC INDIVID UAL. 11
(E) “CHILD” MEANS A CONSUMER WHO IS UNDER THE AGE OF 18 YEARS. 12
(F) (1) “COLLECT” MEANS TO BUY, RENT, GATHER, OBTAIN, RECEIVE, OR 13
ACCESS PERSONAL DATA RELATING TO A C ONSUMER. 14
(2) “COLLECT” INCLUDES: 15
(I) ACTIVELY OR PASSIVELY RECEIVING RECEIVING DATA 16
FROM THE CONSUMER ; AND 17
(II) OBSERVING THE CONSUME R’S BEHAVIOR. 18
(G) (1) “CONSUMER” MEANS AN INDIVIDUAL WHO IS A RESIDENT OF THE 19
STATE, HOWEVER IDENTIFIED, INCLUDING BY A UNIQU E IDENTIFIER. 20
(2) “CONSUMER” DOES NOT INCLUDE AN INDIVIDUAL ACTING IN A 21
COMMERCIAL OR EMPLOY MENT CONTEXT OR AS A N EMPLOYER , AN OWNER, A 22
DIRECTOR, AN OFFICER, OR A CONTRACTOR OF A COMPANY, PARTNERSHIP , SOLE 23
PROPRIETORS HIP, NONPROFIT ORGANIZATI ON, OR GOVERNMENT AGENCY 24
GOVERNMENTAL UNIT WHOSE COMMUNICATIONS OR TRANSACTIONS WITH THE 25
COVERED ENTITY OCCUR SOLELY WITHIN THE CO NTEXT OF THAT INDIVI DUAL’S 26
ROLE WITH THE COMPAN Y, PARTNERSHIP , SOLE PROPRIETORSHIP , NONPROFIT 27
ORGANIZATION, OR GOVERNMENT AGENCY GOVERNMENTAL UNIT . 28
6 HOUSE BILL 603
(H) (1) “COVERED ENTITY ” MEANS A SOLE PROPRIE TORSHIP, A LIMITED 1
LIABILITY COMPANY , A CORPORATION , AN ASSOCIATION , OR ANY OTHER LEGAL 2
ENTITY THAT: 3
(I) IS ORGANIZED OR OPERA TED FOR THE PROFIT O R 4
FINANCIAL BENEFIT OF ITS SHARE HOLDERS OR OTHER OWN ERS; 5
(II) COLLECTS CONSUMERS ’ PERSONAL INFORMATION DATA OR 6
USES ANOTHER ENTITY TO CO LLECT CONSUMERS ’ PERSONAL INFORMATION DATA 7
ON ITS BEHALF; 8
(III) ALONE, OR JOINTLY WITH ITS AFFILIATES OR 9
SUBSIDIARIES, DETERMINES THE PURPOSES A ND MEANS OF THE PROC ESSING OF 10
CONSUMERS ’ PERSONAL DATA ; 11
(IV) DOES BUSINESS IN THE STATE; AND 12
(V) 1. HAS ANNUAL GROSS REVE NUES IN EXCESS OF 13
$25,000,000, ADJUSTED EVERY ODD –NUMBERED YEAR TO REF LECT ADJUSTMENTS 14
IN THE CONSUMER PRICE INDEX; 15
2. ANNUALLY BUYS , RECEIVES, SELLS, OR SHARES THE 16
PERSONAL DATA OF 50,000 OR MORE CONSUMERS , HOUSEHOLDS , OR DEVICES, 17
ALONE OR IN COMBINAT ION WITH ITS AFFILIA TES OR SUBSIDIARIES , FOR THE 18
COVERED ENTITY ’S COMMERCIAL PURPOSE S; OR 19
3. DERIVES AT LEAST 50% OF ITS ANNUAL REVENU ES 20
FROM THE SALE OF CON SUMERS’ PERSONAL DATA . 21
(2) “COVERED ENTITY ” INCLUDES: 22
(I) AN ENTITY THAT CONTRO LS OR IS CONTROLLED BY A 23
BUSINESS AND THAT SH ARES A NAME, SERVICE MARK , OR TRADEMARK THAT WO ULD 24
CAUSE A REASONABLE CONSUMER TO UNDERSTA ND THAT TWO OR MORE ENTITIES 25
ARE COMMONLY OWNED ; AND 26
(II) A JOINT VENTURE OR PAR TNERSHIP COMPOSED OF 27
BUSINESSES IN WHICH EACH HAS AT LEAST A 40% INTEREST IN THE JOIN T VENTURE 28
OR PARTNERSHIP . 29
(I) (1) “DARK PATTERN ” MEANS A USER INTERFACE DESIGNED O R 30
MANIPULATED WITH THE PURPOSE OF SUBVERTIN G OR IMPAIRING USER 31
AUTONOMY , DECISION MAKING , OR CHOICE. 32
HOUSE BILL 603 7
(2) “DARK PATTERN ” INCLUDES ANY PRACTIC E IDENTIFIED BY THE 1
FEDERAL TRADE COMMISSION AS A DARK PATTERN. 2
(J) “DATA PROTECTION IMPACT ASSESSMENT ” OR “ASSESSMENT” MEANS A 3
SYSTEMATIC SURVEY TO ASSESS COMPLIANCE WI TH THE DUTY TO ACT I N THE BEST 4
INTERESTS OF CHILDRE N. 5
(K) “DEFAULT” MEANS A PRESELECTED OPTION ADOPTED BY TH E 6
COVERED ENTITY FOR A N ONLINE PRODUCT . 7
(L) “DE–IDENTIFIED I NFORMATION ” MEANS DATA THAT CANN OT 8
REASONABLY BE USED T O INFER INFORMATION ABOUT, OR OTHERWISE BE LINK ED 9
TO, AN IDENTIFIED OR IDE NTIFIABLE INDIVIDUAL , IF THE COVERED ENTIT Y THAT 10
POSSESSES THE DATA : 11
(1) TAKES REASONABLE MEAS URES TO ENSURE THAT THE DATA 12
CANNOT BE LINKED WITH AN INDIVIDUAL; 13
(2) PUBLICLY COMMITS TO : 14
(I) MAINTAIN AND USE THE DATA IN DE–IDENTIFIED FORM ; 15
AND 16
(II) NOT ATTEMPT TO RE –IDENTIFY THE INFORMA TION; AND 17
(3) CONTRACTUALLY OBLIGAT ES ANY RECIPIENTS OF THE 18
INFORMATION TO COMPL Y WITH ALL PROVISIONS OF THIS SUBSECTION . 19
(M) “DERIVED DATA” MEANS DATA THAT ARE DERIVED FROM OTHER D ATA 20
OR INFORMATION , OR OTHERWISE OBTAINE D THROUGH CORRELATIO NS, 21
PREDICTIONS, ASSUMPTIONS , INFERENCES, OR CONCLUSIONS DRAWN FROM FACTS 22
OR EVIDENCE OR ANOTHER SOURCE OF IN FORMATION OR DATA AB OUT A CHILD OR 23
A CHILD’S DEVICE. 24
(N) (L) “DIVISION” MEANS THE DIVISION OF CONSUMER PROTECTION 25
OF THE OFFICE OF THE ATTORNEY GENERAL. 26
(O) (M) (1) “ONLINE PRODUCT ” MEANS AN ONLINE SERV ICE, PRODUCT, 27
OR FEATURE. 28
(2) “ONLINE PRODUCT ” DOES NOT INCLUDE : 29
(I) A TELECOMMUNICATIONS S ERVICE, AS DEFINED IN 47 30
U.S.C. § 153; 31 8 HOUSE BILL 603
(II) THE SALE, DELIVERY, OR USE OF A PHYSICAL PRODUCT 1
SOLD BY AN ONLINE RE TAILER; OR 2
(III) A BROADBAND INTERNET ACCESS SERVI CE, AS DEFINED IN 3
47 C.F.R. § 8.1(B). 4
(P) (N) (1) “PERSONAL DATA ” MEANS INFORMATION TH AT IS LINKED 5
OR REASONABLY ABLE T O BE LINKED, ALONE OR IN COMBINAT ION WITH OTHER 6
INFORMATION , TO AN IDENTIFIED OR IDENTIFIABLE INDIVID UAL. 7
(2) “PERSONAL DATA ” INCLUDES DERIVED DAT A THAT OTHERWISE 8
MEETS THE DEFINITION IN PARAGRAPH (1) OF THIS SUBSECTION DOES NOT 9
INCLUDE: 10
(I) DE–IDENTIFIED DATA ; OR 11
(II) PUBLICLY AVAILABLE IN FORMATION. 12
(Q) (O) (1) “PRECISE GEOLOCATION ” MEANS ANY DATA THAT IS: 13
(1) DERIVED FROM A DEVICE ; AND 14
(2) USED OR INTENDED TO B E USED TO LOCATE A C ONSUMER 15
GEOGRAPHICALLY WITHI N A RADIUS OF UP TO 1,850 FEET INFORMATION DERIVED 16
FROM TECHNOLOGY THAT CAN PRECISELY AND AC CURATELY IDENTIFY TH E 17
SPECIFIC LOCATION OF A CONSUMER WITHIN A RADIUS OF 1,750 FEET. 18
(2) “PRECISE GEOLOCATION ” INCLUDES LATITUDE AN D LONGITUDE 19
COORDINATES OF SIMIL AR PRECISION TO THOS E PRODUCED BY A GLOB AL 20
POSITIONING SYSTEM O R A SIMILAR MECHANIS M. 21
(3) “PRECISE GEOLOCATION ” DOES NOT INCLUDE : 22
(I) THE CONTENT OF COMMUN ICATIONS; 23
(II) DATA GENERATED BY OR CONNECTED WITH A UTI LITY 24
COMPANY’S ADVANCED METERING INFRASTRUCTURE ; OR 25
(III) DATA GENERATED BY EQU IPMENT USED BY A UTI LITY 26
COMPANY. 27
(R) (P) (1) “PROCESS” MEANS TO CONDUCT OR DIRECT ANY 28
OPERATION THAT MAY BE PERFORME D ON PERSONAL DATA , WHETHER OR NOT BY 29 HOUSE BILL 603 9
AUTOMATED MEANS TO PERFORM AN OPERAT ION OR SET OF OPERAT IONS BY 1
MANUAL OR AUTOMATED MEANS ON PERSONAL DA TA. 2
(2) “PROCESS” INCLUDES: 3
(I) COLLECTING PERSONAL D ATA; 4
(II) USING PERSONAL DATA ; 5
(III) STORING PERSONAL DATA ; 6
(IV) DISCLOSING PERSONAL D ATA; 7
(V) ANALYZING PERSONAL DA TA; 8
(VI) DELETING PERSONAL DAT A; 9
(VII) MODIFYING PERSONAL DA TA; AND 10
(VIII) OTHERWISE HANDLING PE RSONAL DATA COLLECTING, 11
USING, STORING, DISCLOSING, ANALYZING, DELETING, OR MODIFYING PERSONA L 12
DATA. 13
(S) (Q) (1) “PROFILING” MEANS ANY FORM OF AU TOMATED 14
PROCESSING OF PERSON AL DATA THAT USES PE RSONAL DATA TO EVALU ATE, 15
ANALYZE, OR PREDICT CERTAIN A SPECTS RELATING TO A N INDIVIDUAL, INCLUDING 16
AN INDIVIDUAL’S ECONOMIC SITUATION , HEALTH, PERSONAL PREFERENCES , 17
INTERESTS, RELIABILITY, BEHAVIOR, LOCATION, OR MOVEMENTS . 18
(2) “PROFILING” DOES NOT INCLUDE THE PROCESSING OF 19
PERSONAL DATA THAT D OES NOT RESULT IN AN ASSESSMENT OR JUDGME NT ABOUT 20
AN INDIVIDUAL. 21
(T) (R) (1) “PUBLICLY AVAILABLE IN FORMATION” MEANS 22
INFORMATION THAT : 23
(I) IS LAWFULLY MADE AVAI LABLE FROM FEDERAL , STATE, OR 24
LOCAL GOVERNMENT REC ORDS; OR 25
(II) A COVERED ENTITY HAS A REASONABLE BASIS TO BELIEVE 26
IS LAWFULLY MADE AVA ILABLE TO THE GENERAL PUBLIC BY TH E CONSUMER OR BY 27
WIDELY DISTRIBUTED M EDIA. 28
10 HOUSE BILL 603
(2) “PUBLICLY AVAILABLE IN FORMATION” DOES NOT INCLUDE 1
BIOMETRIC INFORMATION DATA COLLECTED BY A COVER ED ENTITY ABOUT A 2
CONSUMER WITHOUT THE CONSUMER ’S KNOWLEDGE . 3
(U) (S) “REASONABLY LIKEL Y TO BE ACCESSED BY CHILDREN” MEANS 4
REASONABLY EXPECTED IT IS REASONABLE TO EXPECT THAT THE ONLINE PROD UCT 5
WOULD BE ACCESSED BY CHILDREN, BASED ON SATISFYING ANY OF THE FOLLOWING 6
CRITERIA: 7
(1) THE ONLINE PRODUCT IS DIRECTED TO CHILDREN AS DEFINED IN 8
THE FEDERAL CHILDREN’S ONLINE PRIVACY PROTECTION ACT; 9
(2) THE ONLINE PRODUCT IS DETERMINED , BASED ON COMPETENT 10
AND RELIABLE EVIDENC E REGARDING AUDIENCE COMPOSITION , TO BE ROUTINELY 11
ACCESSED BY A SIGNIF ICANT NUMBER OF CHIL DREN; 12
(3) THE ONLINE PRODUCT IS SUBSTANTIALLY SIMILA R OR THE SAME 13
AS AN ONLINE PRODUCT THAT SATISFIES ITEM (2) OF THIS SUBSECTION ; 14
(4) THE ONLINE PRODUCT FE ATURES ADVERTISEMENT S MARKETED 15
TO CHILDREN; 16
(5) THE COVERED ENTITY ’S INTERNAL RESEARCH FINDINGS 17
DETERMINE THAT A SIG NIFICANT AMOUNT OF THE ONLINE PRODUCT’S AUDIENCE IS 18
COMPOSED OF CHILDREN ; OR 19
(6) THE COVERED ENTITY KN OWS OR SHOULD HAVE K NOWN THAT A 20
USER IS A CHILD. 21
(V) (T) (1) “SELL” MEANS TO TRANSFER , RENT, RELEASE, DISCLOSE, 22
DISSEMINATE, MAKE AVAILABLE , OR OTHERWISE COMM UNICATE, WHETHER 23
ORALLY, IN WRITING, OR BY ELECTRONIC OR OTHER MEANS , A CONSUMER ’S 24
PERSONAL DATA , IN A TRANSACTION FOR MONETARY OR OTHER VA LUABLE 25
CONSIDERATION BETWEE N A COVERED ENTITY A ND A THIRD PARTY . 26
(2) “SELL” DOES NOT INCLUDE : 27
(I) THE DISCLOSU RE OF PERSONAL DATA TO THE SERVICE 28
PROVIDER THAT PROCES SES PERSONAL DATA ON BEHALF OF THE COVERE D ENTITY; 29
(II) THE DISCLOSURE OF PER SONAL DATA TO A THIR D PARTY 30
FOR PURPOSES OF PROV IDING A PRODUCT OR S ERVICE REQUESTED BY THE 31
CONSUMER ; 32
HOUSE BILL 603 11
(III) THE DISCLOSURE OR TRANSF ER OF PERSONAL DATA TO AN 1
AFFILIATE OR SUBSIDI ARY OF THE COVERED E NTITY; 2
(IV) THE DISCLOSURE OF PER SONAL DATA WHERE THE 3
CONSUMER DIRECTS THE COVERED ENTITY TO DI SCLOSE THE PERSONAL DATA OR 4
INTENTIONALLY USES T HE COVERED ENTITY TO INTERACT WITH A THIRD PARTY; OR 5
(V) THE DISCLOSURE OR TRA NSFER OF PERSONAL DA TA TO A 6
THIRD PARTY AS AN AS SET THAT IS PART OF AN ACTUAL OR PROPOSE D MERGER, 7
ACQUISITION, BANKRUPTCY , OR OTHER TRANSACTION , IN WHICH THE THIRD P ARTY 8
ASSUMES CONTROL OF A LL OR PART OF THE COVERED E NTITY’S ASSETS. 9
(W) (1) “SENSITIVE PERSONAL DA TA” MEANS: 10
(I) PERSONAL DATA THAT RE VEALS A CONSUMER ’S: 11
1. SOCIAL SECURITY NUMBER , DRIVER’S LICENSE 12
NUMBER, STATE IDENTIFICATION CARD NUMBER , OR PASSPORT NUMBER ; 13
2. ACCOUNT L OGIN INFORMATION , FINANCIAL 14
ACCOUNT NUMBER , DEBIT CARD NUMBER , OR CREDIT CARD NUMBE R, IN 15
COMBINATION WITH ANY REQUIRED SECURITY OR ACCESS CODE , PASSWORD, OR 16
CREDENTIALS THAT ALL OW ACCESS TO AN ACCO UNT; 17
3. PRECISE GEOLOCATION ; 18
4. RACIAL OR ETHNIC ORIGIN OR RELIGIOUS OR 19
PHILOSOPHICAL BELIEF S; 20
5. MAIL, E–MAIL, TEXT, OR MESSAGE CONTENTS , 21
UNLESS THE COVERED E NTITY IS THE INTENDE D RECIPIENT; OR 22
6. GENETIC DATA; 23
(II) BIOMETRIC INFORMATION THAT IS OR MAY BE PR OCESSED 24
FOR THE PURPOSE OF U NIQUELY IDENTIFYING A CO NSUMER; 25
(III) PERSONAL DATA COLLECT ED AND ANALYZED CONC ERNING 26
A CONSUMER ’S HEALTH; OR 27
(IV) PERSONAL DATA COLLECT ED AND ANALYZED CONC ERNING 28
A CONSUMER ’S SEX LIFE OR SEXUAL ORIENTATION . 29
12 HOUSE BILL 603
(2) “SENSITIVE PERSONAL DA TA” DOES NOT IN CLUDE PUBLICLY 1
AVAILABLE INFORMATIO N. 2
(X) (U) “SERVICE PROVIDER ” MEANS A PERSON THAT PROCESSES 3
PERSONAL DATA ON BEH ALF OF A COVERED ENT ITY AND THAT RECEIVE S FROM OR 4
ON BEHALF OF THE COV ERED ENTITY A CONSUM ER’S PERSONAL DATA FOR 5
BUSINESS PURPOSES IN ACCORDANCE WITH A WR ITTEN CONTRACT , IF THE 6
CONTRACT PROHIBITS T HE PERSON FROM : 7
(1) SELLING OR SHARING TH E PERSONAL DATA ; 8
(2) RETAINING, USING, OR DISCLOSING THE PE RSONAL DATA FOR 9
ANY PURPOSE OTHER TH AN FOR THE BUSINESS PURPOSES SPECIFIED I N THE 10
CONTRACT FOR THE COVERED ENTITY, INCLUDING RETAINING , USING, OR 11
DISCLOSING THE PERSO NAL DATA FOR A COMME RCIAL PURPOSE OTHER THAN THE 12
BUSINESS PURPOSES SP ECIFIED IN THE CONTR ACT WITH THE COVERED ENTITY, OR 13
AS OTHERWISE ALLOWED UNDER THIS SUBTITLE ; 14
(3) RETAINING, USING, OR DISCLOSING THE PE RSONAL DATA 15
OUTSIDE THE DIRECT B USINESS RELATIONSHIP BETWEEN THE SERVICE PROVIDER 16
AND THE COVERED ENTI TY; AND 17
(4) COMBINING THE PERSONA L DATA THAT THE SERV ICE PROVIDER 18
RECEIVES FROM , OR ON BEHALF OF , THE COVERED ENTITY W ITH PERSONAL DATA 19
THAT IT RECEIVES FRO M, OR ON BEHALF OF , ANOTHER PERSON OR PE RSONS, OR 20
COLLECTS FROM ITS OW N INTERACTION WITH T HE CONSUMER . 21
(Y) (V) “SHARE” MEANS TO RENT , RELEASE, DISSEMINATE, MAKE 22
AVAILABLE, TRANSFER, OR OTHERWISE COMMUNI CATE, WHETHER OR ALLY, IN 23
WRITING, OR BY ELECTRONIC OR OTHER MEANS , A CONSUMER ’S PERSONAL DATA TO 24
A THIRD PARTY FOR CR OSS–CONTEXT BEHAVIORAL A DVERTISING WHETHER O R NOT 25
FOR MONETARY OR OTHE R VALUABLE CONSIDERA TION, INCLUDING IN A 26
TRANSACTION BETWEEN A COVERED EN TITY AND A THIRD PARTY FOR TARGE TED 27
ADVERTISING FOR THE BENEFIT OF A COVERED ENTITY IN WHICH NO M ONEY IS 28
EXCHANGED . 29
(Z) (1) “TARGETED ADVERTISING ” MEANS DISPLAYING 30
ADVERTISEMENTS TO A CONSUMER WHERE THE A DVERTISEMENT IS SELE CTED 31
BASED ON PERSONAL DA TA OBTAINED OR INFERRED FROM THAT C ONSUMER’S 32
ACTIVITIES OVER TIME AND ACROSS NONAFFILI ATED INTERNET WEBSITES OR 33
ONLINE APPLICATIONS TO PREDICT THE CONSU MER’S PREFERENCES OR 34
INTERESTS. 35
(2) “TARGETED ADVERTISING ” DOES NOT INCLUDE : 36 HOUSE BILL 603 13
(I) ADVERTISEMENTS BASED ON ACTIVITIES WITHIN A 1
COVERED ENTITY ’S OWN INTERNET WEBSITES OR ONLINE APPLICATIONS ; 2
(II) ADVERTISEMENTS BASED ON THE CONTEXT OF A 3
CONSUMER ’S CURRENT SEARCH QUE RY, VISIT TO AN INTERNET WEBSITE , OR USE OF 4
AN ONLINE APPLICATIO N; 5
(III) ADVERTISEMENTS DI RECTED TO A CONSUMER IN 6
RESPONSE TO THE CONS UMER’S REQUEST FOR INFORM ATION OR FEEDBACK ; OR 7
(IV) PROCESSING PERSONAL D ATA SOLELY TO MEASUR E OR 8
REPORT ADVERTISING F REQUENCY, PERFORMANCE , OR REACH. 9
(AA) (W) “THIRD PARTY” MEANS A PERSON WHO I S NOT: 10
(1) THE COVERED ENTITY WI TH WHICH THE CONSUME R 11
INTENTIONALLY INTERA CTS AND THAT COLLECT S PERSONAL DATA FROM THE 12
CONSUMER AS PART OF THE CONSUMER ’S INTERACTION WITH T HE COVERED 13
ENTITY; OR 14
(2) A SERVICE PROVIDER FOR THE COVERED ENTITY . 15
14–4602. 16
THIS SUBTITLE DOES NOT APPL Y TO: 17
(1) DATA SUBJECT TO A STA TUTE OR REGULATION I DENTIFIED 18
UNDER ITEM (I) OF THIS ITEM THAT IS CONTROLLED BY A COVE RED ENTITY OR 19
SERVICE PROVIDER THA T IS: 20
(I) REQUIRED TO COMPLY WI TH: 21
1. TITLE V OF THE FEDERAL GRAMM–LEACH–BLILEY 22
ACT; 23
2. THE FEDERAL HEALTH INFORMATION TECHNOLOGY 24
FOR ECONOMIC AND CLINICAL HEALTH ACT; OR 25
3. REGULATIONS PROMULGAT ED UNDER § 264(C) OF 26
THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996; AND 27
(II) IN COMPLIANCE WITH TH E INFORMATION SECURI TY 28
REQUIREMENTS OF APPL ICABLE STATUTES OR R EGULATIONS IDENTIFIE D IN ITEM 29 14 HOUSE BILL 603
(I) OF THIS ITEM; OR PROTECTED HEALTH INFO RMATION THAT IS COLL ECTED BY A 1
COVERED ENTITY OR BU SINESS ASSOCIATION G OVERNED BY THE PRIVA CY 2
SECURITY AND BREACH NOTIFI CATION RULES IN 45 C.F.R. PARTS 160 AND 164, 3
ESTABLISHED UNDER TH E FEDERAL HEALTH INSURANCE PORTABILITY AND 4
ACCOUNTABILITY ACT OF 1996 AND THE FEDERAL HEALTH INFORMATION 5
TECHNOLOGY FOR ECONOMIC AND CLINICAL HEALTH ACT; 6
(2) A COVERED ENTITY GOVERNED BY T HE PRIVACY SECURITY AND 7
BREACH NOTIFICATION RULES IN 45 C.F.R. PARTS 160 AND 164, ESTABLISHED 8
UNDER THE FEDERAL HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY 9
ACT OF 1996 AND THE FEDERAL HEALTH INFORMATION TECHNOLOGY FOR 10
ECONOMIC AND CLINICAL HEALTH ACT, TO THE EXTENT THAT T HE COVERED 11
ENTITY MAINTAINS PAT IENT INFORMATION IN THE SAME MANNER AS M EDICAL 12
INFORMATION OR PROTE CTED HEALTH INFORMAT ION AS DESCRIBED IN ITEM (1) OF 13
THIS SECTION; OR 14
(3) (2) INFORMATION COLLECTED AS PART OF A CLI NICAL TRIAL 15
SUBJECT TO THE FEDERAL POLICY FOR THE PROTECTION OF HUMAN SUBJECTS, 16
IN ACCORDANCE WITH : 17
(I) GOOD CLINICAL PRACTIC E GUIDELINES ISSUED BY THE 18
INTERNATIONAL COUNCIL FOR HARMONISATION OF TECHNICAL REQUIREMENTS 19
FOR PHARMACEUTICALS FOR HUMAN USE; OR 20
(II) HUMAN SUBJECT PROTECT ION REQUIREMENTS OF THE 21
U.S. FOOD AND DRUG ADMINISTRATION . 22
14–4603. 23
IT IS THE INTENT OF T HE GENERAL ASSEMBLY THAT : 24
(1) CHILDREN SHOULD BE AF FORDED PROTECTIONS N OT ONLY BY 25
ONLINE PRODUCTS SPEC IFICALLY DIRECTED AT THEM, BUT BY ALL ONLINE 26
PRODUCTS THEY ARE RE ASONABLY LIKELY TO A CCESS; 27
(2) COVERED ENTITIES THAT DEVELOP AND PROVIDE ONLINE 28
SERVICES PRODUCTS THAT CHILDREN ARE REASONABLY LIKELY TO ACCESS SHA LL 29
ENSURE THE BEST INTE RESTS OF CHILDREN WH EN DESIGNING, DEVELOPING, AND 30
PROVIDING THOSE ONLI NE PRODUCTS ; 31
(3) ALL COVERED ENTITIES THAT OPERATE IN THE STATE AND 32
PROCESS CHILDREN ’S DATA IN ANY CAPACI TY SHALL DO SO IN A MANNER 33
CONSISTENT WITH THE BEST INTERESTS OF CH ILDREN; 34
HOUSE BILL 603 15
(4) IF A CONFLICT ARISES BETWEEN COMMER CIAL INTERESTS AND 1
THE BEST INTERESTS O F CHILDREN, COVERED ENTITIES THA T DEVELOP ONLINE 2
PRODUCTS LIKELY TO B E ACCESSED BY CHILDR EN SHALL GIVE PRIORITY TO 3
PRIORITIZE THE PRIVACY, SAFETY, AND WELL–BEING OF CHILDREN OVER THOSE 4
COMMERCIAL INTERESTS; AND; 5
(5) NOTHING IN THIS SUBTI TLE MAY BE CONSTRUED TO INFRINGE ON 6
THE EXISTING RIGHTS AND FREEDOMS OF CHIL DREN REQUIRE A COVERED EN TITY 7
TO MONITOR OR CENSOR THIRD–PARTY CONTENT OR OTH ERWISE IMPACT THE 8
EXISTING RIGHTS AND FREEDOMS OF ANY PERS ON; AND 9
(6) NOTHING IN THIS SUBTI TLE MAY BE CONSTRUED TO 10
DISCRIMINATE AGAINST CHILDREN ON THE BASI S OF RACE, COLOR, RELIGION, 11
NATIONAL ORIGIN , DISABILITY, GENDER IDENTITY , SEX, OR SEXUAL ORIENTATIO N. 12
14–4604. 13
(A) (1) SUBJECT TO PARAGRAPH (2) OF THIS SUBSECTION , A COVERED 14
ENTITY THAT PROVIDES AN ONLINE PRODUCT RE ASONABLY LIKELY TO B E 15
ACCESSED BY CHILDREN SHALL PREPARE A DATA PROTECTION IMPACT 16
ASSESSMENT FOR THE O NLINE PRODUCT . 17
(2) ON OR BEFORE APRIL 1, 2026, A COVERED ENTITY SHA LL 18
PREPARE A DATA PROTE CTION IMPACT ASSESSMENT FOR ANY O NLINE PRODUCT 19
THAT: 20
(I) MEETS THE CRITERIA UN DER PARAGRAPH (1) OF THIS 21
SUBSECTION; 22
(II) IS OFFERED TO THE PUB LIC ON OR BEFORE APRIL 1, 2026; 23
AND 24
(III) WILL CONTINUE TO BE O FFERED TO THE PUBLIC AFTER 25
JULY 1, 2026. 26
(3) FOR AN ONLINE PRODUCT THAT MEETS THE CRITE RIA UNDER 27
PARAGRAPH (1) OF THIS SUBSECTION A ND IS INITIALLY OFFE RED TO THE PUBLIC 28
AFTER APRIL 1, 2026, A COVERED ENTITY SHA LL COMPLETE A DATA P ROTECTION 29
IMPACT ASSESSMENT WITHIN 90 DAYS AFTER THE ONLIN E PRODUCT IS OFFERED TO 30
THE PUBLIC. 31
(B) THE DATA PROTECTION I MPACT ASSESSMENT SHA LL: 32
(1) IDENTIFY THE PURPOSE OF THE ONLINE PRODUC T; 33 16 HOUSE BILL 603
(2) IDENTIFY HOW THE ONLI NE PRODUCT USES CHIL DREN’S DATA; 1
(3) DETERMINE WHETHER THE ONLINE PRODUCT IS DE SIGNED AND 2
OFFERED IN A MANNER CONSISTEN T WITH THE BEST INTE RESTS OF CHILDREN 3
REASONABLY LIKELY TO ACCESS THE ONLINE PR ODUCT THROUGH CONSID ERATION 4
OF: 5
(I) WHETHER THE DATA MANA GEMENT OR PROCESSING 6
PRACTICES OF THE ONL INE PRODUCT COULD LE AD TO CHILDREN EXPER IENCING OR 7
BEING TARGETED BY CONTAC TS THAT WOULD RESULT IN: 8
1. REASONABLY FORESEEABL E AND MATERIAL 9
PHYSICAL OR FINANCIA L HARM TO THE CHILD CHILDREN; 10
2. REASONABLY FORESEEABL E AND EXTREME 11
PSYCHOLOGICAL OR EMO TIONAL HARM TO THE CHILD CHILDREN; 12
3. A HIGHLY OFFENSIVE INT RUSION ON THE CHILD’S 13
CHILDREN’S REASONABLE EXPECTATI ON OF PRIVACY; OR 14
4. DISCRIMINATION AGAINS T THE CHILD CHILDREN 15
BASED ON RACE , COLOR, RELIGION, NATIONAL ORIGIN , DISABILITY, GENDER 16
IDENTITY, SEX, OR SEXUAL ORIENTATIO N; 17
(II) WHETHER THE DATA MANA GEMENT OR PROCESSING 18
PRACTICES OF THE ONL INE PRODUCT COULD PE RMIT CHILDREN TO WITNESS, 19
PARTICIPATE IN, OR BE SUBJECT TO CON DUCT THAT WOULD RESU LT IN: 20
1. REASONABLY FORESEEABL E AND MATERIAL 21
PHYSICAL OR FINANCIA L HARM TO THE CHILD CHILDREN; 22
2. REASONABLY FORESEEABL E AND EXTREME 23
PSYCHOLOGICAL OR EMO TIONAL HARM TO THE CHILD CHILDREN; 24
3. A HIGHLY OFFENSIVE INT RUSION ON THE CHILD’S 25
CHILDREN’S REASONABLE EXPECTATI ON OF PRIVACY; OR 26
4. DISCRIMINATION AGAINS T THE CHILD CHILDREN 27
BASED ON RACE , COLOR, RELIGION, NATIONAL ORIGIN , DISABILITY, GENDER 28
IDENTITY, SEX, OR SEXUAL ORIENTATIO N; 29
(III) WHETHER THE DATA MANA GEMENT OR PROCESSING 30
PRACTICES OF THE ONL INE PRODUCT ARE REAS ONABLY EXPECTED TO A LLOW 31 HOUSE BILL 603 17
CHILDREN BECOMING PA RTY TO OR EXPLOITED BY A CONTRACT THROUG H THE 1
ONLINE PRODUCT THAT WOULD RESULT IN : 2
1. REASONABLY FORESEEABL E AND MATERIAL 3
PHYSICAL OR FINANCIA L HARM TO THE CHILD CHILDREN; 4
2. REASONABLY FORESEEABL E AND EXTREME 5
PSYCHOLOGICAL OR EMOTIONAL HARM TO THE CHILD CHILDREN; 6
3. A HIGHLY OFFENSIVE INT RUSION ON THE CHILD’S 7
CHILDREN’S REASONABLE EXPECTATI ON OF PRIVACY; OR 8
4. DISCRIMINATION AGAINS T THE CHILD CHILDREN 9
BASED ON RACE , COLOR, RELIGION, NATIONAL ORIGIN , DISABILITY, GENDER 10
IDENTITY, SEX, OR SEXUAL ORIENTATIO N; 11
(IV) WHETHER TARGETED ADVE RTISING SYSTEMS USED BY THE 12
ONLINE PRODUCT WOULD RESULT IN: 13
1. REASONABLY FORESEEABL E AND MATERIAL 14
PHYSICAL OR FINANCIA L HARM TO THE CHILD ; 15
2. REASONABLY FORESEEABL E AND EXTREME 16
PSYCHOLOGICAL OR EMO TIONAL HARM TO THE C HILD; 17
3. A HIGHLY OFFENSIVE INT RUSION ON THE CHILD ’S 18
REASONABLE EXPECTATI ON OF PRIVACY; OR 19
4. DISCRIMINATION AGAINS T THE CHILD BASED ON 20
RACE, COLOR, RELIGION, NATIONAL ORIGIN , DISABILITY, SEX, OR SEXUAL 21
ORIENTATION ; 22
(V) WHETHER THE ONLINE PR ODUCT USES SYSTEM DE SIGN 23
FEATURES TO INCREASE , SUSTAIN, OR EXTEND THE USE OF THE ONLINE PRODUCT , 24
INCLUDING THE AUTOMA TIC PLAYING OF MEDIA , REWARDS FOR TIME SPE NT, AND 25
NOTIFICATIONS THAT W OULD RESULT IN : 26
1. REASONABLY FORESEEABL E AND MATERIAL 27
PHYSICAL OR FINANCIA L HARM TO THE CHILD CHILDREN; 28
2. REASONABLY FORESEEABL E AND EXTREME 29
PSYCHOLOGICAL OR EMO TIONAL HARM TO THE CHILD CHILDREN; 30
18 HOUSE BILL 603
3. A HIGHLY OFFENSIVE INT RUSION ON THE CHILD’S 1
CHILDREN’S REASONABLE EXPECTATI ON OF PRIVACY; OR 2
4. DISCRIMINATION AGAINS T THE CHILD CHILDREN 3
BASED ON RACE , COLOR, RELIGION, NATIONAL ORIGIN , DISABILITY, GENDER 4
IDENTITY, SEX, OR SEXUAL ORIENTATIO N; 5
(VI) (V) WHETHER, HOW, AND FOR WHAT PURPOSE THE 6
ONLINE PRODUCT COLLECTS OR PR OCESSES SENSITIVE PERSONAL DATA OF 7
CHILDREN AND WHETHER THOSE PRACTICES WOUL D RESULT IN: 8
1. REASONABLY FORESEEABL E AND MATERIAL 9
PHYSICAL OR FINANCIA L HARM TO THE CHILD CHILDREN; 10
2. REASONABLY FORESEEABL E AND EXTREME 11
PSYCHOLO GICAL OR EMOTIONAL H ARM TO THE CHILD CHILDREN; 12
3. A HIGHLY OFFENSIVE INT RUSION ON THE CHILD’S 13
CHILDREN’S REASONABLE EXPECTATI ON OF PRIVACY; OR 14
4. DISCRIMINATION AGAINS T THE CHILD CHILDREN 15
BASED ON RACE , COLOR, RELIGION, NATIONAL ORIGIN , DISABILITY, GENDER 16
IDENTITY, SEX, OR SEXUAL ORIENTATIO N; 17
(VII) (VI) WHETHER AND HOW DATA COLLECTED TO 18
UNDERSTAND THE EXPER IMENTAL IMPACT OF TH E PRODUCT REVEALS DA TA 19
MANAGEMENT OR DESIGN PRACTICES THAT WO ULD RESULT IN: 20
1. REASONABLY FORESEEABL E AND MATERIAL 21
PHYSICAL OR FINANCIA L HARM TO THE CHILD CHILDREN; 22
2. REASONABLY FORESEEABL E AND EXTREME 23
PSYCHOLOGICAL OR EMO TIONAL HARM TO THE CHILD CHILDREN; 24
3. A HIGHLY OFFENSIVE INT RUSION ON THE CHILD’S 25
CHILDREN’S REASONABLE EXPECTATI ON OF PRIVACY; OR 26
4. DISCRIMINATION AGAINS T THE CHILD CHILDREN 27
BASED ON RACE , COLOR, RELIGION, NATIONAL ORIGIN , DISABILITY, GENDER 28
IDENTITY, SEX, OR SEXUAL ORIENTATIO N; 29
(VIII) (VII) WHETHER ALGORITHMS US ED BY THE ONLINE 30
PRODUCT WOULD RESULT IN: 31
HOUSE BILL 603 19
1. REASONABLY FORESEEABL E AND MATERIAL 1
PHYSICAL OR FINANCIA L HARM TO THE CHILD CHILDREN; 2
2. REASONABLY FORESEEABL E AND EXTREME 3
PSYCHOLOGICAL OR EMO TIONAL HARM TO THE CHILD CHILDREN; 4
3. A HIGHLY OFFENSIVE INT RUSION ON THE CHILD’S 5
CHILDREN’S REASONABLE EXPECTATI ON OF PRIVACY; OR 6
4. DISCRIMINATION AGAINS T THE CHILD CHILDREN 7
BASED ON RACE , COLOR, RELIGION, NATIONAL ORIGIN , DISABILITY, GENDER 8
IDENTITY, SEX, OR SEXUAL ORIENTATION; AND 9
(IX) (VIII) ANY OTHER FACTOR THAT MAY INDICATE THAT TH E 10
ONLINE PRODUCT IS DE SIGNED AND OFFERED IN A MANNER THAT IS INCONSISTENT 11
WITH THE BEST INTERE STS OF CHILDREN ; AND 12
(4) INCLUDE A DESCRIPTION OF STEPS THAT THE CO VERED ENTITY 13
HAS TAKEN AND WILL TAKE TO COMPLY WITH THE D UTY TO ACT IN A MANN ER 14
CONSISTENT WITH THE BEST INTERESTS OF CH ILDREN. 15
(C) (1) A DATA PROTECTION IMPA CT ASSESSMENT PREPAR ED BY A 16
COVERED ENTITY FOR T HE PURPOSE OF COMPLI ANCE WITH ANY OTHER LAW 17
COMPLIES WITH THIS SECTION IF THE ASSES SMENT MEETS THE REQU IREMENTS OF 18
THIS SECTION. 19
(2) A SINGLE DATA PROTECTI ON IMPACT ASSESSMENT MAY CONTAIN 20
MULTIPLE SIMILAR PRO CESSING OPERATIONS T HAT PRESENT SIMILAR RISKS ONLY 21
IF EACH RELEVANT ONL INE PRODUCT IS ADDRE SSED. 22
14–4605. 23
A COVERED ENTITY REQUI RED TO COMPLETE A DA TA PROTECTION IMPACT 24
ASSESSMENT UNDER § 14–4604 OF THIS SUBTITLE SHA LL: 25
(1) MAINTAIN DOCUMENTATIO N OF THE ASSESSMENT FOR AS LONG 26
AS THE ONLINE PRODUC T IS LIKELY TO BE AC CESSED BY CHILDREN ; 27
(2) REVIEW EACH DA TA PROTECTION IMPACT ASSESSMENT AS 28
NECESSARY TO ACCOUNT FOR MATERIAL CHANGES TO PROCESSING PERTAI NING TO 29
THE ONLINE PRODUCT W ITHIN 90 DAYS OF SUCH MATERIA L CHANGES; 30
(3) CONFIGURE NOTWITHSTANDING ANY O THER LAW, CONFIGURE 31
ALL DEFAULT PRIVACY SETTINGS PROV IDED TO CHILDREN BY THE ONLINE 32 20 HOUSE BILL 603
PRODUCT TO OFFER A H IGH LEVEL OF PRIVACY , UNLESS THE COVERED E NTITY CAN 1
DEMONSTRATE A COMPEL LING REASON THAT A D IFFERENT SETTING IS IN THE BEST 2
INTERESTS OF CHILDRE N; 3
(4) PROVIDE ANY PRIVACY I NFORMATION , TERMS OF SERVICE , 4
POLICIES, AND COMMUNITY STANDA RDS CONCISELY , PROMINENTLY , AND USING 5
CLEAR LANGUAGE SUITE D TO THE AGE OF CHIL DREN LIKELY TO ACCES S THE 6
ONLINE PRODUCT ; AND 7
(5) PROVIDE PROMINENT , ACCESSIBLE, AND RESPONSIVE TOOLS TO 8
HELP CHILDREN OR THE IR PARENTS OR GUARDI ANS, IF APPLICABLE, EXERCISE 9
THEIR PRIVACY RIGHTS AND REPORT CONCERNS . 10
14–4606. 11
(A) A COVERED ENTITY THAT PROVIDES AN ONLINE P RODUCT THAT IS 12
ACCESSED OR REASONAB LY LIKELY TO BE ACCE SSED BY CHILDREN MAY NOT: 13
(1) PROCESS THE PERSONAL DATA OF A CHILD IN A WAY THAT IS 14
INCONSISTENT WITH TH E BEST INTERESTS OF CHILDREN REASONABLY LIKELY TO 15
ACCESS THE ONLINE PR ODUCT; 16
(2) PROFILE A CHILD BY DE FAULT, UNLESS: 17
(I) THE COVERED ENTITY CA N DEMONSTRATE THAT T HE 18
COVERED ENTITY HAS A PPROPRIATE SAFEGUARD S IN PLACE TO ENSURE THAT 19
PROFILING IS CONSIST ENT WITH THE BEST IN TERESTS OF CHILDREN WHO ACCESS 20
OR ARE REASONABLY LI KELY TO ACCESS THE O NLINE PRODUCT ; AND 21
(II) 1. PROFILING IS NECESSAR Y TO PROVIDE THE 22
REQUESTED ONLINE PRODUCT , AND IS DONE ONLY WIT H RESPECT TO THE ASPECTS 23
OF THE ONLINE PRODUC T THAT THE CHILD IS ACTIVELY AND KNOWING LY ENGAGED 24
WITH; OR 25
2. THE COVERED ENTITY CA N DEMONSTRATE A 26
COMPELLING REASON TH AT PROFILING IS IN T HE BEST INTERESTS OF CHILDREN; 27
(3) PROCESS PERSONAL DATA OF A CHILD THAT IS NOT REASONABLY 28
NECESSARY TO PROVIDE AN ONLINE PRODUCT TH AT THE CHILD IS ACTI VELY AND 29
KNOWINGLY ENGAGED WI TH; 30
(4) PROCESS THE PERSONAL DATA OF A CHILD END USER FOR ANY 31
REASON OTHER THAN A REASON FOR WHICH THA T PERSONAL DATA WAS 32
COLLECTED; 33 HOUSE BILL 603 21
(5) PROCESS ANY PRECISE GEOL OCATION INFORMATION DATA OF A 1
CHILD BY DEFAULT , UNLESS: 2
(I) THE COLLECTION OF THE PRECISE GEOLOCATION 3
INFORMATION DATA IS STRICTLY NECESSAR Y FOR THE COVERED EN TITY TO 4
PROVIDE THE ONLINE P RODUCT; AND 5
(II) THE PRECISE GEOLOCATI ON DATA IS PROCESSED ON LY FOR 6
THE LIMITED TIME THA T IS NECESSARY TO PR OVIDE THE ONLINE PRO DUCT; 7
(6) PROCESS ANY PRECISE G EOLOCATION INFORMATION DATA OF A 8
CHILD WITHOUT PROVID ING AN OBVIOUS SIGNA L TO THE CHILD FOR T HE DURATION 9
THAT THE PRECISE GEO LOCATION INFORMATION DATA IS BEING COLLECTED ; 10
(7) USE DARK PATTERNS TO : 11
(I) CAUSE A CHILD TO PROV IDE PERSONAL DATA BE YOND 12
WHAT IS REASONABLY E XPECTED TO PROVIDE T HE ONLINE PRODUCT ; 13
(II) CIRCUMVENT PRIVACY PR OTECTIONS; OR 14
(III) TAKE ANY ACTION THAT THE COVERED ENTITY KNO WS, OR 15
HAS REASON TO KNOW , IS NOT IN THE BEST I NTERESTS OF CHILDREN WHO ACCESS 16
OR ARE REASONABLY LI KELY TO ACCESS THE O NLINE PRODUCT ; 17
(8) PROCESS ANY PERSONAL DATA FOR THE PURPOSE OF 18
ESTIMATING THE AGE O F A CHILD THAT IS AC TIVELY AND KNOWINGLY ENGAGED 19
WITH AN ONLINE PRODU CT THAT IS NOT REASO NABLY NECESSARY TO P ROVIDE THE 20
ONLINE PRODUCT ; OR 21
(9) ALLOW A CHILD’S PARENT, GUARDIAN, OR ANY OTHER CONSUME R 22
TO MONITOR THE CHILD ’S ONLINE ACTIVITY OR TRACK THE CHILD ’S LOCATION, 23
WITHOUT PROVID ING AN OBVIOUS SIGNA L TO THE CHILD WHEN THE CHILD IS BEING 24
MONITORED OR TRACKED ALLOW A PERSON OTHER THAN A CHILD ’S PARENT OR 25
GUARDIAN TO MONITOR THE CHILD’S ONLINE ACTIVITY WI THOUT FIRST NOTIFYIN G 26
THE CHILD AND THE CH ILD’S PARENT OR GUARDIAN . 27
(B) A COVERED ENTITY THAT PROVIDES AN ONLINE P RODUCT THAT IS 28
ACCESSED OR REASONAB LY LIKELY TO BE ACCE SSED BY CHILDREN MAY ALLOW A 29
CHILD’S PARENT OR GUARDIAN TO MONITOR THE CHILD ’S ONLINE ACTIVITY OR 30
TRACK THE CHILD ’S LOCATION, WITHOUT PROVIDING AN OBVIOUS SIGNAL TO THE 31
CHILD WHEN THE CHILD IS BEING MONITORED O R TRACKED. 32
22 HOUSE BILL 603
(C) IN MAKING A DETERMINA TION AS TO WHETHER A N ONLINE PRODUCT IS 1
REASONABLY LIKELY TO BE ACCESSED BY CHILD REN, A COVERED ENTITY MAY NOT 2
COLLECT OR PROCESS A NY PERSONAL DATA BEY OND WHAT IS REASON ABLY 3
NECESSARY TO MAKE TH E DETERMINATION . 4
14–4607. 5
(A) WITHIN 5 BUSINESS DAYS AFTER RECEIVING A WRITTEN REQUEST FROM 6
THE DIVISION, A COVERED ENTITY THA T PROVIDES AN ONLINE PRODUCT 7
REASONABLY LIKELY TO BE ACCESSED BY CHILD REN SHALL PROVIDE TO THE 8
DIVISION A LIST OF ALL DATA PROTECTION IMPACT AS SESSMENTS THE COVERE D 9
ENTITY HAS COMPLETED UNDER § 14–4604 OF THIS SUBTITLE. 10
(B) (1) WITHIN 7 BUSINESS DAYS AFTER RECEIVING A WRITTEN REQUEST 11
FROM THE DIVISION, A COVERED ENTITY SHA LL PROVIDE TO THE DIVISION ANY 12
DATA PROTECTION IMPAC T ASSESSMENT COMPLET ED UNDER § 14–4604 OF THIS 13
SUBTITLE. 14
(2) THE DIVISION MAY EXTEND B EYOND 7 DAYS THE AMOUNT OF 15
TIME ALLOWED FOR A C OVERED ENTITY TO PRO DUCE A DATA PROTECTI ON IMPACT 16
ASSESSMENT . 17
(C) TO THE EXTENT THAT AN Y DISCLOSUR E REQUIRED UNDER SUB SECTION 18
(B) OF THIS SECTION INCL UDES INFORMATION SUB JECT TO ATTORNEY –CLIENT 19
PRIVILEGE OR WORK –PRODUCT PROTECTION , THE DISCLOSURE MAY N OT 20
CONSTITUTE A WAIVER OF THAT PRIVILEGE OR PROTECTION. 21
14–4608. 22
(A) A VIOLATION OF THIS SU BTITLE: 23
(1) IS AN UNFAIR, ABUSIVE, OR DECEPTIVE TRADE P RACTICE; AND 24
(2) EXCEPT FOR § 13–410 OF THIS ARTICLE , IS SUBJECT TO THE 25
ENFORCEMENT PROVISIO NS CONTAINED IN TITLE 13 OF THIS ARTICLE. 26
(B) A COVERED ENTITY THAT VIOLATES THIS SUBTIT LE IS SUBJECT TO A 27
CIVIL PENALTY NOT EXCE EDING: 28
(1) $2,500 PER AFFECTED CHILD F OR EACH NEGLIGENT VI OLATION; 29
AND 30
(2) $7,500 PER AFFECTED CHILD F OR EACH INTENTIONAL 31
VIOLATION. 32 HOUSE BILL 603 23
(C) THE DIVISION SHALL PAY AL L FINES, PENALTIES, AND EXPENSES 1
COLLECTED BY THE DIVISION UNDER THIS SUBSECTION INTO THE GENERAL FUND 2
WITH THE INTENT THAT FINES, PENALTIES, AND EXPENSES BE USED TO FULLY 3
OFFSET ANY COSTS INC URRED BY THE DIVISION IN CONNECTIO N WITH THIS 4
SUBTITLE. 5
14–4609. 6
(A) IF A COVERED ENTITY I S IN SUBSTANTIAL COM PLIANCE WITH THE 7
REQUIREMENTS OF §§ 14–4604 THROUGH 14–4606 OF THIS SUBTITLE , THE 8
DIVISION SHALL PROVID E WRITTEN NOTICE TO THE COVERED ENTITY B EFORE 9
FILING AN ACTION UND ER § 14–4608 OF THIS SUBTITLE . 10
(B) NOTICE GIVEN UNDER SU BSECTION (A) OF THIS SECTION SHAL L 11
IDENTIFY THE SPECIFIC PROVISIO NS OF THIS SUBTITLE THAT THE DIVISION 12
ALLEGES HAVE BEEN OR ARE BEING VIOLATED . 13
(C) A COVERED ENTITY MAY N OT BE LIABLE FOR A C IVIL PENALTY FOR A 14
VIOLATION FOR WHICH NOTICE IS GIVEN UNDE R SUBSECTION (A) OF THIS SECTION 15
IF THE COVERED EN TITY: 16
(1) HAS COMPLETED A DATA PROTECTION IMPACT AS SESSMENT 17
UNDER § 14–4604(A)(2) OF THIS SUBTITLE FOR EXISTING ONLINE PROD UCTS THAT 18
ARE REASONABLY LIKEL Y TO BE ACCESSED BY CHILDREN; 19
(2) HAS COMPLETED A DATA PROTECTION IMPACT AS SESSMENT 20
UNDER § 14–4604(A)(3) OF THIS SUBTITLE PRI OR TO OFFERING TO TH E PUBLIC A 21
NEW ONLINE PRODUCT T HAT IS REASONABLY LI KELY TO BE ACCESSED BY 22
CHILDREN; 23
(3) CURES THE VIOLATION S PECIFIED IN THE DIVISION’S NOTICE 24
WITHIN 90 DAYS AFTER ISSUANCE OF THE NOTICE UNDER SUBSECTION (A) OF THIS 25
SECTION; 26
(4) PROVIDES THE DIVISION WITH A WRITT EN STATEMENT THAT TH E 27
ALLEGED VIOLATION HA S BEEN CURED; AND 28
(5) TAKES MEASURES TO PRE VENT ANY FUTURE VIOL ATION THAT 29
THE DIVISION AGREED TO BE SUFFICIENT. 30
14–4610. 31
NOTHING IN THIS SUBTI TLE MAY BE INTERPRETED O R CONSTRUED TO : 32 24 HOUSE BILL 603
(1) PROVIDE A PRIVATE RIG HT OF ACTION UNDER T HIS SUBTITLE OR 1
ANY OTHER LAW ; 2
(2) IMPOSE LIABILITY IN A MANNER THAT IS INCON SISTENT WITH 47 3
U.S.C. § 230; 4
(3) PREVENT OR PRECLUDE A CHILD FROM DELIBERAT ELY OR 5
INDEPENDENTLY SEARCH ING FOR OR SPECIFICA LLY REQUESTING CONTE NT; OR 6
(4) REQUIRE A COVERED ENT ITY TO IMPLEMENT AN AGE–GATING 7
REQUIREMENT . 8
14–4611. 9
NOTWITHSTANDING ANY O THER LAW , A DATA PROTECTION IM PACT 10
ASSESSMENT IS PROTEC TED AS CONFIDENTIAL AND SHALL BE EXEMPT FROM 11
PUBLIC DISCLOSURE , INCLUDING UNDER THE MARYLAND PUBLIC INFORMATION 12
ACT. 13
14–4612. 14
(A) WHEREVER POSSIBLE , LAW RELATING TO CONS UMERS’ PERSONAL 15
DATA SHOULD BE CONST RUED TO HARMONIZE WI TH THE PROVISIONS OF THIS 16
SUBTITLE. 17
(B) IN THE EVENT OF A CONFLICT BETWEEN O THER LAWS AND THIS 18
SUBTITLE, THE PROVISIONS OF TH E LAW THAT AFFORD TH E GREATEST PROTECTIO N 19
FOR THE RIGHT OF PRI VACY FOR CONSUMERS S HALL CONTROL . 20
14–4613. 21
THIS SUBTITLE MAY BE CITED AS THE MARYLAND AGE–APPROPRIATE 22
DESIGN CODE ACT. 23
SECTION 2. AND BE IT FURTHER ENACTED, That this Act shall take effect 24
October 1, 2024. 25