EXPLANATION: CAPITALS INDICATE MAT TER ADDED TO EXISTIN G LAW.
[Brackets] indicate matter deleted from existing law.
Underlining indicates amendments to bill.
Strike out indicates matter stricken from the bill by amendment or deleted from the law by
amendment.
*sb0571*
SENATE BILL 571
I3, S1 4lr1822
SB 844/23 – FIN CF HB 603
By: Senators Kramer, Hester, and West
Introduced and read first time: January 25, 2024
Assigned to: Finance
Committee Report: Favorable with amendments
Senate action: Adopted
Read second time: February 26, 2024
CHAPTER ______
AN ACT concerning 1
Consumer Protection – Online Products and Services – Data of Children 2
(Maryland Kids Code) 3
FOR the purpose of requiring a covered entity that offers an online product reasonably 4
likely to be accessed by children to complete a certain data protection impact 5
assessment under certain circumstances; requiring certain privacy protections for 6
certain online products; prohibiting certain data collection and sharing practices; 7
and generally relating to the protection of online privacy of children. 8
BY repealing and reenacting, with amendments, 9
Article – Commercial Law 10
Section 13–301(14)(xl) 11
Annotated Code of Maryland 12
(2013 Replacement Volume and 2023 Supplement) 13
BY repealing and reenacting, without amendments, 14
Article – Commercial Law 15
Section 13–301(14)(xli) 16
Annotated Code of Maryland 17
(2013 Replacement Volume and 2023 Supplement) 18
BY adding to 19
Article – Commercial Law 20
Section 13–301(14)(xlii); and 14–4601 through 14–4612 14–4613 to be under the new 21
subtitle “Subtitle 46. Maryland Age–Appropriate Design Code Act” 22 2 SENATE BILL 571
Annotated Code of Maryland 1
(2013 Replacement Volume and 2023 Supplement) 2
Preamble 3
WHEREAS, The United Nations Convention on the Rights of the Child recognizes 4
that children need special safeguards and care in all aspects of their lives, specifying how 5
children’s rights apply in the digital environment in General Comment No. 25; and 6
WHEREAS, As children spend more of their time interacting with the online world, 7
the impact of the design of online products on their well–being has become a focus of 8
significant concern; and 9
WHEREAS, There is widespread agreement at the international level, and 10
bipartisan agreement in the United States, that more needs to be done to create a safer 11
online space for children to learn, explore, and play; and 12
WHEREAS, Lawmakers around the globe have taken steps to enhance privacy 13
protections for children based on the understanding that, in relation to data protection, 14
greater privacy necessarily means greater security and well–being; and 15
WHEREAS, Children should be afforded protections not only by online products and 16
services specifically directed at them, but by all online products they are likely to access, 17
and thus covered entities should take into account the unique needs of different age ranges, 18
including the following developmental stages: 0 to 5 years of age, or “preliterate and early 19
literacy”; 6 to 9 years of age, or “core primary school years”; 10 to 12 years of age, or 20
“transition years”; 13 to 15 years of age, or “early teens”; and 16 to 17 years of age, or 21
“approaching adulthood”; and 22
WHEREAS, While it is clear that the same data protection regime may not be 23
appropriate for children of all ages, children of all ages should nonetheless be afforded 24
privacy and protection, and online products should adopt data protection regimes 25
appropriate for children of the ages likely to access those products; and 26
WHEREAS, According to the Pew Research Center, in 2022, 97% of American 27
teenagers aged 13–17 used the Internet every day, with 46% responding they used the 28
Internet almost constantly; and, additionally, 36% of teens reported being concerned about 29
their social media use, while an earlier Pew Research Center study found that 59% of teens 30
have been bullied or harassed online; and 31
WHEREAS, The findings of the Pew Research Center are not surprising, given what 32
is known about controllers’ use of personal data and how it is utilized to inform 33
manipulative practices, to which children are particularly vulnerable; and 34
WHEREAS, Online products that are likely to be accessed by children should offer 35
strong privacy protections that, by design, prevent the use of children’s personal data to 36
offer elements that the covered entity offering the online product knows, or has reason to 37 SENATE BILL 571 3
know, are likely to be materially detrimental to the physical health, mental health, or 1
well–being of children; and 2
WHEREAS, Ensuring robust privacy, and thus safety, protections for children by 3
design is consistent with federal safety laws and policies applied to children’s products, 4
regulating everything from toys to clothing to furniture and games; and 5
WHEREAS, The consumer protections that federal safety laws apply to children’s 6
products require these products to comply with certain safety standards by their very 7
design, so that harms to children, and in some cases other consumers, are prevented; and 8
WHEREAS, It is the intent of the Maryland General Assembly that the Maryland 9
Age–Appropriate Design Code Act promote innovation by covered entities whose online 10
products are likely to be accessed by children by ensuring that those online products are 11
designed in a manner that recognizes the distinct needs of children within different age 12
ranges; and now, therefore, 13
WHEREAS, It is the intent of the Maryland General Assembly that covered entities 14
covered by the Maryland Age–Appropriate Design Code Act may look to guidance and 15
innovation in response to the Age–Appropriate Design Code established in the United 16
Kingdom and California when developing online products that are likely to be accessed by 17
children; now, therefore, 18
SECTION 1. BE IT ENACTED BY THE GENERAL ASSEMBLY OF MARYLAND, 19
That the Laws of Maryland read as follows: 20
Article – Commercial Law 21
13–301. 22
Unfair, abusive, or deceptive trade practices include any: 23
(14) Violation of a provision of: 24
(xl) Title 14, Subtitle 13 of the Public Safety Article; [or] 25
(xli) Title 14, Subtitle 45 of this article; or 26
(XLII) TITLE 14, SUBTITLE 46 OF THIS ARTICLE; OR 27
SUBTITLE 46. MARYLAND AGE–APPROPRIATE DESIGN CODE ACT. 28
14–4601. 29
(A) IN THIS SUBTITLE THE FOLLOWING WORDS HAVE THE MEANINGS 30
INDICATED. 31 4 SENATE BILL 571
(B) (1) “AGGREGATE CONSUMER INFORMATION ” MEANS INFORMATION : 1
(I) THAT RELATES TO A GRO UP OR CATEGORY OF CO NSUMERS; 2
(II) FROM WHICH INDIVIDUAL CONSUMER IDENTITIES HAVE 3
BEEN REMOVED ; AND 4
(III) THAT IS NOT LINKED OR REASONABLY LINKABLE TO ANY 5
CONSUMER OR HOUSEHOL D, INCLUDING BY A DEVICE. 6
(2) “AGGREGATE CONSUMER IN FORMATION” DOES NOT INCLUDE 7
INDIVIDUAL CONSUMER RECORDS THAT HAVE BE EN DE–IDENTIFIED. 8
(C) “BEST INTERESTS OF CHI LDREN” MEANS A COVERED ENTI TY’S USE OF 9
THE PERSONAL DATA OF A CHILD CHILDREN OR THE DESIGN OF AN ONLINE 10
PRODUCT IN A WAY THA T DOES NOT: 11
(1) BENEFIT THE COVERED E NTITY TO THE DETRIME NT OF A CHILD 12
CHILDREN; AND 13
(2) RESULT IN: 14
(I) REASONABLY FORESEEABL E AND MATERIAL PHYSI CAL OR 15
FINANCIAL HARM TO A CHILD CHILDREN; 16
(II) SEVERE AND REASONABLY FORESEEABLE PSYCHOLO GICAL 17
OR EMOTIONAL HARM TO A CHILD CHILDREN; 18
(III) A HIGHLY OFFENSIVE INT RUSION ON A CHILD’S CHILDREN’S 19
REASONABLE EXPECTATI ON OF PRIVACY; OR 20
(IV) DISCRIMINATION AGAINS T A CHILD CHILDREN BASED ON 21
RACE, COLOR, RELIGION, NATIONAL ORIGIN , DISABILITY, GENDER IDENTITY , SEX, 22
OR SEXUAL ORIENTATIO N. 23
(D) (1) “BIOMETRIC INFORMATION DATA” MEANS INFORMATION DATA 24
GENERATED BY AUTOMAT IC MEASUREMENTS OF A N INDIVIDUAL’S BIOLOGICAL 25
CHARACTERISTICS . 26
(2) “BIOMETRIC INFORMATION DATA” INCLUDES: 27
(I) A FINGERPRINT ; 28
(II) A VOICEPRINT; 29 SENATE BILL 571 5
(III) AN EYE RETINA OR IRIS PATTERN; OR 1
(IV) ANY OTHER UNIQUE BIOL OGICAL PATTERN OR 2
CHARACTERISTIC THAT IS USED TO IDENTIFY A SPECIFIC INDIVIDUA L. 3
(3) “BIOMETRIC INFORMATI ON DATA” DOES NOT INCLUDE : 4
(I) A DIGITAL OR PHYSICAL PHOTOGRAPH ; 5
(II) AN AUDIO OR VIDEO REC ORDING; OR 6
(III) DATA GENERATED FROM A DIGITAL OR PHYSICAL 7
PHOTOGRAPH , OR AN AUDIO OR VIDEO RECORDING, UNLESS THE DATA IS 8
GENERATED TO IDENTIF Y A SPECIFIC INDIVIDUAL . 9
(E) “CHILD” MEANS A CONSUMER WHO IS UNDER THE AGE OF 18 YEARS. 10
(F) (1) “COLLECT” MEANS TO BUY, RENT, GATHER, OBTAIN, RECEIVE, OR 11
ACCESS PERSONAL DATA RELATING TO A CONSUM ER. 12
(2) “COLLECT” INCLUDES: 13
(I) ACTIVELY OR PASSIVELY RECEIVING RECEIVING DATA 14
FROM THE CONSUMER ; AND 15
(II) OBSERVING THE CONSUME R’S BEHAVIOR. 16
(G) (1) “CONSUMER” MEANS AN INDIVIDUAL WHO IS A RESIDENT OF THE 17
STATE, HOWEVER IDENTIFIED , INCLUDING BY A UNIQU E IDENTIFIER. 18
(2) “CONSUMER” DOES NOT INCLUDE AN INDIVIDUAL ACTING IN A 19
COMMERCIAL OR EMPLOY MENT CONTEXT OR AS A N EMPLOYER , AN OWNER, A 20
DIRECTOR, AN OFFICER, OR A CONTRACTOR OF A COMPANY, PARTNERSHIP , SOLE 21
PROPRIETORSHIP , NONPROFIT ORGANIZATI ON, OR GOVERNMENT AGENCY UNIT 22
WHOSE COMMUNICATIONS OR TRANSACT IONS WITH THE COVERE D ENTITY OCCUR 23
SOLELY WITHIN THE CO NTEXT OF THAT INDIVI DUAL’S ROLE WITH THE COMP ANY, 24
PARTNERSHIP , SOLE PROPRIETORSHIP , NONPROFIT ORGANIZATI ON, OR 25
GOVERNMENT AGENCY UNIT. 26
(H) (1) “COVERED ENTITY ” MEANS A SOLE PROPRIE TORSHIP, A LIMITED 27
LIABILITY COMPANY , A CORPORATION , AN ASSOCIATION , OR ANY OTHER LEGAL 28
ENTITY THAT: 29
6 SENATE BILL 571
(I) IS ORGANIZED OR OPERA TED FOR THE PROFIT O R 1
FINANCIAL BENEFIT OF ITS SHAREHOLDERS OR OTHER OWNERS ; 2
(II) COLLECTS CONSUMERS ’ PERSONAL INFORMATION DATA OR 3
USES ANOTHER ENTITY TO COLLECT CONSUMERS ’ PERSONAL INFORMATION DATA 4
ON ITS BEHALF; 5
(III) ALONE, OR JOINTLY WITH ITS AFFILIATES OR 6
SUBSIDIARIES, DETERMINES THE PURPO SES AND MEANS OF THE PROCESSING OF 7
CONSUMERS ’ PERSONAL DATA ; 8
(IV) DOES BUSINESS IN THE STATE; AND 9
(V) 1. HAS ANNUAL GROSS REVE NUES IN EXCESS OF 10
$25,000,000, ADJUSTED EVERY ODD –NUMBERED YEAR TO REF LECT ADJUSTMENTS 11
IN THE CONSUMER PRICE INDEX; 12
2. ANNUALLY BUYS , RECEIVES, SELLS, OR SHARES THE 13
PERSONAL DATA OF 50,000 OR MORE CONSUMERS , HOUSEHO LDS, OR DEVICES, 14
ALONE OR IN COMBINAT ION WITH ITS AFFILIA TES OR SUBSIDIARIES , FOR THE 15
COVERED ENTITY ’S COMMERCIAL PURPOSE S; OR 16
3. DERIVES AT LEAST 50% OF ITS ANNUAL REVENU ES 17
FROM THE SALE OF CON SUMERS’ PERSONAL DATA . 18
(2) “COVERED ENTITY ” INCLUDES: 19
(I) AN ENTITY THAT CONTRO LS OR IS CONTROLLED BY A 20
BUSINESS AND THAT SH ARES A NAME, SERVICE MARK , OR TRADEMARK THAT WO ULD 21
CAUSE A REASONABLE C ONSUMER TO UNDERSTAN D THAT TWO OR MORE E NTITIES 22
ARE COMMONLY OWNED ; AND 23
(II) A JOINT VENTURE OR PAR TNERSHIP COMPOSED OF 24
BUSINESSES IN WHICH EACH HAS AT LEAST A 40% INTEREST IN THE JOIN T VENTURE 25
OR PARTNERSHIP . 26
(I) (1) “DARK PATTERN ” MEANS A USER INTERFA CE DESIGNED OR 27
MANIPULATED WITH THE PURPOSE OF SUBVERTIN G OR IMPAIRING USER 28
AUTONOMY , DECISION MAKING , OR CHOICE. 29
(2) “DARK PATTERN ” INCLUDES ANY PRACTIC E IDENTIFIED BY THE 30
FEDERAL TRADE COMMISSION AS A DARK PATTERN. 31
SENATE BILL 571 7
(J) “DATA PROTECTION IMPAC T ASSESSMENT” OR “ASSESSMENT” MEANS A 1
SYSTEMATIC SURVEY TO ASSESS COMPLIANCE WI TH THE DUTY TO ACT I N THE BEST 2
INTERESTS OF CHILDREN . 3
(K) “DEFAULT” MEANS A PRESELECTED OPTION ADOPTED BY TH E 4
COVERED ENTITY FOR A N ONLINE PRODUCT . 5
(L) “DE–IDENTIFIED INFORMATI ON” MEANS DATA THAT CANN OT 6
REASONABLY BE USED T O INFER INFORMATION ABOUT, OR OTHERWISE BE LINK ED 7
TO, AN IDENTIFIED OR IDENTI FIABLE INDIVIDUAL , IF THE COVERED ENTIT Y THAT 8
POSSESSES THE DATA : 9
(1) TAKES REASONABLE MEAS URES TO ENSURE THAT THE DATA 10
CANNOT BE LINKED WIT H AN INDIVIDUAL; 11
(2) PUBLICLY COMMITS TO : 12
(I) MAINTAIN AND USE THE DATA IN DE–IDENTIFIED FORM; 13
AND 14
(II) NOT ATTEMPT TO RE –IDENTIFY THE INFORMA TION; AND 15
(3) CONTRACTUALLY OBLIGAT ES ANY RECIPIENTS OF THE 16
INFORMATION TO COMPL Y WITH ALL PROVISION S OF THIS SUBSECTION . 17
(M) “DERIVED DATA” MEANS DATA THAT ARE DERIVED FROM OTHER D ATA 18
OR INFORMATION , OR OTHERWISE OBTAINE D THROUGH CORRELATIO NS, 19
PREDICTIONS, ASSUMPTIONS , INFERENCES, OR CONCLUSIONS DRAWN FROM FACTS 20
OR EVIDENCE OR ANOTH ER SOURCE OF INFORMA TION OR DATA ABOUT A CHILD OR 21
A CHILD’S DEVICE. 22
(N) (L) “DIVISION” MEANS THE DIVISION OF CONSUMER PROTECTION 23
OF THE OFFICE OF THE ATTORNEY GENERAL. 24
(O) (M) (1) “ONLINE PRODUCT ” MEANS AN ONLINE SERV ICE, PRODUCT, 25
OR FEATURE. 26
(2) “ONLINE PRODUCT ” DOES NOT INCLUDE : 27
(I) A TELECOMMUNICATIONS S ERVICE, AS DEFINED IN 47 28
U.S.C. § 153; 29
(II) THE SALE, DELIVERY, OR USE OF A PHYSICAL PRODUCT 30
SOLD BY AN ONLINE RE TAILER; OR 31 8 SENATE BILL 571
(III) A BROADBAND INTERNET ACCESS SERVI CE, AS DEFINED IN 1
47 C.F.R. § 8.1(B). 2
(P) (N) (1) “PERSONAL DATA ” MEANS INFORMATION TH AT IS LINKED 3
OR REASONABLY ABLE T O BE LINKED, ALONE OR IN COMBINAT ION WITH OTHER 4
INFORMATION , TO AN IDENTIFIED OR IDENTIFIABLE INDIVID UAL. 5
(2) “PERSONAL DATA ” INCLUDES DERIVED DAT A THAT OTHERWISE 6
MEETS THE DEFINITION IN PARAGRAPH (1) OF THIS SUBSECTION DOES NOT 7
INCLUDE: 8
(I) DE–IDENTIFIED DATA; OR 9
(II) PUBLICLY AVAILABLE IN FORMATION. 10
(Q) (O) (1) “PRECISE GEOLOCATION ” MEANS ANY DATA THAT IS: 11
(1) DERIVED FROM A DEVICE ; AND 12
(2) USED OR INTENDED TO B E USED TO LOCATE A C ONSUMER 13
GEOGRAPHICALLY WITHI N A RADIUS OF UP TO 1,850 FEET INFORMATION DERIVED 14
FROM TECHNOLOGY THAT CAN PRECISELY AND AC CURATELY IDENTIFY TH E 15
SPECIFIC LOCATION OF A CONSUMER WITHIN A RADIUS OF 1,750 FEET. 16
(2) “PRECISE GEOLOCATION ” INCLUDES LATITUDE AN D LONGITUDE 17
COORDINATES OF SIMIL AR PRECISION TO THOS E PRODUCED BY A GLOBAL 18
POSITIONING SYSTEM O R A SIMILAR MECHANIS M. 19
(3) “PRECISE GEOLOCATION ” DOES NOT INCLUDE : 20
(I) THE CONTENT OF COMMUN ICATIONS; 21
(II) DATA GENERATED BY OR CONNECTED WITH A UTI LITY 22
COMPANY’S ADVANCED METERING INFRASTRUCTURE ; OR 23
(III) DATA GENERATED BY EQU IPMENT USED BY A UTI LITY 24
COMPANY. 25
(R) (P) (1) “PROCESS” MEANS TO CONDUCT OR DIRECT ANY 26
OPERATION THAT MAY BE PERFORME D ON PERSONAL DATA , WHETHER OR NOT BY 27
AUTOMATED MEANS TO PERFORM AN OPERAT ION OR SET OF OPERAT IONS BY 28
MANUAL OR AUTOMATED MEANS O N PERSONAL DATA . 29
SENATE BILL 571 9
(2) “PROCESS” INCLUDES: 1
(I) COLLECTING PERSONAL D ATA; 2
(II) USING PERSONAL DATA ; 3
(III) STORING PERSONAL DATA ; 4
(IV) DISCLOSING PERSONAL D ATA; 5
(V) ANALYZING PERSONAL DA TA; 6
(VI) DELETING PERSONAL DATA; 7
(VII) MODIFYING PERSONAL DA TA; AND 8
(VIII) OTHERWISE HANDLING PE RSONAL DATA COLLECTING, 9
USING, STORING, DISCLOSING, ANALYZING, DELETING, OR MODIFYING PERSONA L 10
DATA. 11
(S) (Q) (1) “PROFILING” MEANS ANY FORM OF AU TOMATED 12
PROCESSING OF PERSON AL DATA THAT USES PERSO NAL DATA TO EVALUATE , 13
ANALYZE, OR PREDICT CERTAIN A SPECTS RELATING TO A N INDIVIDUAL, INCLUDING 14
AN INDIVIDUAL ’S ECONOMIC SITUATION , HEALTH, PERSONAL PREFERENCES , 15
INTERESTS, RELIABILITY, BEHAVIOR, LOCATION, OR MOVEMENTS . 16
(2) “PROFILING” DOES NOT INCLUDE THE PROCESSING OF 17
PERSONAL DATA THAT D OES NOT RESULT IN AN ASSESSMENT OR JUDGME NT ABOUT 18
AN INDIVIDUAL. 19
(T) (R) (1) “PUBLICLY AVAILABLE IN FORMATION” MEANS 20
INFORMATION THAT : 21
(I) IS LAWFULLY MADE AVAI LABLE FROM FEDERAL , STATE, OR 22
LOCAL GOVERNMENT RECORDS ; OR 23
(II) A COVERED ENTITY HAS A REASONABLE BASIS TO BELIEVE 24
IS LAWFULLY MADE AVA ILABLE TO THE GENERA L PUBLIC BY THE CONS UMER OR BY 25
WIDELY DISTRIBUTED M EDIA. 26
(2) “PUBLICLY AVAILABLE IN FORMATION” DOES NOT INCLUDE 27
BIOMETRIC INFORMATION DATA COLLECTED BY A COVER ED ENTITY ABOUT A 28
CONSUMER WITHOUT THE CONSUMER ’S KNOWLEDGE . 29
10 SENATE BILL 571
(U) (S) “REASONABLY LIKELY TO BE ACCESSED BY CHILD REN” MEANS 1
REASONABLY EXPECTED IT IS REASONABLE TO EXPECT THAT THE ONLINE PROD UCT 2
WOULD BE ACCESSED BY CHILDREN, BASED ON SATISFYING ANY OF THE FOLLOWING 3
CRITERIA: 4
(1) THE ONLINE PRODUCT IS DIRECTED TO CHILDREN AS DEFINED IN 5
THE FEDERAL CHILDREN’S ONLINE PRIVACY PROTECTION ACT; 6
(2) THE ONLINE PRODUCT IS DETERMINED , BASED ON COMPETENT 7
AND RELIABLE EVIDENC E REGARDING AUDIENCE COMPOSITION , TO BE ROUTINELY 8
ACCESSED BY A SIGNIF ICANT NUMBER OF CHIL DREN; 9
(3) THE ONLINE PRODUCT IS SUBSTANTIALLY SIMILA R OR THE SAME 10
AS AN ONLINE PRODUCT THAT SATISFIES ITEM (2) OF THIS SUBSECTION ; 11
(4) THE ONLINE PRODUCT FE ATURES ADVERTISEMENTS MA RKETED 12
TO CHILDREN; 13
(5) THE COVERED ENTITY ’S INTERNAL RESEARCH FINDINGS 14
DETERMINE THAT A SIG NIFICANT AMOUNT OF T HE ONLINE PRODUCT ’S AUDIENCE IS 15
COMPOSED OF CHILDREN ; OR 16
(6) THE COVERED ENTITY KN OWS OR SHOULD HAVE K NOWN THAT A 17
USER IS A CHILD. 18
(V) (T) (1) “SELL” MEANS TO TRANSFER , RENT, RELEASE, DISCLOSE, 19
DISSEMINATE, MAKE AVAILABLE , OR OTHERWISE COMMUNI CATE, WHETHER 20
ORALLY, IN WRITING, OR BY ELECTRONIC OR OTHER MEANS , A CONSUMER ’S 21
PERSONAL DATA , IN A TRANSACTION FOR MONETARY OR O THER VALUABLE 22
CONSIDERATION BETWEE N A COVERED ENTITY A ND A THIRD PARTY . 23
(2) “SELL” DOES NOT INCLUDE : 24
(I) THE DISCLOSURE OF PER SONAL DATA TO THE SE RVICE 25
PROVIDER THAT PROCES SES PERSONAL DATA ON BEHALF OF THE COVERE D ENTITY; 26
(II) THE DISCLOSURE OF PERSONAL DATA TO A T HIRD PARTY 27
FOR PURPOSES OF PROV IDING A PRODUCT OR S ERVICE REQUESTED BY THE 28
CONSUMER ; 29
(III) THE DISCLOSURE OR TRA NSFER OF PERSONAL DA TA TO AN 30
AFFILIATE OR SUBSIDI ARY OF THE COVERED E NTITY; 31
SENATE BILL 571 11
(IV) THE DISCLOSURE OF PER SONAL DATA WH ERE THE 1
CONSUMER DIRECTS THE COVERED ENTITY TO DI SCLOSE THE PERSONAL DATA OR 2
INTENTIONALLY USES T HE COVERED ENTITY TO INTERACT WITH A THIR D PARTY; OR 3
(V) THE DISCLOSURE OR TRA NSFER OF PERSONAL DA TA TO A 4
THIRD PARTY AS AN AS SET THAT IS PART OF AN ACTUAL OR PROPOSED MERGER , 5
ACQUISITION, BANKRUPTCY , OR OTHER TRANSACTION , IN WHICH THE THIRD P ARTY 6
ASSUMES CONTROL OF A LL OR PART OF THE CO VERED ENTITY’S ASSETS. 7
(W) (1) “SENSITIVE PERSONAL DA TA” MEANS: 8
(I) PERSONAL DATA THAT RE VEALS A CONSUMER ’S: 9
1. SOCIAL SECURITY NUMBER , DRIVER’S LICENSE 10
NUMBER, STATE IDENTIFICATION CARD NUMBER , OR PASSPORT NUMBER ; 11
2. ACCOUNT LOGIN INFORMA TION, FINANCIAL 12
ACCOUNT NUMBER , DEBIT CARD NUMBER , OR CREDIT CARD NUMBE R, IN 13
COMBINATION WITH ANY REQUIRED SECURITY OR ACCESS CODE, PASSWORD, OR 14
CREDENTIALS THAT ALL OW ACCESS TO AN ACCO UNT; 15
3. PRECISE GEOLOCATION ; 16
4. RACIAL OR ETHNIC ORIG IN OR RELIGIOUS OR 17
PHILOSOPHICAL BELIEF S; 18
5. MAIL, E–MAIL, TEXT, OR MESSAGE CONTENTS , 19
UNLESS THE COVERED E NTITY IS THE INTENDE D RECIPIENT; OR 20
6. GENETIC DATA; 21
(II) BIOMETRIC INFORMATION THAT IS OR MAY BE PR OCESSED 22
FOR THE PURPOSE OF U NIQUELY IDENTIFYING A CONSUMER ; 23
(III) PERSONAL DATA COLLECT ED AND ANALYZED CONC ERNING 24
A CONSUMER ’S HEALTH; OR 25
(IV) PERSONAL DATA COL LECTED AND ANALYZED CONCERNING 26
A CONSUMER ’S SEX LIFE OR SEXUAL ORIENTATION . 27
(2) “SENSITIVE PERSONAL DA TA” DOES NOT INCLUDE PUB LICLY 28
AVAILABLE INFORMATIO N. 29
12 SENATE BILL 571
(X) (U) “SERVICE PROVIDER ” MEANS A PERSON THAT PROCESSES 1
PERSONAL DATA ON BEH ALF OF A COVERED ENTITY AND THAT RECE IVES FROM OR 2
ON BEHALF OF THE COV ERED ENTITY A CONSUM ER’S PERSONAL DATA FOR 3
BUSINESS PURPOSES IN ACCORDANCE WITH A WR ITTEN CONTRACT , IF THE 4
CONTRACT PROHIBITS T HE PERSON FROM : 5
(1) SELLING OR SHARING TH E PERSONAL DATA ; 6
(2) RETAINING, USING, OR DISCLOSING THE PE RSONAL DATA FOR 7
ANY PURPOSE OTHER TH AN FOR THE BUSINESS PURPOSES SPECIFIED I N THE 8
CONTRACT FOR THE COV ERED ENTITY , INCLUDING RETAINING , USING, OR 9
DISCLOSING THE PERSO NAL DATA FOR A COMME RCIAL PURPOSE OTHER THAN THE 10
BUSINESS PURPOSES SPECIFIED IN THE CONTRACT WITH TH E COVERED ENTITY , OR 11
AS OTHERWISE ALLOWED UNDER THIS SUBTITLE ; 12
(3) RETAINING, USING, OR DISCLOSING THE PE RSONAL DATA 13
OUTSIDE THE DIRECT B USINESS RELATIONSHIP BETWEEN THE SERVICE PROVIDER 14
AND THE COVERED ENTI TY; AND 15
(4) COMBINING THE PERSONA L DATA THAT THE SERV ICE PROVIDER 16
RECEIVES FROM , OR ON BEHALF OF , THE COVERED ENTITY W ITH PERSONAL DATA 17
THAT IT RECEIVES FRO M, OR ON BEHALF OF , ANOTHER PERSON OR PE RSONS, OR 18
COLLECTS FROM ITS OW N INTERACTION WITH T HE CONSUMER . 19
(Y) (V) “SHARE” MEANS TO RENT , RELEASE, DISSEMINATE, MAKE 20
AVAILABLE, TRANSFER, OR OTHERWISE COMMUNI CATE, WHETHER ORALLY , IN 21
WRITING, OR BY ELECTRONIC OR OTHER MEANS , A CONSUMER ’S PERSONAL DATA TO 22
A THIRD PARTY FOR CR OSS–CONTEXT BEHAVIORAL A DVERTISING WHE THER OR NOT 23
FOR MONETARY OR OTHE R VALUABLE CONSIDERA TION, INCLUDING IN A 24
TRANSACTION BETWEEN A COVERED EN TITY AND A THIRD PAR TY FOR TARGETED 25
ADVERTISING FOR THE BENEFIT OF A COVERED ENTITY IN WHICH NO M ONEY IS 26
EXCHANGED . 27
(Z) (1) “TARGETED ADVERTISING ” MEANS DISPLAYING 28
ADVERTISEMENTS TO A CONSUMER WHERE THE A DVERTISEMENT IS SELE CTED 29
BASED ON PERSONAL DA TA OBTAINED OR INFER RED FROM THAT CONSUM ER’S 30
ACTIVITIES OVER TIME AND ACROSS NONAFFILI ATED INTERNET WEBSITES OR 31
ONLINE APPLICATIONS TO PREDICT THE CONSUMER ’S PREFERENCES OR 32
INTERESTS. 33
(2) “TARGETED ADVERTISING ” DOES NOT INCLUDE : 34
(I) ADVERTISEMENTS BASED ON ACTIVITIES WITHIN A 35
COVERED ENTITY ’S OWN INTERNET WEBSITES OR ONLINE APPLICATIONS ; 36 SENATE BILL 571 13
(II) ADVERTISEMENTS BASED ON THE CONTEXT OF A 1
CONSUMER’S CURRENT SEARCH QUE RY, VISIT TO AN INTERNET WEBSITE , OR USE OF 2
AN ONLINE APPLICATIO N; 3
(III) ADVERTISEMENTS DIRECT ED TO A CONSUMER IN 4
RESPONSE TO THE CONS UMER’S REQUEST FOR INFORM ATION OR FEEDBACK ; OR 5
(IV) PROCESSING PERSONAL D ATA SOLELY TO MEAS URE OR 6
REPORT ADVERTISING F REQUENCY, PERFORMANCE , OR REACH. 7
(AA) (W) “THIRD PARTY” MEANS A PERSON WHO I S NOT: 8
(1) THE COVERED ENTITY WI TH WHICH THE CONSUME R 9
INTENTIONALLY INTERA CTS AND THAT COLLECT S PERSONAL DATA FROM THE 10
CONSUMER AS PART OF THE CONSUMER ’S INTERACTION WITH T HE COVERED 11
ENTITY; OR 12
(2) A SERVICE PROVIDER FOR THE COVERED ENTITY . 13
14–4602. 14
THIS SUBTITLE DOES NO T APPLY TO: 15
(1) DATA SUBJECT TO A STA TUTE OR REGULATION I DENTIFIED 16
UNDER ITEM (I) OF THIS ITEM THAT IS CONTROLLED BY A COVERED ENTITY OR 17
SERVICE PROVIDER THA T IS: 18
(I) REQUIRED TO COMPLY WI TH: 19
1. TITLE V OF THE FEDERAL GRAMM–LEACH–BLILEY 20
ACT; 21
2. THE FEDERAL HEALTH INFORMATION TECHNOLOGY 22
FOR ECONOMIC AND CLINICAL HEALTH ACT; OR 23
3. REGULATIONS PROMULGAT ED UNDER § 264(C) OF 24
THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996; AND 25
(II) IN COMPLIANCE WITH TH E INFORMATION SECURI TY 26
REQUIREMENTS OF APPL ICABLE STATUTES OR R EGULATIONS IDENTIFIE D IN ITEM 27
(I) OF THIS ITEM; OR PROTECTED HEALTH INFO RMATION THAT IS COLLECTE D BY A 28
COVERED ENTITY OR BU SINESS ASSOCIATION G OVERNED BY THE PRIVA CY 29
SECURITY AND BREACH NOTIFICATION RULES I N 45 C.F.R. PARTS 160 AND 164, 30 14 SENATE BILL 571
ESTABLISHED UNDER TH E FEDERAL HEALTH INSURANCE PORTABILITY AND 1
ACCOUNTABILITY ACT OF 1996 AND THE FEDERAL HEALTH INFORMATION 2
TECHNOLOGY FOR ECONOMIC AND CLINICAL HEALTH ACT; 3
(2) A COVERED ENTITY GOVER NED BY THE PRIVACY S ECURITY AND 4
BREACH NOTIFICATION RULES IN 45 C.F.R. PARTS 160 AND 164, ESTABLISHED 5
UNDER THE FEDERAL HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY 6
ACT OF 1996 AND THE FEDERAL HEALTH INFORMATION TECHNOLOGY FOR 7
ECONOMIC AND CLINICAL HEALTH ACT, TO THE EXTENT THAT T HE COVERED 8
ENTITY MAINTAINS PAT IENT INFORMATION IN THE SAME MANNER AS M EDICAL 9
INFORMATION OR PROTE CTED HEALTH INFORMAT ION AS DESCRIBED IN IT EM (1) OF 10
THIS SECTION; OR 11
(3) (2) INFORMATION COLLECTED AS PART OF A CLINICA L TRIAL 12
SUBJECT TO THE FEDERAL POLICY FOR THE PROTECTION OF HUMAN SUBJECTS, 13
IN ACCORDANCE WITH : 14
(I) GOOD CLINICAL PRACTIC E GUIDELINES ISSUED BY THE 15
INTERNATIONAL COUNCIL FOR HARMONISATION OF TECHNICAL REQUIREMENTS 16
FOR PHARMACEUTICALS FOR HUMAN USE; OR 17
(II) HUMAN SUBJECT PROTECT ION REQUIREMENTS OF THE 18
U.S. FOOD AND DRUG ADMINISTRATION . 19
14–4603. 20
IT IS THE INTENT OF T HE GENERAL ASSEMBLY THAT : 21
(1) CHILDREN SHOULD BE AF FORDED PROTECTIONS N OT ONLY BY 22
ONLINE PRODUCTS SPEC IFICALLY DIRECTED AT THEM, BUT BY ALL ONLINE 23
PRODUCTS THEY ARE RE ASONABLY LIKELY TO A CCESS; 24
(2) COVERED ENTITIES THAT DEVELOP AND PROVIDE ONLINE 25
SERVICES PRODUCTS THAT CHILDREN ARE REASONABLY LIKELY TO ACCESS SHA LL 26
ENSURE THE BEST INTE RESTS OF CHILDREN WH EN DESIGNING, DEVELOPING , AND 27
PROVIDING THOSE ONLI NE PRODUCTS ; 28
(3) ALL COVERED ENTITIES THAT OPERATE IN THE STATE AND 29
PROCESS CHILDREN ’S DATA IN ANY CAPACI TY SHALL DO SO IN A MANNER 30
CONSISTENT WITH THE BEST INTERESTS OF CH ILDREN; 31
(4) IF A CONFLICT ARISES BETWEEN COMMERCIAL I NTERESTS AND 32
THE BEST INTERESTS O F CHILDREN, COVERED ENTITIES THA T DEVELOP ONLINE 33
PRODUCTS LIKELY TO B E ACCESSED BY CHILDR EN SHALL GIVE PRIORITY TO 34 SENATE BILL 571 15
PRIORITIZE THE PRIVACY, SAFETY, AND WELL–BEING OF CHILDREN OVER THOSE 1
COMMERCIAL INTERESTS; AND; 2
(5) NOTHING IN THIS SUBTI TLE MAY BE CONSTRUED TO INFRINGE ON 3
THE EXISTING RIGHTS AND FREEDOMS OF CHIL DREN REQUIRE A COVERED EN TITY 4
TO MONITOR OR CENSOR THIRD–PARTY CONTENT OR OTHERWISE IMPACT THE 5
EXISTING RIGHTS AND FREEDOMS OF ANY PERS ON; AND 6
(6) NOTHING IN THIS SUBTI TLE MAY BE CONSTRUED TO 7
DISCRIMINATE AGAINST CHILDREN ON THE BASI S OF RACE, COLOR, RELIGION, 8
NATIONAL ORIGIN , DISABILITY, GENDER IDENTITY , SEX, OR SEXUAL ORIENTATION . 9
14–4604. 10
(A) (1) SUBJECT TO PARAGRAPH (2) OF THIS SUBSECTION , A COVERED 11
ENTITY THAT PROVIDES AN ONLINE PRODUCT RE ASONABLY LIKELY TO B E 12
ACCESSED BY CHILDREN SHALL PREPARE A DATA PROTECTION IMPACT 13
ASSESSMENT FOR THE O NLINE PRODUCT . 14
(2) ON OR BEFORE APRIL 1, 2026, A COVERED ENTITY SHA LL 15
PREPARE A DATA PROTE CTION IMPACT ASSESSM ENT FOR ANY ONLINE P RODUCT 16
THAT: 17
(I) MEETS THE CRITERIA UN DER PARAGRAPH (1) OF THIS 18
SUBSECTION; 19
(II) IS OFFERED TO THE PUB LIC ON OR BEFORE APRIL 1, 2026; 20
AND 21
(III) WILL CONTINUE TO BE O FFERED TO THE PUBLIC AFTER 22
JULY 1, 2026. 23
(3) FOR AN ONLINE PRODUCT THAT MEETS THE CRITE RIA UNDER 24
PARAGRAPH (1) OF THIS SUBSECTION A ND IS INITIALLY OFFE RED TO THE PUBLIC 25
AFTER APRIL 1, 2026, A COVERED ENTITY SHA LL COMPLETE A DATA P ROTECTION 26
IMPACT ASSESSMENT WITHIN 90 DAYS AFTER THE ONLIN E PRODUCT IS OFFERED TO 27
THE PUBLIC. 28
(B) THE DATA PROTECTION I MPACT ASSESSMENT SHA LL: 29
(1) IDENTIFY THE PURPOSE OF THE ONLINE PRODUC T; 30
(2) IDENTIFY HOW THE ONLI NE PRODUCT USES CHIL DREN’S DATA; 31
16 SENATE BILL 571
(3) DETERMINE WHETHER THE ONLINE PRODUCT IS DE SIGNED AND 1
OFFERED IN A MANNER CONSISTENT WITH THE BEST INTERE STS OF CHILDREN 2
REASONABLY LIKELY TO ACCESS THE ONLINE PR ODUCT THROUGH CONSID ERATION 3
OF: 4
(I) WHETHER THE DATA MANA GEMENT OR PROCESSING 5
PRACTICES OF THE ONL INE PRODUCT COULD LE AD TO CHILDREN EXPER IENCING OR 6
BEING TARGETED BY CONTACTS THAT WOULD RESULT IN : 7
1. REASONABLY FORESEEABL E AND MATERIAL 8
PHYSICAL OR FINANCIA L HARM TO THE CHILD CHILDREN; 9
2. REASONABLY FORESEEABL E AND EXTREME 10
PSYCHOLOGICAL OR EMO TIONAL HARM TO THE CHILD CHILDREN; 11
3. A HIGHLY OFFENSIVE INT RUSION ON THE CHILD’S 12
CHILDREN’S REASONABLE EXPECTATI ON OF PRIVACY; OR 13
4. DISCRIMINATION AGAINS T THE CHILD CHILDREN 14
BASED ON RACE , COLOR, RELIGION, NATIONAL ORIGIN , DISABILITY, GENDER 15
IDENTITY, SEX, OR SEXUAL ORIENTATIO N; 16
(II) WHETHER THE DATA MANA GEMENT OR PROCESSING 17
PRACTICES OF THE ONL INE PRODUCT COULD PE RMIT CHILDREN TO WITNESS, 18
PARTICIPATE IN, OR BE SUBJECT TO CON DUCT THAT WOULD RESU LT IN: 19
1. REASONABLY FORESEEABL E AND MATERIAL 20
PHYSICAL OR FINANCIA L HARM TO THE CHILD CHILDREN; 21
2. REASONABLY FORESEEABL E AND EXTREME 22
PSYCHOLOGICAL OR EMO TIONAL HARM TO THE CHILD CHILDREN; 23
3. A HIGHLY OFFENSIVE INT RUSION ON THE CHILD’S 24
CHILDREN’S REASONABLE EXPECTATI ON OF PRIVACY; OR 25
4. DISCRIMINATION AGAINS T THE CHILD CHILDREN 26
BASED ON RACE , COLOR, RELIGION, NATIONAL ORIGIN , DISABILITY, GENDER 27
IDENTITY, SEX, OR SEXUAL ORIENTATIO N; 28
(III) WHETHER THE DATA MANA GEMENT OR PROCESSING 29
PRACTICES OF THE ONL INE PRODUCT ARE REAS ONABLY EXPECTED TO A LLOW 30
CHILDREN BECOMING PA RTY TO OR EXPLOITED BY A CONTRACT THROUGH THE 31
ONLINE PRODUCT THAT WOULD RESULT IN : 32
SENATE BILL 571 17
1. REASONABLY FORESEEABL E AND MATERIAL 1
PHYSICAL OR FINANCIA L HARM TO THE CHILD CHILDREN; 2
2. REASONABLY FORESEEABL E AND EXTREME 3
PSYCHOLOGICAL OR EMO TIONAL HARM TO THE CHILD CHILDREN; 4
3. A HIGHLY OFFENSIVE INT RUSION ON THE CHILD’S 5
CHILDREN’S REASONABLE EXPECTATI ON OF PRIVACY; OR 6
4. DISCRIMINATION AGAINS T THE CHILD CHILDREN 7
BASED ON RACE , COLOR, RELIGION, NATIONAL ORIGIN , DISABILITY, GENDER 8
IDENTITY, SEX, OR SEXUAL ORIENTATION ; 9
(IV) WHETHER TARGETED ADVE RTISING SYSTEMS USED BY THE 10
ONLINE PRODUCT WOULD RESULT IN: 11
1. REASONABLY FORESEEABL E AND MATERIAL 12
PHYSICAL OR FINANCIA L HARM TO THE CHILD ; 13
2. REASONABLY FORESEEABL E AND EXTREME 14
PSYCHOLOGICAL OR EMOTIONAL HARM TO TH E CHILD; 15
3. A HIGHLY OFFENSIVE INT RUSION ON THE CHILD ’S 16
CHILDREN’S REASONABLE EXPECTATI ON OF PRIVACY; OR 17
4. DISCRIMINATION AGAINS T THE CHILD BASED ON 18
RACE, COLOR, RELIGION, NATIONAL ORIGIN , DISABILITY, SEX, OR SEXUAL 19
ORIENTATION ; 20
(V) WHETHER THE ONLINE PR ODUCT USES SYSTEM DE SIGN 21
FEATURES TO INCREASE , SUSTAIN, OR EXTEND THE USE OF THE ONLINE PRODUCT , 22
INCLUDING THE AUTOMA TIC PLAYING OF MEDIA , REWARDS FOR TIME SPE NT, AND 23
NOTIFICATIONS THAT W OULD RESULT IN : 24
1. REASONABLY FORESEEABLE AND MATERIAL 25
PHYSICAL OR FINANCIA L HARM TO THE CHILD CHILDREN; 26
2. REASONABLY FORESEEABL E AND EXTREME 27
PSYCHOLOGICAL OR EMO TIONAL HARM TO THE CHILD CHILDREN; 28
3. A HIGHLY OFFENSIVE INT RUSION ON THE CHILD’S 29
CHILDREN’S REASONABLE E XPECTATION OF PRIVAC Y; OR 30
18 SENATE BILL 571
4. DISCRIMINATION AGAINS T THE CHILD CHILDREN 1
BASED ON RACE , COLOR, RELIGION, NATIONAL ORIGIN , DISABILITY, GENDER 2
IDENTITY, SEX, OR SEXUAL ORIENTATIO N; 3
(VI) (V) WHETHER, HOW, AND FOR WHAT PURPOSE THE 4
ONLINE PRODUCT COLLECTS OR PROCESSES SENSITIVE PERSONAL DATA OF 5
CHILDREN AND WHETHER THOSE PRACTICES WOUL D RESULT IN: 6
1. REASONABLY FORESEEABL E AND MATERIAL 7
PHYSICAL OR FINANCIA L HARM TO THE CHILD CHILDREN; 8
2. REASONABLY FORESEEABL E AND EXTREME 9
PSYCHOLO GICAL OR EMOTIONAL H ARM TO THE CHILD CHILDREN; 10
3. A HIGHLY OFFENSIVE INT RUSION ON THE CHILD’S 11
CHILDREN’S REASONABLE EXPECTATI ON OF PRIVACY; OR 12
4. DISCRIMINATION AGAINS T THE CHILD CHILDREN 13
BASED ON RACE , COLOR, RELIGION, NATIONAL ORIGIN , DISABILITY, GENDER 14
IDENTITY, SEX, OR SEXUAL ORIENTATIO N; 15
(VII) (VI) WHETHER AND HOW DATA COLLECTED TO 16
UNDERSTAND THE EXPER IMENTAL IMPACT OF TH E PRODUCT REVEALS DA TA 17
MANAGEMENT OR DESIGN PRACTICES THAT WO ULD RESULT IN: 18
1. REASONABLY FORESEEABL E AND MATERIAL 19
PHYSICAL OR FINANCIA L HARM TO THE CHILD CHILDREN; 20
2. REASONABLY FORESEEABL E AND EXTREME 21
PSYCHOLOGICAL OR EMO TIONAL HARM TO THE CHILD CHILDREN; 22
3. A HIGHLY OFFENSIVE INT RUSION ON THE CHILD’S 23
CHILDREN’S REASONABLE EXPECTATI ON OF PRIVACY; OR 24
4. DISCRIMINATION AGAINS T THE CHILD CHILDREN 25
BASED ON RACE , COLOR, RELIGION, NATIONAL ORIGIN , DISABILITY, GENDER 26
IDENTITY, SEX, OR SEXUAL ORIENTATIO N; 27
(VIII) (VII) WHETHER ALGORITHMS US ED BY THE ONLINE 28
PRODUCT WOULD RESULT IN: 29
1. REASONABLY FORESEEABL E AND MATERIAL 30
PHYSICAL OR FINANCIA L HARM TO THE CHILD CHILDREN; 31
SENATE BILL 571 19
2. REASONABLY FORESEEABL E AND EXTREME 1
PSYCHOLOGICAL OR EMO TIONAL HARM TO THE CHILD CHILDREN; 2
3. A HIGHLY OFFENSIVE INT RUSION ON THE CHILD’S 3
CHILDREN’S REASONABLE EXPECTATI ON OF PRIVACY; OR 4
4. DISCRIMINATION AGAINS T THE CHILD CHILDREN 5
BASED ON RACE , COLOR, RELIGION, NATIONAL ORIGIN , DISABILITY, GENDER 6
IDENTITY, SEX, OR SEXUAL ORIENTATIO N; AND 7
(IX) (VIII) ANY OTHER FACTOR THAT MAY INDICATE THAT TH E 8
ONLINE PRODUCT IS DE SIGNED AND OFFERED IN A MANNER THAT IS INCONSISTENT 9
WITH THE BEST INTERE STS OF CHILDREN ; AND 10
(4) INCLUDE A DESCRIPTION OF STEPS THAT THE CO VERED ENTITY 11
HAS TAKEN AND WILL T AKE TO COMPLY WITH THE DUTY TO ACT IN A MANNER 12
CONSISTENT WITH THE BEST INTERESTS OF CH ILDREN. 13
(C) (1) A DATA PROTECTION IMPA CT ASSESSMENT PREPAR ED BY A 14
COVERED ENTITY FOR T HE PURPOSE OF COMPLI ANCE WITH ANY OTHER LAW 15
COMPLIES WITH THIS S ECTION IF THE ASSESS MENT MEETS THE REQUIREMENTS OF 16
THIS SECTION. 17
(2) A SINGLE DATA PROTECTI ON IMPACT ASSESSMENT MAY CONTAIN 18
MULTIPLE SIMILAR PRO CESSING OPERATIONS T HAT PRESENT SIMILAR RISKS ONLY 19
IF EACH RELEVANT ONL INE PRODUCT IS ADDRE SSED. 20
14–4605. 21
A COVERED ENTITY REQUI RED TO COMPLETE A DATA PROTEC TION IMPACT 22
ASSESSMENT UNDER § 14–4604 OF THIS SUBTITLE SHA LL: 23
(1) MAINTAIN DOCUMENTATIO N OF THE ASSESSMENT FOR AS LONG 24
AS THE ONLINE PRODUC T IS LIKELY TO BE AC CESSED BY CHILDREN ; 25
(2) REVIEW EACH DATA PROT ECTION IMPACT ASSESS MENT AS 26
NECESSARY TO ACCOUNT FOR MATERIAL CHANGES TO PROCESSING PERTAI NING TO 27
THE ONLINE PRODUCT W ITHIN 90 DAYS OF SUCH MATERIA L CHANGES; 28
(3) CONFIGURE NOTWITHSTANDING ANY O THER LAW, CONFIGURE 29
ALL DEFAULT PRIVACY SETTINGS PROVIDED TO CHILDREN BY THE ONLI NE 30
PRODUCT TO OFFER A HI GH LEVEL OF PRIVACY , UNLESS THE COVERED E NTITY CAN 31
DEMONSTRATE A COMPEL LING REASON THAT A D IFFERENT SETTING IS IN THE BEST 32
INTERESTS OF CHILDRE N; 33 20 SENATE BILL 571
(4) PROVIDE ANY PRIVACY I NFORMATION , TERMS OF SERVICE , 1
POLICIES, AND COMMUNITY STANDA RDS CONCISELY, PROMINENTLY , AND USING 2
CLEAR LANGUAGE SUITE D TO THE AGE OF CHIL DREN LIKELY TO ACCES S THE 3
ONLINE PRODUCT ; AND 4
(5) PROVIDE PROMINENT , ACCESSIBLE, AND RESPONSIVE TOOLS TO 5
HELP CHILDREN OR THE IR PARENTS OR GUARDI ANS, IF APPLICABLE, EXERCISE 6
THEIR PRIVACY RIGHTS AN D REPORT CONCERNS . 7
14–4606. 8
(A) A COVERED ENTITY THAT PROVIDES AN ONLINE P RODUCT THAT IS 9
ACCESSED OR REASONAB LY LIKELY TO BE ACCE SSED BY CHILDREN MAY NOT: 10
(1) PROCESS THE PERSONAL DATA OF A CHILD IN A WAY THAT IS 11
INCONSISTENT WITH THE BEST INTERESTS O F CHILDREN REASONABL Y LIKELY TO 12
ACCESS THE ONLINE PR ODUCT; 13
(2) PROFILE A CHILD BY DE FAULT, UNLESS: 14
(I) THE COVERED ENTITY CA N DEMONSTRATE THAT T HE 15
COVERED ENTITY HAS A PPROPRIATE SAFEGUARD S IN PLACE TO ENSURE THAT 16
PROFILING IS CONSISTENT WITH THE BEST INTERESTS OF CH ILDREN WHO ACCESS 17
OR ARE REASONABLY LI KELY TO ACCESS THE O NLINE PRODUCT ; AND 18
(II) 1. PROFILING IS NECESSAR Y TO PROVIDE THE 19
REQUESTED ONLINE PRODUCT , AND IS DONE ONLY WIT H RESPECT TO THE ASP ECTS 20
OF THE ONLINE PROD UCT THAT THE CHILD I S ACTIVELY AND KNOWI NGLY ENGAGED 21
WITH; OR 22
2. THE COVERED ENTITY CA N DEMONSTRATE A 23
COMPELLING REASON TH AT PROFILING IS IN T HE BEST INTERESTS OF CHILDREN; 24
(3) PROCESS PERSONAL DATA OF A CHILD THAT IS N OT REASONABLY 25
NECESSARY TO PR OVIDE AN ONLINE PROD UCT THAT THE CHILD I S ACTIVELY AND 26
KNOWINGLY ENGAGED WI TH; 27
(4) PROCESS THE PERSONAL DATA OF A CHILD END USER FOR ANY 28
REASON OTHER THAN A REASON FOR WHICH THA T PERSONAL DATA WAS 29
COLLECTED; 30
(5) PROCESS ANY PRECISE G EOLOCATION INFORMATION DATA OF A 31
CHILD BY DEFAULT , UNLESS: 32 SENATE BILL 571 21
(I) THE COLLECTION OF THE PRECISE GEOLOCATION 1
INFORMATION DATA IS STRICTLY NECESSAR Y FOR THE COVERED EN TITY TO 2
PROVIDE THE ONLINE P RODUCT; AND 3
(II) THE PRECISE GEOLOCATI ON DATA IS PROCESSED ONLY FOR 4
THE LIMITED TIME THAT IS NE CESSARY TO PROVIDE T HE ONLINE PRODUCT ; 5
(6) PROCESS ANY PRECISE G EOLOCATION INFORMATION DATA OF A 6
CHILD WITHOUT PROVID ING AN OBVIOUS SIGNA L TO THE CHILD FOR T HE DURATION 7
THAT THE PRECISE GEO LOCATION INFORMATION DATA IS BEING COLLECTED; 8
(7) USE DARK PATTERNS TO : 9
(I) CAUSE A CHILD TO PROV IDE PERSONAL DATA BE YOND 10
WHAT IS REASONABLY E XPECTED TO PROVIDE T HE ONLINE PRODUCT ; 11
(II) CIRCUMVENT PRIVACY PR OTECTIONS; OR 12
(III) TAKE ANY ACTION THAT THE COVERED ENTITY K NOWS, OR 13
HAS REASON TO KNOW , IS NOT IN THE BEST I NTERESTS OF CHILDREN WHO ACCESS 14
OR ARE REASONABLY LI KELY TO ACCESS THE O NLINE PRODUCT ; OR 15
(8) PROCESS ANY PERSONAL DATA FOR THE PURPOSE OF 16
ESTIMATING THE AGE O F A CHILD THAT IS AC TIVELY AND KNOWINGLY ENGAGED 17
WITH AN ONLINE PRODUCT TH AT IS NOT REASONABLY NECESSARY TO PROVIDE THE 18
ONLINE PRODUCT ; OR 19
(9) ALLOW A CHILD’S PARENT, GUARDIAN, OR ANY OTHER CONSUME R 20
TO MONITOR THE CHILD ’S ONLINE ACTIVITY OR TRACK THE CHILD ’S LOCATION, 21
WITHOUT PROVIDING AN OBVIOUS SIGNAL T O THE CHILD WHEN THE CHILD IS BEING 22
MONITORED OR TRACKED . 23
(B) IN MAKING A DETERMINA TION AS TO WHETHER A N ONLINE PRODUCT IS 24
REASONABLY LIKELY TO BE ACCESSED BY CHILD REN, A COVERED ENTITY MAY NOT 25
COLLECT OR PROCESS A NY PERSONAL DATA BEY OND WHAT IS REASONAB LY 26
NECESSARY TO MAKE TH E DETERMINATION . 27
14–4607. 28
(A) WITHIN 5 BUSINESS DAYS AFTER RECEIVING A WRITTEN REQUEST FROM 29
THE DIVISION, A COVERED ENTITY THA T PROVIDES AN ONLINE PRODUCT 30
REASONABLY LIKELY TO BE ACCESSED BY CHILD REN SHALL PROVIDE TO THE 31 22 SENATE BILL 571
DIVISION A LIST OF ALL DATA P ROTECTION IMPACT ASS ESSMENTS THE COVERED 1
ENTITY HAS COMPLETED UNDER § 14–4604 OF THIS SUBTITLE. 2
(B) (1) WITHIN 7 BUSINESS DAYS AFTER RECEIVING A WRITTEN REQUEST 3
FROM THE DIVISION, A COVERED ENTITY SHA LL PROVIDE TO THE DIVISION ANY 4
DATA PROTECTION IMPACT ASSESSMENT COMPLETED UNDER § 14–4604 OF THIS 5
SUBTITLE. 6
(2) THE DIVISION MAY EXTEND B EYOND 7 DAYS THE AMOUNT OF 7
TIME ALLOWED FOR A C OVERED ENTITY TO PRO DUCE A DATA PROTECTI ON IMPACT 8
ASSESSMENT . 9
(C) TO THE EXTENT THAT AN Y DISCLOSURE REQUIRED UNDER SUBSE CTION 10
(B) OF THIS SECTION INCL UDES INFORMATION SUB JECT TO ATTORNEY –CLIENT 11
PRIVILEGE OR WORK –PRODUCT PROTECTION , THE DISCLOSURE MAY N OT 12
CONSTITUTE A WAIVER OF THAT PRIVILEGE OR PROTECTION. 13
14–4608. 14
(A) A VIOLATION OF THIS SU BTITLE: 15
(1) IS AN UNFAIR, ABUSIVE, OR DECEPTIVE TRADE P RACTICE; AND 16
(2) EXCEPT FOR § 13–410 OF THIS ARTICLE , IS SUBJECT TO THE 17
ENFORCEMENT PROVISIO NS CONTAINED IN TITLE 13 OF THIS ARTICLE. 18
(B) A COVERED ENTITY THAT VIOLATES THIS SUBTIT LE IS SUBJECT TO A 19
CIVIL PENALTY NOT EXCEED ING: 20
(1) $2,500 PER AFFECTED CHILD F OR EACH NEGLIGENT VI OLATION; 21
AND 22
(2) $7,500 PER AFFECTED CHILD F OR EACH INTENTIONAL 23
VIOLATION. 24
(C) THE DIVISION SHALL PAY AL L FINES, PENALTIES, AND EXPENSES 25
COLLECTED BY THE DIVISION UNDER THIS SUBSECTION INTO THE GENERAL FUND 26
WITH THE INTENT THAT FINES, PENALTIES, AND EXPENSES BE USED TO FULLY 27
OFFSET ANY COSTS INC URRED BY THE DIVISION IN CONNECTIO N WITH THIS 28
SUBTITLE. 29
14–4609. 30
SENATE BILL 571 23
(A) IF A COVERED ENTITY I S IN SUBSTANTIAL COM PLIANCE WITH THE 1
REQUIREMENTS OF §§ 14–4604 THROUGH 14–4606 OF THIS SUBTITLE , THE 2
DIVISION SHALL PROVID E WRITTEN NOTICE TO THE COVERED ENTITY B EFORE 3
FILING AN ACTION UND ER § 14–4608 OF THIS SUBTITLE . 4
(B) NOTICE GIVEN UNDER SU BSECTION (A) OF THIS SECTION SHAL L 5
IDENTIFY THE SPECIFIC PROVISIO NS OF THIS SUBTITLE THAT THE DIVISION 6
ALLEGES HAVE BEEN OR ARE BEING VIOLATED . 7
(C) A COVERED ENTITY MAY N OT BE LIABLE FOR A C IVIL PENALTY FOR A 8
VIOLATION FOR WHICH NOTICE IS GIVEN UNDE R SUBSECTION (A) OF THIS SECTION 9
IF THE COVERED EN TITY: 10
(1) HAS COMPLETED A DATA PROTECTION IMPACT AS SESSMENT 11
UNDER § 14–4604(A)(2) OF THIS SUBTITLE FOR EXISTING ONLINE PROD UCTS THAT 12
ARE REASONABLY LIKEL Y TO BE ACCESSED BY CHILDREN; 13
(2) HAS COMPLETED A DATA PROTECTION IMPACT AS SESSMENT 14
UNDER § 14–4604(A)(3) OF THIS SUBTITLE PRI OR TO OFFERING TO TH E PUBLIC A 15
NEW ONLINE PRODUCT T HAT IS REASONABLY LI KELY TO BE ACCESSED BY 16
CHILDREN; 17
(3) CURES THE VIOLATION S PECIFIED IN THE DIVISION’S NOTICE 18
WITHIN 90 DAYS AFTER ISSUANCE OF THE NOTICE UNDER SUBSECTION (A) OF THIS 19
SECTION; 20
(4) PROVIDES THE DIVISION WITH A WRITT EN STATEMENT THAT TH E 21
ALLEGED VIOLATION HA S BEEN CURED; AND 22
(5) TAKES MEASURES TO PRE VENT ANY FUTURE VIOL ATION THAT 23
THE DIVISION AGREED TO BE SUFFICIENT. 24
14–4610. 25
NOTHING IN THIS SUBTI TLE MAY BE INTERPRETED O R CONSTRUED TO : 26
(1) PROVIDE A PRIVATE RIG HT OF ACTION UNDER T HIS SUBTITLE OR 27
ANY OTHER LAW ; 28
(2) IMPOSE LIABILITY IN A MANNER THAT IS INCON SISTENT WITH 47 29
U.S.C. § 230; 30
(3) PREVENT OR PRECLUDE A CHILD FROM DELIBERAT ELY OR 31
INDEPENDENTLY SEARCH ING FOR OR SPECIFICA LLY REQUESTING CONTE NT; OR 32 24 SENATE BILL 571
(4) REQUIRE A COVERED ENT ITY TO IMPLEMENT AN AGE–GATING 1
REQUIREMENT . 2
14–4611. 3
NOTWITHSTANDING ANY O THER LAW , A DATA PROTECTION IM PACT 4
ASSESSMENT IS PROTEC TED AS CONFIDENTIAL AND SHALL BE EXEMPT FROM 5
PUBLIC DISCLOSURE , INCLUDING UNDER THE MARYLAND PUBLIC INFORMATION 6
ACT. 7
14–4612. 8
(A) WHEREVER POSSIBLE , LAW RELATING TO CONS UMERS’ PERSONAL 9
DATA SHOULD BE CONST RUED TO HARMONIZE WI TH THE PROVISIONS OF THIS 10
SUBTITLE. 11
(B) IN THE EVENT OF A CONFLICT BETWEEN O THER LAWS AND THIS 12
SUBTITLE, THE PROVISIONS OF TH E LAW THAT AFFORD TH E GREATEST PROTECTIO N 13
FOR THE RIGHT OF PRI VACY FOR CONSUMERS S HALL CONTROL . 14
14–4613. 15
THIS SUBTITLE MAY BE CITED AS THE MARYLAND AGE–APPROPRIATE 16
DESIGN CODE ACT. 17
SECTION 2. AND BE IT FURTHER ENACTED, That this Act shall take effect 18
October 1, 2024. 19
Approved:
________________________________________________________________________________
Governor.
________________________________________________________________________________
President of the Senate.
________________________________________________________________________________
Speaker of the House of Delegates.