EXPLANATION: CAPITALS INDICATE MAT TER ADDED TO EXISTIN G LAW.
[Brackets] indicate matter deleted from existing law.
Underlining indicates amendments to bill.
Strike out indicates matter stricken from the bill by amendment or deleted from the law by
amendment.
Italics indicate opposite chamber/conference committee amendments.
*sb0571*
SENATE BILL 571
I3, S1 (4lr1822)
ENROLLED BILL
— Finance/Economic Matters —
Introduced by Senators Kramer, Hester, and West
Read and Examined by Proofreaders:
_______________________________________________
Proofreader.
_______________________________________________
Proofreader.
Sealed with the Great Seal and presented to the Governor, for his approval this
_______ day of _______________ at _________________ _______ o’clock, ________M.
______________________________________________
President.
CHAPTER ______
AN ACT concerning 1
Consumer Protection – Online Products and Services – Data of Children 2
(Maryland Kids Code) 3
FOR the purpose of requiring a covered entity that offers an online product reasonably 4
likely to be accessed by children to complete a certain data protection impact 5
assessment under certain circumstances; requiring certain privacy protections for 6
certain online products; prohibiting certain data collection and sharing practices; 7
authorizing certain monitoring practices; and generally relating to the protection of 8
online privacy of children. 9
BY repealing and reenacting, with amendments, 10
Article – Commercial Law 11
Section 13–301(14)(xl) 12
Annotated Code of Maryland 13
(2013 Replacement Volume and 2023 Supplement) 14 2 SENATE BILL 571
BY repealing and reenacting, without amendments, 1
Article – Commercial Law 2
Section 13–301(14)(xli) 3
Annotated Code of Maryland 4
(2013 Replacement Volume and 2023 Supplement) 5
BY adding to 6
Article – Commercial Law 7
Section 13–301(14)(xlii); and 14–4601 through 14–4612 14–4613 to be under the new 8
subtitle “Subtitle 46. Maryland Age–Appropriate Design Code Act” 9
Annotated Code of Maryland 10
(2013 Replacement Volume and 2023 Supplement) 11
Preamble 12
WHEREAS, The United Nations Convention on the Rights of the Child recognizes 13
that children need special safeguards and care in all aspects of their lives, specifying how 14
children’s rights apply in the digital environment in General Comment No. 25; and 15
WHEREAS, As children spend more of their time interacting with the online world, 16
the impact of the design of online products on their well–being has become a focus of 17
significant concern; and 18
WHEREAS, There is widespread agreement at the international level, and 19
bipartisan agreement in the United States, that more needs to be done to create a safer 20
online space for children to learn, explore, and play; and 21
WHEREAS, Lawmakers around the globe have t aken steps to enhance privacy 22
protections for children based on the understanding that, in relation to data protection, 23
greater privacy necessarily means greater security and well–being; and 24
WHEREAS, Children should be afforded protections not only by online products and 25
services specifically directed at them, but by all online products they are likely to access, 26
and thus covered entities should take into account the unique needs of different age ranges, 27
including the following developmental stages: 0 to 5 years of age, or “preliterate and early 28
literacy”; 6 to 9 years of age, or “core primary school years”; 10 to 12 years of age, or 29
“transition years”; 13 to 15 years of age, or “early teens”; and 16 to 17 years of age, or 30
“approaching adulthood”; and 31
WHEREAS, While it is clear that the same data protection regime may not be 32
appropriate for children of all ages, children of all ages should nonetheless be afforded 33
privacy and protection, and online products should adopt data protection regimes 34
appropriate for children of the ages likely to access those products; and 35
WHEREAS, According to the Pew Research Center, in 2022, 97% of American 36
teenagers aged 13–17 used the Internet every day, with 46% responding they used the 37 SENATE BILL 571 3
Internet almost constantly; and, additionally, 36% of teens reported being concerned about 1
their social media use, while an earlier Pew Research Center study found that 59% of teens 2
have been bullied or harassed online; and 3
WHEREAS, The findings of the Pew Research Center are not surprising, given what 4
is known about controllers’ use of personal data and how it is utilized to inform 5
manipulative practices, to which children are particularly vulnerable; and 6
WHEREAS, Online products that are likely to be accessed by children should offer 7
strong privacy protections that, by design, prevent the use of children’s personal data to 8
offer elements that the covered entity offering the online product knows, or has reason to 9
know, are likely to be materially detrimental to the physical health, mental health, or 10
well–being of children; and 11
WHEREAS, Ensuring robust privacy, and thus safety, protections for children by 12
design is consistent with federal safety laws and policies applied to children’s products, 13
regulating everything from toys to clothing to furniture and games; and 14
WHEREAS, The consumer protections that federal safety laws apply to children’s 15
products require these products to comply with certain safety standards by their very 16
design, so that harms to children, and in some cases other consumers, are prevented; and 17
WHEREAS, It is the intent of the Maryland General Assembly that the Maryland 18
Age–Appropriate Design Code Act promote innovation by covered entities whose online 19
products are likely to be accessed by children by ensuring that those online products are 20
designed in a manner that recognizes the distinct needs of children within different age 21
ranges; and now, therefore, 22
WHEREAS, It is the intent of the Maryland General Assembly that covered entities 23
covered by the Maryland Age–Appropriate Design Code Act may look to guidance and 24
innovation in response to the Age–Appropriate Design Code established in the United 25
Kingdom and California when developing online products that are likely to be accessed by 26
children; now, therefore, 27
SECTION 1. BE IT ENACTED BY THE GENERAL ASSEMBLY OF MARYLAND, 28
That the Laws of Maryland read as follows: 29
Article – Commercial Law 30
13–301. 31
Unfair, abusive, or deceptive trade practices include any: 32
(14) Violation of a provision of: 33
(xl) Title 14, Subtitle 13 of the Public Safety Article; [or] 34
4 SENATE BILL 571
(xli) Title 14, Subtitle 45 of this article; or 1
(XLII) TITLE 14, SUBTITLE 46 OF THIS ARTICLE; OR 2
SUBTITLE 46. MARYLAND AGE–APPROPRIATE DESIGN CODE ACT. 3
14–4601. 4
(A) IN THIS SUBTITLE THE FOLLOWING WORDS HAVE THE MEANINGS 5
INDICATED. 6
(B) (1) “AGGREGATE CONSUMER IN FORMATION” MEANS INFORMATION : 7
(I) THAT RELATES TO A GRO UP OR CATEGORY OF CO NSUMERS; 8
(II) FROM WHICH INDIVIDUAL CONSUMER IDENTITIES HAVE 9
BEEN REMOVED ; AND 10
(III) THAT IS NOT LINKED OR REASON ABLY LINKABLE TO ANY 11
CONSUMER OR HOUSEHOL D, INCLUDING BY A DEVIC E. 12
(2) “AGGREGATE CONSUMER IN FORMATION” DOES NOT INCLUDE 13
INDIVIDUAL CONSUMER RECORDS THAT HAVE BE EN DE–IDENTIFIED. 14
(C) “BEST INTERESTS OF CHI LDREN” MEANS A COVERED EN TITY’S USE OF 15
THE PERSONAL DATA OF A CHILD CHILDREN OR THE DESIGN OF AN ONLINE 16
PRODUCT IN A WAY THA T DOES NOT: 17
(1) BENEFIT THE COVERED E NTITY TO THE DETRIME NT OF A CHILD 18
CHILDREN; AND 19
(2) RESULT IN: 20
(I) REASONABLY FORESEEABL E AND MATERIAL PHYSI CAL OR 21
FINANCIAL HARM TO A CHILD CHILDREN; 22
(II) SEVERE AND REASONABLY FORESEEABLE PSYCHOLO GICAL 23
OR EMOTIONAL HARM TO A CHILD CHILDREN; 24
(III) A HIGHLY OFFENSIVE INT RUSION ON A CHILD’S CHILDREN’S 25
REASONABLE EXPECTATION OF PRIVA CY; OR 26
SENATE BILL 571 5
(IV) DISCRIMINATION AGAINS T A CHILD CHILDREN BASED ON 1
RACE, COLOR, RELIGION, NATIONAL ORIGIN , DISABILITY, GENDER IDENTITY , SEX, 2
OR SEXUAL ORIENTATIO N. 3
(D) (1) “BIOMETRIC INFORMATION DATA” MEANS INFORMATION DATA 4
GENERATED BY AUTOMATIC MEASUREMEN TS OF AN INDIVIDUAL ’S BIOLOGICAL 5
CHARACTERISTICS . 6
(2) “BIOMETRIC INFORMATION DATA” INCLUDES: 7
(I) A FINGERPRINT ; 8
(II) A VOICEPRINT; 9
(III) AN EYE RETINA OR IRIS PATTERN; OR 10
(IV) ANY OTHER UNIQUE BIOL OGICAL PATTERN OR 11
CHARACTERISTIC THAT I S USED TO IDENTIFY A SPECIFIC INDIVIDUAL . 12
(3) “BIOMETRIC INFORMATION DATA” DOES NOT INCLUDE : 13
(I) A DIGITAL OR PHYSICAL PHOTOGRAPH ; 14
(II) AN AUDIO OR VIDEO REC ORDING; OR 15
(III) DATA GENERATED FROM A DIGITAL OR PHYSICAL 16
PHOTOGRAPH , OR AN AUDIO OR VIDEO RECORDING, UNLESS THE DATA IS 17
GENERATED TO IDENTIF Y A SPECIFIC INDIVID UAL. 18
(E) “CHILD” MEANS A CONSUMER WHO IS UNDER THE AGE OF 18 YEARS. 19
(F) (1) “COLLECT” MEANS TO BUY, RENT, GATHER, OBTAIN, RECEIVE, OR 20
ACCESS PERSONAL DATA RELATING TO A C ONSUMER. 21
(2) “COLLECT” INCLUDES: 22
(I) ACTIVELY OR PASSIVELY RECEIVING RECEIVING DATA 23
FROM THE CONSUMER ; AND 24
(II) OBSERVING THE CONSUME R’S BEHAVIOR. 25
(G) (1) “CONSUMER” MEANS AN INDIVIDUAL WHO IS A RESIDENT OF THE 26
STATE, HOWEVER IDENTIFIED , INCLUDING BY A UNIQU E IDENTIFIER. 27
6 SENATE BILL 571
(2) “CONSUMER” DOES NOT INCLUDE AN INDIVIDUAL ACTING IN A 1
COMMERCIAL OR EMPLOY MENT CONTEXT OR AS A N EMPLOYER , AN OWNER, A 2
DIRECTOR, AN OFFICER, OR A CONTRACTOR OF A COMPANY, PARTNERSHIP , SOLE 3
PROPRIETORSHIP, NONPROFIT ORGANIZATI ON, OR GOVERNMENT AGENCY 4
GOVERNMENTAL UNIT WHOSE COMMUNICATIONS OR TRANSACTIONS WITH THE 5
COVERED ENTITY OCCUR SOLELY WITHIN THE CO NTEXT OF THAT INDIVI DUAL’S 6
ROLE WITH THE COMPAN Y, PARTNERSHIP , SOLE PROPRIETORSHIP , NONPROFIT 7
ORGANIZATION, OR GOVERNMENT AGENCY GOVERNMENTAL UNIT. 8
(H) (1) “COVERED ENTITY ” MEANS A SOLE PROPRIE TORSHIP, A LIMITED 9
LIABILITY COMPANY , A CORPORATION , AN ASSOCIATION , OR ANY OTHER LEGAL 10
ENTITY THAT: 11
(I) IS ORGANIZED OR OPERA TED FOR THE PROFIT O R 12
FINANCIAL BENEFIT OF ITS SHAREHOLDERS OR OTHER OWNERS ; 13
(II) COLLECTS CONSUMERS ’ PERSONAL INFORMATION DATA OR 14
USES ANOTHER ENTITY TO CO LLECT CONSUMERS ’ PERSONAL INFORMATION DATA 15
ON ITS BEHALF; 16
(III) ALONE, OR JOINTLY WITH ITS AFFILIATES OR 17
SUBSIDIARIES, DETERMINES THE PURPO SES AND MEANS OF THE PROCESSING OF 18
CONSUMERS ’ PERSONAL DATA ; 19
(IV) DOES BUSINESS IN THE STATE; AND 20
(V) 1. HAS ANNUAL GROSS REVE NUES IN EXCESS OF 21
$25,000,000, ADJUSTED EVERY ODD –NUMBERED YEAR TO REF LECT ADJUSTMENTS 22
IN THE CONSUMER PRICE INDEX; 23
2. ANNUALLY BUYS , RECEIVES, SELLS, OR SHARES THE 24
PERSONAL DATA OF 50,000 OR MORE CONSUMERS , HOUSEHOLDS , OR DEVICES, 25
ALONE OR IN COMBINAT ION WITH ITS AFFILIA TES OR SUBSIDIARIES , FOR THE 26
COVERED ENTITY ’S COMMERCIAL PURPOSE S; OR 27
3. DERIVES AT LEAST 50% OF ITS ANNUAL REVENU ES 28
FROM THE SALE OF CON SUMERS’ PERSONAL DATA . 29
(2) “COVERED ENTITY ” INCLUDES: 30
(I) AN ENTITY THAT CONTRO LS OR IS CONTROLLED BY A 31
BUSINESS AND THAT SH ARES A NAME, SERVICE MARK , OR TRADEMARK THAT WO ULD 32
CAUSE A REASONABLE CONSUMER TO UNDERSTAND THAT T WO OR MORE ENTITIES 33
ARE COMMONLY OWNED ; AND 34 SENATE BILL 571 7
(II) A JOINT VENTURE OR PAR TNERSHIP COMPOSED OF 1
BUSINESSES IN WHICH EACH HAS AT LEAST A 40% INTEREST IN THE JOIN T VENTURE 2
OR PARTNERSHIP . 3
(I) (1) “DARK PATTERN ” MEANS A USER INTERFACE D ESIGNED OR 4
MANIPULATED WITH THE PURPOSE OF SUBVERTIN G OR IMPAIRING USER 5
AUTONOMY , DECISION MAKING , OR CHOICE. 6
(2) “DARK PATTERN ” INCLUDES ANY PRACTIC E IDENTIFIED BY THE 7
FEDERAL TRADE COMMISSION AS A DARK PATTERN. 8
(J) “DATA PROTECT ION IMPACT ASSESSMEN T” OR “ASSESSMENT” MEANS A 9
SYSTEMATIC SURVEY TO ASSESS COMPLIANCE WI TH THE DUTY TO ACT I N THE BEST 10
INTERESTS OF CHILDRE N. 11
(K) “DEFAULT” MEANS A PRESELECTED OPTION ADOPTED BY TH E 12
COVERED ENTITY FOR A N ONLINE PRODUCT . 13
(L) “DE–IDENTIFIED INFORMATION ” MEANS DATA THAT CANN OT 14
REASONABLY BE USED T O INFER INFORMATION ABOUT, OR OTHERWISE BE LINK ED 15
TO, AN IDENTIFIED OR IDE NTIFIABLE INDIVIDUAL , IF THE COVERED ENTIT Y THAT 16
POSSESSES THE DATA : 17
(1) TAKES REASONABLE MEAS URES TO ENSURE THAT THE DATA 18
CANNOT BE LINKED WIT H AN INDIVIDUAL; 19
(2) PUBLICLY COMMITS TO : 20
(I) MAINTAIN AND USE THE DATA IN DE–IDENTIFIED FORM ; 21
AND 22
(II) NOT ATTEMPT TO RE –IDENTIFY THE INFORMA TION; AND 23
(3) CONTRACTUALLY OBLIGAT ES ANY RECIPIENTS OF THE 24
INFORMATION TO COMPLY WITH ALL PROV ISIONS OF THIS SUBSE CTION. 25
(M) “DERIVED DATA” MEANS DATA THAT ARE DERIVED FROM OTHER D ATA 26
OR INFORMATION , OR OTHERWISE OBTAINE D THROUGH CORRELATIO NS, 27
PREDICTIONS, ASSUMPTIONS , INFERENCES, OR CONCLUSIONS DRAWN FROM FACTS 28
OR EVIDENCE OR ANOTHER SOURCE OF IN FORMATION OR DATA AB OUT A CHILD OR 29
A CHILD’S DEVICE. 30
8 SENATE BILL 571
(N) (L) “DIVISION” MEANS THE DIVISION OF CONSUMER PROTECTION 1
OF THE OFFICE OF THE ATTORNEY GENERAL. 2
(O) (M) (1) “ONLINE PRODUCT ” MEANS AN ONLINE SERV ICE, PRODUCT, 3
OR FEATURE. 4
(2) “ONLINE PRODUCT ” DOES NOT INCLUDE : 5
(I) A TELECOMMUNICATIONS S ERVICE, AS DEFINED IN 47 6
U.S.C. § 153; 7
(II) THE SALE, DELIVERY, OR USE OF A PHYSICAL PRODUCT 8
SOLD BY AN ONLINE RE TAILER; OR 9
(III) A BROADBAND INTERNET ACCESS SERVI CE, AS DEFINED IN 10
47 C.F.R. § 8.1(B). 11
(P) (N) (1) “PERSONAL DATA ” MEANS INFORMATION TH AT IS LINKED 12
OR REASONABLY ABLE T O BE LINKED, ALONE OR IN COMBINAT ION WITH OTHER 13
INFORMATION , TO AN IDENTIFIED OR IDENTIFIABLE INDIVID UAL. 14
(2) “PERSONAL DATA ” INCLUDES DERIVED DAT A THAT OTHERWISE 15
MEETS THE DEFINITION IN PARAGRAPH (1) OF THIS SUBSECTION DOES NOT 16
INCLUDE: 17
(I) DE–IDENTIFIED DATA ; OR 18
(II) PUBLICLY AVAILABLE IN FORMATION. 19
(Q) (O) (1) “PRECISE GEOLOCATION ” MEANS ANY DATA THAT IS: 20
(1) DERIVED FROM A DEVICE ; AND 21
(2) USED OR INTENDED TO B E USED TO LOCATE A C ONSUMER 22
GEOGRAPHICALLY WITHI N A RADIUS OF UP TO 1,850 FEET INFORMATION DERIVED 23
FROM TECHNOLOGY THAT CAN PRECISELY AND AC CURATELY IDENTIFY TH E 24
SPECIFIC LOCATION OF A CONSUMER WITHIN A RADIUS OF 1,750 FEET. 25
(2) “PRECISE GEOLOCATION ” INCLUDES LATITUDE AN D LONGITUDE 26
COORDINATES OF SIMIL AR PRECISION TO THOS E PRODUCED BY A GLOB AL 27
POSITIONING SYSTEM O R A SIMILAR MECHANIS M. 28
(3) “PRECISE GEOLOCATION ” DOES NOT INCLUDE : 29
SENATE BILL 571 9
(I) THE CONTENT OF COMMUN ICATIONS; 1
(II) DATA GENERATED BY OR CONNECTED WITH A UTI LITY 2
COMPANY’S ADVANCED METERING INFRASTRUCTURE ; OR 3
(III) DATA GENERATED BY EQU IPMENT USED BY A UTI LITY 4
COMPANY. 5
(R) (P) (1) “PROCESS” MEANS TO CONDUCT OR DIRECT ANY 6
OPERATION THAT MAY BE PERFORME D ON PERSONAL DATA , WHETHER OR NOT BY 7
AUTOMATED MEANS TO PERFORM AN OPERAT ION OR SET OF OPERAT IONS BY 8
MANUAL OR AUTOMATED MEANS ON PERSONAL DA TA. 9
(2) “PROCESS” INCLUDES: 10
(I) COLLECTING PERSONAL D ATA; 11
(II) USING PERSONAL DATA ; 12
(III) STORING PERSONAL DATA ; 13
(IV) DISCLOSING PERSONAL D ATA; 14
(V) ANALYZING PERSONAL DA TA; 15
(VI) DELETING PERSONAL DAT A; 16
(VII) MODIFYING PERSONAL DA TA; AND 17
(VIII) OTHERWISE HANDLING PE RSONAL DATA COLLECTING, 18
USING, STORING, DISCLOSING, ANALYZING, DELETING, OR MODIFYING PERSONA L 19
DATA. 20
(S) (Q) (1) “PROFILING” MEANS ANY FORM OF AU TOMATED 21
PROCESSING OF PERSON AL DATA THAT USES PE RSONAL DATA TO EVALU ATE, 22
ANALYZE, OR PREDICT CERTAIN A SPECTS RELATING TO A N INDIVIDUAL, INCLUDING 23
AN INDIVIDUAL ’S ECONOMIC S ITUATION, HEALTH, PERSONAL PREFERENCES , 24
INTERESTS, RELIABILITY, BEHAVIOR, LOCATION, OR MOVEMENTS . 25
(2) “PROFILING” DOES NOT INCLUDE THE PROCESSING OF 26
PERSONAL DATA THAT D OES NOT RESULT IN AN ASSESSMENT OR JUDGME NT ABOUT 27
AN INDIVIDUAL. 28
10 SENATE BILL 571
(T) (R) (1) “PUBLICLY AVAILABLE IN FORMATION” MEANS 1
INFORMATION THAT : 2
(I) IS LAWFULLY MADE AVAI LABLE FROM FEDERAL , STATE, OR 3
LOCAL GOVERNMENT REC ORDS; OR 4
(II) A COVERED ENTITY HAS A REASONABLE BASIS TO BELIEVE 5
IS LAWFULLY MADE AVA ILABLE TO THE GENERA L PUBLIC BY THE CONSUMER OR BY 6
WIDELY DISTRIBUTED M EDIA. 7
(2) “PUBLICLY AVAILABLE IN FORMATION” DOES NOT INCLUDE 8
BIOMETRIC INFORMATION DATA COLLECTED BY A COVER ED ENTITY ABOUT A 9
CONSUMER WITHOUT THE CONSUMER ’S KNOWLEDGE . 10
(U) (S) “REASONABLY LIKELY TO BE ACCESSED BY CHILDREN ” MEANS 11
REASONABLY EXPECTED IT IS REASONABLE TO EXPECT THAT THE ONLINE PROD UCT 12
WOULD BE ACCESSED BY CHILDREN, BASED ON SATISFYING ANY OF THE FOLLOWING 13
CRITERIA: 14
(1) THE ONLINE PRODUCT IS DIRECTED TO CHILDREN AS DEFINED IN 15
THE FEDERAL CHILDREN’S ONLINE PRIVACY PROTECTION ACT; 16
(2) THE ONLINE PRODUCT IS DETERMINED , BASED ON COMPETENT 17
AND RELIABLE EVIDENC E REGARDING AUDIENCE COMPOSITION , TO BE ROUTINELY 18
ACCESSED BY A SIGNIF ICANT NUMBER OF CHIL DREN; 19
(3) THE ONLINE PRODUCT IS SUBSTANTIALLY SIM ILAR OR THE SAME 20
AS AN ONLINE PRODUCT THAT SATISFIES ITEM (2) OF THIS SUBSECTION ; 21
(4) THE ONLINE PRODUCT FE ATURES ADVERTISEMENT S MARKETED 22
TO CHILDREN; 23
(5) THE COVERED ENTITY ’S INTERNAL RESEARCH FINDINGS 24
DETERMINE THAT A SIG NIFICANT AMOUNT OF T HE ONLINE PRODUCT ’S AUDIENCE IS 25
COMPOSED OF CHILDREN ; OR 26
(6) THE COVERED ENTITY KN OWS OR SHOULD HAVE K NOWN THAT A 27
USER IS A CHILD. 28
(V) (T) (1) “SELL” MEANS TO TRANSFER , RENT, RELEASE, DISCLOSE, 29
DISSEMINATE, MAKE AVAILABLE , OR OTHERWISE COMMUNI CATE, WHETHER 30
ORALLY, IN WRITING, OR BY ELECTRONIC OR OTHER MEANS , A CONSUMER ’S 31
PERSONAL DATA , IN A TRANSACTION FOR MONETARY OR OTHER VA LUABLE 32
CONSIDERATION BETWEE N A COVERED ENTITY A ND A THIRD PARTY . 33 SENATE BILL 571 11
(2) “SELL” DOES NOT INCLUDE : 1
(I) THE DISCLOSURE OF PER SONAL DATA TO THE SERVICE 2
PROVIDER THAT PROCES SES PERSONAL DATA ON BEHALF OF THE COVERE D ENTITY; 3
(II) THE DISCLOSURE OF PER SONAL DATA TO A THIR D PARTY 4
FOR PURPOSES OF PROV IDING A PRODUCT OR S ERVICE REQUESTED BY THE 5
CONSUMER ; 6
(III) THE DISCLOSURE OR TRA NSFER OF PERSONAL DAT A TO AN 7
AFFILIATE OR SUBSIDI ARY OF THE COVERED E NTITY; 8
(IV) THE DISCLOSURE OF PER SONAL DATA WHERE THE 9
CONSUMER DIRECTS THE COVERED ENTITY TO DI SCLOSE THE PERSONAL DATA OR 10
INTENTIONALLY USES T HE COVERED ENTITY TO INTERACT WITH A THIR D PARTY; OR 11
(V) THE DISCLOSURE OR TRA NSFER OF PERSONAL DA TA TO A 12
THIRD PARTY AS AN AS SET THAT IS PART OF AN ACTUAL OR PROPOSE D MERGER, 13
ACQUISITION, BANKRUPTCY , OR OTHER TRANSACTION , IN WHICH THE THIRD P ARTY 14
ASSUMES CONTROL OF A LL OR PART OF THE CO VERED ENTITY’S ASSETS. 15
(W) (1) “SENSITIVE PERSONAL DA TA” MEANS: 16
(I) PERSONAL DATA THAT RE VEALS A CONSUMER ’S: 17
1. SOCIAL SECURITY NUMBER , DRIVER’S LICENSE 18
NUMBER, STATE IDENTIFICATION CARD NUMBER , OR PASSPORT NUMBER ; 19
2. ACCOUNT LOGIN INFORMA TION, FINANCIAL 20
ACCOUNT NUMBER , DEBIT CARD NUMBER , OR CREDIT CARD NUMBE R, IN 21
COMBINATION WITH ANY REQUIRED SECURITY OR ACCESS CODE , PASSWORD, OR 22
CREDENTIALS THAT ALL OW ACCESS TO AN ACCO UNT; 23
3. PRECISE GEOLOCATION ; 24
4. RACIAL OR ETHNIC ORIG IN OR RELIGIOUS OR 25
PHILOSOPHICAL BELIEF S; 26
5. MAIL, E–MAIL, TEXT, OR MESSAGE CONTENTS , 27
UNLESS THE COVERED E NTITY IS THE INTENDE D RECIPIENT; OR 28
6. GENETIC DATA; 29
12 SENATE BILL 571
(II) BIOMETRIC INFORMATION THAT IS OR MAY BE PR OCESSED 1
FOR THE PURPOSE OF U NIQUELY IDENTI FYING A CONSUMER ; 2
(III) PERSONAL DATA COLLECT ED AND ANALYZED CONC ERNING 3
A CONSUMER ’S HEALTH; OR 4
(IV) PERSONAL DATA COLLECT ED AND ANALYZED CONC ERNING 5
A CONSUMER ’S SEX LIFE OR SEXUAL ORIENTATION . 6
(2) “SENSITIVE PERSONAL DA TA” DOES NOT INCLUDE PUB LICLY 7
AVAILABLE INFORMATIO N. 8
(X) (U) “SERVICE PROVIDER ” MEANS A PERSON THAT PROCESSES 9
PERSONAL DATA ON BEH ALF OF A COVERED ENT ITY AND THAT RECEIVE S FROM OR 10
ON BEHALF OF THE COV ERED ENTITY A CONSUM ER’S PERSONAL DATA FOR 11
BUSINESS PURPOSES IN ACCORDANCE WITH A WRITTEN CONTRACT , IF THE 12
CONTRACT PROHIBITS T HE PERSON FROM : 13
(1) SELLING OR SHARING TH E PERSONAL DATA ; 14
(2) RETAINING, USING, OR DISCLOSING THE PE RSONAL DATA FOR 15
ANY PURPOSE OTHER TH AN FOR THE BUSINESS PURPOSES SPECIFIED I N THE 16
CONTRACT FOR THE COV ERED ENTITY , INCLUDING RETAINING , USING, OR 17
DISCLOSING THE PERSO NAL DATA FOR A COMME RCIAL PURPOSE OTHER THAN THE 18
BUSINESS PURPOSES SP ECIFIED IN THE CONTR ACT WITH THE COVERED ENTITY, OR 19
AS OTHERWISE ALLOWED UNDER THIS SUBTITLE ; 20
(3) RETAINING, USING, OR DISCLOSING THE PERSON AL DATA 21
OUTSIDE THE DIRECT B USINESS RELATIONSHIP BETWEEN THE SERVICE PROVIDER 22
AND THE COVERED ENTI TY; AND 23
(4) COMBINING THE PERSONA L DATA THAT THE SERV ICE PROVIDER 24
RECEIVES FROM , OR ON BEHALF OF , THE COVERED ENTITY W ITH PERSONAL DATA 25
THAT IT RECEIVES FRO M, OR ON BEHALF OF , ANOTHER PERSON OR PE RSONS, OR 26
COLLECTS FROM ITS OW N INTERACTION WITH T HE CONSUMER . 27
(Y) (V) “SHARE” MEANS TO RENT , RELEASE, DISSEMINATE, MAKE 28
AVAILABLE, TRANSFER, OR OTHERWISE COMMUNI CATE, WHETHER ORALLY , IN 29
WRITING, OR BY ELECTRONIC OR OTHER MEANS , A CONSUMER ’S PERSONAL DATA TO 30
A THIRD PARTY FOR CR OSS–CONTEXT BEHAVIORAL A DVERTISING WHETHER O R NOT 31
FOR MONETARY OR OTHE R VALUABLE CONSIDERA TION, INCLUDING IN A 32
TRANSACTION BETWEEN A COVERED EN TITY AND A THIRD PAR TY FOR TARGETED 33
ADVERTISING FOR THE BENEFIT OF A COVERED ENTITY IN WHICH NO M ONEY IS 34
EXCHANGED . 35 SENATE BILL 571 13
(Z) (1) “TARGETED ADVERTISING ” MEANS DISPLAYING 1
ADVERTISEMENTS TO A CONSUMER WHERE THE A DVERTISEMENT IS SELE CTED 2
BASED ON PERSONAL DA TA OBTAINED OR INFER RED FROM THAT CONSUMER ’S 3
ACTIVITIES OVER TIME AND ACROSS NONAFFILI ATED INTERNET WEBSITES OR 4
ONLINE APPLICATIONS TO PREDICT THE CONSU MER’S PREFERENCES OR 5
INTERESTS. 6
(2) “TARGETED ADVERTISING ” DOES NOT INCLUDE : 7
(I) ADVERTISEMENTS BASED ON ACTIVITIES WITHIN A 8
COVERED ENTITY ’S OWN INTERNET WEBSITES OR ONLINE APPLICATIONS ; 9
(II) ADVERTISEMENTS BASED ON THE CONTEXT OF A 10
CONSUMER ’S CURRENT SEARCH QUE RY, VISIT TO AN INTERNET WEBSITE , OR USE OF 11
AN ONLINE APPLICATIO N; 12
(III) ADVERTISEMENTS DIRECT ED TO A CONSUMER IN 13
RESPONSE TO THE CONS UMER’S REQUEST FOR INFORM ATION OR FEEDBACK ; OR 14
(IV) PROCESSING PERSONAL D ATA SOLELY TO MEASUR E OR 15
REPORT ADVERTISING F REQUENCY, PERFORMANCE , OR REACH. 16
(AA) (W) “THIRD PARTY” MEANS A PERSON WHO I S NOT: 17
(1) THE COVERED ENTITY WITH WHICH THE CONSU MER 18
INTENTIONALLY INTERA CTS AND THAT COLLECT S PERSONAL DATA FROM THE 19
CONSUMER AS PART OF THE CONSUMER ’S INTERACTION WITH T HE COVERED 20
ENTITY; OR 21
(2) A SERVICE PROVIDER FOR THE COVERED ENTITY . 22
14–4602. 23
THIS SUBTITLE DOES NO T APPLY TO: 24
(1) DATA SUBJECT TO A STA TUTE OR REGULATION I DENTIFIED 25
UNDER ITEM (I) OF THIS ITEM THAT IS CONTROLLED BY A COVE RED ENTITY OR 26
SERVICE PROVIDER THA T IS: 27
(I) REQUIRED TO COMPLY WI TH: 28
1. TITLE V OF THE FEDERAL GRAMM–LEACH–BLILEY 29
ACT; 30 14 SENATE BILL 571
2. THE FEDERAL HEALTH INFORMATION TECHNOLOGY 1
FOR ECONOMIC AND CLINICAL HEALTH ACT; OR 2
3. REGULATIONS PROMULGAT ED UNDER § 264(C) OF 3
THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996; AND 4
(II) IN COMPLIANCE WITH TH E INFORMATION SECURI TY 5
REQUIREMENTS OF APPL ICABLE STATUTES OR R EGULATIONS IDENTIFIE D IN ITEM 6
(I) OF THIS ITEM; OR PROTECTED HEALTH INFO RMATION THAT IS COLL ECTED BY A 7
COVERED ENTITY OR BU SINESS ASSOCIATION G OVERNED BY THE PRIVA CY 8
SECURITY AND BREACH NOTIFICATION RULES I N 45 C.F.R. PARTS 160 AND 164, 9
ESTABLISHED UNDER TH E FEDERAL HEALTH INSURANCE PORTABILITY AND 10
ACCOUNTABILITY ACT OF 1996 AND THE FEDERAL HEALTH INFORMATION 11
TECHNOLOGY FOR ECONOMIC AND CLINICAL HEALTH ACT; 12
(2) A COVERED ENTITY GOVER NED BY THE PRIVACY S ECURITY AND 13
BREACH NOTIFICATION RULES IN 45 C.F.R. PARTS 160 AND 164, ESTABLISHED 14
UNDER THE FEDERAL HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY 15
ACT OF 1996 AND THE FEDERAL HEALTH INFORMATION TECHNOLOGY FOR 16
ECONOMIC AND CLINICAL HEALTH ACT, TO THE EXTENT THAT T HE COVERED 17
ENTITY MAINTAINS PAT IENT INFORMATION IN THE SAME MANNER AS M EDICAL 18
INFORMATION OR PROTE CTED HEALTH INFORMAT ION AS DESCRIBED IN ITEM (1) OF 19
THIS SECTION; OR 20
(3) (2) INFORMATION COLLECTED AS PART OF A CLINICA L TRIAL 21
SUBJECT TO THE FEDERAL POLICY FOR THE PROTECTION OF HUMAN SUBJECTS, 22
IN ACCORDANCE WITH : 23
(I) GOOD CLINICAL PRACTIC E GUIDELINES ISSUED BY THE 24
INTERNATIONAL COUNCIL FOR HARMONISATION OF TECHNICAL REQUIREMENTS 25
FOR PHARMACEUTICALS FOR HUMAN USE; OR 26
(II) HUMAN SUBJECT PROTECT ION REQU IREMENTS OF THE 27
U.S. FOOD AND DRUG ADMINISTRATION . 28
14–4603. 29
IT IS THE INTENT OF T HE GENERAL ASSEMBLY THAT : 30
(1) CHILDREN SHOULD BE AF FORDED PROTECTIONS N OT ONLY BY 31
ONLINE PRODUCTS SPEC IFICALLY DIRECTED AT THEM, BUT BY ALL ONLINE 32
PRODUCTS THEY ARE RE ASONABLY LIKELY TO ACC ESS; 33
SENATE BILL 571 15
(2) COVERED ENTITIES THAT DEVELOP AND PROVIDE ONLINE 1
SERVICES PRODUCTS THAT CHILDREN ARE REASONABLY LIKELY TO ACCESS SHA LL 2
ENSURE THE BEST INTE RESTS OF CHILDREN WH EN DESIGNING, DEVELOPING , AND 3
PROVIDING THOSE ONLI NE PRODUCTS ; 4
(3) ALL COVERED ENTITIES THAT OPERATE IN THE STATE AND 5
PROCESS CHILDREN ’S DATA IN ANY CAPACI TY SHALL DO SO IN A MANNER 6
CONSISTENT WITH THE BEST INTERESTS OF CH ILDREN; 7
(4) IF A CONFLICT ARISES BETWEEN COMMERCIAL I NTERESTS AND 8
THE BEST INTERESTS O F CHILDREN, COVERED ENTITIES THA T DEVELOP ONLINE 9
PRODUCTS LIKELY TO B E ACCESSED BY CHILDR EN SHALL GIVE PRIORITY TO 10
PRIORITIZE THE PRIVACY, SAFETY, AND WELL–BEING OF CHILDREN OVER THOSE 11
COMMERCIAL INTERESTS; AND; 12
(5) NOTHING IN THIS SUBTI TLE MAY BE CONSTRUED TO INFRINGE ON 13
THE EXISTING RIGHTS AND FREEDOMS OF CHIL DREN REQUIRE A COVERED EN TITY 14
TO MONITOR OR CENSOR THIRD–PARTY CONTENT OR OTH ERWISE IMPACT THE 15
EXISTING RIGHTS AND FREEDOMS OF ANY PERS ON; AND 16
(6) NOTHING I N THIS SUBTITLE MAY BE CONSTRUED TO 17
DISCRIMINATE AGAINST CHILDREN ON THE BASI S OF RACE, COLOR, RELIGION, 18
NATIONAL ORIGIN , DISABILITY, GENDER IDENTITY , SEX, OR SEXUAL ORIENTATIO N. 19
14–4604. 20
(A) (1) SUBJECT TO PARAGRAPH (2) OF THIS SUBSECTION , A COVERED 21
ENTITY THAT PROVIDES A N ONLINE PRODUCT REA SONABLY LIKELY TO BE 22
ACCESSED BY CHILDREN SHALL PREPARE A DATA PROTECTION IMPACT 23
ASSESSMENT FOR THE O NLINE PRODUCT . 24
(2) ON OR BEFORE APRIL 1, 2026, A COVERED ENTITY SHA LL 25
PREPARE A DATA PROTE CTION IMPACT ASSESSMENT FOR ANY O NLINE PRODUCT 26
THAT: 27
(I) MEETS THE CRITERIA UN DER PARAGRAPH (1) OF THIS 28
SUBSECTION; 29
(II) IS OFFERED TO THE PUB LIC ON OR BEFORE APRIL 1, 2026; 30
AND 31
(III) WILL CONTINUE TO BE O FFERED TO THE PUBLIC AFTER 32
JULY 1, 2026. 33
16 SENATE BILL 571
(3) FOR AN ONLINE PRODUCT TH AT MEETS THE CRITERI A UNDER 1
PARAGRAPH (1) OF THIS SUBSECTION A ND IS INITIALLY OFFE RED TO THE PUBLIC 2
AFTER APRIL 1, 2026, A COVERED ENTITY SHA LL COMPLETE A DATA P ROTECTION 3
IMPACT ASSESSMENT WITHIN 90 DAYS AFTER THE ONLIN E PRODUCT IS OFFE RED TO 4
THE PUBLIC. 5
(B) THE DATA PROTECTION I MPACT ASSESSMENT SHA LL: 6
(1) IDENTIFY THE PURPOSE OF THE ONLINE PRODUC T; 7
(2) IDENTIFY HOW THE ONLI NE PRODUCT USES CHIL DREN’S DATA; 8
(3) DETERMINE WHETHER THE ONLINE PRODUCT IS DE SIGNED AND 9
OFFERED IN A MANNER CONSISTENT WIT H THE BEST INTERESTS OF CHILDREN 10
REASONABLY LIKELY TO ACCESS THE ONLINE PR ODUCT THROUGH CONSID ERATION 11
OF: 12
(I) WHETHER THE DATA MANA GEMENT OR PROCESSING 13
PRACTICES OF THE ONL INE PRODUCT COULD LE AD TO CHILDREN EXPER IENCING OR 14
BEING TARGETED BY CONTACTS TH AT WOULD RESULT IN : 15
1. REASONABLY FORESEEABL E AND MATERIAL 16
PHYSICAL OR FINANCIA L HARM TO THE CHILD CHILDREN; 17
2. REASONABLY FORESEEABL E AND EXTREME 18
PSYCHOLOGICAL OR EMO TIONAL HARM TO THE CHILD CHILDREN; 19
3. A HIGHLY OFFENSIVE INT RUSION ON THE CHILD’S 20
CHILDREN’S REASONABLE EXPECTATI ON OF PRIVACY; OR 21
4. DISCRIMINATION AGAINS T THE CHILD CHILDREN 22
BASED ON RACE , COLOR, RELIGION, NATIONAL ORIGIN , DISABILITY, GENDER 23
IDENTITY, SEX, OR SEXUAL ORIENTATIO N; 24
(II) WHETHER THE DATA MANA GEMENT OR PROCESSING 25
PRACTICES OF THE ONL INE PRODUCT COULD PE RMIT CHILDREN TO WITNESS, 26
PARTICIPATE IN, OR BE SUBJECT TO CON DUCT THAT WOULD RESU LT IN: 27
1. REASONABLY FORESEEABL E AND MATERIAL 28
PHYSICAL OR FINANCIA L HARM TO THE CHILD CHILDREN; 29
2. REASONABLY FORESEEABL E AND EXTREME 30
PSYCHOLOGICAL OR EMO TIONAL HARM TO THE CHILD CHILDREN; 31
SENATE BILL 571 17
3. A HIGHLY OFFENSIVE INT RUSION ON THE CHILD’S 1
CHILDREN’S REASONABLE EXPECTATI ON OF PRIVACY; OR 2
4. DISCRIMINATION AGAINS T THE CHILD CHILDREN 3
BASED ON RACE , COLOR, RELIGION, NATIONAL ORIGIN , DISABILITY, GENDER 4
IDENTITY, SEX, OR SEXUAL ORIENTATIO N; 5
(III) WHETHER THE DATA MANA GEMENT OR PROCESSING 6
PRACTICES OF THE ONL INE PRODUCT ARE REAS ONABLY EXPECTED TO A LLOW 7
CHILDREN BECOMING PA RTY TO OR EXPLOITED BY A CONTR ACT THROUGH THE 8
ONLINE PRODUCT THAT WOULD RESULT IN : 9
1. REASONABLY FORESEEABL E AND MATERIAL 10
PHYSICAL OR FINANCIA L HARM TO THE CHILD CHILDREN; 11
2. REASONABLY FORESEEABL E AND EXTREME 12
PSYCHOLOGICAL OR EMO TIONAL HARM TO THE CHILD CHILDREN; 13
3. A HIGHLY OFFENSIVE INT RUSION ON THE CHILD’S 14
CHILDREN’S REASONABLE EXPECTATI ON OF PRIVACY; OR 15
4. DISCRIMINATION AGAINS T THE CHILD CHILDREN 16
BASED ON RACE , COLOR, RELIGION, NATIONAL ORIGIN , DISABILITY, GENDER 17
IDENTITY, SEX, OR SEXUAL ORIENTATION; 18
(IV) WHETHER TARGETED ADVE RTISING SYSTEMS USED BY THE 19
ONLINE PRODUCT WOULD RESULT IN: 20
1. REASONABLY FORESEEABL E AND MATERIAL 21
PHYSICAL OR FINANCIA L HARM TO THE CHILD ; 22
2. REASONABLY FORESEEABL E AND EXTREME 23
PSYCHOLOGICAL OR EMOTIONAL HARM TO TH E CHILD; 24
3. A HIGHLY OFFENSIVE INT RUSION ON THE CHILD ’S 25
CHILDREN’S REASONABLE EXPECTATI ON OF PRIVACY; OR 26
4. DISCRIMINATION AGAINS T THE CHILD BASED ON 27
RACE, COLOR, RELIGION, NATIONAL ORIGIN , DISABILITY, SEX, OR SEXUAL 28
ORIENTATION; 29
(V) WHETHER THE ONLINE PR ODUCT USES SYSTEM DE SIGN 30
FEATURES TO INCREASE , SUSTAIN, OR EXTEND THE USE OF THE ONLINE PRODUCT , 31 18 SENATE BILL 571
INCLUDING THE AUTOMA TIC PLAYING OF MEDIA , REWARDS FOR TIME SPE NT, AND 1
NOTIFICATIONS THAT W OULD RESULT IN : 2
1. REASONABLY FORESEEABL E AND MATERIAL 3
PHYSICAL OR FINANCIA L HARM TO THE CHILD CHILDREN; 4
2. REASONABLY FORESEEABL E AND EXTREME 5
PSYCHOLOGICAL OR EMO TIONAL HARM TO THE CHILD CHILDREN; 6
3. A HIGHLY OFFENSIVE INT RUSION ON THE CHILD’S 7
CHILDREN’S REASONABL E EXPECTATION OF PRI VACY; OR 8
4. DISCRIMINATION AGAINS T THE CHILD CHILDREN 9
BASED ON RACE , COLOR, RELIGION, NATIONAL ORIGIN , DISABILITY, GENDER 10
IDENTITY, SEX, OR SEXUAL ORIENTATIO N; 11
(VI) (V) WHETHER, HOW, AND FOR WHAT PURPOSE THE 12
ONLINE PRODUCT COLLECTS OR PROCESSES SENSITIVE PERSONAL DATA OF 13
CHILDREN AND WHETHER THOSE PRACTICES WOUL D RESULT IN: 14
1. REASONABLY FORESEEABL E AND MATERIAL 15
PHYSICAL OR FINANCIA L HARM TO THE CHILD CHILDREN; 16
2. REASONABLY FORESEEABL E AND EXTREME 17
PSYCHOLO GICAL OR EMOTIONAL H ARM TO THE CHILD CHILDREN; 18
3. A HIGHLY OFFENSIVE INT RUSION ON THE CHILD’S 19
CHILDREN’S REASONABLE EXPECTATI ON OF PRIVACY; OR 20
4. DISCRIMINATION AGAINS T THE CHILD CHILDREN 21
BASED ON RACE , COLOR, RELIGION, NATIONAL ORIGIN , DISABILITY, GENDER 22
IDENTITY, SEX, OR SEXUAL ORIENTATIO N; 23
(VII) (VI) WHETHER AND HOW DATA COLLECTED TO 24
UNDERSTAND THE EXPER IMENTAL IMPACT OF TH E PRODUCT REVEALS DA TA 25
MANAGEMENT OR DESIGN PRACTICES THAT WOULD RESULT IN : 26
1. REASONABLY FORESEEABL E AND MATERIAL 27
PHYSICAL OR FINANCIA L HARM TO THE CHILD CHILDREN; 28
2. REASONABLY FORESEEABL E AND EXTREME 29
PSYCHOLOGICAL OR EMO TIONAL HARM TO THE CHILD CHILDREN; 30
SENATE BILL 571 19
3. A HIGHLY OFFENSIVE INT RUSION ON THE CHILD’S 1
CHILDREN’S REASONABLE EXPECTATI ON OF PRIVACY; OR 2
4. DISCRIMINATION AGAINS T THE CHILD CHILDREN 3
BASED ON RACE , COLOR, RELIGION, NATIONAL ORIGIN , DISABILITY, GENDER 4
IDENTITY, SEX, OR SEXUAL ORIENTATIO N; 5
(VIII) (VII) WHETHER ALGORITHMS US ED BY THE ONLINE 6
PRODUCT WOULD RESULT IN: 7
1. REASONABLY FORESEEABL E AND MATERIAL 8
PHYSICAL OR FINANCIA L HARM TO THE CHILD CHILDREN; 9
2. REASONABLY FORESEEABL E AND EXTREME 10
PSYCHOLOGICAL OR EMO TIONAL HARM TO THE CHILD CHILDREN; 11
3. A HIGHLY OFFENSIVE I NTRUSION ON THE CHILD’S 12
CHILDREN’S REASONABLE EXPECTATI ON OF PRIVACY; OR 13
4. DISCRIMINATION AGAINS T THE CHILD CHILDREN 14
BASED ON RACE , COLOR, RELIGION, NATIONAL ORIGIN , DISABILITY, GENDER 15
IDENTITY, SEX, OR SEXUAL ORIENTATIO N; AND 16
(IX) (VIII) ANY OTHER FACTOR THAT MAY INDICATE THAT TH E 17
ONLINE PRODUCT IS DE SIGNED AND OFFERED IN A MANNER THAT IS INCONSISTENT 18
WITH THE BEST INTERE STS OF CHILDREN ; AND 19
(4) INCLUDE A DESCRIPTION OF STEPS THAT THE CO VERED ENTITY 20
HAS TAKEN AND WILL T AKE TO COMPLY WITH THE DUTY TO ACT IN A MANNER 21
CONSISTENT WITH THE BEST INTERESTS OF CH ILDREN. 22
(C) (1) A DATA PROTECTION IMPA CT ASSESSMENT PREPAR ED BY A 23
COVERED ENTITY FOR T HE PURPOSE OF COMPLI ANCE WITH ANY OTHER LAW 24
COMPLIES WITH THIS S ECTION IF THE ASSESS MENT MEETS THE REQUIREMENTS OF 25
THIS SECTION. 26
(2) A SINGLE DATA PROTECTI ON IMPACT ASSESSMENT MAY CONTAIN 27
MULTIPLE SIMILAR PRO CESSING OPERATIONS T HAT PRESENT SIMILAR RISKS ONLY 28
IF EACH RELEVANT ONL INE PRODUCT IS ADDRE SSED. 29
14–4605. 30
A COVERED ENTITY REQUI RED TO COMPLETE A DATA PROTEC TION IMPACT 31
ASSESSMENT UNDER § 14–4604 OF THIS SUBTITLE SHA LL: 32 20 SENATE BILL 571
(1) MAINTAIN DOCUMENTATIO N OF THE ASSESSMENT FOR AS LONG 1
AS THE ONLINE PRODUC T IS LIKELY TO BE AC CESSED BY CHILDREN ; 2
(2) REVIEW EACH DATA PROT ECTION IMPACT ASSESS MENT AS 3
NECESSARY TO ACCOUNT FOR MATERIAL CHANGES TO PROCESSING PERTAI NING TO 4
THE ONLINE PRODUCT W ITHIN 90 DAYS OF SUCH MATERIA L CHANGES; 5
(3) CONFIGURE NOTWITHSTANDING ANY O THER LAW, CONFIGURE 6
ALL DEFAULT PRIVACY SETTINGS PROVIDED TO CHILDREN BY THE ONLI NE 7
PRODUCT TO OFFER A HI GH LEVEL OF PRIVACY , UNLESS THE COVERED E NTITY CAN 8
DEMONSTRATE A COMPEL LING REASON THAT A D IFFERENT SETTING IS IN THE BEST 9
INTERESTS OF CHILDRE N; 10
(4) PROVIDE ANY PRIVACY I NFORMATION , TERMS OF SERVICE , 11
POLICIES, AND COMMUNITY STANDA RDS CONCISELY, PROMINENTLY , AND USING 12
CLEAR LANGUAGE SUITE D TO THE AGE OF CHIL DREN LIKELY TO ACCES S THE 13
ONLINE PRODUCT ; AND 14
(5) PROVIDE PROMINENT , ACCESSIBLE, AND RESPONSIVE TOOLS TO 15
HELP CHILDREN OR THE IR PARENTS OR GUARDI ANS, IF APPLICABLE, EXERCISE 16
THEIR PRIVACY RIGHTS AN D REPORT CONCERNS . 17
14–4606. 18
(A) A COVERED ENTITY THAT PROVIDES AN ONLINE P RODUCT THAT IS 19
ACCESSED OR REASONAB LY LIKELY TO BE ACCE SSED BY CHILDREN MAY NOT: 20
(1) PROCESS THE PERSONAL DATA OF A CHILD IN A WAY THAT IS 21
INCONSISTENT WITH THE BEST INTERESTS O F CHILDREN REASONABL Y LIKELY TO 22
ACCESS THE ONLINE PR ODUCT; 23
(2) PROFILE A CHILD BY DE FAULT, UNLESS: 24
(I) THE COVERED ENTITY CA N DEMONSTRATE THAT T HE 25
COVERED ENTITY HAS A PPROPRIATE SAFEGUARD S IN PLACE TO ENSURE THAT 26
PROFILING IS CONSISTENT WITH THE BEST INTERESTS OF CH ILDREN WHO ACCESS 27
OR ARE REASONABLY LI KELY TO ACCESS THE O NLINE PRODUCT ; AND 28
(II) 1. PROFILING IS NECESSAR Y TO PROVIDE THE 29
REQUESTED ONLINE PRODUCT , AND IS DONE ONLY WIT H RESPECT TO THE ASP ECTS 30
OF THE ONLINE PRODUCT THAT THE CHI LD IS ACTIVELY AND K NOWINGLY ENGAGED 31
WITH; OR 32
SENATE BILL 571 21
2. THE COVERED ENTITY CA N DEMONSTRATE A 1
COMPELLING REASON TH AT PROFILING IS IN T HE BEST INTERESTS OF CHILDREN; 2
(3) PROCESS PERSONAL DATA OF A CHILD THAT IS N OT REASONABLY 3
NECESSARY T O PROVIDE AN ONLINE PRODUCT THAT THE CHI LD IS ACTIVELY AND 4
KNOWINGLY ENGAGED WI TH; 5
(4) PROCESS THE PERSONAL DATA OF A CHILD END USER FOR ANY 6
REASON OTHER THAN A REASON FOR WHICH THA T PERSONAL DATA WAS 7
COLLECTED; 8
(5) PROCESS ANY PRECISE G EOLOCATION INFORMATION DATA OF A 9
CHILD BY DEFAULT , UNLESS: 10
(I) THE COLLECTION OF THE PRECISE GEOLOCATION 11
INFORMATION DATA IS STRICTLY NECESSAR Y FOR THE COVERED EN TITY TO 12
PROVIDE THE ONLINE P RODUCT; AND 13
(II) THE PRECISE GEOLOCATI ON DATA IS PROCESSED ONLY FOR 14
THE LIMITED TIME THAT IS NECESSARY TO PROVIDE THE ONLINE PRODUCT ; 15
(6) PROCESS ANY PRECISE G EOLOCATION INFORMATION DATA OF A 16
CHILD WITHOUT PROVID ING AN OBVIOUS SIGNA L TO THE CHILD FOR T HE DURATION 17
THAT THE PRECISE GEO LOCATION INFORMATION DATA IS BEING COLLECTED; 18
(7) USE DARK PATTERNS TO : 19
(I) CAUSE A CHILD TO PROV IDE PERSONAL DATA BE YOND 20
WHAT IS REASONABLY E XPECTED TO PROVIDE T HE ONLINE PRODUCT ; 21
(II) CIRCUMVENT PRIVACY PR OTECTIONS; OR 22
(III) TAKE ANY ACTION THAT THE COVERED ENTITY K NOWS, OR 23
HAS REASON TO KNOW , IS NOT IN THE BEST I NTERESTS OF CHILDREN WHO ACCESS 24
OR ARE REASONABLY LI KELY TO ACCESS THE O NLINE PRODUCT ; OR 25
(8) PROCESS ANY PERSONAL DATA FOR THE PURPOSE OF 26
ESTIMATING THE AGE O F A CHILD THAT IS AC TIVELY AND KNOWINGLY ENGAGED 27
WITH AN ONLINE PRODUCT TH AT IS NOT REASONABLY NECESSARY TO PROVIDE THE 28
ONLINE PRODUCT ; OR 29
(9) ALLOW A PERSON OTHER THAN A CHILD’S PARENT OR GUARDIAN 30
TO MONITOR THE CHILD ’S ONLINE ACTIVITY WI THOUT FIRST NOTIFYIN G THE CHILD 31
AND THE CHILD’S PARENT OR GUARDIAN .; OR 32 22 SENATE BILL 571
(9) ALLOW A CHILD’S PARENT, GUARDIAN, OR ANY OTHER CONSUME R 1
TO MONITOR THE CHILD ’S ONLINE ACTIVITY OR TRACK THE CHILD ’S LOCATION, 2
WITHOUT PROVIDING AN OBVIOUS SIGNAL TO TH E CHILD WHEN THE CHI LD IS BEING 3
MONITORED OR TRACKED . 4
(B) A COVERED ENTITY THAT PROVIDES AN ONL INE PRODUCT THAT IS 5
ACCESSED OR REASONAB LY LIKELY TO BE ACCE SSED BY CHILDREN MAY ALLOW A 6
CHILD’S PARENT OR GUARDIAN TO MONITOR THE CHILD ’S ONLINE ACTIVITY OR 7
TRACK THE CHILD ’S LOCATION, WITHOUT PROVIDING AN OBVIOUS SIGNAL TO TH E 8
CHILD WHEN THE CHILD IS BEI NG MONITORED OR TRAC KED. 9
(C) IN MAKING A DETERMINA TION AS TO WHETHER A N ONLINE PRODUCT IS 10
REASONABLY LIKELY TO BE ACCESSED BY CHILD REN, A COVERED ENTITY MAY NOT 11
COLLECT OR PROCESS A NY PERSONAL DATA BEY OND WHAT IS REASONAB LY 12
NECESSARY TO MAKE THE DETERMIN ATION. 13
14–4607. 14
(A) WITHIN 5 BUSINESS DAYS AFTER RECEIVING A WRITTEN REQUEST FROM 15
THE DIVISION, A COVERED ENTITY THA T PROVIDES AN ONLINE PRODUCT 16
REASONABLY LIKELY TO BE ACCESSED BY CHILD REN SHALL PROVIDE TO THE 17
DIVISION A LIST OF AL L DATA PROTECTION IMPA CT ASSESSMENTS THE C OVERED 18
ENTITY HAS COMPLETED UNDER § 14–4604 OF THIS SUBTITLE. 19
(B) (1) WITHIN 7 BUSINESS DAYS AFTER RECEIVING A WRITTEN REQUEST 20
FROM THE DIVISION, A COVERED ENTITY SHA LL PROVIDE TO THE DIVISION ANY 21
DATA PROTECTION IMPACT ASSESSMENT CO MPLETED UNDER § 14–4604 OF THIS 22
SUBTITLE. 23
(2) THE DIVISION MAY EXTEND B EYOND 7 DAYS THE AMOUNT OF 24
TIME ALLOWED FOR A C OVERED ENTITY TO PRO DUCE A DATA PROTECTI ON IMPACT 25
ASSESSMENT . 26
(C) TO THE EXTENT THAT AN Y DISCLOSURE REQUIRE D UNDER SUBSECTION 27
(B) OF THIS SECTION INCL UDES INFORMATION SUB JECT TO ATTORNEY –CLIENT 28
PRIVILEGE OR WORK –PRODUCT PROTECTION , THE DISCLOSURE MAY N OT 29
CONSTITUTE A WAIVER OF THAT PRIVILEGE OR PROTECTION. 30
14–4608. 31
(A) A VIOLATION OF THIS SU BTITLE: 32
(1) IS AN UNFAIR, ABUSIVE, OR DECEPTIVE TRADE P RACTICE; AND 33 SENATE BILL 571 23
(2) EXCEPT FOR § 13–410 OF THIS ARTICLE , IS SUBJECT TO THE 1
ENFORCEMENT PROVISIO NS CONTAINED IN TITLE 13 OF THIS ARTICLE. 2
(B) A COVERED ENTITY THAT VIOLATES THIS SUBTIT LE IS SUBJECT TO A 3
CIVIL PENALTY NOT EXCEEDING: 4
(1) $2,500 PER AFFECTED CHILD F OR EACH NEGLIGENT VI OLATION; 5
AND 6
(2) $7,500 PER AFFECTED CHILD F OR EACH INTENTIONAL 7
VIOLATION. 8
(C) THE DIVISION SHALL PAY AL L FINES, PENALTIES, AND EXPENSES 9
COLLECTED BY THE DIVISION UNDER THIS S UBSECTION INTO THE GENERAL FUND 10
WITH THE INTENT THAT FINES, PENALTIES, AND EXPENSES BE USED TO FULLY 11
OFFSET ANY COSTS INC URRED BY THE DIVISION IN CONNECTIO N WITH THIS 12
SUBTITLE. 13
14–4609. 14
(A) IF A COVERED ENTITY I S IN SUBSTANTIAL COM PLIANCE WITH THE 15
REQUIREMENTS OF §§ 14–4604 THROUGH 14–4606 OF THIS SUBTITLE , THE 16
DIVISION SHALL PROVID E WRITTEN NOTICE TO THE COVERED ENTITY B EFORE 17
FILING AN ACTION UND ER § 14–4608 OF THIS SUBTITLE . 18
(B) NOTICE GIVEN UNDER SU BSECTION (A) OF THIS SECTION SHAL L 19
IDENTIFY THE SPECIFI C PROVISIONS OF THIS SUBTI TLE THAT THE DIVISION 20
ALLEGES HAVE BEEN OR ARE BEING VIOLATED . 21
(C) A COVERED ENTITY MAY N OT BE LIABLE FOR A C IVIL PENALTY FOR A 22
VIOLATION FOR WHICH NOTICE IS GIVEN UNDE R SUBSECTION (A) OF THIS SECTION 23
IF THE COVERED ENTIT Y: 24
(1) HAS COMPLETED A DATA PRO TECTION IMPACT ASSES SMENT 25
UNDER § 14–4604(A)(2) OF THIS SUBTITLE FOR EXISTING ONLINE PROD UCTS THAT 26
ARE REASONABLY LIKEL Y TO BE ACCESSED BY CHILDREN; 27
(2) HAS COMPLETED A DATA PROTECTION IMPACT AS SESSMENT 28
UNDER § 14–4604(A)(3) OF THIS SUBTITLE PRIOR TO OF FERING TO THE PUBLIC A 29
NEW ONLINE PRODUCT T HAT IS REASONABLY LI KELY TO BE ACCESSED BY 30
CHILDREN; 31
24 SENATE BILL 571
(3) CURES THE VIOLATION S PECIFIED IN THE DIVISION’S NOTICE 1
WITHIN 90 DAYS AFTER ISSUANCE OF THE NOTICE UNDER SUBSECTION (A) OF THIS 2
SECTION; 3
(4) PROVIDES THE DIVISION WITH A WRITT EN STATEMENT THAT TH E 4
ALLEGED VIOLATION HA S BEEN CURED; AND 5
(5) TAKES MEASURES TO PRE VENT ANY FUTURE VIOL ATION THAT 6
THE DIVISION AGREED TO BE SUFFICIENT. 7
14–4610. 8
NOTHING IN THIS SUBTI TLE MAY BE INTERPRETED OR CONST RUED TO: 9
(1) PROVIDE A PRIVATE RIG HT OF ACTION UNDER T HIS SUBTITLE OR 10
ANY OTHER LAW ; 11
(2) IMPOSE LIABILITY IN A MANNER THAT IS INCON SISTENT WITH 47 12
U.S.C. § 230; 13
(3) PREVENT OR PRECLUDE A CHILD FROM DELIBERAT ELY OR 14
INDEPENDENTLY SEARCHING FOR OR SPE CIFICALLY REQUESTING CONTENT; OR 15
(4) REQUIRE A COVERED ENT ITY TO IMPLEMENT AN AGE–GATING 16
REQUIREMENT . 17
14–4611. 18
NOTWITHSTANDING ANY O THER LAW , A DATA PROTECTION IM PACT 19
ASSESSMENT IS PROTEC TED AS CONFIDENTIAL AND SHALL BE EXEMPT FROM 20
PUBLIC DISCLOSURE , INCLUDING UNDER THE MARYLAND PUBLIC INFORMATION 21
ACT. 22
14–4612. 23
(A) WHEREVER POSSIBLE , LAW RELATING TO CONS UMERS’ PERSONAL 24
DATA SHOULD BE CONST RUED TO HARMONIZE WI TH THE PROVISIONS OF THIS 25
SUBTITLE. 26
(B) IN THE EVENT OF A CON FLICT BETWEEN OTHER LAWS AN D THIS 27
SUBTITLE, THE PROVISIONS OF TH E LAW THAT AFFORD TH E GREATEST PROTECTIO N 28
FOR THE RIGHT OF PRI VACY FOR CONSUMERS S HALL CONTROL . 29
14–4613. 30 SENATE BILL 571 25
THIS SUBTITLE MAY BE CITED AS THE MARYLAND AGE–APPROPRIATE 1
DESIGN CODE ACT. 2
SECTION 2. AND BE IT FURTHER ENACTED, That this Act shall take effect 3
October 1, 2024. 4
Approved:
________________________________________________________________________________
Governor.
________________________________________________________________________________
President of the Senate.
________________________________________________________________________________
Speaker of the House of Delegates.