WES MOORE, Governor Ch. 460
– 1 –
Chapter 460
(Senate Bill 571)
AN ACT concerning
Consumer Protection – Online Products and Services – Data of Children
(Maryland Kids Code)
FOR the purpose of requiring a covered entity that offers an online product reasonably
likely to be accessed by children to complete a certain data protection impact
assessment under certain circumstances; requiring certain privacy protections for
certain online products; prohibiting certain data collection and sharing practices;
authorizing certain monitoring practices; and generally relating to the protection of
online privacy of children.
BY repealing and reenacting, with amendments,
Article – Commercial Law
Section 13–301(14)(xl)
Annotated Code of Maryland
(2013 Replacement Volume and 2023 Supplement)
BY repealing and reenacting, without amendments,
Article – Commercial Law
Section 13–301(14)(xli)
Annotated Code of Maryland
(2013 Replacement Volume and 2023 Supplement)
BY adding to
Article – Commercial Law
Section 13–301(14)(xlii); and 14–4601 through 14–4612 14–4613 to be under the new
subtitle “Subtitle 46. Maryland Age–Appropriate Design Code Act”
Annotated Code of Maryland
(2013 Replacement Volume and 2023 Supplement)
Preamble
WHEREAS, The United Nations Convention on the Rights of the Child recognizes
that children need special safeguards and care in all aspects of their lives, specifying how
children’s rights apply in the digital environment in General Comment No. 25; and
WHEREAS, As children spend more of their time interacting with the online world,
the impact of the design of online products on their well–being has become a focus of
significant concern; and
Ch. 460 2024 LAWS OF MARYLAND
– 2 –
WHEREAS, There is widespread agreement at the international level, and
bipartisan agreement in the United States, that more needs to be done to create a safer
online space for children to learn, explore, and play; and
WHEREAS, Lawmakers around the globe have taken steps to enhance privacy
protections for children based on the understanding that, in relation to data protection,
greater privacy necessarily means greater security and well–being; and
WHEREAS, Children should be afforded protections not only by online products and
services specifically directed at them, but by all online products they are likely to access,
and thus covered entities should take into account the unique needs of different age ranges,
including the following developmental stages: 0 to 5 years of age, or “preliterate and early
literacy”; 6 to 9 years of age, or “core primary school years”; 10 to 12 years of age, or
“transition years”; 13 to 15 years of age, or “early teens”; and 16 to 17 years of age, or
“approaching adulthood”; and
WHEREAS, While it is clear that the same data protection regime may not be
appropriate for children of all ages, children of all ages should nonetheless be afforded
privacy and protection, and online products should adopt data protection regimes
appropriate for children of the ages likely to access those products; and
WHEREAS, According to the Pew Research Center, in 2022, 97% of American
teenagers aged 13–17 used the Internet every day, with 46% responding they used the
Internet almost constantly; and, additionally, 36% of teens reported being concerned about
their social media use, while an earlier Pew Research Center study found that 59% of teens
have been bullied or harassed online; and
WHEREAS, The findings of the Pew Research Center are not surprising, given what
is known about controllers’ use of personal data and how it is utilized to inform
manipulative practices, to which children are particularly vulnerable; and
WHEREAS, Online products that are likely to be accessed by children should offer
strong privacy protections that, by design, prevent the use of children’s personal data to
offer elements that the covered entity offering the online product knows, or has reason to
know, are likely to be materially detrimental to the physical health, mental health, or
well–being of children; and
WHEREAS, Ensuring robust privacy, and thus safety, protections for children by
design is consistent with federal safety laws and policies applied to children’s products,
regulating everything from toys to clothing to furniture and games; and
WHEREAS, The consumer protections that federal safety laws apply to children’s
products require these products to comply with certain safety standards by their very
design, so that harms to children, and in some cases other consumers, are prevented; and
WES MOORE, Governor Ch. 460
– 3 –
WHEREAS, It is the intent of the Maryland General Assembly that the Maryland
Age–Appropriate Design Code Act promote innovation by covered entities whose online
products are likely to be accessed by children by ensuring that those online products are
designed in a manner that recognizes the distinct needs of children within different age
ranges; and now, therefore,
WHEREAS, It is the intent of the Maryland General Assembly that covered entities
covered by the Maryland Age–Appropriate Design Code Act may look to guidance and
innovation in response to the Age–Appropriate Design Code established in the United
Kingdom and California when developing online products that are likely to be accessed by
children; now, therefore,
SECTION 1. BE IT ENACTED BY THE GENERAL ASSEMBLY OF MARYLAND,
That the Laws of Maryland read as follows:
Article – Commercial Law
13–301.
Unfair, abusive, or deceptive trade practices include any:
(14) Violation of a provision of:
(xl) Title 14, Subtitle 13 of the Public Safety Article; [or]
(xli) Title 14, Subtitle 45 of this article; or
(XLII) TITLE 14, SUBTITLE 46 OF THIS ARTICLE; OR
SUBTITLE 46. MARYLAND AGE–APPROPRIATE DESIGN CODE ACT.
14–4601.
(A) IN THIS SUBTITLE THE FOLLOWING WORDS HAVE THE MEANINGS
INDICATED.
(B) (1) “AGGREGATE CONSUMER IN FORMATION” MEANS INFORMATION :
(I) THAT RELATES TO A GRO UP OR CATEGORY OF CO NSUMERS;
(II) FROM WHICH I NDIVIDUAL CONSUMER I DENTITIES HAVE
BEEN REMOVED ; AND
(III) THAT IS NOT LINKED OR REASONABLY LINKABLE TO ANY
CONSUMER OR HOUSEHOL D, INCLUDING BY A DEVIC E. Ch. 460 2024 LAWS OF MARYLAND
– 4 –
(2) “AGGREGATE CONSUMER IN FORMATION” DOES NOT INCLUDE
INDIVIDUAL CONSUMER RECORDS THAT HAVE BE EN DE–IDENTIFIED.
(C) “BEST INTERESTS OF CHI LDREN” MEANS A COVERED ENTI TY’S USE OF
THE PERSONAL DATA OF A CHILD CHILDREN OR THE DESIGN OF AN ONLINE
PRODUCT IN A WAY THA T DOES NOT:
(1) BENEFIT THE COVERED E NTITY TO THE DETRIME NT OF A CHILD
CHILDREN; AND
(2) RESULT IN:
(I) REASONABLY FORESEEABL E AND MATERIAL PHYSI CAL OR
FINANCIAL HARM TO A CHILD CHILDREN;
(II) SEVERE AND REASONABLY FORESEEABLE PSYCHOLO GICAL
OR EMOTIONAL HARM TO A CHILD CHILDREN;
(III) A HIGHLY OFFENSIVE INT RUSION ON A CHILD’S CHILDREN’S
REASONABLE EXPECTATI ON OF PRIVACY; OR
(IV) DISCRIMINATION AGAINS T A CHILD CHILDREN BASED ON
RACE, COLOR, RELIGION, NATIONAL ORIGIN , DISABILITY, GENDER IDENTITY , SEX,
OR SEXUAL ORIENTATIO N.
(D) (1) “BIOMETRIC INFORMATION DATA” MEANS INFORMATION DATA
GENERATED BY AUTOMAT IC MEASUREMENTS OF A N INDIVIDUAL’S BIOLOGICAL
CHARACTERISTICS .
(2) “BIOMETRIC INFORMATION DATA” INCLUDES:
(I) A FINGERPRINT ;
(II) A VOICEPRINT;
(III) AN EYE RETINA OR IRIS PATTERN; OR
(IV) ANY OTHER U NIQUE BIOLOGICAL PAT TERN OR
CHARACTERISTIC THAT IS USED TO IDENTIFY A SPECIFIC INDIVIDUA L.
(3) “BIOMETRIC INFORMATION DATA” DOES NOT INCLUDE :
(I) A DIGITAL OR PHYSICAL PHOTOGRAPH ; WES MOORE, Governor Ch. 460
– 5 –
(II) AN AUDIO OR VIDEO REC ORDING; OR
(III) DATA GENERATED FROM A DIGITAL OR PH YSICAL
PHOTOGRAPH , OR AN AUDIO OR VIDEO RECORDING, UNLESS THE DATA IS
GENERATED TO IDENTIF Y A SPECIFIC INDIVID UAL.
(E) “CHILD” MEANS A CONSUMER WHO IS UNDER THE AGE OF 18 YEARS.
(F) (1) “COLLECT” MEANS TO BUY, RENT, GATHER, OBTAIN, RECEIVE, OR
ACCESS PERSONAL DATA RELATING TO A CONSUM ER.
(2) “COLLECT” INCLUDES:
(I) ACTIVELY OR PASSIVELY RECEIVING RECEIVING DATA
FROM THE CONSUMER ; AND
(II) OBSERVING THE CONSUME R’S BEHAVIOR.
(G) (1) “CONSUMER” MEANS AN INDIVIDUAL WHO IS A RESIDENT OF THE
STATE, HOWEVER IDENTIFIED , INCLUDING BY A UNIQU E IDENTIFIER.
(2) “CONSUMER” DOES NOT INCLUDE AN INDIVIDUAL ACTING IN A
COMMERCIAL OR EMPLOY MENT CONTEXT OR AS A N EMPLOYER , AN OWNER, A
DIRECTOR, AN OFFICER, OR A CONTRACTOR OF A COMPANY, PARTNERSHIP, SOLE
PROPRIETORSHIP , NONPROFIT ORGANIZATI ON, OR GOVERNMENT AGENCY
GOVERNMENTAL UNIT WHOSE COMMUNICATIONS OR TRANSACTIONS WITH THE
COVERED ENTITY OCCUR SOLELY WITHIN THE CO NTEXT OF THAT INDIVI DUAL’S
ROLE WITH THE COMPAN Y, PARTNERSHIP , SOLE PROPRI ETORSHIP, NONPROFIT
ORGANIZATION , OR GOVERNMENT AGENCY GOVERNMENTAL UNIT.
(H) (1) “COVERED ENTITY ” MEANS A SOLE PROPRIE TORSHIP, A LIMITED
LIABILITY COMPANY , A CORPORATION , AN ASSOCIATION , OR ANY OTHER LEGAL
ENTITY THAT:
(I) IS ORGANIZED OR OPERA TED FOR THE PROFIT OR
FINANCIAL BENEFIT OF ITS SHAREHOLDERS OR OTHER OWNERS ;
(II) COLLECTS CONSUMERS ’ PERSONAL INFORMATION DATA OR
USES ANOTHER ENTITY TO CO LLECT CONSUMERS ’ PERSONAL INFORMATION DATA
ON ITS BEHALF;
Ch. 460 2024 LAWS OF MARYLAND
– 6 –
(III) ALONE, OR JOINTLY WITH ITS AFFILIATES OR
SUBSIDIARIES, DETERMINES THE PURPO SES AND MEANS OF THE PROCESSING OF
CONSUMERS ’ PERSONAL DATA ;
(IV) DOES BUSINESS IN THE STATE; AND
(V) 1. HAS ANNUAL GROSS REVE NUES IN EXCESS OF
$25,000,000, ADJUSTED EVERY ODD –NUMBERED YEAR TO REF LECT ADJUSTMENTS
IN THE CONSUMER PRICE INDEX;
2. ANNUALLY BUYS , RECEIVES, SELLS, OR SHARES THE
PERSONAL DATA OF 50,000 OR MORE CONSUMERS , HOUSEHOLDS , OR DEVICES,
ALONE OR IN COMBINAT ION WITH ITS AFFILIA TES OR SUBSIDIARIES , FOR THE
COVERED ENTITY ’S COMMERC IAL PURPOSES; OR
3. DERIVES AT LEAST 50% OF ITS ANNUAL REVENU ES
FROM THE SALE OF CON SUMERS’ PERSONAL DATA .
(2) “COVERED ENTITY ” INCLUDES:
(I) AN ENTITY THAT CONTRO LS OR IS CONTROLLED BY A
BUSINESS AND THAT SH ARES A NAME, SERVICE MARK , OR TRADEMARK THAT WOULD
CAUSE A REASONABLE C ONSUMER TO UNDERSTAN D THAT TWO OR MORE E NTITIES
ARE COMMONLY OWNED ; AND
(II) A JOINT VENTURE OR PAR TNERSHIP COMPOSED OF
BUSINESSES IN WHICH EACH HAS AT LEAST A 40% INTEREST IN THE JOIN T VENTURE
OR PARTNERSHIP .
(I) (1) “DARK PATTERN ” MEANS A USER INTERFA CE DESIGNED OR
MANIPULATED WITH THE PURPOSE OF SUBVERTIN G OR IMPAIRING USER
AUTONOMY , DECISION MAKING , OR CHOICE.
(2) “DARK PATTERN ” INCLUDES ANY PRACTIC E IDENTIFIED BY THE
FEDERAL TRADE COMMISSION AS A DARK PATTERN.
(J) “DATA PROTECTION IMPAC T ASSESSMENT” OR “ASSESSMENT” MEANS A
SYSTEMATIC SURVEY TO ASSESS COMPLIANCE WI TH THE DUTY TO ACT I N THE BEST
INTERESTS OF CHILDRE N.
(K) “DEFAULT” MEANS A PRESELECTED OPTION ADOPTED BY TH E
COVERED ENTITY FOR A N ONLINE PRODUCT.
WES MOORE, Governor Ch. 460
– 7 –
(L) “DE–IDENTIFIED INFORMATI ON” MEANS DATA THAT CANN OT
REASONABLY BE USED T O INFER INFORMATION ABOUT, OR OTHERWISE BE LINK ED
TO, AN IDENTIFIED OR IDE NTIFIABLE INDIVIDUAL , IF THE COVERED ENTIT Y THAT
POSSESSES THE DATA :
(1) TAKES REASONABLE MEASURES TO ENSURE T HAT THE DATA
CANNOT BE LINKED WIT H AN INDIVIDUAL;
(2) PUBLICLY COMMITS TO :
(I) MAINTAIN AND USE THE DATA IN DE–IDENTIFIED FORM ;
AND
(II) NOT ATTEMPT TO RE –IDENTIFY THE INFORMA TION; AND
(3) CONTRACTUALLY OBLIGAT ES ANY RECIP IENTS OF THE
INFORMATION TO COMPL Y WITH ALL PROVISION S OF THIS SUBSECTION .
(M) “DERIVED DATA” MEANS DATA THAT ARE DERIVED FROM OTHER D ATA
OR INFORMATION , OR OTHERWISE OBTAINE D THROUGH CORRELATIO NS,
PREDICTIONS, ASSUMPTIONS , INFERENCES, OR CONCLUSIONS DRA WN FROM FACTS
OR EVIDENCE OR ANOTH ER SOURCE OF INFORMA TION OR DATA ABOUT A CHILD OR
A CHILD’S DEVICE.
(N) (L) “DIVISION” MEANS THE DIVISION OF CONSUMER PROTECTION
OF THE OFFICE OF THE ATTORNEY GENERAL.
(O) (M) (1) “ONLINE PRODUCT ” MEANS AN ONLINE SERVICE, PRODUCT,
OR FEATURE.
(2) “ONLINE PRODUCT ” DOES NOT INCLUDE :
(I) A TELECOMMUNICATIONS S ERVICE, AS DEFINED IN 47
U.S.C. § 153;
(II) THE SALE, DELIVERY, OR USE OF A PHYSICAL PRODUCT
SOLD BY AN ONLINE RE TAILER; OR
(III) A BROADBAND INTERNET ACCESS SERVICE , AS DEFINED IN
47 C.F.R. § 8.1(B).
(P) (N) (1) “PERSONAL DATA ” MEANS INFORMATION TH AT IS LINKED
OR REASONABLY ABLE T O BE LINKED, ALONE OR IN COMBINAT ION WITH OTHER
INFORMATION , TO AN IDENTIFIED OR IDENTIFIABLE INDIVID UAL. Ch. 460 2024 LAWS OF MARYLAND
– 8 –
(2) “PERSONAL DATA ” INCLUDES DERIVED DAT A THAT OTHERWISE
MEETS THE DEFINITION IN PARAGRAPH (1) OF THIS SUBSECTION DOES NOT
INCLUDE:
(I) DE–IDENTIFIED DATA ; OR
(II) PUBLICLY AVAILABLE IN FORMATION.
(Q) (O) (1) “PRECISE GEOLOCATION ” MEANS ANY DATA THAT IS:
(1) DERIVED FROM A DEVICE ; AND
(2) USED OR INTENDED TO B E USED TO LOCATE A C ONSUMER
GEOGRAPHICALLY WITHI N A RADIUS OF UP TO 1,850 FEET INFORMATION DERIVED
FROM TECHNOLOGY THAT CAN PRECISELY AND AC CURATELY IDENTIFY TH E
SPECIFIC LOCATION OF A CONSUMER WITHIN A RA DIUS OF 1,750 FEET.
(2) “PRECISE GEOLOCATION ” INCLUDES LATITUDE AN D LONGITUDE
COORDINATES OF SIMIL AR PRECISION TO THOS E PRODUCED BY A GLOB AL
POSITIONING SYSTEM O R A SIMILAR MECHANIS M.
(3) “PRECISE GEOLOCATION ” DOES NOT INCLUDE :
(I) THE CONTENT OF COMMUN ICATIONS;
(II) DATA GENERATED BY OR CONNECTED WITH A UTI LITY
COMPANY’S ADVANCED METERING INFRASTRUCTURE ; OR
(III) DATA GENERATED BY EQU IPMENT USED BY A UTI LITY
COMPANY.
(R) (P) (1) “PROCESS” MEANS TO CONDUCT OR DIRECT ANY
OPERATION THAT MAY BE PERFORME D ON PERSONAL DATA , WHETHER OR NOT BY
AUTOMATED MEANS TO PERFORM AN OPERAT ION OR SET OF OPERAT IONS BY
MANUAL OR AUTOMATED MEANS ON PERSONAL DA TA.
(2) “PROCESS” INCLUDES:
(I) COLLECTING PERSONAL D ATA;
(II) USING PERSONAL DATA ;
(III) STORING PERSONAL DATA ; WES MOORE, Governor Ch. 460
– 9 –
(IV) DISCLOSING PERSONAL D ATA;
(V) ANALYZING PERSONAL DA TA;
(VI) DELETING PERSONAL DAT A;
(VII) MODIFYING PERSONAL DA TA; AND
(VIII) OTHERWISE HANDLING PE RSONAL DATA COLLECTING,
USING, STORING, DISCLOSING, ANALYZING, DELETING, OR MODIFYING PERSONA L
DATA.
(S) (Q) (1) “PROFILING” MEANS ANY FORM OF AU TOMATED
PROCESSING OF PERSON AL DATA THAT USES PE RSONAL DATA TO EVALU ATE,
ANALYZE, OR PREDICT CERTAIN A SPECTS RELATING TO A N INDIVIDUAL, INCLUDING
AN INDIVIDUAL ’S ECONOMIC SITUATION , HEALTH, PERSONAL PREFERENCES ,
INTERESTS, RELIABILITY, BEHAVIOR, LOCATION, OR MOVEMENTS .
(2) “PROFILING” DOES NOT INCLUDE THE PROCESSING OF
PERSONAL DATA THAT D OES NOT RESULT IN AN ASSESSMENT OR JUDGME NT ABOUT
AN INDIVIDUAL.
(T) (R) (1) “PUBLICLY AVAILABLE IN FORMATION” MEANS
INFORMATION THAT :
(I) IS LAWFULLY MADE AVAI LABLE FROM FEDERAL , STATE, OR
LOCAL GOVERNMENT REC ORDS; OR
(II) A COVERED ENTITY HAS A REASONABLE BASIS TO BELIEVE
IS LAWFULLY MADE AVA ILABLE TO THE GENERAL PUB LIC BY THE CONSUMER OR BY
WIDELY DISTRIBUTED M EDIA.
(2) “PUBLICLY AVAILABLE IN FORMATION” DOES NOT INCLUDE
BIOMETRIC INFORMATION DATA COLLECTED BY A COVER ED ENTITY ABOUT A
CONSUMER WITHOUT THE CONSUMER ’S KNOWLEDGE .
(U) (S) “REASONABLY LIKELY TO BE ACCESSED BY CHILD REN” MEANS
REASONABLY EXPECTED IT IS REASONABLE TO EXPECT THAT THE ONLINE PROD UCT
WOULD BE ACCESSED BY CHILDREN, BASED ON SATISFYING ANY OF THE FOLLOWING
CRITERIA:
(1) THE ONLINE PRODUCT IS DIRECTED TO CHILDREN AS DEFINED IN
THE FEDERAL CHILDREN’S ONLINE PRIVACY PROTECTION ACT; Ch. 460 2024 LAWS OF MARYLAND
– 10 –
(2) THE ONLINE PRODUCT IS DETERMINED , BASED ON COMPETENT
AND RELIABLE EVIDENC E REGARDING AUDIENCE COMPOSITION , TO BE ROUTINELY
ACCESSED BY A SIGNIF ICANT NUMBER OF CHIL DREN;
(3) THE ONLINE PRODUCT IS SUB STANTIALLY SIMILAR O R THE SAME
AS AN ONLINE PRODUCT THAT SATISFIES ITEM (2) OF THIS SUBSECTION ;
(4) THE ONLINE PRODUCT FE ATURES ADVERTISEMENT S MARKETED
TO CHILDREN;
(5) THE COVERED ENTITY ’S INTERNAL RESEARCH FINDINGS
DETERMINE THA T A SIGNIFICANT AMOU NT OF THE ONLINE PRO DUCT’S AUDIENCE IS
COMPOSED OF CHILDREN ; OR
(6) THE COVERED ENTITY KN OWS OR SHOULD HAVE K NOWN THAT A
USER IS A CHILD.
(V) (T) (1) “SELL” MEANS TO TRANSFER , RENT, RELEASE, DISCLOSE,
DISSEMINATE, MAKE AVAILABLE , OR OTHERWISE COMMUNIC ATE, WHETHER
ORALLY, IN WRITING, OR BY ELECTRONIC OR OTHER MEANS , A CONSUMER ’S
PERSONAL DATA , IN A TRANSACTION FOR MONETARY OR OTHER VA LUABLE
CONSIDERATION BETWEE N A COVERED ENTITY A ND A THIRD PARTY .
(2) “SELL” DOES NOT INCLUDE :
(I) THE DISCLOSURE OF PER SONAL DATA TO THE SE RVICE
PROVIDER THAT PROCES SES PERSONAL DATA ON BEHALF OF THE COVERE D ENTITY;
(II) THE DISCLOSURE OF PER SONAL DATA TO A THIR D PARTY
FOR PURPOSES OF PROV IDING A PRODUCT OR S ERVICE REQUESTED BY THE
CONSUMER ;
(III) THE DISCLOSURE OR TRA NSFER OF PERSONAL DA TA TO AN
AFFILIATE OR SUBSIDI ARY OF THE COVERED E NTITY;
(IV) THE DISCLOSURE OF PER SONAL DATA WHERE THE
CONSUMER DIRECTS THE COVERED ENTITY TO DI SCLOSE THE PERSONAL DATA OR
INTENTIONALLY USES T HE COVERED ENTITY TO INTERACT W ITH A THIRD PARTY; OR
(V) THE DISCLOSURE OR TRA NSFER OF PERSONAL DA TA TO A
THIRD PARTY AS AN AS SET THAT IS PART OF AN ACTUAL OR PROPOSE D MERGER, WES MOORE, Governor Ch. 460
– 11 –
ACQUISITION, BANKRUPTCY , OR OTHER TRANSACTION , IN WHICH THE THIRD P ARTY
ASSUMES CONTROL OF ALL OR PART OF TH E COVERED ENTITY ’S ASSETS.
(W) (1) “SENSITIVE PERSONAL DA TA” MEANS:
(I) PERSONAL DATA THAT RE VEALS A CONSUMER ’S:
1. SOCIAL SECURITY NUMBER , DRIVER’S LICENSE
NUMBER, STATE IDENTIFICATION CARD NUMBER , OR PASSPORT NUMBER ;
2. ACCOUNT LOGIN INFORMA TION, FINANCIAL
ACCOUNT NUMBER , DEBIT CARD NUMBER , OR CREDIT CARD NUMBE R, IN
COMBINATION WITH ANY REQUIRED SECURITY OR ACCESS CODE , PASSWORD, OR
CREDENTIALS THAT ALL OW ACCESS TO AN ACCO UNT;
3. PRECISE GEOLOCATION ;
4. RACIAL OR ETHNIC ORIG IN OR RELIGIOUS OR
PHILOSOPHICAL BELIEF S;
5. MAIL, E–MAIL, TEXT, OR MESSAGE CONTENTS ,
UNLESS THE COVERED E NTITY IS THE INTENDE D RECIPIENT; OR
6. GENETIC DATA;
(II) BIOMETRIC INFORMATION THAT IS OR MAY BE PR OCESSED
FOR THE PURPOSE OF UNIQUELY IDENTIFYING A CONSUM ER;
(III) PERSONAL DATA COLLECT ED AND ANALYZED CONC ERNING
A CONSUMER ’S HEALTH; OR
(IV) PERSONAL DATA COLLECT ED AND ANALYZED CONC ERNING
A CONSUMER ’S SEX LIFE OR SEXUAL ORIENTATION .
(2) “SENSITIVE PERSONAL DATA” DOES NOT INCLUDE PUB LICLY
AVAILABLE INFORMATIO N.
(X) (U) “SERVICE PROVIDER ” MEANS A PERSON THAT PROCESSES
PERSONAL DATA ON BEH ALF OF A COVERED ENT ITY AND THAT RECEIVE S FROM OR
ON BEHALF OF THE COV ERED ENTITY A CONSUM ER’S PERSONAL DATA FOR
BUSINESS PURPOSES IN ACCORDAN CE WITH A WRITTEN CO NTRACT, IF THE
CONTRACT PROHIBITS T HE PERSON FROM :
(1) SELLING OR SHARING TH E PERSONAL DATA ; Ch. 460 2024 LAWS OF MARYLAND
– 12 –
(2) RETAINING, USING, OR DISCLOSING THE PE RSONAL DATA FOR
ANY PURPOSE OTHER TH AN FOR THE BUSINESS PURPOSES SPECIFIED IN THE
CONTRACT FOR THE COV ERED ENTITY , INCLUDING RETAINING , USING, OR
DISCLOSING THE PERSO NAL DATA FOR A COMME RCIAL PURPOSE OTHER THAN THE
BUSINESS PURPOSES SP ECIFIED IN THE CONTR ACT WITH THE COVERED ENTITY, OR
AS OTHERWISE ALLOWED UNDER THIS SUBTITLE ;
(3) RETAINING, USING, OR DISCLOSING THE PE RSONAL DATA
OUTSIDE THE DIRECT B USINESS RELATIONSHIP BETWEEN THE SERVICE PROVIDER
AND THE COVERED ENTI TY; AND
(4) COMBINING THE PERSONA L DATA THAT THE SERV ICE PROVIDER
RECEIVES FROM , OR ON BEHALF OF , THE COVERE D ENTITY WITH PERSON AL DATA
THAT IT RECEIVES FRO M, OR ON BEHALF OF , ANOTHER PERSON OR PE RSONS, OR
COLLECTS FROM ITS OW N INTERACTION WITH T HE CONSUMER .
(Y) (V) “SHARE” MEANS TO RENT , RELEASE, DISSEMINATE, MAKE
AVAILABLE, TRANSFER, OR OTHERWISE COMMUNI CATE, WHETHER ORALLY , IN
WRITING, OR BY ELECTRONIC OR OTHER MEANS , A CONSUMER ’S PERSONAL DATA TO
A THIRD PARTY FOR CR OSS–CONTEXT BEHAVIORAL A DVERTISING WHETHER O R NOT
FOR MONETARY OR OTHE R VALUABLE CONSIDERA TION, INCLUDING IN A
TRANSACTION BETWEEN A COVERED EN TITY AND A THIRD PAR TY FOR TARGETED
ADVERTISING FOR THE BENEFIT OF A COVERED ENTITY IN WHICH NO M ONEY IS
EXCHANGED .
(Z) (1) “TARGETED ADVERTISING ” MEANS DISPLAYING
ADVERTISEMENTS TO A CONSUMER WHERE THE A DVERTISEMENT IS SELE CTED
BASED ON PERSONAL DA TA OBTAINED OR INFERRED FROM THAT CONSUMER ’S
ACTIVITIES OVER TIME AND ACROSS NONAFFILI ATED INTERNET WEBSITES OR
ONLINE APPLICATIONS TO PREDICT THE CONSU MER’S PREFERENCES OR
INTERESTS.
(2) “TARGETED ADVERTISING ” DOES NOT INCLUDE :
(I) ADVERTISEMENTS BASE D ON ACTIVITIES WITH IN A
COVERED ENTITY ’S OWN INTERNET WEBSITES OR ONLINE APPLICATIONS ;
(II) ADVERTISEMENTS BASED ON THE CONTEXT OF A
CONSUMER ’S CURRENT SEARCH QUE RY, VISIT TO AN INTERNET WEBSITE , OR USE OF
AN ONLINE APPLICATIO N;
WES MOORE, Governor Ch. 460
– 13 –
(III) ADVERTISEMEN TS DIRECTED TO A CON SUMER IN
RESPONSE TO THE CONS UMER’S REQUEST FOR INFORM ATION OR FEEDBACK ; OR
(IV) PROCESSING PERSONAL D ATA SOLELY TO MEASUR E OR
REPORT ADVERTISING F REQUENCY, PERFORMANCE , OR REACH.
(AA) (W) “THIRD PARTY” MEANS A PERSON WHO I S NOT:
(1) THE COVERED ENTITY WI TH WHICH THE CONSUME R
INTENTIONALLY INTERA CTS AND THAT COLLECT S PERSONAL DATA FROM THE
CONSUMER AS PART OF THE CONSUMER ’S INTERACTION WITH T HE COVERED
ENTITY; OR
(2) A SERVICE PROVIDER FOR THE COVERED ENTITY .
14–4602.
THIS SUBTITLE DOES NOT AP PLY TO:
(1) DATA SUBJECT TO A STA TUTE OR REGULATION I DENTIFIED
UNDER ITEM (I) OF THIS ITEM THAT IS CONTROLLED BY A COVE RED ENTITY OR
SERVICE PROVIDER THA T IS:
(I) REQUIRED TO COMPLY WI TH:
1. TITLE V OF THE FEDERAL GRAMM–LEACH–BLILEY
ACT;
2. THE FEDERAL HEALTH INFORMATION TECHNOLOGY
FOR ECONOMIC AND CLINICAL HEALTH ACT; OR
3. REGULATIONS PROMULGAT ED UNDER § 264(C) OF
THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996; AND
(II) IN COMPLIANCE WITH TH E INFORMATION SECURITY
REQUIREMENTS OF APPL ICABLE STATUTES OR R EGULATIONS IDENTIFIE D IN ITEM
(I) OF THIS ITEM; OR PROTECTED HEALTH INFO RMATION THAT IS COLL ECTED BY A
COVERED ENTITY OR BU SINESS ASSOCIATION G OVERNED BY THE PRIVA CY
SECURITY AND BREACH NOTIFICATION RULES IN 45 C.F.R. PARTS 160 AND 164,
ESTABLISHED UNDER TH E FEDERAL HEALTH INSURANCE PORTABILITY AND
ACCOUNTABILITY ACT OF 1996 AND THE FEDERAL HEALTH INFORMATION
TECHNOLOGY FOR ECONOMIC AND CLINICAL HEALTH ACT;
Ch. 460 2024 LAWS OF MARYLAND
– 14 –
(2) A COVERED ENTITY GOVER NED BY THE PRIVACY SECURITY AND
BREACH NOTIFICATION RULES IN 45 C.F.R. PARTS 160 AND 164, ESTABLISHED
UNDER THE FEDERAL HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY
ACT OF 1996 AND THE FEDERAL HEALTH INFORMATION TECHNOLOGY FOR
ECONOMIC AND CLINICAL HEALTH ACT, TO THE EXTENT THAT THE COVERED
ENTITY MAINTAINS PAT IENT INFORMATION IN THE SAME MANNER AS M EDICAL
INFORMATION OR PROTE CTED HEALTH INFORMAT ION AS DESCRIBED IN ITEM (1) OF
THIS SECTION; OR
(3) (2) INFORMATION COLLECTED AS PART OF A CLINICA L TRIAL
SUBJECT TO THE FEDERAL POLICY FOR THE PROTECTION OF HUMAN SUBJECTS,
IN ACCORDANCE WITH :
(I) GOOD CLINICAL PRACTIC E GUIDELINES ISSUED BY THE
INTERNATIONAL COUNCIL FOR HARMONISATION OF TECHNICAL REQUIREMENTS
FOR PHARMACEUTICALS FOR HUMAN USE; OR
(II) HUMAN SUB JECT PROTECTION REQU IREMENTS OF THE
U.S. FOOD AND DRUG ADMINISTRATION .
14–4603.
IT IS THE INTENT OF T HE GENERAL ASSEMBLY THAT :
(1) CHILDREN SHOULD BE AF FORDED PROTECTIONS N OT ONLY BY
ONLINE PRODUCTS SPEC IFICALLY DIRECTED AT THEM, BUT BY ALL ONLINE
PRODUCTS THEY ARE RE ASONABLY LIKELY TO A CCESS;
(2) COVERED ENTITIES THAT DEVELOP AND PROVIDE ONLINE
SERVICES PRODUCTS THAT CHILDREN ARE REASONABLY LIKELY TO ACCESS SHA LL
ENSURE THE BEST INTE RESTS OF CHILDREN WH EN DESIGNING, DEVELOPING , AND
PROVIDING THO SE ONLINE PRODUCTS ;
(3) ALL COVERED ENTITIES THAT OPERATE IN THE STATE AND
PROCESS CHILDREN ’S DATA IN ANY CAPACI TY SHALL DO SO IN A MANNER
CONSISTENT WITH THE BEST INTERESTS OF CH ILDREN;
(4) IF A CONFLICT ARISES BETWEEN COMMERCIAL I NTERESTS AND
THE BEST INTERESTS OF CHI LDREN, COVERED ENTITIES THA T DEVELOP ONLINE
PRODUCTS LIKELY TO B E ACCESSED BY CHILDR EN SHALL GIVE PRIORITY TO
PRIORITIZE THE PRIVACY, SAFETY, AND WELL–BEING OF CHILDREN OVER THOSE
COMMERCIAL INTERESTS; AND;
WES MOORE, Governor Ch. 460
– 15 –
(5) NOTHING IN THIS SUBTI TLE MAY BE CONSTRUED TO INFRINGE ON
THE EXISTING RIGHTS AND FREEDOMS OF CHIL DREN REQUIRE A COVERED EN TITY
TO MONITOR OR CENSOR THIRD–PARTY CONTENT OR OTH ERWISE IMPACT THE
EXISTING RIGHTS AND FREEDOMS OF ANY PERS ON; AND
(6) NOTHING I N THIS SUBTITLE MAY BE CONSTRUED TO
DISCRIMINATE AGAINST CHILDREN ON THE BASI S OF RACE, COLOR, RELIGION,
NATIONAL ORIGIN , DISABILITY, GENDER IDENTITY , SEX, OR SEXUAL ORIENTATIO N.
14–4604.
(A) (1) SUBJECT TO PARAGRAPH (2) OF THIS SUBSECTION , A COVERED
ENTITY THAT PROVIDES A N ONLINE PRODUCT REA SONABLY LIKELY TO BE
ACCESSED BY CHILDREN SHALL PREPARE A DATA PROTECTION IMPACT
ASSESSMENT FOR THE O NLINE PRODUCT .
(2) ON OR BEFORE APRIL 1, 2026, A COVERED ENTITY SHA LL
PREPARE A DATA PROTE CTION IMPACT ASSESSMENT FOR ANY O NLINE PRODUCT
THAT:
(I) MEETS THE CRITERIA UN DER PARAGRAPH (1) OF THIS
SUBSECTION;
(II) IS OFFERED TO THE PUB LIC ON OR BEFORE APRIL 1, 2026;
AND
(III) WILL CONTINUE TO BE O FFERED TO THE PUBLIC AFTER
JULY 1, 2026.
(3) FOR AN ONLINE PRODUCT TH AT MEETS THE CRITERI A UNDER
PARAGRAPH (1) OF THIS SUBSECTION A ND IS INITIALLY OFFE RED TO THE PUBLIC
AFTER APRIL 1, 2026, A COVERED ENTITY SHA LL COMPLETE A DATA P ROTECTION
IMPACT ASSESSMENT WITHIN 90 DAYS AFTER THE ONLIN E PRODUCT IS OFFE RED TO
THE PUBLIC.
(B) THE DATA PROTECTION I MPACT ASSESSMENT SHA LL:
(1) IDENTIFY THE PURPOSE OF THE ONLINE PRODUC T;
(2) IDENTIFY HOW THE ONLI NE PRODUCT USES CHIL DREN’S DATA;
(3) DETERMINE WHETHER THE ONLINE PRODUCT IS DE SIGNED AND
OFFERED IN A MANNER CONSISTE NT WITH THE BEST INT ERESTS OF CHILDREN Ch. 460 2024 LAWS OF MARYLAND
– 16 –
REASONABLY LIKELY TO ACCESS THE ONLINE PR ODUCT THROUGH CONSID ERATION
OF:
(I) WHETHER THE DATA MANA GEMENT OR PROCESSING
PRACTICES OF THE ONL INE PRODUCT COULD LE AD TO CHILDREN EXPER IENCING OR
BEING TARGETED BY CONT ACTS THAT WOULD RESU LT IN:
1. REASONABLY FORESEEABL E AND MATERIAL
PHYSICAL OR FINANCIA L HARM TO THE CHILD CHILDREN;
2. REASONABLY FORESEEABL E AND EXTREME
PSYCHOLOGICAL OR EMO TIONAL HARM TO THE CHILD CHILDREN;
3. A HIGHLY OFFENSIVE INT RUSION ON THE CHILD’S
CHILDREN’S REASONABLE EXPECTATI ON OF PRIVACY; OR
4. DISCRIMINATION AGAINS T THE CHILD CHILDREN
BASED ON RACE , COLOR, RELIGION, NATIONAL ORIGIN , DISABILITY, GENDER
IDENTITY, SEX, OR SEXUAL ORIENTATIO N;
(II) WHETHER THE DATA MANA GEMENT OR PROCESSING
PRACTICES OF THE ONL INE PRODUCT COULD PE RMIT CHILDREN TO WITNESS,
PARTICIPATE IN, OR BE SUBJECT TO CON DUCT THAT WOULD RESU LT IN:
1. REASONABLY FORESEEABL E AND MATERIAL
PHYSICAL OR FINANCIA L HARM TO THE CHILD CHILDREN;
2. REASONABLY FORESEEABL E AND EXTREME
PSYCHOLOGICAL OR EMO TIONAL HARM TO THE CHILD CHILDREN;
3. A HIGHLY OFFENSIVE INT RUSION ON THE CHILD’S
CHILDREN’S REASONABLE EXPECTATI ON OF PRIVACY; OR
4. DISCRIMINATION AGAINS T THE CHILD CHILDREN
BASED ON RACE , COLOR, RELIGION, NATIONAL ORIGIN , DISABILITY, GENDER
IDENTITY, SEX, OR SEXUAL ORIENTATIO N;
(III) WHETHER THE DATA MANA GEMENT OR PROCESSING
PRACTICES OF THE ONL INE PRODUCT ARE REAS ONABLY EXPECTED TO A LLOW
CHILDREN BECOMING PA RTY TO OR EXPLOITED BY A CONTR ACT THROUGH THE
ONLINE PRODUCT THAT WOULD RESULT IN :
WES MOORE, Governor Ch. 460
– 17 –
1. REASONABLY FORESEEABL E AND MATERIAL
PHYSICAL OR FINANCIA L HARM TO THE CHILD CHILDREN;
2. REASONABLY FORESEEABL E AND EXTREME
PSYCHOLOGICAL OR EMO TIONAL HARM TO THE CHILD CHILDREN;
3. A HIGHLY OFFENSIVE INT RUSION ON THE CHILD’S
CHILDREN’S REASONABLE EXPECTATI ON OF PRIVACY; OR
4. DISCRIMINATION AGAINS T THE CHILD CHILDREN
BASED ON RACE , COLOR, RELIGION, NATIONAL ORIGIN , DISABILITY, GENDER
IDENTITY, SEX, OR SEXUAL OR IENTATION;
(IV) WHETHER TARGETED ADVE RTISING SYSTEMS USED BY THE
ONLINE PRODUCT WOULD RESULT IN:
1. REASONABLY FORESEEABL E AND MATERIAL
PHYSICAL OR FINANCIA L HARM TO THE CHILD ;
2. REASONABLY FORESEEABL E AND EXTREME
PSYCHOLOGICAL OR EMO TIONAL HARM TO THE CHILD ;
3. A HIGHLY OFFENSIVE INT RUSION ON THE CHILD ’S
CHILDREN’S REASONABLE EXPECTATI ON OF PRIVACY; OR
4. DISCRIMINATION AGAINS T THE CHILD BASED ON
RACE, COLOR, RELIGION, NATIONAL ORIGIN , DISABILITY, SEX, OR SEXUAL
ORIENTATION ;
(V) WHETHER THE ONLINE PR ODUCT USES SYSTEM DE SIGN
FEATURES TO INCREASE , SUSTAIN, OR EXTEND THE USE OF THE ONLINE PRODUCT ,
INCLUDING THE AUTOMA TIC PLAYING OF MEDIA , REWARDS FOR TIME SPE NT, AND
NOTIFICATIONS THAT W OULD RESULT IN :
1. REASONABLY FORESEEABL E AND MATERIAL
PHYSICAL OR FINANCIA L HARM TO THE CHILD CHILDREN;
2. REASONABLY FORESEEABL E AND EXTREME
PSYCHOLOGICAL OR EMO TIONAL HARM TO THE CHILD CHILDREN;
3. A HIGHLY OFFENSIVE INT RUSION ON THE CHILD’S
CHILDREN’S REASONABLE EXPECTATI ON OF PRIVACY; OR
Ch. 460 2024 LAWS OF MARYLAND
– 18 –
4. DISCRIMINATION AGAINS T THE CHILD CHILDREN
BASED ON RACE , COLOR, RELIGION, NATIONAL ORIGIN , DISABILITY, GENDER
IDENTITY, SEX, OR SEXUAL ORIENTATIO N;
(VI) (V) WHETHER, HOW, AND FOR WHAT PURPOSE THE
ONLINE PRODUCT COLLECTS OR PROCESSES SENSITIVE PERSONAL DATA OF
CHILDREN AND WHETHER THOSE PRACTICES WOUL D RESULT IN:
1. REASONABLY FORESEEABL E AND MATERIAL
PHYSICAL OR FINANCIA L HARM TO THE CHILD CHILDREN;
2. REASONABLY FORESEEABL E AND EXTREME
PSYCHOLO GICAL OR EMOTIONAL H ARM TO THE CHILD CHILDREN;
3. A HIGHLY OFFENSIVE INT RUSION ON THE CHILD’S
CHILDREN’S REASONABLE EXPECTATI ON OF PRIVACY; OR
4. DISCRIMINATION AGAINS T THE CHILD CHILDREN
BASED ON RACE , COLOR, RELIGION, NATIONAL ORIGIN , DISABILITY, GENDER
IDENTITY, SEX, OR SEXUAL ORIENTATIO N;
(VII) (VI) WHETHER AND HOW DATA COLLECTED TO
UNDERSTAND THE EXPER IMENTAL IMPACT OF TH E PRODUCT REVEALS DA TA
MANAGEMENT OR DESIGN PRACTICES THAT WOULD RESULT IN:
1. REASONABLY FORESEEABL E AND MATERIAL
PHYSICAL OR FINANCIA L HARM TO THE CHILD CHILDREN;
2. REASONABLY FORESEEABL E AND EXTREME
PSYCHOLOGICAL OR EMO TIONAL HARM TO THE CHILD CHILDREN;
3. A HIGHLY OFFENSIVE INT RUSION ON THE CHILD’S
CHILDREN’S REASONABL E EXPECTATION OF PRI VACY; OR
4. DISCRIMINATION AGAINS T THE CHILD CHILDREN
BASED ON RACE , COLOR, RELIGION, NATIONAL ORIGIN , DISABILITY, GENDER
IDENTITY, SEX, OR SEXUAL ORIENTATIO N;
(VIII) (VII) WHETHER ALGORITHMS US ED BY THE ONLINE
PRODUCT WOULD RESULT IN:
1. REASONABLY FORESEEABL E AND MATERIAL
PHYSICAL OR FINANCIA L HARM TO THE CHILD CHILDREN; WES MOORE, Governor Ch. 460
– 19 –
2. REASONABLY FORESEEABL E AND EXTREME
PSYCHOLOGICAL OR EMO TIONAL HARM TO THE CHILD CHILDREN;
3. A HIGHLY OFFENSIVE INT RUSION ON THE CHILD’S
CHILDREN’S REASONABLE EXPECTATI ON OF PRIVACY; OR
4. DISCRIMINATION AGAINS T THE CHILD CHILDREN
BASED ON RACE , COLOR, RELIGION, NATIONAL ORIGIN , DISABILITY, GENDER
IDENTITY, SEX, OR SEXUAL ORIENTATIO N; AND
(IX) (VIII) ANY OTHER FACTOR THAT MAY INDICATE THAT TH E
ONLINE PRODUCT IS DE SIGNED AND OFFERED IN A MANNER THAT IS INCONSISTENT
WITH THE BEST INTERE STS OF CHILDREN ; AND
(4) INCLUDE A DESCRIPTION OF STEPS THAT THE CO VERED ENTITY
HAS TAKEN AND WILL T AKE TO COMPLY WIT H THE DUTY TO ACT IN A MANNER
CONSISTENT WITH THE BEST INTERESTS OF CH ILDREN.
(C) (1) A DATA PROTECTION IMPA CT ASSESSMENT PREPAR ED BY A
COVERED ENTITY FOR T HE PURPOSE OF COMPLI ANCE WITH ANY OTHER LAW
COMPLIES WITH THIS S ECTION IF THE ASSESS MENT MEETS THE REQUIREMENTS OF
THIS SECTION.
(2) A SINGLE DATA PROTECTI ON IMPACT ASSESSMENT MAY CONTAIN
MULTIPLE SIMILAR PRO CESSING OPERATIONS T HAT PRESENT SIMILAR RISKS ONLY
IF EACH RELEVANT ONL INE PRODUCT IS ADDRE SSED.
14–4605.
A COVERED ENTITY REQUI RED TO COMPL ETE A DATA PROTECTIO N IMPACT
ASSESSMENT UNDER § 14–4604 OF THIS SUBTITLE SHA LL:
(1) MAINTAIN DOCUMENTATIO N OF THE ASSESSMENT FOR AS LONG
AS THE ONLINE PRODUC T IS LIKELY TO BE AC CESSED BY CHILDREN ;
(2) REVIEW EACH DATA PROT ECTION IMPACT ASSESS MENT AS
NECESSARY TO ACCOUNT FOR MATERIAL CHANGES TO PROCESSING PERTAI NING TO
THE ONLINE PRODUCT W ITHIN 90 DAYS OF SUCH MATERIA L CHANGES;
(3) CONFIGURE NOTWITHSTANDING ANY O THER LAW, CONFIGURE
ALL DEFAULT PRIVACY SETTINGS PROVIDED TO CHILDREN BY THE ONLI NE
PRODUCT TO OFFER A HIGH LEVEL OF PRIVACY , UNLESS THE COVERED E NTITY CAN Ch. 460 2024 LAWS OF MARYLAND
– 20 –
DEMONSTRATE A COMPEL LING REASON THAT A D IFFERENT SETTING IS IN THE BEST
INTERESTS OF CHILDRE N;
(4) PROVIDE ANY PRIVACY I NFORMATION , TERMS OF SERVICE ,
POLICIES, AND COMMUNITY STANDA RDS CONCISELY, PROMINENTLY , AND USING
CLEAR LANGUAGE SUITE D TO THE AGE OF CHIL DREN LIKELY TO ACCES S THE
ONLINE PRODUCT ; AND
(5) PROVIDE PROMINENT , ACCESSIBLE, AND RESPONSIVE TOOLS TO
HELP CHILDREN OR THE IR PARENTS OR GUARDI ANS, IF APPLICABLE, EXERCISE
THEIR PRIVACY RIGHTS AND R EPORT CONCERNS .
14–4606.
(A) A COVERED ENTITY THAT PROVIDES AN ONLINE P RODUCT THAT IS
ACCESSED OR REASONAB LY LIKELY TO BE ACCE SSED BY CHILDREN MAY NOT:
(1) PROCESS THE PERSONAL DATA OF A CHILD IN A WAY THAT IS
INCONSISTENT WITH TH E BEST INTERESTS OF CHILDREN REASONABLY LIKELY TO
ACCESS THE ONLINE PR ODUCT;
(2) PROFILE A CHILD BY DE FAULT, UNLESS:
(I) THE COVERED ENTITY CA N DEMONSTRATE THAT T HE
COVERED ENTITY HAS A PPROPRIATE SAFEGUARD S IN PLACE TO ENSURE THAT
PROFILING IS CONSI STENT WITH THE BEST INTERESTS OF CHILDRE N WHO ACCESS
OR ARE REASONABLY LI KELY TO ACCESS THE O NLINE PRODUCT ; AND
(II) 1. PROFILING IS NECESSAR Y TO PROVIDE THE
REQUESTED ONLINE PRODUCT , AND IS DONE ONLY WIT H RESPECT TO THE ASP ECTS
OF THE ONLINE PRODUC T THAT THE CHILD IS AC TIVELY AND KNOWINGLY ENGAGED
WITH; OR
2. THE COVERED ENTITY CA N DEMONSTRATE A
COMPELLING REASON TH AT PROFILING IS IN T HE BEST INTERESTS OF CHILDREN;
(3) PROCESS PERSONAL DATA OF A CHILD THAT IS N OT REASONABLY
NECESSARY TO PROVID E AN ONLINE PRODUCT THAT THE CHILD IS AC TIVELY AND
KNOWINGLY ENGAGED WI TH;
(4) PROCESS THE PERSONAL DATA OF A CHILD END USER FOR ANY
REASON OTHER THAN A REASON FOR WHICH THA T PERSONAL DATA WAS
COLLECTED; WES MOORE, Governor Ch. 460
– 21 –
(5) PROCESS ANY PRECISE G EOLOCATION INFORMATIO N DATA OF A
CHILD BY DEFAULT , UNLESS:
(I) THE COLLECTION OF THE PRECISE GEOLOCATION
INFORMATION DATA IS STRICTLY NECESSAR Y FOR THE COVERED EN TITY TO
PROVIDE THE ONLINE P RODUCT; AND
(II) THE PRECISE GEOLOCATI ON DATA IS PROCESSED ONLY FOR
THE LIMITED TIME THAT IS NECESSA RY TO PROVIDE THE ON LINE PRODUCT ;
(6) PROCESS ANY PRECISE G EOLOCATION INFORMATION DATA OF A
CHILD WITHOUT PROVID ING AN OBVIOUS SIGNA L TO THE CHILD FOR T HE DURATION
THAT THE PRECISE GEO LOCATION INFORMATION DATA IS BEING COLLECTED ;
(7) USE DARK PATTERNS TO :
(I) CAUSE A CHILD TO PROV IDE PERSONAL DATA BE YOND
WHAT IS REASONABLY E XPECTED TO PROVIDE T HE ONLINE PRODUCT ;
(II) CIRCUMVENT PRIVACY PR OTECTIONS; OR
(III) TAKE ANY ACTION THAT THE COVERED ENTITY K NOWS, OR
HAS REASON T O KNOW, IS NOT IN THE BEST I NTERESTS OF CHILDREN WHO ACCESS
OR ARE REASONABLY LI KELY TO ACCESS THE O NLINE PRODUCT ; OR
(8) PROCESS ANY PERSONAL DATA FOR THE PURPOSE OF
ESTIMATING THE AGE O F A CHILD THAT IS AC TIVELY AND KNOWINGLY ENGAGED
WITH AN ONLINE PRODUCT THAT IS NOT REASONABLY NECESSARY TO PROVIDE THE
ONLINE PRODUCT ; OR
(9) ALLOW A PERSON OTHER THAN A CHILD’S PARENT OR GUARDIAN
TO MONITOR THE CHILD ’S ONLINE ACTIVITY WI THOUT FIRST NOTIFYIN G THE CHILD
AND THE CHILD’S PARENT OR GUARDIAN .; OR
(9) ALLOW A CHILD’S PARENT, GUARDIAN, OR ANY OTHER CONSUME R
TO MONITOR THE CHILD ’S ONLINE ACTIVITY OR TRACK THE CHILD ’S LOCATION,
WITHOUT PROVIDING AN OBVIOUS SIGNAL TO TH E CHILD WHEN THE CHI LD IS BEING
MONITORED OR TRACKED .
(B) A COVERED ENTITY THAT PROVIDES AN ONLINE P RODUCT THAT IS
ACCESSED OR REASONAB LY LIKELY TO BE ACCE SSED BY CHILDREN MAY ALLOW A
CHILD’S PARENT OR GUARDIAN TO MONITOR THE CHILD ’S ONLINE ACTIVITY OR Ch. 460 2024 LAWS OF MARYLAND
– 22 –
TRACK THE CHILD ’S LOCATION, WITHOUT PROVIDING AN OBVIOUS SIGN AL TO THE
CHILD WHEN THE CHILD IS BEING MONITORED O R TRACKED.
(C) IN MAKING A DETERMINA TION AS TO WHETHER A N ONLINE PRODUCT IS
REASONABLY LIKELY TO BE ACCESSED BY CHILD REN, A COVERED ENTITY MAY NOT
COLLECT OR PROCESS A NY PERSONAL DATA BEY OND WHAT IS REASONABLY
NECESSARY TO MAKE TH E DETERMINATION .
14–4607.
(A) WITHIN 5 BUSINESS DAYS AFTER RECEIVING A WRITTEN REQUEST FROM
THE DIVISION, A COVERED ENTITY THA T PROVIDES AN ONLINE PRODUCT
REASONABLY LIKELY TO BE ACCESSED BY CHILD REN SHALL PROVIDE TO THE
DIVISION A LIST OF AL L DATA PROTECTION IM PACT ASSESSMENTS THE COVERED
ENTITY HAS COMPLETED UNDER § 14–4604 OF THIS SUBTITLE.
(B) (1) WITHIN 7 BUSINESS DAYS AFTER RECEIVING A WRITTEN REQUEST
FROM THE DIVISION, A COVERED ENTITY SHA LL PROVIDE TO THE DIVISION ANY
DATA PROTECTION IMPA CT ASSESSMENT COMPLE TED UNDER § 14–4604 OF THIS
SUBTITLE.
(2) THE DIVISION MAY EXTEND B EYOND 7 DAYS THE AMOUNT OF
TIME ALLOWED FOR A C OVERED ENTITY TO PRO DUCE A DATA PROTECTI ON IMPACT
ASSESSMENT .
(C) TO THE EXTENT THAT AN Y DISCLOSURE REQUIRED UNDER SUBSECTION
(B) OF THIS SECTION INCL UDES INFORMATION SUB JECT TO ATTORNEY –CLIENT
PRIVILEGE OR WORK –PRODUCT PROTECTION , THE DISCLOSURE MAY N OT
CONSTITUTE A WAIVER OF THAT PRIVILEGE OR PROTECTION.
14–4608.
(A) A VIOLATION OF THIS S UBTITLE:
(1) IS AN UNFAIR, ABUSIVE, OR DECEPTIVE TRADE P RACTICE; AND
(2) EXCEPT FOR § 13–410 OF THIS ARTICLE , IS SUBJECT TO THE
ENFORCEMENT PROVISIO NS CONTAINED IN TITLE 13 OF THIS ARTICLE.
(B) A COVERED ENTITY THAT VIOLATES THIS SUBTIT LE IS SUBJECT TO A
CIVIL PENALTY NOT EX CEEDING:
WES MOORE, Governor Ch. 460
– 23 –
(1) $2,500 PER AFFECTED CHILD F OR EACH NEGLIGENT VI OLATION;
AND
(2) $7,500 PER AFFECTED CHILD F OR EACH INTENTIONAL
VIOLATION.
(C) THE DIVISION SHALL PAY AL L FINES, PENALTIES, AND EXPENSES
COLLECTED BY THE DIVISION UNDER THIS S UBSECTION INTO THE GENERAL FUND
WITH THE INTENT THAT FINES, PENALTIES, AND EXPENSES BE USED TO FULLY
OFFSET ANY COSTS INC URRED BY THE DIVISION IN CONNECTIO N WITH THIS
SUBTITLE.
14–4609.
(A) IF A COVERED ENTITY I S IN SUBSTANTIAL COM PLIANCE WITH THE
REQUIREMENTS OF §§ 14–4604 THROUGH 14–4606 OF THIS SUBTITLE , THE
DIVISION SHALL PROVID E WRITTEN NOTICE TO THE COVERED ENTITY B EFORE
FILING AN ACTION UND ER § 14–4608 OF THIS SUBTITLE .
(B) NOTICE GIVEN UNDER SU BSECTION (A) OF THIS SECTION SH ALL
IDENTIFY THE SPECIFI C PROVISIONS OF THIS SUBTITLE THAT THE DIVISION
ALLEGES HAVE BEEN OR ARE BEING VIOLATED .
(C) A COVERED ENTITY MAY N OT BE LIABLE FOR A C IVIL PENALTY FOR A
VIOLATION FOR WHICH NOTICE IS GIVEN UNDE R SUBSECTION (A) OF THIS SECTION
IF THE COVERED ENTITY :
(1) HAS COMPLETED A DATA PROTECTION IMPACT AS SESSMENT
UNDER § 14–4604(A)(2) OF THIS SUBTITLE FOR EXISTING ONLINE PROD UCTS THAT
ARE REASONABLY LIKEL Y TO BE ACCESSED BY CHILDREN;
(2) HAS COMPLETED A DATA PROTECTION IMPACT AS SESSMENT
UNDER § 14–4604(A)(3) OF THIS SUBTITLE PRI OR TO OFFERING TO TH E PUBLIC A
NEW ONLINE PRODUCT T HAT IS REASONABLY LI KELY TO BE ACCESSED BY
CHILDREN;
(3) CURES THE VIOLATION S PECIFIED IN THE DIVISION’S NOTICE
WITHIN 90 DAYS AFTER ISSUANCE OF THE NOTICE UND ER SUBSECTION (A) OF THIS
SECTION;
(4) PROVIDES THE DIVISION WITH A WRITT EN STATEMENT THAT TH E
ALLEGED VIOLATION HA S BEEN CURED; AND
Ch. 460 2024 LAWS OF MARYLAND
– 24 –
(5) TAKES MEASURES TO PRE VENT ANY FUTURE VIOL ATION THAT
THE DIVISION AGREED TO BE SUFFICIENT.
14–4610.
NOTHING IN THIS SUBTITLE MAY BE INTERPRETED OR CONST RUED TO:
(1) PROVIDE A PRIVATE RIG HT OF ACTION UNDER T HIS SUBTITLE OR
ANY OTHER LAW ;
(2) IMPOSE LIABILITY IN A MANNER THAT IS INCON SISTENT WITH 47
U.S.C. § 230;
(3) PREVENT OR PRECLUDE A CHILD FROM DELIBERATELY OR
INDEPENDENTLY SEARCH ING FOR OR SPECIFICA LLY REQUESTING CONTE NT; OR
(4) REQUIRE A COVERED ENT ITY TO IMPLEMENT AN AGE–GATING
REQUIREMENT .
14–4611.
NOTWITHSTANDING ANY O THER LAW , A DATA PROTECTION IM PACT
ASSESSMENT IS PROTEC TED AS CONFID ENTIAL AND SHALL BE EXEMPT FROM
PUBLIC DISCLOSURE , INCLUDING UNDER THE MARYLAND PUBLIC INFORMATION
ACT.
14–4612.
(A) WHEREVER POSSIBLE , LAW RELATING TO CONS UMERS’ PERSONAL
DATA SHOULD BE CONST RUED TO HARMONIZE WI TH THE PROVISIONS OF THIS
SUBTITLE.
(B) IN THE EVENT OF A CON FLICT BETWEEN OTHER LAWS AND THIS
SUBTITLE, THE PROVISIONS OF TH E LAW THAT AFFORD TH E GREATEST PROTECTIO N
FOR THE RIGHT OF PRI VACY FOR CONSUMERS S HALL CONTROL .
14–4613.
THIS SUBTITLE MAY BE CITED AS THE MARYLAND AGE–APPROPRIATE
DESIGN CODE ACT.
SECTION 2. AND BE IT FURTHER ENACTED, That this Act shall take effect
October 1, 2024.
WES MOORE, Governor Ch. 460
– 25 –
Approved by the Governor, May 9, 2024.