Maryland Age Appropriate Design Code Act (MD. Commercial Law Code § 14-4801, et seq.)

SUMMARY:

The law aims to enhance online privacy protections for children by requiring entities that offer online products likely to be accessed by minors to conduct data protection impact assessments. It mandates specific privacy measures, restricts certain data collection and sharing practices, and allows for targeted monitoring. The law reflects a growing global consensus on the need to safeguard children's digital experiences, acknowledging that different age groups have distinct needs. By ensuring online products are designed with these needs in mind, the law seeks to prevent harm to children’s physical and mental well-being and promote a safer online environment.

 

CITATION:

Commercial Law

Title 14 - Miscellaneous Consumer Protection Provisions

Subtitle 48 - Maryland Age–Appropriate Design Code Act

 

§14–4801.

    (a)    In this subtitle the following words have the meanings indicated.

    (b)    (1)    “Aggregate consumer information” means information:

            (i)    That relates to a group or category of consumers;

            (ii)    From which individual consumer identities have been removed; and

            (iii)    That is not linked or reasonably linkable to any consumer or household, including by a device.

        (2)    “Aggregate consumer information” does not include individual consumer records that have been de–identified.

    (c)    “Best interests of children” means a covered entity’s use of the personal data of children or the design of an online product in a way that does not:

        (1)    Benefit the covered entity to the detriment of children; and

        (2)    Result in:

            (i)    Reasonably foreseeable and material physical or financial harm to children;

            (ii)    Severe and reasonably foreseeable psychological or emotional harm to children;

            (iii)    A highly offensive intrusion on children’s reasonable expectation of privacy; or

            (iv)    Discrimination against children based on race, color, religion, national origin, disability, gender identity, sex, or sexual orientation.

    (d)    (1)    “Biometric data” means data generated by automatic measurements of an individual’s biological characteristics.

        (2)    “Biometric data” includes:

            (i)    A fingerprint;

            (ii)    A voiceprint;

            (iii)    An eye retina or iris pattern; or

            (iv)    Any other unique biological pattern or characteristic that is used to identify a specific individual.

        (3)    “Biometric data” does not include:

            (i)    A digital or physical photograph;

            (ii)    An audio or video recording; or

            (iii)    Data generated from a digital or physical photograph, or an audio or video recording, unless the data is generated to identify a specific individual.

    (e)    “Child” means a consumer who is under the age of 18 years.

    (f)    (1)    “Collect” means to buy, rent, gather, obtain, receive, or access personal data relating to a consumer.

        (2)    “Collect” includes:

            (i)    Receiving data from the consumer; and

            (ii)    Observing the consumer’s behavior.

    (g)    (1)    “Consumer” means an individual who is a resident of the State.

        (2)    “Consumer” does not include an individual acting in a commercial or employment context or as an employer, an owner, a director, an officer, or a contractor of a company, partnership, sole proprietorship, nonprofit organization, or governmental unit whose communications or transactions with the covered entity occur solely within the context of that individual’s role with the company, partnership, sole proprietorship, nonprofit organization, or governmental unit.

    (h)    (1)    “Covered entity” means a sole proprietorship, a limited liability company, a corporation, an association, or any other legal entity that:

            (i)    Is organized or operated for the profit or financial benefit of its shareholders or other owners;

            (ii)    Collects consumers’ personal data or uses another entity to collect consumers’ personal data on its behalf;

            (iii)    Alone, or jointly with its affiliates or subsidiaries, determines the purposes and means of the processing of consumers’ personal data;

            (iv)    Does business in the State; and

            (v)    1.    Has annual gross revenues in excess of $25,000,000, adjusted every odd–numbered year to reflect adjustments in the Consumer Price Index;

                2.    Annually buys, receives, sells, or shares the personal data of 50,000 or more consumers, households, or devices, alone or in combination with its affiliates or subsidiaries, for the covered entity’s commercial purposes; or

                3.    Derives at least 50% of its annual revenues from the sale of consumers’ personal data.

        (2)    “Covered entity” includes:

            (i)    An entity that controls or is controlled by a business and that shares a name, service mark, or trademark that would cause a reasonable consumer to understand that two or more entities are commonly owned; and

            (ii)    A joint venture or partnership composed of businesses in which each has at least a 40% interest in the joint venture or partnership.

    (i)    (1)    “Dark pattern” means a user interface designed or manipulated with the purpose of subverting or impairing user autonomy, decision making, or choice.

        (2)    “Dark pattern” includes any practice identified by the Federal Trade Commission as a dark pattern.

    (j)    “Data protection impact assessment” or “assessment” means a systematic survey to assess compliance with the duty to act in the best interests of children.

    (k)    “Default” means a preselected option adopted by the covered entity for an online product.

    (l)    “Division” means the Division of Consumer Protection of the Office of the Attorney General.

    (m)    (1)    “Online product” means an online service, product, or feature.

        (2)    “Online product” does not include:

            (i)    A telecommunications service, as defined in 47 U.S.C. § 153;

            (ii)    The sale, delivery, or use of a physical product sold by an online retailer; or

            (iii)    A broadband Internet access service, as defined in 47 C.F.R. § 8.1(b).

    (n)    (1)    “Personal data” means information that is linked or reasonably able to be linked to an identified or identifiable individual.

        (2)    “Personal data” does not include:

            (i)    De–identified data; or

            (ii)    Publicly available information.

    (o)    (1)    “Precise geolocation” means information derived from technology that can precisely and accurately identify the specific location of a consumer within a radius of 1,750 feet.

        (2)    “Precise geolocation” includes latitude and longitude coordinates of similar precision to those produced by a global positioning system or a similar mechanism.

        (3)    “Precise geolocation” does not include:

            (i)    The content of communications;

            (ii)    Data generated by or connected with a utility company’s advanced metering infrastructure; or

            (iii)    Data generated by equipment used by a utility company.

    (p)    (1)    “Process” means to perform an operation or set of operations by manual or automated means on personal data.

        (2)    “Process” includes collecting, using, storing, disclosing, analyzing, deleting, or modifying personal data.

    (q)    “Profiling” means any form of automated processing of personal data that uses personal data to evaluate, analyze, or predict certain aspects relating to an individual, including an individual’s economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.

    (r)    (1)    “Publicly available information” means information that:

            (i)    Is lawfully made available from federal, state, or local government records; or

            (ii)    A covered entity has a reasonable basis to believe is lawfully made available to the general public by the consumer or by widely distributed media.

        (2)    “Publicly available information” does not include biometric data collected by a covered entity about a consumer without the consumer’s knowledge.

    (s)    “Reasonably likely to be accessed by children” means it is reasonable to expect that the online product would be accessed by children, based on satisfying any of the following criteria:

        (1)    The online product is directed to children as defined in the federal Children’s Online Privacy Protection Act;

        (2)    The online product is determined, based on competent and reliable evidence regarding audience composition, to be routinely accessed by a significant number of children;

        (3)    The online product is substantially similar or the same as an online product that satisfies item (2) of this subsection;

        (4)    The online product features advertisements marketed to children;

        (5)    The covered entity’s internal research findings determine that a significant amount of the online product’s audience is composed of children; or

        (6)    The covered entity knows or should have known that a user is a child.

    (t)    (1)    “Sell” means to transfer, rent, release, disclose, disseminate, make available, or otherwise communicate, whether orally, in writing, or by electronic or other means, a consumer’s personal data, in a transaction for monetary or other valuable consideration between a covered entity and a third party.

        (2)    “Sell” does not include:

            (i)    The disclosure of personal data to the service provider that processes personal data on behalf of the covered entity;

            (ii)    The disclosure of personal data to a third party for purposes of providing a product or service requested by the consumer;

            (iii)    The disclosure or transfer of personal data to an affiliate or subsidiary of the covered entity;

            (iv)    The disclosure of personal data where the consumer directs the covered entity to disclose the personal data or intentionally uses the covered entity to interact with a third party; or

            (v)    The disclosure or transfer of personal data to a third party as an asset that is part of an actual or proposed merger, acquisition, bankruptcy, or other transaction, in which the third party assumes control of all or part of the covered entity’s assets.

    (u)    “Service provider” means a person that processes personal data on behalf of a covered entity and that receives from or on behalf of the covered entity a consumer’s personal data for business purposes in accordance with a written contract, if the contract prohibits the person from:

        (1)    Selling or sharing the personal data;

        (2)    Retaining, using, or disclosing the personal data for any purpose other than for the business purposes specified in the contract for the covered entity, including retaining, using, or disclosing the personal data for a commercial purpose other than the business purposes specified in the contract with the covered entity, or as otherwise allowed under this subtitle;

        (3)    Retaining, using, or disclosing the personal data outside the direct business relationship between the service provider and the covered entity; and

        (4)    Combining the personal data that the service provider receives from, or on behalf of, the covered entity with personal data that it receives from, or on behalf of, another person or persons, or collects from its own interaction with the consumer.

    (v)    “Share” means to rent, release, disseminate, make available, transfer, or otherwise communicate, whether orally, in writing, or by electronic or other means, a consumer’s personal data to a third party for cross–context behavioral advertising whether or not for monetary or other valuable consideration, including in a transaction between a covered entity and a third party for targeted advertising for the benefit of a covered entity in which no money is exchanged.

    (w)    “Third party” means a person who is not:

        (1)    The covered entity with which the consumer intentionally interacts and that collects personal data from the consumer as part of the consumer’s interaction with the covered entity; or

        (2)    A service provider for the covered entity.

 

§14–4802.

    This subtitle does not apply to:

        (1)    Data subject to a statute or regulation identified under item (i) of this item that is controlled by a covered entity or service provider that is:

            (i)    Required to comply with:

                1.    Title V of the federal Gramm–Leach–Bliley Act;

                2.    The federal Health Information Technology for Economic and Clinical Health Act; or

                3.    Regulations promulgated under § 264(c) of the Health Insurance Portability and Accountability Act of 1996; and

            (ii)    In compliance with the information security requirements of applicable statutes or regulations identified in item (i) of this item; or

        (2)    Information collected as part of a clinical trial subject to the Federal Policy for the Protection of Human Subjects, in accordance with:

            (i)    Good clinical practice guidelines issued by the International Council for Harmonisation of Technical Requirements for Pharmaceuticals for Human Use; or

            (ii)    Human subject protection requirements of the U.S. Food and Drug Administration.

 

§14–4803.

    It is the intent of the General Assembly that:

        (1)    Children should be afforded protections not only by online products specifically directed at them, but by all online products they are reasonably likely to access;

        (2)    Covered entities that develop and provide online products that children are reasonably likely to access shall ensure the best interests of children when designing, developing, and providing those online products;

        (3)    All covered entities that operate in the State and process children’s data in any capacity shall do so in a manner consistent with the best interests of children;

        (4)    If a conflict arises between commercial interests and the best interests of children, covered entities that develop online products likely to be accessed by children shall prioritize the privacy, safety, and well–being of children;

        (5)    Nothing in this subtitle may be construed to require a covered entity to monitor or censor third–party content or otherwise impact the existing rights and freedoms of any person; and

        (6)    Nothing in this subtitle may be construed to discriminate against children on the basis of race, color, religion, national origin, disability, gender identity, sex, or sexual orientation.

 

§14–4804.

    (a)    (1)    Subject to paragraph (2) of this subsection, a covered entity that provides an online product reasonably likely to be accessed by children shall prepare a data protection impact assessment for the online product.

        (2)    On or before April 1, 2026, a covered entity shall prepare a data protection impact assessment for any online product that:

            (i)    Meets the criteria under paragraph (1) of this subsection;

            (ii)    Is offered to the public on or before April 1, 2026; and

            (iii)    Will continue to be offered to the public after July 1, 2026.

        (3)    For an online product that meets the criteria under paragraph (1) of this subsection and is initially offered to the public after April 1, 2026, a covered entity shall complete a data protection impact assessment.

    (b)    The data protection impact assessment shall:

        (1)    Identify the purpose of the online product;

        (2)    Identify how the online product uses children’s data;

        (3)    Determine whether the online product is designed in a manner consistent with the best interests of children reasonably likely to access the online product through consideration of:

            (i)    Whether the data management or processing practices of the online product could lead to children experiencing or being targeted by contacts that would result in:

                1.    Reasonably foreseeable and material physical or financial harm to children;

                2.    Reasonably foreseeable and extreme psychological or emotional harm to children;

                3.    A highly offensive intrusion on children’s reasonable expectation of privacy; or

                4.    Discrimination against children based on race, color, religion, national origin, disability, gender identity, sex, or sexual orientation;

            (ii)    Whether the data management or processing practices of the online product could permit children to participate in or be subject to conduct that would result in:

                1.    Reasonably foreseeable and material physical or financial harm to children;

                2.    Reasonably foreseeable and extreme psychological or emotional harm to children;

                3.    A highly offensive intrusion on children’s reasonable expectation of privacy; or

                4.    Discrimination against children based on race, color, religion, national origin, disability, gender identity, sex, or sexual orientation;

            (iii)    Whether the data management or processing practices of the online product are reasonably expected to allow children becoming party to or exploited by a contract through the online product that would result in:

                1.    Reasonably foreseeable and material physical or financial harm to children;

                2.    Reasonably foreseeable and extreme psychological or emotional harm to children;

                3.    A highly offensive intrusion on children’s reasonable expectation of privacy; or

                4.    Discrimination against children based on race, color, religion, national origin, disability, gender identity, sex, or sexual orientation;

            (iv)    Whether the online product uses system design features to increase, sustain, or extend the use of the online product, including the automatic playing of media, rewards for time spent, and notifications that would result in:

                1.    Reasonably foreseeable and material physical or financial harm to children;

                2.    Reasonably foreseeable and extreme psychological or emotional harm to children;

                3.    A highly offensive intrusion on children’s reasonable expectation of privacy; or

                4.    Discrimination against children based on race, color, religion, national origin, disability, gender identity, sex, or sexual orientation;

            (v)    Whether, how, and for what purpose the online product collects or processes personal data of children and whether those practices would result in:

                1.    Reasonably foreseeable and material physical or financial harm to children;

                2.    Reasonably foreseeable and extreme psychological or emotional harm to children;

                3.    A highly offensive intrusion on children’s reasonable expectation of privacy; or

                4.    Discrimination against children based on race, color, religion, national origin, disability, gender identity, sex, or sexual orientation;

            (vi)    Whether and how data collected to understand the experimental impact of the product reveals data management or design practices that would result in:

                1.    Reasonably foreseeable and material physical or financial harm to children;

                2.    Reasonably foreseeable and extreme psychological or emotional harm to children;

                3.    A highly offensive intrusion on children’s reasonable expectation of privacy; or

                4.    Discrimination against children based on race, color, religion, national origin, disability, gender identity, sex, or sexual orientation;

            (vii)    Whether algorithms used by the online product would result in:

                1.    Reasonably foreseeable and material physical or financial harm to children;

                2.    Reasonably foreseeable and extreme psychological or emotional harm to children;

                3.    A highly offensive intrusion on children’s reasonable expectation of privacy; or

                4.    Discrimination against children based on race, color, religion, national origin, disability, gender identity, sex, or sexual orientation; and

            (viii)    Any other factor that may indicate that the online product is designed in a manner that is inconsistent with the best interests of children; and

        (4)    Include a description of steps that the covered entity has taken and will take to comply with the duty to act in a manner consistent with the best interests of children.

    (c)    (1)    A data protection impact assessment prepared by a covered entity for the purpose of compliance with any other law complies with this section if the assessment meets the requirements of this section.

        (2)    A single data protection impact assessment may contain multiple similar processing operations that present similar risks only if each relevant online product is addressed.

 

§14–4805.

    A covered entity required to complete a data protection impact assessment under § 14–4804 of this subtitle shall:

        (1)    Maintain documentation of the assessment for as long as the online product is likely to be accessed by children;

        (2)    Review each data protection impact assessment as necessary to account for material changes to processing pertaining to the online product within 90 days of such material changes;

        (3)    Notwithstanding any other law, configure all default privacy settings provided to children by the online product to offer a high level of privacy, unless the covered entity can demonstrate a compelling reason that a different setting is in the best interests of children;

        (4)    Provide any privacy information, terms of service, policies, and community standards concisely, prominently, and using clear language suited to the age of children likely to access the online product; and

        (5)    Provide prominent, accessible, and responsive tools to help children or their parents or guardians, if applicable, exercise their privacy rights and report concerns.

 

§14–4806.

    (a)    A covered entity that provides an online product that is accessed or reasonably likely to be accessed by children may not:

        (1)    Process the personal data of a child in a way that is inconsistent with the best interests of children reasonably likely to access the online product;

        (2)    Profile a child by default, unless:

            (i)    The covered entity can demonstrate that the covered entity has appropriate safeguards in place to ensure that profiling is consistent with the best interests of children who access or are reasonably likely to access the online product; and

            (ii)    1.    Profiling is necessary to provide the requested online product, and is done only with respect to the aspects of the online product that the child is actively and knowingly engaged with; or

                2.    The covered entity can demonstrate a compelling reason that profiling is in the best interests of children;

        (3)    Process personal data of a child that is not reasonably necessary to provide an online product that the child is actively and knowingly engaged with;

        (4)    Process the personal data of a child end user for any reason other than a reason for which that personal data was collected;

        (5)    Process any precise geolocation data of a child by default, unless:

            (i)    The collection of the precise geolocation data is strictly necessary for the covered entity to provide the online product; and

            (ii)    The precise geolocation data is processed only for the limited time that is necessary to provide the online product;

        (6)    Process any precise geolocation data of a child without providing an obvious signal to the child for the duration that the precise geolocation data is being collected;

        (7)    Use dark patterns to:

            (i)    Cause a child to provide personal data beyond what is reasonably expected to provide the online product;

            (ii)    Circumvent privacy protections; or

            (iii)    Take any action that the covered entity knows, or has reason to know, is not in the best interests of children who access or are reasonably likely to access the online product;

        (8)    Process any personal data for the purpose of estimating the age of a child that is actively and knowingly engaged with an online product that is not reasonably necessary to provide the online product; or

        (9)    Allow a person other than a child’s parent or guardian to monitor the child’s online activity without first notifying the child and the child’s parent or guardian.

    (b)    A covered entity that provides an online product that is accessed or reasonably likely to be accessed by children may allow a child’s parent or guardian to monitor the child’s online activity or track the child’s location, without providing an obvious signal to the child when the child is being monitored or tracked.

    (c)    In making a determination as to whether an online product is reasonably likely to be accessed by children, a covered entity may not collect or process any personal data beyond what is reasonably necessary to make the determination.

 

§14–4807.

    (a)    Within 5 business days after receiving a written request from the Division, a covered entity that provides an online product reasonably likely to be accessed by children shall provide to the Division a list of all data protection impact assessments the covered entity has completed under § 14–4804 of this subtitle.

    (b)    (1)    Within 7 business days after receiving a written request from the Division, a covered entity shall provide to the Division any data protection impact assessment completed under § 14–4804 of this subtitle.

        (2)    The Division may extend beyond 7 days the amount of time allowed for a covered entity to produce a data protection impact assessment.

    (c)    To the extent that any disclosure required under subsection (b) of this section includes information subject to attorney–client privilege or work–product protection, the disclosure may not constitute a waiver of that privilege or protection.

 

§14–4808.

    (a)    A violation of this subtitle:

        (1)    Is an unfair, abusive, or deceptive trade practice; and

        (2)    Except for § 13–410 of this article, is subject to the enforcement provisions contained in Title 13 of this article.

    (b)    A covered entity that violates this subtitle is subject to a civil penalty not exceeding:

        (1)    $2,500 per affected child for each negligent violation; and

        (2)    $7,500 per affected child for each intentional violation.

    (c)    The Division shall pay all fines, penalties, and expenses collected by the Division under this subsection into the General Fund with the intent that fines, penalties, and expenses be used to fully offset any costs incurred by the Division in connection with this subtitle.

 

§14–4809.

    (a)    If a covered entity is in substantial compliance with the requirements of §§ 14–4804 through 14–4806 of this subtitle, the Division shall provide written notice to the covered entity before filing an action under § 14–4808 of this subtitle.

    (b)    Notice given under subsection (a) of this section shall identify the specific provisions of this subtitle that the Division alleges have been or are being violated.

    (c)    A covered entity may not be liable for a civil penalty for a violation for which notice is given under subsection (a) of this section if the covered entity:

        (1)    Has completed a data protection impact assessment under § 14–4804(a)(2) of this subtitle for existing online products that are reasonably likely to be accessed by children;

        (2)    Has completed a data protection impact assessment under § 14–4804(a)(3) of this subtitle prior to offering to the public a new online product that is reasonably likely to be accessed by children;

        (3)    Cures the violation specified in the Division’s notice within 90 days after issuance of the notice under subsection (a) of this section;

        (4)    Provides the Division with a written statement that the alleged violation has been cured; and

        (5)    Takes measures to prevent any future violation that the Division agreed to be sufficient.

 

§14–4810.

    Nothing in this subtitle may be interpreted or construed to:

        (1)    Provide a private right of action under this subtitle or any other law;

        (2)    Impose liability in a manner that is inconsistent with 47 U.S.C. § 230;

        (3)    Prevent or preclude a child from deliberately or independently searching for or specifically requesting content; or

        (4)    Require a covered entity to implement an age–gating requirement.

 

§14–4811.

    Notwithstanding any other law, a data protection impact assessment is protected as confidential and shall be exempt from public disclosure, including under the Maryland Public Information Act.

 

§14–4812.

    (a)    Wherever possible, law relating to consumers’ personal data should be construed to harmonize with the provisions of this subtitle.

    (b)    In the event of a conflict between other laws and this subtitle, the provisions of the law that afford the greatest protection for the right of privacy for consumers shall control.

 

§14–4813.

    This subtitle may be cited as the Maryland Age–Appropriate Design Code Act.

 

For more information, see here:  https://mgaleg.maryland.gov/mgawebsite/Laws/StatuteText?article=gcl&section=14-4801&enactments=True&archived=False

 

These materials were obtained directly from the State Government public websites and are posted here for your review and reference only.  No Claim to Original State Government Works.  This may not be the most recent version.  The State may have more current information.  We make no guarantees or warranties about the accuracy or completeness of this information, or the information linked to.  Please check the linked sources directly.