Enter to open, tab to navigate, enter to select
Maryland Passes the Age-Appropriate Design Code Act to Protect Children's Privacy
Practical Law Legal Update w-043-2760 (Approx. 5 pages)
Maryland Passes the Age-Appropriate Design Code Act to Protect Children's Privacy
by Practical Law Data Privacy & Cybersecurity
| Published on 13 May 2024 • Maryland |
Maryland has enacted the Maryland Age-Appropriate Design Code Act, a children's online safety law similar to California's Age-Appropriate Design Code Act, that will impose new legal obligations on entities that provide online services, products, or features that children under age 18 are reasonably likely to access. The law takes effect October 1, 2024 and will require covered entities to adopt privacy-by-design and privacy-by-default measures for their online services.
On May 9, 2024, Maryland Governor Wes Moore signed the Maryland Age-Appropriate Design Code Act (SB 571) (Maryland AADC) into law. Effective October 1, 2024, the Maryland AADC will impose new legal obligations on entities that provide online services, products, or features (collectively, online products) that children under age 18 are reasonably likely to access.
The Maryland AADC aims to protect children's privacy, health, and well-being by requiring covered entities to provide age-appropriate design, privacy disclosures, and default settings that consider and protect children's best interests. It will also prohibit certain conduct, such as unnecessary personal data uses that are not in children's best interests.
The Maryland AADC applies to entities that conduct business in Maryland and meet at least one of the following:
- Have annual gross revenue of at least $25 million.
- Buy, receive, sell, or share the personal data of 50,000 or more consumers, households, or devices.
- Derive at least 50% of annual revenue from the sale of personal data.
The Maryland AADC broadly defines processing to include collecting, using, storing, disclosing, analyzing, deleting, or modifying personal data.
The Maryland AADC identifies several factors to determine whether children are reasonably likely to access an online product, including whether:
- The federal Children's Online Privacy Protection Act of 1998 (COPPA) considers the online product directed to children.
- Competent and reliable evidence indicates children under 18 routinely access the online product or a substantially similar online product.
- The online product serves ads marketed to children.
- The covered entity's internal research finds that children compose a significant amount of the online product's audience.
- The covered entity knows or should have known that a user is a child.
The Maryland AADC creates new obligations for entities, including requirements to:
- By April 1, 2026, complete a data protection impact assessment (DPIA) for any covered online product, identifying:
- the online product's purpose;
- how the online product uses children's data; and
- whether the online product is designed in a manner consistent with the best interests of children who are reasonably likely to access it.
- Configure all default children's privacy settings to provide a high level of privacy unless the covered entity can demonstrate a compelling reason that an alternate setting is in the children's best interests.
- Provide concise and prominent privacy information, terms of service, policies, and community standards that use child-friendly language.
- Provide prominent, accessible, and responsive tools to help children or their parents and guardians exercise their applicable privacy rights and report concerns.
The Maryland AADC permits a covered entity to allow a child's parent or guardian to monitor a child's online activity or track a child's location without providing an obvious signal to the child.
The Maryland AADC also restricts or prohibits certain data practices. For example, covered entities cannot:
- Process children's personal information in a way that is inconsistent their best interests.
- Profile children by default unless the covered entity can demonstrate that it has implemented appropriate safeguards to ensure that profiling is consistent with the best interests of children who access or are reasonably likely to access the online product, and:
- the profiling is necessary to provide the requested online product and is limited to the online product's aspects with which the child is actively and knowingly engaged; or
- the covered entity can demonstrate a compelling reason that profiling is in children's best interests.
- Process children's personal data that is not reasonably necessary to provide an online product that the child is actively and knowingly engaged with.
- Process children's personal data for any reason outside of the collection purposes.
- Process children's geolocation information by default unless it is:
- strictly necessary to provide the online product; and
- obviously signaled to the child.
- Use dark patterns that cause children to provide excess personal information, circumvent privacy protections, or take actions that are or should reasonably be known to be contrary children's best interests.
- Process personal data for the purpose of estimating the age of a child unless reasonably necessary to provide the online product.
- Allow a person other than the child's parent or guardian to monitor the child's online activity without first notifying the child and the child's parent or guardian.
The Maryland AADC does not include a private right of action. It places enforcement authority exclusively with the Maryland attorney general (AG), who may seek injunctive relief and civil penalties up to:
- $2,500 per affected child for each negligent violation.
- $7,500 per affected child for each intentional violation.
Covered entities that are in substantial compliance with the Maryland AADC's substantive requirements have a 90-day right to cure alleged violations before the AG may bring an enforcement action.