Skip to main content

Maryland Says “Don’t Mess with Kids”

As U.S. states continue to pass data privacy legislation, Maryland has gone above and beyond in signing both the Maryland Online Data Privacy Act of 2024 (MODPA) and the Maryland Age Appropriate Design Code (HB 603/SB 5712023) into law on May 9, 2024. The Kids Code will go into effect in October and the MODPA will go into effect one year thereafter. Our discussion of the MODPA is here.

The Kids Code was introduced to require certain entities that offer online products which are reasonably likely to be accessed by children to complete a data protection impact assessment under certain circumstances. The law also provides certain privacy protections for specific online products, prohibits certain data collection and sharing practices, authorizes certain monitoring practices, each generally relating to the protection of online privacy of children.  This post will provide the details and information needed to understand your compliance requirements under this new Maryland law.

Applicability Criteria

The Kids Code requires covered entities that develop and provide online products that children are reasonably likely to access to prepare a data protection assessment for that online product.

Children are consumers under the age of 18 (who need not be a resident of the State of Maryland) and are not individuals acting in a commercial or employment context.

Covered entities include any entity (a) that is organized or operated for profit, (b) collects consumer personal data or uses another entity to collect consumer personal data on its behalf, (c) determines the purposes and means of the processing of consumer personal data, (d) does business in Maryland, and (d) (i) has annual gross revenue in excess of $25 million (subject to CPI adjustment), (ii) annually buyers, receives, sells, or shares personal data of 50,000 or more consumers, households or devices for the covered entities commercial purpose, or (iii) derives at least 50% of its annual revenue from the sale of consumer personal data. Notably, covered entities include (x) an entity that controls or is controlled by a business and that shares a name, service mark or trademark that would cause a reasonable consumer to understand that the entities are commonly owned, and (y) joint ventures or partnerships composed of businesses in which each has at least 40% interest in the joint venture. The notion of “consumer” as used in the Kids Code means an individual (who need not be a resident of Maryland) and does not include individuals acting in a commercial or employment context.

An online product is reasonably likely to be accessed by children where that online product (a) is directed (as defined in COPPA) to children, (b) is determined, based on competent and reliable evidence regarding audience composition, to be routinely accessed by a significant number of children, (c) is substantially similar to an online product that satisfies (a) or (b), (d) features advertisements marketed to children, (e) has an audience significantly composed of children (based on the covered entity’s internal research findings); or (f) the online product is offered by a covered that entity knows or should have known that a user is a child.

Data Protection Impact Assessments

On or before April 1, 2026, covered entities that provide an online product reasonably likely to be accessed by children must prepare a data protection impact assessment (DPIA) for any online product that is offered to the public on or before April 1, 2026 and will continue to be offered to the public after July 1, 2026.  After April 1, 2026, covered entities that provide an online product reasonably likely to be accessed by children must prepare a DPIA that (a) identifies the purpose of the online product, (b) identify how the online product uses children’s data, (c)  determine whether the online product is designed in a manner consistent with the best interests of children reasonably likely to access the online product, and (d) include a description of the steps that the covered entity has taken and will take to comply with the duty to act in a manner consistent with the best interests of children.

To determine whether the online product is designed in a manner consistent with the best interests of children reasonably likely to access the online product ((c) above), covered entities must determine whether any of the following could result in harm or intrusion of privacy of children or discrimination against children:

  1. The data management or processing practices of the online product (a) could lead to children experiencing or being targeted by certain contacts or (b) could permit children to participate in or be subject to certain activities resulting in harm or intrusion of privacy of children or discrimination against children.
  2. The data management or processing practices of the online product are reasonably expected to allow children becoming party to or exploited by a contract through the online product.
  3. The online product uses system design features to increase to increase, sustain or extend the use of the online product, including the automatic playing of media, rewards for time spent, and notifications.
  4. The way, manner and purpose the online product collects or processes personal data of children.
  5. The way and manner data collected to understand the experimental impact of the online product, including data management or design practices.
  6. Algorithms used by the online product.

Further Requirements

Covered entities required to complete a DPIA must:

  • Maintain documentation of the DPIA for as long as the online product is likely to be accessed by children
  • Review each DPIA as necessary to account for material changes to processing pertaining to the online product within 90 days of such material changes
  • Configure all default privacy settings provided to children by the online product to offer a high level of privacy (unless the covered entity can demonstrate a compelling reason that a different setting is in the best interest of children)
  • Conspicuously, and in language suitable to the age of the children likely to access the online product, provide privacy information, terms of service, policies and community standards
  • Provide prominent, accessible and responsive tools to help children and their guardians exercise their privacy rights and report concerns

Covered entities that provide an online product that is accessed or reasonably likely to be accessed by children, with respect to each child, may not:

  • Process personal data in a way that is inconsistent with the best interests of children reasonably likely to access the online product
  • Profile by default, unless appropriate safeguards are in place to ensure profiling is in the best interests of children and is necessary to provide the requested online product and done only with respect to the aspects of the online product the child is actively and knowingly engaged with
  • Process personal data not reasonably necessary to provide the online product the child is actively and knowingly engaged with
  • Process personal data for any reason other than the reason for which the personal data was collected
  • Process any precise geolocation data of a child by default, unless (a) it is strictly necessary for the covered entity to provide the online product and (b) processed only for the limited time that is necessary to provide the online product.
  • Process precise geolocation data without providing an obvious signal to the child for the duration of collection
  • Use dark patterns to (x) cause a child to provide personal data beyond what is reasonably expected to provide the online product, (y) circumvent privacy protections or (z) take any action that the covered entity knows, or has reason to know, is not in the best interest of children who access or are reasonably likely to access the online product
  • Process personal data for the purpose of estimating the age of a child that is actively and knowingly engaged with an online product that is not reasonably necessary to provide the online product
  • Allow a person other than the parent’s parent or guardian to monitor the child’s online activity without first notifying the child and the parent or guardian

Exemptions

The Kids Code does not apply to data subject to a statute that is controlled by a covered entity or service provider:

  1. that is required to comply with the federal GLBA
  2. that is required to comply with federal HITECH or HIPAA
  3. that collects information as part of a clinical trial subject to the Federal Policy for the Protection of Human Subjects in accordance with (a) good clinical practice guidelines issued by the International Council for Harmonisation of Technical Requirements for Pharmaceuticals for Human Use, or (b) human subject protection requirements of the FDA

Other Business Obligations

The Do’s:

  • Begin preparing DPIAs prior to July 1, 2026
  • Set all default settings to the most private as necessary
  • Design age-appropriate experiences for children based on set age ranges
  • Make it easy for kids to report privacy concerns
  • Determine whether kids are reasonably likely to access their online product, service, or feature
  • Let kids know when they are being monitored or tracked
  • Provide privacy notices in clear language that young users can understand
  • Conduct a risk assessment of how you use children’s data

And the Do Not’s:

  • Sell information of children (regardless of parental consent)
  • Profile children unless profiling can be shown to be in the best interest of children
  • Collect personal information of children that is not needed to deliver a service
  • Design features detrimental to children’s well-being
  • Use children’s data in ways that you have not previously obtained explicit consent
  • Use manipulative designs to influence children to provide their information

No private right of action

The Kids Code does not provide for a private right of action.

Fines and Penalties

The Kids Code will be enforced exclusively by the Division of Consumer Protection of the Office of the Attorney General (the Division). Covered entities Covered must provide a list of all data protection impact assessments to the Division (a) within five business days with respect to entities that provide an online product reasonably likely to be accessed by children and (b) within seven business days of such request with respect to covered entities generally (and the Division may explicitly extend the required response time of requests of (b)). Covered entities in substantial compliance with the Kids Code will receive written notice from the Division before the Division brings action against that covered entity. Covered entities will not be liable for civil penalties if, (x) the covered entity cures the violation presented in the underlying notice within 90 days of receipt of the violation, (y) provides the Division of with a written statement that the violation has been cured and (z) takes measures to prevent future violation deemed sufficient by the Division. Violations of the Kids Code may subject the violator to up to $2,500 per affected child for each negligent violation and $7,500 per affected child for each intentional violation.

Effective Date for Kids Code

October 1, 2024, with the requirement for completion of data protection impact assessments by covered entities by April 1, 2026.

Subscribe To Viewpoints

Authors

Cynthia J. Larose

Member / Co-Chair, Privacy & Cybersecurity Practice

Cynthia J. Larose is Chair of the firm's Privacy & Cybersecurity Practice, a Certified Information Privacy Professional-US (CIPP-US), and a Certified Information Privacy Professional-Europe (CIPP-E). She works with clients in various industries to develop comprehensive information security programs on the front end, and provides timely counsel when it becomes necessary to respond to a data breach.

Jon Taylor

Associate

Jon S. Taylor is an Associate at Mintz who focuses on M&A, private equity deals, debt and equity financings, and general corporate matters. He advises private equity firms, financial services companies, and clients in the technology, health care, manufacturing, and retail industries.