On May 9, 2024, Maryland Governor Wes Moore signed the Maryland Age-Appropriate Design Code Act (“AADC”) into law.  The AADC will go into force on October 1, 2024.  This post summarizes the law’s key provisions.

  • Covered businesses:  The AADC covers for-profit entities doing business in Maryland (1) with at least $25 million in gross revenues; (2) when the business derives at least 50% of its revenue from the sale of consumer personal data; or (3) when the business buys, receives, sells, or shares the personal data of at least 50,000 Maryland residents.
  • Covered products:  Similar to California’s AADC, the Maryland AADC applies to online products “reasonably likely to be accessed by children.”  The statute provides several different tests to meet this standard: when the online product is directed to children under COPPA, when the product is routinely accessed by a significant number of children (or is substantially similar to a such a product), when the product markets to children, when the business’ internal research documents that a significant amount of the product’s audience is children, or the business knows or should have known the user is a child.
  • Duty of care:  The AADC imposes a “best interests of children” duty of care when designing, developing, and providing products reasonably likely to be accessed by children.  Covered businesses must process children’s data consistent with this duty.  The “best interests” standard has two parts: First, product design or use of the child’s data must not benefit the company to the detriment of the child.  Second, product design or use of the child’s data must not produce reasonably foreseeable physical or financial harm, severe emotional harm, a highly offensive intrusion on the child’s privacy, or discriminate based on a protected characteristic like race, religion, disability, gender identity, or sexual orientation.
  • Data Protection Impact Assessment (“DPIA”) requirements:  Like California’s AADC, the Maryland AADC requires a covered business to complete a DPIA for each online service, product, or feature reasonably likely to be accessed by children.  The business must update the DPIA within 90 days of making material changes to data processing pertaining to the covered product.  The DPIA must determine whether the product is designed with the best interests of children in mind.  To make this determination, the DPIA should consider the following factors: whether children could experience harmful contacts, harmful conduct, exploitative contracts, addictive features, harmful data collection or processing practices, harmful experiments in the product, harmful algorithms, and any other factor indicating that product design is inconsistent with the best interests of children.
  • Default settings:  The AADC requires all privacy settings provided to children to default to a “high level of privacy” unless the business can show a compelling reason for another default.
  • Geolocation data:  The AADC bars processing of children’s precise geolocation data by default, unless the precise geodata is strictly necessary to provide the product and the business processes the precise geodata for the limited time necessary to provide the product.  In contrast to California’s AADC, the Maryland AADC does not require products to provide a signal to the child when their parent tracks the child’s location.
  • Age gating:  The Maryland AADC does not require covered entities to implement age-gating in their products.  By contrast, California’s AADC mandates age estimation.
  • Enforcement:  The Maryland Division of Consumer Protection in the Office of the Attorney General has exclusive authority to enforce the AADC.  Businesses have 90 days to cure violations after receiving notice from the Division. If not cured, the Maryland AADC applies the same penalties as California’s AADC—up to $2,500 per child per negligent violation and up to $7,500 per child per intentional violation.
Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Lindsey Tonsager Lindsey Tonsager

Lindsey Tonsager co-chairs the firm’s global Data Privacy and Cybersecurity practice. She advises clients in their strategic and proactive engagement with the Federal Trade Commission, the U.S. Congress, the California Privacy Protection Agency, and state attorneys general on proposed changes to data protection…

Lindsey Tonsager co-chairs the firm’s global Data Privacy and Cybersecurity practice. She advises clients in their strategic and proactive engagement with the Federal Trade Commission, the U.S. Congress, the California Privacy Protection Agency, and state attorneys general on proposed changes to data protection laws, and regularly represents clients in responding to investigations and enforcement actions involving their privacy and information security practices.

Lindsey’s practice focuses on helping clients launch new products and services that implicate the laws governing the use of artificial intelligence, data processing for connected devices, biometrics, online advertising, endorsements and testimonials in advertising and social media, the collection of personal information from children and students online, e-mail marketing, disclosures of video viewing information, and new technologies.

Lindsey also assesses privacy and data security risks in complex corporate transactions where personal data is a critical asset or data processing risks are otherwise material. In light of a dynamic regulatory environment where new state, federal, and international data protection laws are always on the horizon and enforcement priorities are shifting, she focuses on designing risk-based, global privacy programs for clients that can keep pace with evolving legal requirements and efficiently leverage the clients’ existing privacy policies and practices. She conducts data protection assessments to benchmark against legal requirements and industry trends and proposes practical risk mitigation measures.

Photo of Jenna Zhang Jenna Zhang

Jenna Zhang is an associate in the firm’s San Francisco office. She is a member of the Data Privacy and Cybersecurity practice group. Jenna advises clients on a broad range of privacy and cybersecurity issues, including compliance obligations, product development, and responses to…

Jenna Zhang is an associate in the firm’s San Francisco office. She is a member of the Data Privacy and Cybersecurity practice group. Jenna advises clients on a broad range of privacy and cybersecurity issues, including compliance obligations, product development, and responses to regulatory inquiries. She also maintains an active pro bono practice with a focus on immigration.