On May 9, 2024, Maryland Governor Wes Moore signed the Maryland Age-Appropriate Design Code Act (“AADC”) into law. The AADC will go into force on October 1, 2024. This post summarizes the law’s key provisions.
- Covered businesses: The AADC covers for-profit entities doing business in Maryland (1) with at least $25 million in gross revenues; (2) when the business derives at least 50% of its revenue from the sale of consumer personal data; or (3) when the business buys, receives, sells, or shares the personal data of at least 50,000 Maryland residents.
- Covered products: Similar to California’s AADC, the Maryland AADC applies to online products “reasonably likely to be accessed by children.” The statute provides several different tests to meet this standard: when the online product is directed to children under COPPA, when the product is routinely accessed by a significant number of children (or is substantially similar to such a product), when the product markets to children, when the business’ internal research documents that a significant amount of the product’s audience is children, or when the business knows or should have known the user is a child.
- Duty of care: The AADC imposes a “best interests of children” duty of care when designing, developing, and providing products reasonably likely to be accessed by children. Covered businesses must process children’s data consistent with this duty. The “best interests” standard has two parts: First, product design or use of the child’s data must not benefit the company to the detriment of the child. Second, product design or use of the child’s data must not produce reasonably foreseeable physical or financial harm, severe emotional harm, a highly offensive intrusion on the child’s privacy, or discriminate based on a protected characteristic like race, religion, disability, gender identity, or sexual orientation.
- Data Protection Impact Assessment (“DPIA”) requirements: Like California’s AADC, the Maryland AADC requires a covered business to complete a DPIA for each online service, product, or feature reasonably likely to be accessed by children. The business must update the DPIA within 90 days of making material changes to data processing pertaining to the covered product. The DPIA must determine whether the product is designed with the best interests of children in mind. To make this determination, the DPIA should consider the following factors: whether children could experience harmful contacts, harmful conduct, exploitative contracts, addictive features, harmful data collection or processing practices, harmful experiments in the product, harmful algorithms, and any other factor indicating that product design is inconsistent with the best interests of children.
- Default settings: The AADC requires all privacy settings provided to children to default to a “high level of privacy” unless the business can show a compelling reason for another default.
- Geolocation data: The AADC bars processing of children’s precise geolocation data by default, unless the precise geodata is strictly necessary to provide the product and the business processes the precise geodata for the limited time necessary to provide the product. In contrast to California’s AADC, the Maryland AADC does not require products to provide a signal to the child when their parent tracks the child’s location.
- Age gating: The Maryland AADC does not require covered entities to implement age-gating in their products. By contrast, California’s AADC mandates age estimation.
- Enforcement: The Maryland Division of Consumer Protection in the Office of the Attorney General has exclusive authority to enforce the AADC. Businesses have 90 days to cure violations after receiving notice from the Division. If not cured, the Maryland AADC applies the same penalties as California’s AADC—up to $2,500 per child per negligent violation and up to $7,500 per child per intentional violation.