Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

Maryland: Bill for Maryland Online Kids Code passed by Senate

On April 6, 2024, Senate Bill 571 for an act concerning Consumer Protection - Online Products and Services - Data of Children (Maryland Kids Code) was passed by the Senate and sent to the Governor for signing. The bill passed its third reading with amendments in the House of Representatives on April 4, 2024.

The bill would come into effect on October 1, 2024.

Scope of the bill

The bill would apply to covered entities that provide an online product reasonably likely to be accessed by children. Covered entities, according to the bill, are defined as a sole proprietorship, limited liability company, corporation, association, or any other legal entity that:

  • is organized or operated for the profit or financial benefit of its shareholders or other owners;

  • collects consumers' personal data or uses another entity to collect consumers' personal data on its behalf;

  • alone, or jointly with its affiliates or subsidiaries, determines the purposes and means of the processing of consumers' personal data; or

  • does business in the State and:

    • has annual gross revenues in excess of $25 million, adjusted every odd-numbered year to reflect adjustments in the consumer price index;

    • annually buys, receives, sells, or shares the personal data of 50,000 or more consumers, households, or devices, alone or in combination with its affiliates or subsidiaries for the covered entity's commercial purposes; or

    • derives at least 50% of its annual revenues from the sale of consumers' personal data.

Obligations

The bill outlines the following obligations on covered entities:

  • ensure the best interests of children when designing, developing, and providing online products;

  • process children's data in a manner consistent with the best interests of children; and

  • prioritize the privacy, safety, and well-being of children in cases where a conflict arises between commercial interests and the best interests of children.

Data Protection Impact Assessments

The bill details that a covered entity that provides an online product reasonably likely to be accessed by children must prepare a Data Protection Impact Assessment (DPIA) by April 1, 2026. The DPIA should:

  • identity the purpose of the online product;

  • identify how the online product processes children's data; and

  • determine whether the online product is designed in a manner consistent with the best interests of children, taking into consideration:

    • whether children could experience physical, financial, emotional, or psychological harm;

    • the processing may permit the children to participate in or be subject to conduct resulting in physical, financial, emotional, or psychological harm;

    • the processing may permit the children to be party to or exploited by a contact through the online product resulting in physical, financial, emotional, or psychological harm;

    • the online product uses designs to increase, sustain, or extend the use of the online product, including automatic playing of media, and rewards for time spent; and

    • the online product collects or processes the personal data of children.

You can read the bill here and track its progress here.