Maryland: What businesses need to know about the Maryland Kids Code

In its 2024 legislative session, Maryland's General Assembly passed two significant data privacy laws: the Maryland Online Data Protection Act of 2024 (MODPA)¹ and the Maryland Age-Appropriate Design Code, also known as the Maryland Kids Code. Both laws are codified in the Commercial Law Article of Maryland's Annotated Code and were signed by Governor Wes Moore on May 9, 2024.

While MODPA contains restrictions and limitations on the collection, processing, use, and sale of children's data, the Maryland Kids Code aims to further protect children's online safety and privacy. It is based on similar age-appropriate design code laws enacted in the UK and California, and requires covered entities to implement Privacy by Design and Default when it comes to online products that children are reasonably likely to access. The Maryland Kids Code will become effective on October 1, 2024. Alexandra P. Moylan and Michael J. Halaiko, from Nelson Mullins Riley & Scarborough LLP, explore the key provisions of the Maryland Kids Code, how covered entities can ensure compliance, and how this law compares to similar laws.


Scope of the law

The Maryland Kids Code regulates 'online products' that are 'reasonably likely to be accessed by children.' The law requires online products to be age-appropriate and designed, developed, and provided in 'the best interests of children.'

The Kids Code defines a child as 'a consumer under the age of 18.' Online products include an online service, product, or feature. Physical products sold by online retailers are exempt, as are telecommunications services and broadband access internet services. An online product or service is 'reasonably likely to be accessed by children' if it satisfies any of the following criteria:

  • the online product is directed to children as defined in the federal Children's Online Privacy Protection Act (COPPA);
  • the online product is determined, based on competent and reliable evidence regarding audience composition, to be routinely accessed by a significant number of children;
  • the online product is substantially similar or the same as an online product that satisfies the above provision (i.e., determined to be routinely accessed by a significant number of children based on competent and reliable evidence regarding audience composition);
  • the online product features advertisements marketed to children;
  • the covered entity's internal research findings determine that a significant amount of the online product's audience is composed of children; or
  • the covered entity knows or should have known that a user is a child.

Notably, the law does not define the phrase 'significant number of children.' Further, it imposes a subjective standard of 'knows or should have known that a user is a child.' This standard is also incorporated into MODPA and should be reconciled with the statutory purpose of Privacy by Design and Default, as well as data minimization.

Under the Maryland Kids Code, a 'covered entity' is a for-profit legal entity, or an entity organized or operated for the financial benefit of its shareholders or owners, that does business in Maryland and meets the following additional criteria:

  • collects consumers' personal data or uses another entity to collect such data on its behalf;
  • determines the purposes and means of processing consumers' personal data alone or jointly with its affiliates or subsidiaries; and
  • satisfies one of the following thresholds:
    • has annual gross revenue in excess of $25,000;
    • annually buys, receives, sells, or shares the personal data of 50,000 or more consumers, households, or devices, either alone or in combination with its affiliates or subsidiaries, for the business or legal entity's commercial purposes; or
    • derives at least 50% of its annual revenues from the sale of consumers' personal data.

A covered entity includes a legal entity that 'controls or is controlled by a business that shares a name, service mark, or trademark that would cause a reasonable consumer to understand that two or more entities are commonly owned.' It also includes a joint venture or partnership 'composed of businesses in which each has at least a 40% interest in the joint venture or partnership.'

The Maryland Kids Code does not directly apply to non-profits. However, the clause 'or for the financial benefits of its shareholders or owners' may result in certain not-for-profit entities being subject to the legislation. The Maryland Kids Code differs from MODPA in that it contains data and entity-level exemptions for businesses covered by certain federal laws, including the Gramm-Leach-Bliley Act (GLBA), the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH), and the Health Insurance Portability and Accountability Act of 1996 (HIPAA). It also exempts certain data collected as part of clinical trials subject to certain regulations.

Prohibitions and requirements for covered entities  

The purpose of the Maryland Kids Code is to create a 'best interests of children' standard for online products and services that are reasonably likely to be accessed by children. The 'best interests of children' standard means that 'a covered entity's use of the personal data of children or the design of an online product' does not:

  • benefit the covered entity at the detriment of children; or
  • result in the following harms:
    • reasonably foreseeable and material physical or financial harm to children;
    • severe and reasonably foreseeable psychological or emotional harm to children;
    • a highly offensive intrusion on children's reasonable expectation of privacy; or
    • discrimination against children based on race, color, religion, national origin, disability, gender identity, sex, or sexual orientation.

To achieve its purpose, the Maryland Kids Code aims to restrict data collection, sharing, profiling, and the use of data in ways that are detrimental to children and teenagers. The law requires Data Protection Impact Assessments (DPIAs), clear and conspicuous notices to children using language that they can understand, easily accessible tools for children (or their parents/guardians) to exercise privacy rights, and high privacy settings for children by default.

DPIA requirements

The law's DPIA requirements are extensive. In the DPIA, covered entities must identify the purpose of the online product and how the product or service uses children's data. They are required to determine whether the online product is designed in a manner consistent with the best interests of children who are reasonably likely to access the online product based on the following factors:

  • whether the data management or processing practices of the online product could lead to children experiencing or being targeted by contacts;
  • whether the data management or processing practices of the online product could permit children to participate in or be subject to certain conduct;
  • whether the data management or processing practices of the online product are reasonably expected to allow children to become party to or be exploited by a contract through the online product;
  • whether the online product uses system design features to increase, sustain, or extend the use of the online product, including the automatic play of media, rewards for time spent, and notifications;
  • whether, how, and for what purposes the online product collects or processes the personal data of children and the material risks to children that may arise from those practices;
  • whether and how data collected to understand the experimental impact of the product reveals data management or design practices that could pose material risks to children;
  • whether algorithms used by the online product could result in material risks to children; and
  • any other factor that may indicate that the online product is designed in a manner that is inconsistent with the best interest of children.

Consistent with the definition of the best interests of children, evaluation of each of the above-outlined factors must include an analysis of whether they would result in:

  • reasonably foreseeable and material physical or financial harm to children;
  • severe and reasonably foreseeable psychological or emotional harm to children;
  • a highly offensive intrusion on children's reasonable expectation of privacy; or
  • discrimination against children based on race, color, religion, national origin, disability, gender identity, sex, or sexual orientation.

If a business identifies potential harm to children in a DPIA, it is required to take action to mitigate the identified harms. The DPIA must 'include a description of the steps that the covered entity has taken and will take to comply with the duty to act in a manner consistent with the best interests of children.'

Other compliance requirements regarding documentation, data collection, processing and sharing, and product design

Compliance with the Maryland Kids Code also requires that covered entities:

  • maintain documentation of the DPIA for as long as the online product is likely to be accessed by children;
  • review each DPIA as necessary to account for material changes to processing pertaining to the online product within 90 days of such material changes;
  • regardless of any other law, configure all default privacy settings provided to children by the online product to offer a high level of privacy, unless the covered entity can demonstrate a compelling reason that a different setting is in the best interests of children;
  • provide any privacy information, terms of service, policies, and community standards concisely, prominently, and using clear language suited to the age of children likely to access the online product; and
  • provide prominent, accessible, and responsive tools to help children or their parents or guardians (if applicable) exercise their privacy rights and report concerns.

The Kids Code prohibits covered entities from:

  • collecting certain data about children;
  • using addictive tactics like auto-playing videos and constant notifications;
  • tracking consumers under 18 and using manipulative techniques to keep young people online;
  • profiling a child by default unless the covered entity can demonstrate that it has appropriate safeguards in place to ensure the profiling is consistent with the best interests of children and a compelling reason that profiling is in the best interests of children;
  • processing the personal data of children that is not reasonably necessary to provide an online product that the child is actively and knowingly engaged with;
  • processing precise geolocation (within a radius of 1,750 feet) unless strictly necessary for the covered entity to provide the online product, and the geolocation data is processed only for the limited time necessary to provide the online product. Processing geolocation requires an obvious signal to the child for the duration that the precise geolocation data is being collected;
  • processing any personal data for the purpose of estimating the age of a child who is actively and knowingly engaged with an online product that is not reasonably necessary to provide the online product;
  • allowing a person other than a child's parent or guardian to monitor the child's online activity without first notifying the child and the child's parent or guardian; or
  • using dark patterns² to:
    • cause a child to provide personal data beyond what is reasonably expected to provide the online product;
    • circumvent privacy protections; or
    • take any action that the covered entity knows, or has reason to know, is not in the best interests of children who access or are reasonably likely to access the online product.

Effective dates for compliance

The Maryland Kids Code becomes effective on October 1, 2024. Covered entities have until April 1, 2026, to complete the statutorily mandated DPIA for any online product offered to the public that:

  • is reasonably likely to be accessed by children before that date;
  • is offered to the public on or before that date; and
  • will continue to be offered to the public after July 1, 2026.

A covered entity must also perform a DPIA for products initially offered after April 1, 2026, but there is no prescribed period for compliance with that requirement - the bill originally included a 90-day period for the DPIA, but it was stricken.

Enforcement and penalties

Like MODPA, the Maryland Kids Code is enforced by the Division of Consumer Protection of the Maryland Office of the Attorney General (OAG). There is no private right of action. Violations of the Kids Code could result in civil money penalties of up to $2,500 per affected child for negligent violations, and up to $7,500 per affected child for intentional violations. Violations of the Maryland Kids Code are considered violations of unfair, abusive, or deceptive trade practices and constitute violations of the Maryland Consumer Protection Act.

Upon written request by the OAG, covered entities have seven business days to provide all of the statutorily required DPIAs that have been completed. DPIAs are confidential and exempted from public disclosure, including under the Maryland Public Information Act.

There is a safe harbor provision available for covered entities that can establish substantial compliance with the Maryland Kids Code. In such circumstances, the covered entities would have 90 days to cure an alleged violation and demonstrate future compliance. Failure to complete the required DPIA or address identified risks in the DPIA could result in the OAG pursuing enforcement actions and levying fines based on the number of children impacted and whether the violations were negligent or intentional as outlined above.

Comparing the Maryland Kids Code to other laws around the globe

Like the California Age-Appropriate Design Code enacted in 2022, and the UK Age-Appropriate Design Code enacted in 2021, the Maryland Kids Code requires online products and services to implement data management or design practices that are in the best interests of children. The laws block tech companies from collecting certain data on minors and using tactics like auto-playing videos and constant notifications. They also require products to use high privacy settings by default rather than requiring children to opt in to high privacy settings.

Overall, the Maryland Kids Code follows a similar framework to the UK and California laws. However, it adds unique provisions around non-discrimination and avoiding parental monitoring, in addition to certain definitions and language to avoid constitutional challenges. For example, the Maryland Kids Code contains provisions that allow a child's parent or guardian to monitor the child's online activity or track the child's location, without providing an obvious signal to the child when the child is being monitored or tracked.

In drafting the law, Maryland's General Assembly amended the bill to address the legal challenge to California's law as unconstitutionally infringing on tech industry groups' First Amendment free speech rights. For instance, the Maryland legislation includes language that nothing in the bill 'may be construed to require a covered entity to monitor or censor third-party content or otherwise impact the existing rights and freedoms of any person.' Further, the law states that it should not be interpreted or construed as preventing or precluding 'a child from deliberately or independently searching for or specifically requesting content.' Similarly, it specifies that covered entities are not required to implement an age-gating requirement. The Maryland Kids Code also defines terms including the best interests of children to avoid arguments of vagueness.

Alexandra Moylan Esq., CIPP/US, Shareholder
Michael J. Halaiko Esq., CIPP/E, Shareholder
Baker Donelson, Baltimore


1. A detailed overview of MODPA is available here.
2. A dark pattern is a user interface designed or manipulated with the purpose of subverting or impairing user autonomy, decision-making, or choice. It includes any practice identified by the Federal Trade Commission (FTC) as a dark pattern.