On May 9, 2024, Maryland Governor Wes Moore signed HB 603, the Maryland Age-Appropriate Design Code (Maryland AADC). The Maryland AADC builds on Maryland’s Online Data Privacy Act, which was signed into law the same day and requires companies to provide certain protections for the personal data of a consumer when the company knows or has reason to know the consumer is a child under the age of 13.[1] The Maryland AADC layers on additional requirements for “covered entities” and expands the definition of “child” to include individuals under the age of 18.

Minor safety on social media platforms has been a significant area of legislative focus this year. A number of states have enacted laws regulating minors’ use of social media platforms (e.g., Utah, Florida, Georgia), and other states have amended their comprehensive privacy laws to include certain protections for minors (e.g., Connecticut, Virginia). California also enacted similar age-appropriate design legislation[2] in 2022, but it was preliminarily enjoined in September 2023. Since then, states have been hesitant to enact similarly structured legislation. Maryland is the first state to pass a revised AADC, though Vermont is poised to shortly follow.

The Maryland AADC’s provisions and key takeaways are summarized below.

Covered Entities Under the Maryland AADC

“Covered entities” are defined as for-profit entities that do business in Maryland, collect consumers’ personal data, determine the purposes and means of processing consumer data, and meet the law’s thresholds.

To meet the threshold, a business must:

  • have an annual gross revenue greater than $25,000,000;
  • annually buy, receive, sell, or share personal data of 50,000 or more consumers, households, or devices (alone or in combination with affiliates); or
  • derive at least 50 percent of its annual revenue from the sale of personal data.

The law’s obligations apply to covered entities that offer online products “reasonably likely” to be accessed by children per one of the law’s enumerated criteria:

  • the online product is directed to children as defined under the Children’s Online Privacy Protection Act (COPPA);
  • the online product is determined to be routinely accessed by a “significant” number of children based on audience composition evidence;
  • the online product is substantially similar to a different online product that has audience composition evidence showing routine access by children;
  • the online product includes advertisements marketed to children;
  • the covered entity’s internal research shows a “significant” amount of the online product’s audience is children; or
  • the covered entity “knows or should have known that a user is a child.”

In determining whether the online product is reasonably likely to be accessed by children, the covered entity may not collect or process any personal data beyond what is reasonably necessary to make the determination.

Data Protection Impact Assessment

Covered entities must prepare a data protection impact assessment (DPIA) for the online product(s) reasonably likely to be accessed by children. Among other requirements, the DPIA must identify the purpose of the product, how the product uses children’s data, and whether the product is designed consistent with the best interests of children, in line with proposed criteria specified in the law.

The covered entity must also describe the steps it has taken and will take to comply with its duty to act in the best interests of children.

Additional Obligations

In addition to the DPIA, covered entities must configure children’s default privacy settings to provide a high level of privacy by default and provide age-appropriate privacy information and tools to children.

Covered entities also cannot:

  • process personal data of children in a way inconsistent with the children’s best interests;
  • profile children by default unless the business has safeguards, and the profiling is necessary to provide the requested online product or there is a reason why profiling is in the best interest of children;
  • process personal data of children that is not necessary for the provision of the service;
  • process personal data of children for reasons other than for the reason collected;
  • process precise geolocation by default (and, where precise geolocation is processed, the entity must provide a signal to children);
  • use dark patterns to collect more data than necessary, circumvent privacy protections, or take actions that the entity “knows, or has reason to know, is not in the best interests of children”;
  • process data to estimate age when that is not reasonably necessary to provide the online product; or
  • allow a person other than a parent or guardian to monitor a child’s online activity without first notifying both the child and the parent or guardian.

Enforcement and Penalties

The Division of Consumer Protection of the Office of the Attorney General (the Division) has authority to investigate compliance with the law and bring enforcement actions.

If the Division issues a request, covered entities must provide a list of all DPIAs to the Division within five business days and provide the DPIAs to the Division within seven business days. If any disclosure required when providing the DPIAs includes information subject to attorney-client privilege or work-product protection, the disclosure will not constitute a waiver of that privilege or protection.

Companies in substantial compliance with the requirements will receive an opportunity to cure and will not be liable for civil penalties if the company has completed a DPIA, cures the specified violation within 90 days of receiving the notice, and takes measures to prevent future violations that the Division deems sufficient.

Violations of the Maryland AADC constitute unfair, abusive, or deceptive trade practices under the state’s law. The Division may recover civil penalties of $2,500 per affected child for each negligent violation and $7,500 per affected child for each intentional violation.

Key Takeaways

Maryland’s AADC is the latest addition to the patchwork of regulations focused on minors’ safety online. Given regulators’ focus on this area, companies should expect to see increased regulatory scrutiny and enforcement on issues pertaining to child and teen online privacy and safety.

Maryland’s AADC mirrors the California AADC in many respects, though there are some key differences.

First, the law applies when covered products are “reasonably likely to be accessed” by children, and Maryland’s factors for making this determination are arguably broader than California’s standard. For example, the Maryland law includes as a factor whether competitor products that are “substantially similar” have evidence showing them to be routinely accessed by a significant number of children. This addition appears inspired by the Federal Trade Commission’s proposed change in the COPPA notice of proposed rulemaking, which would consider “the age of users on similar websites or services.”

Second, the Maryland AADC does not require age estimation. While many state laws have advocated for some sort of age estimation or age verification model, these requirements have been scrutinized through legal challenges.

Third, the Maryland AADC arguably sweeps in more conduct, as the definition of “process” is quite broad. In the California AADC, prohibitions on processing were limited to collecting, selling, sharing, retaining, or using personal information in certain ways. Under Maryland’s law, processing includes “collecting, using, storing, disclosing, analyzing, deleting, or modifying personal data.” This definition aligns with many state comprehensive privacy laws.

Though it remains to be seen whether Maryland’s law will survive where California’s law failed, companies should pay close attention to the requirements laid out in the law.

Wilson Sonsini Goodrich & Rosati routinely helps companies navigate complex privacy and data security issues and specializes in issues pertaining to children and teen privacy and online safety. We will continue to monitor developments at the state, national, and international level in order to assist companies with compliance. For more information, please contact Libby Weingarten, Rebecca Weitzel Garcia, or another member of the firm’s privacy and cybersecurity practice.

[1] Children’s personal data is considered “sensitive data” under the law. See SB 541 (2024), https://mgaleg.maryland.gov/mgawebsite/Legislation/Details/sb0541.

[2] This type of legislation is often inspired by the United Kingdom’s Age-Appropriate Design Code; see https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/childrens-information/childrens-code-guidance-and-resources/age-appropriate-design-a-code-of-practice-for-online-services/.