What is the Maryland Kids Code and How Does it Differ from Other Children's Codes?

It’s proving a challenge for industry to keep up with the tidal wave of child privacy and safety bills at the state level. Privacy professionals need to align the different requirements as each one passes, and online services need to shape up or face enforcement actions and fines. Children’s codes are at the center of the changing privacy landscape in relation to child privacy and safety protections.

California’s Age-Appropriate Design Code Act (CA AADCA), based on the UK Children’s Code, was due to come into force in July this year though industry and big tech push back has led to an injunction which the state is now appealing. Increasingly opposition is voicing concerns around the first amendment claiming that the CA AADCA and others that follow in its footsteps undermine free speech. The concept of best interests of the child is not defined in US law unlike in most other jurisdictions where United Nations Convention of the Rights of Children has been ratified and enshrines the best interest’s definition. The CA AADCA and other proposed state codes may be “tweaked” as a result but regardless the wave of changes to bring privacy and safety measures to protect younger users is not going to be held back.

The Maryland Age-Appropriate Design Code Act or Kid’s Code which passed in May appears to have made several “tweaks” in attempt to avoid the same push back and an injunction. For example, the best interests of the child is replaced by requirements for a “duty of care”. The means that the design of an online service should not result in: reasonably foreseeable and material physical or financial harm to children; reasonably foreseeable and severe psychological or emotional harm to children; a highly offensive intrusion on the reasonable privacy expectations of children, or discrimination against children based upon race, color, religion, national origin, disability, gender identity, sex, or sexual orientation. 

While Data Processing Impact Assessments are a requirement as they are in other Codes, Maryland Kid’s Code includes the need to describe the steps the online service has taken and will take to comply with the duty to act in the best interests of children. The Kid’s Code does not include an express mandate for age assurance.

Effective Date

The Code became effective on October 1, 2024.

Who needs to comply?

The Code applies to covered entities that provide online services, products, or features “reasonably likely to be accessed by children.”

A “covered entity” is a for-profit business doing business in Maryland which meets at least one of the following criteria:

• More than $25 million in gross annual revenue (adjusted periodically to reflect changes in the Consumer Price Index);
• Buys, receives, sells, or shares personal data of 50,000 or more consumers, households, or devices annually for commercial purposes
• Makes at least 50% of its annual revenues from the sale of consumers’ personal data.

It does not apply to ISPs, telecom services or physical products.

Covered entities are those directed to children or “likely to be accessed by them.” A child is a user under the age of 18 so 17 and under. If a service knows or should know that it attracts children based on several indicators it must comply. Those indicators include:

• Determined to be routinely accessed by a significant number of children based on competent and reliable evidence regarding audience composition;
• Is substantially similar to an online service, product, or feature determined as likely to be accessed;
• Marketed to children;
• Determined, based on internal company research, to have a significant child audience.

The key requirements include:

• Data protection impact assessment or DPIA. A service must complete a DPIA before offering any new online services, products, or features that are reasonably likely to be accessed by children. The service must provide copies of the assessments within seven business days if requested by the Maryland Attorney General.
• Ensure all default privacy settings offer a high level of privacy.
• Publish privacy policies, terms of service, and community standards which are age appropriate.
• Data processing restrictions -  no processing of a child’s personal data that is not in their best interests; no processing more personal data than is reasonably necessary; only processing for the purposes it was collected and no other purpose; no processing of precise geolocation data of a child unless strictly necessary and the service displays an obvious sign to the child when geo location data is processed; no processing of personal data for the purposes of estimating a child’s age unless reasonably necessary to provide the service.

Enforcement

Failure to comply with the Kid’s Code could result in fines up to $2,500 per affected child for negligent violations. Intentional violations carry civil penalties up to $7,500 per affected child. 

Need help to comply with the Maryland Kids Code? 
Contact PRIVO to learn more about the Children's Code program to help your company comply and ask for a demo of our compliant and easy to implement smart age gate, age verification and parental consent services. 

For more information:
>> View  Maryland Kids Code website 
>> View  Legislation