Maryland's Enactment of the Age-Appropriate Design Code Act

The Maryland Age-Appropriate Design Code Act was signed into law on May 9, 2024, with an October 1, 2024, effective date.

Introduction

The Maryland Age-Appropriate Design Code Act (SB 571 / HB 603) (MD AADC) was signed into law on May 9, 2024, with an October 1, 2024, effective date.

The law is the second of its kind in the United States, following the California Age-Appropriate Design Code Act (CA AADC), which was passed in 2022 and is currently enjoined on constitutional grounds pending appeal in the U.S. Court of Appeals for the Ninth Circuit. Similar to the CA AADC (and the U.K.'s AADC), the MD AADC provides for privacy and safety requirements for children under age 18. Notably, the MD AADC also includes changes seemingly directed at surviving constitutional challenges under U.S. law. We have outlined the major differences between the two U.S. AADCs below.

Comparison of Key Provisions

Applicability.

While Maryland has incorporated the CA AADC's "likely to be accessed by children" scoping standard, it has modified the standard slightly to refer to services, products, or features that are "reasonably likely to be accessed by children." The practical implications of this modification are not yet known.

The law also modifies the CA AADC considerations for determining that an offering is "likely to be accessed by children" by replacing "design elements known to be of interest to children" with whether the covered entity "knows or should know that a significant number of its users are children."

The MD AADC will also apply to more entities, as it lowers the threshold number of consumers, households, or devices to 50,000 (down from 100,000 for the CA AADC).

Age Estimation.

Under the MD AADC, unlike the CA AADC, age assurance is not provided as a means to determine whether services, products, or features are in scope. This change by Maryland legislators may be in reaction to the ongoing constitutional challenge against the CA AADC. The upshot of this is that covered entities in Maryland will need to rely on a qualitative assessment of their offerings using the MD AADC indicators to assess applicability.

Data Protection Assessments.

While both age-appropriate design codes require businesses to create a data protection impact assessment (DPIA) for services or products likely (or in Maryland's case, reasonably likely) to be accessed by children, only Maryland requires that DPIAs need to be completed for both new and existing products, services, or features. The CA AADC requirement is limited to new services, products, or features.

Signals for Guardian Monitoring.

Under the CA AADC, minors must be shown signals when their online activity or location is being monitored by a third party, including guardians. The MD AADC takes a slightly different approach, requiring notice to the child and their parent or guardian for certain monitoring. Covered entities in Maryland can also allow a child's guardian to monitor the child's online activity or track the child's location without providing an obvious signal to the child.

Ensuring the Best Interests of Children.

In Maryland, covered entities that provide in-scope offerings must "ensure the best interests of children when designing, developing, and providing" the offering. All covered entities operating in Maryland that process children's data must do so in a manner consistent with the best interests of children, and where a conflict arises between commercial interests and the best interests of children, covered entities are required to prioritize the privacy, safety, and well-being of children. This affirmative obligation is a departure from the CA AADC, where the "best interests" standard is used primarily to define exceptions to statutory requirements.

Data Processing Restrictions.

The MD AADC prohibits (1) processing any personal data that is not reasonably necessary to provide an online service, product, or feature with which a child is "actively and knowingly" engaged and (2) processing personal data for any reason other than a reason for which that personal data was collected. The first requirement could be particularly burdensome if the "actively and knowingly" clause is interpreted as requiring covered entities to delete all personal data relating to a child when that child stops using the online product or service. These MD AADC requirements are more restrictive than the analogous requirements under the CA AADC, which permit (1) and (2) if the processing is in the best interests of the child.

Content Regulation.

While the CA AADC requires covered businesses to enforce their published terms, policies, and community standards, the MD AADC does not include such a requirement and explicitly states that nothing may be construed to require a covered entity to monitor or censor third-party content.

Takeaway

Maryland is the latest state to adopt youth-specific privacy and safety requirements; over a dozen U.S. states and several non-U.S. jurisdictions have now adopted related laws. The MD AADC reflects that state legislatures are adapting their approach in the light of the numerous constitutional challenges to previously adopted youth-specific laws. Companies that are likely to be in scope for one or more of these laws should continue to monitor U.S. and non-U.S. developments and consider building appropriate mitigations into their product development process.