Current with changes from the 2024 Legislative Session
Section 14-4804 - Data protection impact assessment

(a)
  (1) Subject to paragraph (2) of this subsection, a covered entity that provides an online product reasonably likely to be accessed by children shall prepare a data protection impact assessment for the online product.
  (2) On or before April 1, 2026, a covered entity shall prepare a data protection impact assessment for any online product that:
    (i) Meets the criteria under paragraph (1) of this subsection;
    (ii) Is offered to the public on or before April 1, 2026; and
    (iii) Will continue to be offered to the public after July 1, 2026.
  (3) For an online product that meets the criteria under paragraph (1) of this subsection and is initially offered to the public after April 1, 2026, a covered entity shall complete a data protection impact assessment.

(b) The data protection impact assessment shall:
  (1) Identify the purpose of the online product;
  (2) Identify how the online product uses children's data;
  (3) Determine whether the online product is designed in a manner consistent with the best interests of children reasonably likely to access the online product through consideration of:
    (i) Whether the data management or processing practices of the online product could lead to children experiencing or being targeted by contacts that would result in:
      1. Reasonably foreseeable and material physical or financial harm to children;
      2. Reasonably foreseeable and extreme psychological or emotional harm to children;
      3. A highly offensive intrusion on children's reasonable expectation of privacy; or
      4. Discrimination against children based on race, color, religion, national origin, disability, gender identity, sex, or sexual orientation;
    (ii) Whether the data management or processing practices of the online product could permit children to participate in or be subject to conduct that would result in:
      1. Reasonably foreseeable and material physical or financial harm to children;
      2. Reasonably foreseeable and extreme psychological or emotional harm to children;
      3. A highly offensive intrusion on children's reasonable expectation of privacy; or
      4. Discrimination against children based on race, color, religion, national origin, disability, gender identity, sex, or sexual orientation;
    (iii) Whether the data management or processing practices of the online product are reasonably expected to allow children becoming party to or exploited by a contract through the online product that would result in:
      1. Reasonably foreseeable and material physical or financial harm to children;
      2. Reasonably foreseeable and extreme psychological or emotional harm to children;
      3. A highly offensive intrusion on children's reasonable expectation of privacy; or
      4. Discrimination against children based on race, color, religion, national origin, disability, gender identity, sex, or sexual orientation;
    (iv) Whether the online product uses system design features to increase, sustain, or extend the use of the online product, including the automatic playing of media, rewards for time spent, and notifications that would result in:
      1. Reasonably foreseeable and material physical or financial harm to children;
      2. Reasonably foreseeable and extreme psychological or emotional harm to children;
      3. A highly offensive intrusion on children's reasonable expectation of privacy; or
      4. Discrimination against children based on race, color, religion, national origin, disability, gender identity, sex, or sexual orientation;
    (v) Whether, how, and for what purpose the online product collects or processes personal data of children and whether those practices would result in:
      1. Reasonably foreseeable and material physical or financial harm to children;
      2. Reasonably foreseeable and extreme psychological or emotional harm to children;
      3. A highly offensive intrusion on children's reasonable expectation of privacy; or
      4. Discrimination against children based on race, color, religion, national origin, disability, gender identity, sex, or sexual orientation;
    (vi) Whether and how data collected to understand the experimental impact of the product reveals data management or design practices that would result in:
      1. Reasonably foreseeable and material physical or financial harm to children;
      2. Reasonably foreseeable and extreme psychological or emotional harm to children;
      3. A highly offensive intrusion on children's reasonable expectation of privacy; or
      4. Discrimination against children based on race, color, religion, national origin, disability, gender identity, sex, or sexual orientation;
    (vii) Whether algorithms used by the online product would result in:
      1. Reasonably foreseeable and material physical or financial harm to children;
      2. Reasonably foreseeable and extreme psychological or emotional harm to children;
      3. A highly offensive intrusion on children's reasonable expectation of privacy; or
      4. Discrimination against children based on race, color, religion, national origin, disability, gender identity, sex, or sexual orientation; and
    (viii) Any other factor that may indicate that the online product is designed in a manner that is inconsistent with the best interests of children; and
  (4) Include a description of steps that the covered entity has taken and will take to comply with the duty to act in a manner consistent with the best interests of children.

(c)
  (1) A data protection impact assessment prepared by a covered entity for the purpose of compliance with any other law complies with this section if the assessment meets the requirements of this section.
  (2) A single data protection impact assessment may contain multiple similar processing operations that present similar risks only if each relevant online product is addressed.

Added by 2024 Md. Laws, Ch. 461, Sec. 1, eff. 10/1/2024.
Added by 2024 Md. Laws, Ch. 460, Sec. 1, eff. 10/1/2024.