§14–4805.

    A covered entity required to complete a data protection impact assessment under § 14–4804 of this subtitle shall:

        (1)    Maintain documentation of the assessment for as long as the online product is likely to be accessed by children;

        (2)    Review each data protection impact assessment as necessary to account for material changes to processing pertaining to the online product within 90 days of such material changes;

        (3)    Notwithstanding any other law, configure all default privacy settings provided to children by the online product to offer a high level of privacy, unless the covered entity can demonstrate a compelling reason that a different setting is in the best interests of children;

        (4)    Provide any privacy information, terms of service, policies, and community standards concisely, prominently, and using clear language suited to the age of children likely to access the online product; and

        (5)    Provide prominent, accessible, and responsive tools to help children or their parents or guardians, if applicable, exercise their privacy rights and report concerns.