House Bill 121 for An act relating to enhancing consumer privacy was introduced, on 26 January 2023, to the Vermont State Legislature and thereafter referred, on the same date, to the Commerce and Economic Development Committee. In particular, H 121 would establish, among other things:

• general requirements for the collection and use of data;
• a new Data Broker Security Breach Notice Act;
• rules on businesses' obligations to take all reasonable steps to destroy or arrange for the destruction of a customer's records within its custody or control containing personally identifiable information that is no longer to be retained by the business;
• registration requirements for data brokers; and
• protection for the processing of biometric data.

You can read the bill here and track its progress here.

UPDATE (25 March 2024)

Bill passes House

On 22 March 2024, the bill passed the House. 

You can read the bill here and track its progress here.

UPDATE (28 March 2024)

Bill referred to Senate Committee on Economic Development, Housing and General Affairs

On 27 March 2024, the bill was referred to the Senate Committee on Economic Development, Housing and General Affairs, after being read for the first time in the Senate on the same date.

You can read the bill here and track its progress here.

UPDATE (25 April 2024)

Bill passes second reading and referred to committee

On 25 April 2024, the bill was read for a second time by the Senate following a favorable report, on the same date, by the Committee on Economic Development, Housing and General Affairs. The bill was subsequently referred to the Committee on Appropriations.

What is the scope of the bill for the Vermont Data Privacy Act?

In particular, the bill provides for the establishment of the Vermont Data Privacy Act, applicable to a person that conducts business in Vermont or a person that produces products or services that are targeted to residents of Vermont and that during the preceding calendar year:

• controlled or processed the personal data of not fewer than 25,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or
• derived more than 50% of the person's gross revenue from the sale of personal data.

However, the bill outlines that it does not apply to, among other things:

• a federal, State, tribal, or local government entity in the ordinary course of its operation;
• protected health information processed in accordance with the Health Insurance Portability and Accountability Act (HIPAA);
• information processed or maintained solely in connection with, and for purposes of, enabling employment, application for employment; and
• information collected, processed, sold, or disclosed under and in accordance with the Driver's Privacy Protection Act of 1994, the Farm Credit Act, non-public personal information processed by a financial institution subject to the Gramm-Leach-Bliley Act (GLBA), and a non-profit organization.

What consumer rights are provided for by the bill for the Vermont Consumer Privacy Act?

The bill provides for consumer rights including the right to be informed, access, rectification, deletion, data portability, and opt out of the processing of personal data for the purposes of targeted advertising, sale of personal data, or profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer.

Controllers must respond to consumer requests with undue delay but no later than 60 days after receiving the request, and information provided must be provided free of charge once per consumer during any 12 month period.

Notably, the bill specifies that a controller may not condition the exercise of consumer rights through:

• the use of any false, fictitious, fraudulent, or material statement or representation; or
• the employment of any dark pattern.

What controller and processor obligations fall under the bill for the Vermont Consumer Privacy Act?

The bill stipulates that controllers must, among other tasks:

• create a reasonably accessible, clear, and meaningful privacy notice with specific contents;
• process personal data in compliance with the principles of necessity and proportionality and for the specified purpose;
• establish, implement, and maintain reasonable administrative, technical, and physical data security practices;
• not process sensitive data without first obtaining consumer consent, or in the case of a known child, without processing the data in accordance with the Children's Online Privacy Protection Act (COPPA); and
• not discriminate or retaliate against a consumer who exercises a right provided to the consumer under the bill. 

The bill also elaborates on obligations relating to the processing of minors' personal data, including not processing a minor's personal data for the purposes of targeted advertising, sale of personal data, or profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer. Such prohibitions also extend to minors' geolocation data and the employment of dark patterns. 

Processors specifically must adhere to the controller's instructions and assist them in meeting their obligations under the bill, with processing operations governed by a contract between the controller and processor. The contract must set forth specific instructions and obligations for the controller and the processor and requires a processor to ensure that any subprocessor contracted also meets the processor's obligations concerning personal data. 

What enforcement and supervisory authorities are provided for under the bill for the Vermont Consumer Privacy Act?

The Vermont Attorney General (AG) is responsible for the enforcement of the bill. 

The bill also provides for the establishment of the Artificial Intelligence and Data Privacy Advisory Council responsible for providing advice and counsel on the development, employment, and procurement of artificial intelligence (AI) in the Vermont State Government.

The provisions for the Vermont Data Privacy Act are provided to enter into effect on July 1, 2025.

Provisions related to the AI and Data Privacy Advisory Council are provided to enter into effect on July 1, 2024.

You can read the bill here and track its progress here.

UPDATE (9 May 2024)

Bill rules suspended by Senate

On 8 May 2024, the Senate suspended the rules for the bill and messaged the House on the same date.

You can read the bill as passed by the House here and track its progress here.

UPDATE (10 May 2024)

House concurs with Senate amendments to bill and proposes further amendments

On 9 May 2024, the House concurred with the Senate's amendments to the bill and on the same date, proposed further amendments.

What are the proposed Senate amendments relating to the Age-Appropriate Design Code?

Notably, the Senate proposed the addition of an Age-Appropriate Design Code under Subchapter 6 of the bill. The bill defines 'age-appropriate' as 'the recognition of the distinct needs and diversities of minor consumers at different age ranges. In order to help support the design of online services, products, and features, covered businesses should take into account the unique needs and diversities of different age ranges, including the following developmental stages:

• zero to five years of age or preliterate and early literacy;
• six to nine years of age or core primary school years;
• 10 to 12 years of age or transition years;
• 13 to 15 years of age or early teens; and
• 16 to 17 years or age or approaching adulthood.'

The bill further provides for age estimation methods and would impose a certain minimum duty of care on covered businesses that process a minor consumer's data. Additionally, the covered entities, in relation to the Age-Appropriate Design Code, would be prohibited from, among other things:

• using low-friction variable reward design features that encourage excessive and compulsive use by a minor consumer;
• permitting, by default, an unknown adult to contact a minor consumer on its platform without the minor consumer first initiating that contact;
• permitting a minor consumer to be exploited by a contract on the online service, product, or feature;
• processing personal data of a minor consumer unless it is reasonably necessary for providing an online service, product, or feature requested by a minor consumer with which a minor consumer is actively and knowingly engaged;
• profiling a minor consumer, unless provided by the bill;
• selling personal data of minors;
• processing any precise geolocation information of a minor unless provided by the bill;
• using dark patterns;
• permitting a parent or guardian of a minor consumer, or any other consumer, to monitor the online activity of a minor consumer or to track the location of the minor consumer without providing a conspicuous signal to the minor consumer when the minor consumer is being monitored or tracked; or 
• using a geofence to establish a virtual boundary that is within 1,850 feet of any health care facility, including any mental health facility or reproductive or sexual health facility, for the purpose of identifying, tracking, collecting data from, or sending any notification to a minor consumer regarding the minor consumer's consumer health data.

What are the other Senate-proposed amendments to the bill?

The Senate additionally proposed the addition of the Data Broker Security Breach Notice Act, in particular, adding credentialing requirements for data brokers. Further, the amendments propose the following effective dates if enacted: 

• 1 July 2024, for the provisions on Artificial Intelligence (AI) and Data Privacy Advisory Council; and
• 1 July 2025, for the provisions relating to the Vermont Data Privacy Act, Protection of Personal Information, and the Age-Appropriate Design Code.

You can read the bill as amended by the Senate here and view its progress here.

UPDATE (13 May 2024)

Bill passes Legislature

On 12 May 2024, the Vermont State Representative, Monique Priestley, announced via LinkedIn that the House and the Senate passed the bill. The bill will now be sent to the Governor for signature to become law.

Please note that the official bill text has not been posted on the Vermont Legislature website. 

You can read the LinkedIn post here, the bill as amended by the Senate here, and track its progress here.

UPDATE (22 May 2024)

Legislature publishes bill as passed by both Houses 

On 21 May 2024, Monique Priestley, announced via LinkedIn, that the text of the bill as passed by both Houses was published by the Legislature. 

Notably, the bill provides for comprehensive data protection, including: 

• the Vermont Data Privacy Act;
• the Public Outreach and Education, the Attorney General study;
• the Protection of Personal Information, which includes the provisions relating to Data Broker Security Breach; and
• the Age-Appropriate Design Code. 

What are the changes to the bill text?

The bill, as passed by both Houses, amends the text of the bill as amended by the Senate. Importantly, the provisions related to the establishment of the Artificial Intelligence and Data Privacy Advisory Council are deleted from the bill. The bill includes, among other things, certain amendments to the Age-Appropriate Design Code as well as the Vermont Data Privacy Act.

Vermont Data Privacy Act

The scope of the bill was modified to apply to a person that conducts business in Vermont or a person that produces products or services that are targeted to residents of Vermont and that during the preceding calendar year:

• controlled or processed the personal data of not fewer than 25,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or
• controlled or processed the personal data of not fewer than 12,500 consumers and derived more than 25% of the person's gross revenue from the sale of personal data.

The bill further amends the duties of the controller, including towards minors, and deletes the duty that a controller shall not process the personal data of a known minor for the purpose of targeted advertising. 

Enforcement

The AG would be authorized to enforce the provisions of the bill. The bill also provides for a private right of action in certain circumstances, notably, a private right of action is available to the consumer harmed by a data broker's or large data holder's violation as provided in the bill. 

Next steps

The bill will now be sent to the Governor of Vermont for signature. If enacted, the bill provides for staggered effective dates:

• 1 July 2025, for Section 1 (Vermont Data Privacy Act) and Section 7 (Age-Appropriate Design Code);
• 1 July 2024, for Section 2 (public education and outreach), Section 3 (protection of personal information), Section 4 (data broker opt-out study), and Section 8 (study on Vermont Data Privacy Act);
• 1 July 2026, for Section 5 (Vermont Data Privacy Act middle applicability threshold) and Section 11 (utilities exemption repeal);
• 1 January 2027, for Section 9 (private right of action);
• 1 July 2027, for Section 6 (Vermont Data Privacy Act low applicability threshold); and
• 1 January 2029, for Section 10 (private right of action repeal).

You can read the LinkedIn post here, the bill as passed by both Houses here, and track its progress here.

UPDATE (10 June 2024)

Bill delivered to Governor

On 7 June 2024, the bill was delivered to the Governor for signature. 

You can read the bill as passed by both Houses here and track its progress here.

UPDATE (14 June 2024)

Bill vetoed by Governor

On 13 June 2024, the bill was vetoed by the Governor. 

According to the Governor, the bill created an unnecessary and avoidable level of risk, especially the provisions on the private right of action, which would make Vermont an exception, and affect many businesses and non-profits. The Governor added that another risk of the bill came from the Age-Appropriation Code provision, noting that the courts stopped similar legislation in California for likely First Amendment violations.

You can read the press release here, read the bill as passed by both Houses here, and view its legislative history here.

UPDATE (18 June 2024)

Senate sustains Governor's veto on bill

On 17 June 2024, the Senate sustained the Governor's veto on the bill. The Senate sustained the veto on a roll call with 14 Yeas and 15 Nays on the question of whether the bill should pass notwithstanding the Governor's refusal to approve the bill. 

You can read the bill as passed by both Houses here and view its legislative history here.