Vermont: Bill for Data Privacy Act passes Legislature
On May 12, 2024, Vermont State Representative Monique Priestley announced via LinkedIn that the Vermont House of Representatives and the State Senate passed House Bill 121 for an act relating to enhancing consumer privacy. This follows the concurrence of the House with the Senate proposal of amendment to the House proposal of amendment to the Senate proposal of amendment to the bill on May 10, 2024.
Notably, the bill provides for comprehensive data protection, including:
- the Vermont Data Privacy Act;
- the establishment of the Artificial Intelligence and Data Privacy Advisory Council;
- the Protection of Personal Information, which includes the provisions relating to Data Broker Security Breach; and
- the Age-Appropriate Design Code.
Vermont Data Privacy Act
What is the scope?
The bill provides for the establishment of the Vermont Data Privacy Act, applicable to a person who conducts business in Vermont or a person who produces products or services that are targeted to residents of Vermont and that during the preceding calendar year:
- controlled or processed the personal data of not fewer than 25,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or
- derived more than 50% of their gross revenue from the sale of personal data.
Additionally, the bill outlines exceptions from its applicability.
What are the key provisions?
The bill provides for consumer rights including the right to opt out of the processing of personal data for the purposes of targeted advertising, sale of personal data, or profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer. Controllers must respond to consumer requests without undue delay but no later than 60 days after receiving the request, and information must be provided free of charge once per consumer during any 12-month period.
Notably, the bill specifies that a controller may not condition the exercise of consumer rights through:
- the use of any false, fictitious, fraudulent, or materially misleading statement or representation; or
- the employment of any dark pattern.
The bill also lays down the obligations of controllers and processors, including certain duties towards minors. Notably, the bill states that a controller shall not process the personal data of a known minor for the purpose of targeted advertising.
Confidentiality of consumer health data
The bill provides that no person shall:
- provide any employee or contractor with access to consumer health data unless the employee or contractor is subject to a contractual or statutory duty of confidentiality;
- provide any processor with access to consumer health data unless the person and processor comply with §2421 of the bill;
- use a geofence to establish a virtual boundary that is within 1,850 feet of any healthcare facility, including any mental health facility or reproductive or sexual health facility, for the purpose of identifying, tracking, collecting data from, or sending any notification to a consumer regarding the consumer's health data; or
- sell or offer to sell consumer health data without first obtaining the consumer's consent.
Artificial Intelligence and Data Privacy Advisory Council
The bill also provides for the establishment of the Artificial Intelligence and Data Privacy Advisory Council responsible for providing advice and counsel on the development, employment, and procurement of artificial intelligence (AI) in the Vermont State Government.
Protection of personal information
The bill includes provisions relating to biometric personal data, brokered personal information, and data security breach notification rules. The bill also includes data broker credentialing and registration requirements.
Age-Appropriate Design Code
The bill defines 'age-appropriate' as 'the recognition of the distinct needs and diversities of minor consumers at different age ranges. In order to help support the design of online services, products, and features, covered businesses should take into account the unique needs and diversities of different age ranges, including the following developmental stages:'
- zero to five years of age or preliterate and early literacy;
- six to nine years of age or core primary school years;
- 10 to 12 years of age or transition years;
- 13 to 15 years of age or early teens; and
- 16 to 17 years of age or approaching adulthood.
The bill further provides for age estimation methods and would impose a certain minimum duty of care on covered businesses that process a minor consumer's data. Additionally, in relation to the Age-Appropriate Design Code, the covered entities would be prohibited from, among other things:
- using low-friction variable reward design features that encourage excessive and compulsive use by a minor consumer;
- permitting, by default, an unknown adult to contact a minor consumer on its platform without the minor consumer first initiating that contact;
- permitting a minor consumer to be exploited by a contract on the online service, product, or feature;
- processing personal data of a minor consumer unless it is reasonably necessary for providing an online service, product, or feature requested by a minor consumer with which a minor consumer is actively and knowingly engaged;
- profiling a minor consumer, unless provided by the bill;
- selling personal data of minors;
- processing any precise geolocation information of a minor, unless provided by the bill;
- using dark patterns;
- permitting a parent or guardian of a minor consumer, or any other consumer, to monitor the online activity of a minor consumer or to track the location of the minor consumer without providing a conspicuous signal to the minor consumer when the minor consumer is being monitored or tracked; or
- using a geofence to establish a virtual boundary that is within 1,850 feet of any healthcare facility, including any mental health facility or reproductive or sexual health facility, for the purpose of identifying, tracking, collecting data from, or sending any notification to a minor consumer regarding the minor consumer's health data.
Effective date and enforcement
If enacted, the bill will enter into effect on:
- July 1, 2024, for the provisions relating to the Artificial Intelligence and Data Privacy Advisory Council; and
- July 1, 2025, for the provisions relating to the Vermont Data Privacy Act, Protection of Personal Information, and the Age-Appropriate Design Code.
Next steps
The bill would now be sent to the Governor for signature to become law.
Please note that the official bill text has not been posted on the Vermont Legislature website.
You can read the LinkedIn post here, the bill as amended by the Senate here, and track its progress here.