Sticky Situation: Vermont Governor Puts the Lid on Privacy Bill
Jun 14 2024
UPDATE: The governor’s veto of the Vermont Data Privacy Act (VTDPA) was sustained during the special veto session of the General Assembly on June 17, 2024. The bill is now dead. Although the override cleared the House, the Vermont Senate was unable to muster the two-thirds majority needed to override the governor’s veto. The bill’s complexity, its unique definitions, and its private right of action were the main points of discussion during the Senate’s vote. A new bill will need to be reintroduced in the 2025 legislative session.
The VTDPA combined several privacy bills into one, addressing consumer protections and rights (including a limited private right of action), data brokers, consumer health data, and children’s protections. It would have been one of the most robust state privacy laws in the nation. Its ambitious scope may serve either as a model for future state privacy laws or as a warning to state legislators who try to push beyond what other states have enacted.
On Thursday, June 13, 2024, Vermont Governor Phil Scott vetoed the Vermont Data Privacy Act (H.121) (“VTDPA”), potentially delaying what has been hailed as one of the most robust consumer data privacy laws in the nation. The VTDPA now heads back to the General Assembly, where a two-thirds majority in each chamber is needed to override the veto. The General Assembly is scheduled to meet at 10 a.m. ET on Monday, June 17.
The Governor’s reasons for vetoing the bill are the same features that make the VTDPA unique: a private right of action; expanded protection for minors from addictive online content; and expansive definitions and provisions, including its data minimization requirements.
Specifically, according to Governor Scott’s letter to the General Assembly, the bill would create an “unnecessary and avoidable level of risk.” In the letter, the governor lists three key areas of risk:
The bill includes the following provisions:
The VTDPA is the first state law to include applicability thresholds that change over time, expanding the set of covered businesses each year. This graduated applicability gives small businesses more time to prepare for compliance.
The VTDPA applies to persons conducting business in Vermont or producing products or services targeted to Vermont residents, as follows:
Notably, there are no applicability thresholds for the VTDPA provisions concerning consumer health data and consumer health data controllers. Those provisions apply to any person that conducts business in the State or that produces products or services targeted to residents of the State.
Lastly, while the VTDPA generally includes some of the same exemptions we have come to expect from most privacy laws (e.g., GLBA, HIPAA), it exempts only certain types of non-profits rather than non-profits generally.
Key controller obligations include, but are not limited to, the following:
Key processor obligations include, but are not limited to, the following:
With the VTDPA, Vermont would have joined the few states whose privacy laws include a private right of action in specific circumstances. Beginning January 1, 2027, and expiring January 1, 2029, a limited private action would be available to individuals harmed by data brokers or large data holders that (1) process sensitive data without consent, (2) sell sensitive data, (3) violate the consumer health data requirements, or (4) fail to comply with COPPA.
Key definitions:
The Vermont Attorney General will enforce the VTDPA.
The VTDPA requires controllers to “limit the collection of personal data to what is reasonably necessary and proportionate to provide or maintain a specific product or service requested by the consumer to whom the data pertains.” This is stricter than the data minimization requirements in every current U.S. state privacy law, which only require that collection of personal data be reasonably necessary and proportionate to the purposes for which the data was collected: collection is tied to the product or service the consumer actually requested, not to whatever purposes the controller has defined. Controllers may need to review their data processing practices for compliance.
Almost immediately, by July 1, 2024, data brokers would be required to comply with the VTDPA’s Data Broker Security Breach Notice Act. Additionally, the Secretary of State would establish a data broker registry taking effect in early 2025.
The consumer rights under the VTDPA are similar to those in other state laws, including a mirror of Oregon’s right to obtain a list of the third parties with whom the consumer’s personal data has been shared. If the controller does not maintain a list of third parties with whom a specific individual’s personal data has been shared, the controller may instead provide a list of all third parties with whom it shares personal data.
The VTDPA requires a reasonably accessible privacy notice providing, among other items, “a clear and conspicuous link to a website where the consumer or an authorized agent may opt out from a controller’s processing of the consumer’s personal data.”
The VTDPA also includes provisions to address the processing of consumer health data. Consumer health data is defined as “any personal data that a controller uses to identify a consumer’s physical or mental health condition or diagnosis, including gender-affirming health data and reproductive or sexual health data.” Similar to Washington’s My Health My Data Act, the following is prohibited by the VTDPA:
Following the trend of states enacting legislation to protect minors from addictive algorithms, the VTDPA includes a section establishing the Vermont Age-Appropriate Design Code (VAADC), which imposes a minimum duty of care. A covered entity processing a minor’s consumer data shall not:
Notably, the VTDPA introduces the concept of “consciously avoiding knowing” into the knowledge standard: the obligations attach where the controller offers any online service, product, or feature to a consumer whom the controller knows, or consciously avoids knowing, is a minor. This is broader than an actual-knowledge standard, as a controller cannot escape the duty by declining to find out a user’s age.