Vermont: Bill relating to age-appropriate design code referred to Committee on Economic Development, Housing and General Affairs

On January 17, 2024, Senate Bill S.289, for an act relating to age-appropriate design code was read for the first time in the Senate and on the same date, referred to the Committee on Economic Development, Housing and General Affairs. 

What is the scope of the bill?

The bill would apply to a 'covered entity' if:

  • it collects individuals' personal data or has individuals' personal data collected on its behalf by a third party;
  • alone or jointly with others, determines the purposes and means of the processing of individuals' personal data;
  • operates in Vermont; and
  • satisfies one or more of the following thresholds:
    • has annual gross revenues in excess of $25 million, as adjusted every odd-numbered year to reflect the Consumer Price Index;
    • alone or in combination, annually buys, receives for the covered entity's commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal data of 50,000 or more individuals, households, or devices; or
    • derives 50% or more of its annual revenues from selling individuals' personal data.

The bill also lists entities that would be excluded from the scope of the bill. 

What are the key provisions of the bill?

More specifically, the bill states that all covered entities that process children's data in any capacity shall do so in a manner consistent with the best interests of children.

What are the obligations and prohibitions of covered entities?

The bill imposes certain obligations and prohibitions on covered entities, including:

  • to complete a Data Protection Impact Assessment (DPIA) for an online service, product, or feature that is reasonably likely to be accessed by children and maintain documentation of the DPIA for as long as the online service, product, or feature is reasonably likely to be accessed by children;
  • to configure all default privacy settings provided to children by the online service, product, or feature to settings that offer a high level of privacy, unless the covered entity can demonstrate a compelling reason that a different setting is in the best interests of children;
  • to provide privacy information, terms of service, policies, and community standards concisely, prominently, and using clear language suited to the age of children reasonably likely to access that online service, product, or feature;
  • not to profile a child by default unless the criteria provided in the bill are met;
  • not to process any precise geolocation information of children by default, unless the collection of that precise geolocation information is strictly necessary for the covered entity to provide the service, product, or feature requested and then only for the limited time that the collection of precise geolocation information is necessary to provide the service, product, or feature; and 
  • not to use dark patterns to cause children to provide personal data beyond what is reasonably expected to provide that online service, product, or feature, to forego privacy protections, or to take any action that the covered entity knows, or has reason to know, is not in the best interests of children reasonably likely to access the online service, product, or feature.

Enforcement

The bill would authorize the Attorney General of Vermont to enforce the bill but does not grant a private right of action.

Next steps

If enacted, the bill would enter into effect on July 1, 2024. The bill would not apply to an online service, product, or feature that is not offered to the public on or after July 1, 2024. Additionally, on or before September 1, 2024, a covered entity would be required to complete a DPIA for any online service, product, or feature reasonably likely to be accessed by children offered to the public after July 1, 2024, unless the same is exempt.

You can read the bill here and track its progress here.

Update: March 14, 2024

Bill receives favorable report with recommendation of amendment by committee

On March 14, 2024, the bill received a favorable report with recommendation of amendment by the Committee on Economic Development, Housing and General Affairs after being read for the second time and referred to the Committee on Appropriations on the same date. 

You can read the bill here and track its progress here.

Update: March 20, 2024

Bill ordered to third reading in Senate

On March 19, 2024, the bill was ordered for third reading in the Senate after being read for the second time in the Senate and agreeing to the recommendation of amendment by the Committee on Economic Development, Housing and General Affairs on the same date.

You can read the bill here and track its progress here.

Update: March 21, 2024

Bill passes third reading in Senate

On March 20, 2024, the bill passed its third reading in the Senate. 

You can read the bill here and track its progress here.

Update: March 25, 2024

Bill referred to House Committee on Commerce and Economic Development

On March 22, 2024, the bill was read for the first time in the House and referred to the House Committee on Commerce and Economic Development on the same date. 

You can read the bill here and track its progress here.