Vermont: Bill for Vermont Data Privacy Act passes second reading

On April 25, 2024, House Bill 121 for the Vermont Data Privacy Act was read for a second time by the Vermont State Senate following a favorable report, on the same date, by the Committee on Economic Development, Housing and General Affairs. The bill was subsequently referred to the Committee on Appropriations.

What is the scope of the bill for the Vermont Data Privacy Act?

In particular, the bill provides for the establishment of the Vermont Data Privacy Act, applicable to a person that conducts business in Vermont or a person that produces products or services that are targeted to residents of Vermont and that during the preceding calendar year:

  • controlled or processed the personal data of not fewer than 25,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or
  • derived more than 50% of the person's gross revenue from the sale of personal data.

However, the bill outlines that it does not apply to, among other things:

  • a federal, State, tribal, or local government entity in the ordinary course of its operation;
  • protected health information processed in accordance with the Health Insurance Portability and Accountability Act (HIPAA);
  • information processed or maintained solely in connection with, and for purposes of, enabling employment or application for employment; and
  • information collected, processed, sold, or disclosed under and in accordance with the Driver's Privacy Protection Act of 1994, the Farm Credit Act, non-public personal information processed by a financial institution subject to the Gramm-Leach-Bliley Act (GLBA), and a non-profit organization.

What consumer rights are provided for by the bill for the Vermont Consumer Privacy Act?

The bill provides for consumer rights including the right to be informed, access, rectification, deletion, data portability, and opt out of the processing of personal data for the purposes of targeted advertising, sale of personal data, or profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer.

Controllers must respond to consumer requests without undue delay but no later than 60 days after receiving the request, and information must be provided free of charge once per consumer during any 12-month period.

Notably, the bill specifies that a controller may not condition the exercise of consumer rights through:

  • the use of any false, fictitious, fraudulent, or material statement or representation; or
  • the employment of any dark pattern.

What controller and processor obligations fall under the bill for the Vermont Consumer Privacy Act?

The bill stipulates that controllers must, among other tasks:

  • create a reasonably accessible, clear, and meaningful privacy notice with specific contents;
  • process personal data in compliance with the principles of necessity and proportionality and for the specified purpose;
  • establish, implement, and maintain reasonable administrative, technical, and physical data security practices;
  • not process sensitive data without first obtaining consumer consent, or in the case of a known child, without processing the data in accordance with the Children's Online Privacy Protection Act (COPPA); and
  • not discriminate or retaliate against a consumer who exercises a right provided to the consumer under the bill. 

The bill also elaborates on obligations relating to the processing of minors' personal data, including not processing a minor's personal data for the purposes of targeted advertising, sale of personal data, or profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer. Such prohibitions also extend to minors' geolocation data and the employment of dark patterns. 

Processors specifically must adhere to controllers' instructions and assist them in meeting their obligations under the bill, with processing operations governed by a contract between the controller and processor. The contract must set forth specific instructions and obligations for the controller and processor and requires a processor to ensure that any subprocessor contracted also meets the processor's obligations concerning personal data. 

What enforcement and supervisory authorities are provided for under the bill for the Vermont Consumer Privacy Act?

The Vermont Attorney General (AG) is responsible for the enforcement of the bill. 

The bill also provides for the establishment of the Artificial Intelligence and Data Privacy Advisory Council responsible for providing advice and counsel on the development, employment, and procurement of artificial intelligence (AI) in the Vermont State Government.

The provisions for the Vermont Data Privacy Act are set to enter into effect on July 1, 2025.

Provisions related to the AI and Data Privacy Advisory Council are set to enter into effect on July 1, 2024.
