Just past midnight on May 11, 2024, the Vermont Legislature passed H.121, the Vermont Data Privacy Act (VDPA). If signed into law, the VDPA would become the most onerous state comprehensive privacy law in the country. Among other things, the bill contains a private right of action (that will only last from 2027 through 2029), which is leading to some suspense as to whether it will become law. The bill awaits the signature of Vermont Governor Phil Scott, who is said to be considering a veto.

If Governor Scott signs the VDPA, most of its provisions would take effect July 1, 2025, but the private right of action would take effect January 1, 2027.

IN DEPTH

WHO DOES THE VDPA APPLY TO?

The VDPA is a long and complicated bill, and the applicability layers are no exception. There are multiple layers of applicability to VDPA, which we use in this article as follows:

Controllers: The VDPA generally applies to controllers, which are defined as a person that conducts business in Vermont or a person that produces products or services that are targeted to Vermont residents and that during the preceding calendar year:

• Controlled or processed the personal data of not fewer than 25,000 consumers (to be lowered to 12,500 consumers on July 1, 2026, and then to 6,250 consumers on July 1, 2027), excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or
• Controlled or processed the personal data of not fewer than 12,500 consumers (to be lowered to 6,250 consumers on July 1, 2026, and then to 3,125 consumers on July 1, 2027) and derived more than 25% (to be lowered to 20% on July 1, 2026) of the person’s gross revenue from the sale of personal data.

Covered persons: Certain sections of the VDPA – including the provisions relating to consumer health data; consumer health data controllers; the duties of controllers to minors, data protection assessments for online services, products or features offered to minors; and the confidentiality of consumer health data – apply more generally to covered persons conducting business in Vermont or producing products or services targeted to Vermont residents without any additional limitations.

Online service providers: The VDPA also contains requirements applicable to controllers that offer any product, service or feature online that is not (1) a telecommunications service subject to the Communications Act of 1934, (2) a broadband internet service or (3) the delivery or use of a physical product. That last exception is unquestionably odd and subject to multiple interpretations.

Large data holders: A large data holder is a person who, during the preceding calendar year, processed the personal information of 100,000 or more Vermont residents.

WHO IS A “CONSUMER”?

A consumer is an individual who is a resident of Vermont. However, a consumer is not an individual acting in a commercial or employment context or as an employee, owner, director, officer or contractor of a company, partnership, sole proprietorship, nonprofit or government agency whose communications or transactions with the controller occur solely within the context of that individual’s role with the company, partnership, sole proprietorship, nonprofit or government agency.

WHAT IS “PERSONAL DATA”?

Personal data means any information, including derived data and unique identifiers, that is linked or reasonably linkable to an identified or identifiable individual or to a device that identifies, is linked to or is reasonably linkable to one or more identified or identifiable individuals in a household. Personal data does not include de-identified data or publicly available information.

The wrinkle is that, as drafted, the VDPA appears to require all entities that want to assert that information is de-identified to comply with the Health Insurance Portability and Accountability Act (HIPAA) de-identification standards. It is difficult to believe that the Vermont Legislature meant to impose HIPAA de-identification standards on all entities, but one potential reading of the VDPA is exactly that.

WHO CAN ENFORCE?

Notably, the VDPA creates a private right of action for a consumer who is harmed by a data broker or large data holder’s:

• Processing of sensitive data without first obtaining the consumer’s consent;
• Processing of the sensitive data of a known child in a manner that does not comply with the Children’s Online Privacy Protection Act (COPPA);
• Sale of sensitive data; or
• Violation of the confidentiality obligations relating to consumer health data.

The Vermont attorney general has the authority to enforce violations. Prior to initiating an action for a violation, the attorney general may issue a notice extending a 60-day cure period for the alleged violation.

WHO IS EXEMPT?

The VDPA has several entity-level exemptions, including for:

• Federal, state, tribal or local government entities in the ordinary course of their operation;
• Covered entities that are not hybrid entities, healthcare components of a hybrid entity or business associates;
• Financial institutions, credit unions, independent trust companies, broker-dealers, investment advisers, or their affiliates or subsidiaries that are exclusively and directly engaged in financial activities; and
• Nonprofit organizations established to detect and prevent fraudulent acts in connection with insurance.

The VDPA’s list of data-level exemptions includes data processed in accordance with a variety of federal laws, such as HIPAA, the Common Rule and other research laws and regulations, the Driver’s Privacy Protection Act, the Family Educational Rights and Privacy Act, the Farm Credit Act, the Gramm-Leach-Bliley Act and the Fair Credit Reporting Act.

There are also what can only be described as special interest exemptions that are unique to the VDPA. For example, publishers and editors, television and radio stations holding Federal Communications Commission licenses, and press and wire services are all exempt.

WHAT CONSUMER RIGHTS ARE CREATED BY THE VDPA?

The VDPA grants Vermont residents the right to:

• Confirm whether a controller is processing the consumer’s personal data and to access that data, if processed;
• Obtain from a controller a list of third parties to which the controller has disclosed the consumer’s personal data or, if the controller does not maintain this information in a format specific to the consumer, a list of third parties to which the controller has disclosed personal data;
• Correct inaccuracies in the consumer’s personal data, taking into account the nature of the personal data and the purposes of the processing of the consumer’s personal data;
• Delete personal data provided by, or obtained about, the consumer unless retention of the personal data is required by law;
• Data portability, if the processing of personal data is done by automatic means; and
• Opt out of the processing of personal data for purposes of (1) targeted advertising, (2) the sale of personal data or (3) profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer.

The VDPA allows consumers to designate an authorized agent for the purposes of exercising only the consumer’s right to delete or opt out of the processing of their personal data.

Targeted advertising under the VDPA tracks the CCPA model definition in that “targeted advertising” is considered to be the targeting of an advertisement based on activity across distinctly branded websites even if those websites belong to affiliated entities.

Additionally, the requirement that a controller provide a “list of third parties” to whom personal information has been disclosed is likely to be an incredibly burdensome exercise for most businesses.

WHAT OBLIGATIONS ARE IMPOSED?

Controllers are subject to a number of obligations, including requirements to:

• Not sell sensitive data (like in Maryland’s privacy law);
• Not process sensitive data about a consumer without first obtaining the consumer’s consent or, if the controller knows the consumer is a child, without processing the sensitive data in accordance with COPPA;
• Establish a process by which a consumer may appeal the controller’s refusal to take action on a request;
• Limit the collection of personal data to what is reasonably necessary and proportionate to provide or maintain a specific product or service requested by the consumer to whom the data pertains;
• Have reasonable administrative, technical and physical data security practices to protect the personal data;
• Provide an effective mechanism for a consumer to revoke consent to the controller’s processing of the consumer’s personal data;
• Not process personal data for a purpose not disclosed in the privacy notice unless the controller obtains the consumer’s consent or the purpose is reasonably necessary to and compatible with a disclosed purpose;
• Not discriminate or retaliate against consumers for exercising their rights, for refusing to consent to the processing of personal data for a separate product or service, and in certain other circumstances;
• Provide a privacy notice with certain disclosures (e.g., categories of personal data that the controller possesses; purposes for processing; how to exercise consumer rights; categories of personal data shared; categories of third parties with which the personal data is shared; online contact method that the controller actively monitors; business name and assumed business name of the controller; description of processing engaged for the purposes of targeted advertising, sale of personal data or profiling; opt-out procedures; and methods for submitting a consumer request); and
• If in possession of de-identified data, take reasonable measures to ensure that the data cannot be used to re-identify an individual or be associated with an individual or device that identifies, is linked or is reasonably linkable to an individual or household; publicly commit to maintaining and using de-identified data without attempting to re-identify the data; and contractually obligate any recipients of the de-identified data to comply with the VDPA.

Additionally, a covered person who offers any online service, product or feature to a consumer whom the covered person knows or consciously avoids knowing is a minor must:

• Not process the minor’s personal data for longer than is reasonably necessary to provide the online service, product or feature;
• If the minor has consented to the processing of precise geolocation data, collect the minor’s precise geolocation data only as reasonably necessary to provide the online service, product or feature; and provide to the minor a conspicuous signal indicating that the covered person is collecting such data and make the signal available for the entire duration of the collection.

Again, the requirements of the VDPA appear to pose significant implementation burdens on any covered person who collects information about minors.

The VDPA also requires that, subject to applicable exceptions, no covered person may:

• Provide an employee or contractor with access to consumer health data unless the employee or contractor is subject to a contractual or statutory duty of confidentiality;
• Provide any processor with access to consumer health data unless the person and processor comply with the above duties of a processor; or
• Use a geofence to establish a virtual boundary that is within 1,850 feet of any healthcare facility, including any mental health facility or reproductive or sexual health facility, for the purpose of identifying, tracking, collecting data from or sending any notification to a consumer regarding their health data.

WHAT IS “SENSITIVE DATA”?

Sensitive data is personal data that:

• Reveals a consumer’s government-issued identifier – such as a Social Security, passport, state identification card or driver’s license number – that is not required by law to be publicly displayed;
• Reveals a consumer’s racial or ethnic origin, national origin, citizenship or immigration status, religious or philosophical beliefs, or union membership;
• Reveals a consumer’s sexual orientation, sex life, sexuality or status as transgender or nonbinary;
• Reveals a consumer’s status as a victim of a crime;
• Is financial information – including a consumer’s tax return and account number, financial account login credentials, financial account, debit card number, or credit card number in combination with any required security or access code, password or other credentials allowing access to an account;
• Is consumer health data;
• Is personal data collected and analyzed concerning consumer health data or personal data that describes or reveals a past, present or future mental or physical health condition, treatment, disability or diagnosis, including pregnancy, to the extent the personal data is not used by the controller to identify a specific consumer’s physical or mental health condition or diagnosis;
• Is biometric or genetic data;
• Is personal data collected from a known minor; or
• Is precise geolocation data (within a radius of 1,850 feet).

RESPONSE TO CONSUMER REQUESTS

The VDPA follows most other states by requiring controllers to respond to consumer requests within 45 days after receipt. The VDPA allows for a 45-day extension when reasonably necessary, provided the controller informs the consumer of the extension within the initial 45-day response period and the reason for the extension. If the controller declines to take action regarding the request, the controller must inform the consumer within 45 days after receipt of the request of the justification for declining to take action and provide instructions for appealing the decision. The appeal must be approved or denied within 45 days after receipt. If the controller denies the appeal, the notice to the consumer must provide or specify information enabling the consumer to contact the Vermont attorney general to submit a complaint.

DATA PROTECTION ASSESSMENTS 

The VDPA requires controllers to conduct and document a data protection assessment for each processing activity that presents a heightened risk of harm to a consumer, which includes:

• Processing personal data for targeted advertising;
• Selling personal data;
• Processing personal data for profiling, where the profiling presents a reasonably foreseeable risk of unfair or deceptive treatment of, or unlawful disparate impact on, consumers; financial, physical or reputational injury to consumers; a physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumers, where the intrusion would be offensive to a reasonable person; or other substantial injury to consumers; and
• Processing sensitive data.

The assessments must identify and weigh the processing activity’s benefits that may flow to the controller, consumer, other stakeholders and the public against the potential risks to the consumer, as mitigated by safeguards that can be employed by the controller to reduce the risks.

A covered person who offers an online service, product or feature to a consumer who the covered person knows or consciously avoids knowing is a minor must also include in its assessment for the online service, product or feature a variety of additional analyses, including a mitigation plan under certain circumstances.

One saving grace is that, like other state privacy laws, the VDPA allows data protection assessments conducted to comply with other existing laws to satisfy its requirements if the assessment is reasonably similar in scope and effect.

WHEN DOES THE VDPA TAKE EFFECT?

The bill provides for staggered effective dates. If signed, the sections relating to the Vermont attorney general’s public education, outreach and assistance program; assessment of the VDPA; and policy recommendations will come into effect on July 1, 2024. For controllers and covered persons, most of the VDPA will take effect on July 1, 2025. The private right of action will take effect on January 1, 2027, and sunset on January 1, 2029. The VDPA’s applicability thresholds will lower on July 1, 2026, and then again on July 1, 2027.