On Thursday, June 13, 2024, Vermont’s Governor Phil Scott vetoed the Vermont Data Privacy Act (H.121) (“VTDPA”), potentially delaying what has been hailed as one of the most robust consumer data privacy laws in the nation. The VTDPA will now head to the General Assembly where it will need a two-thirds majority in each chamber to override the veto. The General Assembly is scheduled to meet at 10 a.m. EST on Monday, June 17.

The Governor’s reasons for vetoing the bill are the same reasons that make the VTDPA unique: a private right of action, expanded protection for minors from addicting online content; and unique expansive definitions and provisions, including in relation to its unique data minimization requirements.

Specifically, according to Governor Scott’s letter to the General Assembly, the bill would create an “unnecessary and avoidable level of risk.” In the letter, the governor lists three key areas he believes are of risk:

1. the private right of action, which would make Vermont hostile to businesses and negatively impact employers in the state;
    
2. the expanded protection for children, which could open Vermont to expensive and unnecessary litigation similar to litigation over California’s challenged Age-Appropriate Design Code Act; and
    
3. big and expensive new burdens and competitive disadvantages for small and mid-sized business, due mainly to the VTDPA’s complexity and unique expansive definitions and provisions.

The bill includes the following provisions:

Broad Applicability

The VTDPA is the first state law to include changing applicability thresholds, expanding applicability to more businesses each year. This graduated applicability to businesses provides small businesses more time to prepare for compliance.

The VTDPA applies to persons conducting business in Vermont or producing products or services targeted to Vermont residents, as follows:

• July 1, 2025: Controls or processes personal data of at least 25,000 residents; or in the preceding year, controlled or processed personal data of at least 12,500 residents and derived more than 25% of total revenue from the sale of Personal Information.
   
• July 1, 2026: Controls or processes personal data of at least 12,500 residents; or in the preceding year, controlled or processed personal data of at least 6,250 residents and derived more than 20% of total revenue from the sale of Personal Information, introduced in the bill as the “middle applicability threshold”.
   
• July 1, 2027: Controls or processes personal data of at least 6,250 residents; or in the past year, controlled or processed personal data of at least 3,125 residents and derived more than 20% of total revenue from the sale of Personal Information, introduced in the bill as the “low applicability threshold”.

Notably, there are no applicability thresholds for the VTDPA provisions concerning consumer health data and consumer health data controllers. Such provisions apply to any person that conducts business in this State or that produces products or services that are targeted to residents of this State.

Lastly, while the VTDPA generally includes some of the same exemptions we have come to expect from most privacy laws (e.g., GLBA, HIPAA), the bill only includes exemptions for certain types of non-profits.

Definitions of Consumer, Personal Data, and Sensitive Personal Data

• “Consumer” means “an individual who is a resident of the State.” Consumer does not include an individual acting in a capacity of employee or in the B2B context.
   
• “Personal data” means “any information, including derived data and unique identifiers, that is linked or reasonably linkable to an identified or identifiable individual or to a device that identifies, is linked to or is reasonably linked to one or more identifiable individuals in a household.” Personal data does not include de-identified data or publicly available information.
   
• “Sensitive data” means Personal data that reveals:
  • a government issued identifier, race, ethnic origin, national origin, citizenship or immigration status, religious or philosophical beliefs, or union membership
  • sexual orientation, sex life, sexuality, or status as transgender or nonbinary
  • status as victim of a crime
  • consumer health data
  • personal data collected and analyzed to concerning consumer health data or personal data relating to past, present, or future mental or physical condition, treatment, disability, or diagnosis
  • biometric or genetic data
  • personal data collected from a minor
  • precise location data

Key Controller and Processor Obligations

Key controller obligations include, but are not limited to, the following:

• Limit the collection of personal data to what is reasonably necessary and proportionate to provide or maintain a specific product or service requested by the consumer to whom the data pertains; 
• Only process sensitive data about a consumer with prior opt-in consent;
• Not sell sensitive data (this is a blanket prohibition);
• Not discriminate against a consumer; 
• Implement reasonable and appropriate technical and organizations measures for data security; 
• Honor consumer requests;
• Implement written contracts with data processors; and 
• Conduct data protection assessments, where required.

Key processor obligations include, but are not limited to, the following:

• Adhere to a controller’s instructions and assist the controller in meeting its obligations under the law; 
• Enable the controller to respond to consumer requests;
• Only process personal information on behalf of the controller subject to a written contract between controller and processor; 
• Implement reasonable and appropriate technical and organizations measures for data security; and 
• Assist controller in conducting data protection assessments.

Private Right of Action – Limited to Data Brokers and Large Data Holders

The VTDPA is one of a few states to include a private right of action in specific circumstances. Beginning January 1, 2027, and expiring January 1, 2029, a limited private action is available for individuals harmed by data brokers or large data holders that (1) process sensitive data without consent, (2) sell sensitive data, (3) violate consumer health data requirements, or (4) are not complying with COPPA.

Key definitions:

• Data broker: a business that collects, sells, or licenses to third parties the personal data of a consumer with whom the business does not have a direct relationship, subject to certain exemptions.
   
• Large Data Holder: a business or person that during the preceding year processed the personal data of at least 100,000 consumers.

The Vermont Attorney General will enforce the VTDPA.

Novel Data Minimization Requirements

The VTDPA requires controllers to “limit the collection of personal data to what is reasonably necessary and proportionate to provide or maintain a specific product of service requested by the consumer to whom the data pertains.” This data minimization requirement is narrower than data minimization requirements in any current U.S. state privacy law which only requires that the collection of personal data be what is reasonably necessary and proportionate to achieve the purposes for which the personal data was collected. Controllers may need to review their data processing practices for compliance.

Data Broker Requirements in July 2024

Almost immediately—by July 1, 2024—data brokers are required to comply with VTDPA’s Data Broker Security Breach Notice Act. Additionally, the Secretary of State will establish a data broker registry coming into effect early 2025.

Consumer Rights

The consumer rights of the VTDPA are similar to other state laws, including mirroring Oregon’s right to obtain a list of third parties with whom the consumer’s personal data will be shared. If the controller does not maintain a list of third parties with whom an individual’s personal data has been shared, the controller may provide a list of all third parties with whom it shares personal data.

The VTDPA requires a reasonably accessible privacy notice providing, among other items, “a clear and conspicuous link to a website where the consumer or an authorized agent may opt out from a controller’s processing of the consumer’s personal data.”

Consumer Health Data Provisions

The VTDPA also includes provisions to address the processing of consumer health data. Consumer health data is defined as “any personal data that a controller uses to identify a consumer’s physical or mental health condition or diagnosis, including gender-affirming health data and reproductive or sexual health data.” Similar to Washington’s My Health My Data Act, the following is prohibited by the VTDPA:

• providing an employee or contractor with consumer health data unless the employee or contractor is subject to a contractual or statutory duty of confidentiality;
   
• providing a processor with consumer health data unless the processor is subject to certain contractual requirements; and
   
• using a geofence within 1,850 feet of any healthcare facility to identify, track, collect data from, or sending any notification to a consumer regarding the consumer’s health data.

More Protections for Minors

Following the trend of states enacting legislation to protect minors from addictive algorithms, the VTDPA includes a section covering Vermont Age-Appropriate Design Code (VAADC), establishing a minimum duty of care. A covered entity processing minor’s consumer data shall not:

• use a “low-friction” reward (intermittently rewards consumers for scrolling, tapping, opening, or continuously engaging in an online service, product, or feature) design feature that encourages “excessive and compulsive” use by a minor;
   
• permit an adult contact a minor without the minor initiating the contact;
   
• permit a minor from being exploited by a contract on the online service;
   
• use dark patterns; and
   
• allow a parent or guardian to track the location of a minor, without making the tracking conspicuous.

Notably, the VTDPA introduces the concept of “consciously avoiding knowing” to the standard for establishing whether the controller offers any online service, product, or feature to a consumer whom the controller knows—or consciously avoids knowing—is a minor.

Effective dates

• July 1, 2024
  • State-run public education and outreach begins
  • General provisions relating to protection of personal data and data broker breach notification obligations begin
  • Data broker study begins, and data broker registration follows
• July 1, 2025
  • General provisions and consumer rights go into effect
  • Age-Appropriate Design Code goes into effect
• July 1, 2026
  • Middle applicability threshold goes into effect
  • Utilities exemption sunsets
• January 1, 2027
  • Private right of action goes into effect
• July 1, 2027
  • Low applicability threshold goes into effect
• January 1, 2029 
  • Private right of action sunsets