On June 12, 2025, Vermont Governor Phil Scott signed into law the Vermont Age-Appropriate Design Code Act (S.B. 69) (the “Code”). The Code takes effect on January 1, 2027.

The Code requires “covered businesses” that develop or provide online services, products, or features “reasonably likely to be accessed” by minors under the age of 18 to refrain from using privacy-invasive design features in their online services. The Code requires covered businesses to use age-assurance methods specified in rules to be issued by the Vermont Attorney General to verify the age of users.

“Covered business” is defined as “a sole proprietorship, partnership, limited liability company, corporation, association, other legal entity, or an affiliate thereof” that:

• conducts business in the state of Vermont;
• generates a majority of its revenue from online services;
• employs online products, services or features that are “reasonably likely to be accessed” by a minor under the age of 18;
• collects Vermont consumers’ personal data or has such data collected on its behalf by a processor; and
• alone or jointly with others determines the purposes and means of the processing of Vermont consumers’ personal data.

The Code indicates that an online service is “reasonably likely to be accessed” by a “covered minor” if it meets one or more of the following criteria:

1. the online service is “directed to children” as defined under COPPA;
2. the online service is determined to be routinely accessed by an audience composed of at least two percent of minors ages two through 17, based on competent and reliable evidence of audience composition;
3. the audience of the online service is determined to be composed of at least two percent minors ages two through 17, based on internal company research; or
4. the covered business knew or should have known that at least two percent of the audience of the online service includes minors ages two through 17.

“Covered minor” is defined as a Vermont consumer who a covered business “actually knows” is a minor or labels as a minor pursuant to age assurance methods in rules adopted by the Vermont Attorney General.

The Code requires covered businesses to meet a “minimum duty of care” with respect to covered minors, by ensuring that a covered business’s use of minors’ personal data and the design of an online service will not result in: (1) reasonably foreseeable emotional distress to a covered minor; (2) reasonably foreseeable compulsive use of the online service by a covered minor; or (3) identity-based discrimination against a covered minor (i.e., based on race, ethnicity, sex, disability, sexual orientation, gender identity, gender expression, religion, or national origin). The Code further requires covered businesses to ensure that the content viewed by a covered minor does not cause emotional distress, compulsive use or discrimination to covered minors.

To meet this minimum duty of care, the Code requires covered businesses to configure all default privacy settings to the highest level of privacy for covered minors, including by:

1. not displaying the existence of a covered minor’s account on a social media platform to any “known adult” user unless the covered minor has expressly and unambiguously allowed a specific adult user to view their account or made their account public;
2. not displaying content created or posted by a covered minor on a social media platform to any known adult user unless the covered minor has expressly and unambiguously allowed a specific known adult user to view their content or chosen to make their content publicly available;
3. prohibiting known adult users from liking, commenting on, or otherwise providing feedback on a covered minor’s social media content unless the covered minor has expressly and unambiguously allowed a specific known adult user to do so;
4. prohibiting known adult users from direct messaging a covered minor on a social media platform unless the covered minor has expressly and unambiguously decided to allow direct messaging with a specific known adult user;
5. not displaying a covered minor’s location to other users, unless the covered minor has expressly and unambiguously shared their location with a specific user;
6. not displaying users connected to a covered minor on a social media platform unless the covered minor expressly and unambiguously chooses to share the information with a specific user;
7. disabling search engine indexing of a covered minor’s account profile; and
8. not sending push notifications to covered minors.

A covered business shall not provide covered minors with a singular setting that would make all of the default privacy settings less protective at once, nor shall they request that covered minors reduce their privacy settings unless given express consent. “Known adult” is defined as a Vermont consumer who a covered business “actually knows” is an adult or labels as an adult pursuant to age assurance methods in rules adopted by the Vermont Attorney General.

In addition, the Code requires covered businesses to:

• provide a prominent, accessible and responsive mechanism to delete a covered minor’s social media account and honor such deletion requests within 15 days;
• provide detailed privacy disclosures prominently and clearly on their websites or mobile applications, including specific information about the use of algorithmic recommendation systems;
• refrain from collecting, selling, sharing, or retaining any personal data of a covered minor that is not necessary to provide the online service with which the covered minor is actively and knowingly engaged;
• use previously collected personal data of a covered minor only for the purpose for which it was collected, unless necessary to comply with the Code;
• provide a conspicuous signal to the covered minor if their online activity or location is being monitored by any individual, including a parent or guardian;
• refrain from using a covered minor’s personal data to select, recommend, or prioritize content unless the selection is based on:
  • the minor’s express and unambiguous request for specific content, such as:
    • content from a specific account, feed, or user;
    • a specific category of content (e.g., “cat videos” or “breaking news”); or
    • content with characteristics similar to the media currently being viewed;
  • user-selected privacy or accessibility settings; or
  • a search query initiated by the covered minor, which may be used only to select and prioritize media in response to that search;
• refrain from sending push notifications to covered minors between 12:00 midnight and 6:00 a.m.;
• limit the collection of personal data for age assurance to that which is strictly necessary for the verification process;
• immediately delete any personal data collected for age assurance upon determining whether the user is a covered minor, except for the determination of the user’s age range;
• refrain from using age assurance data for any other purpose or combining it with other personal data, aside from the age range determination;
• avoid disclosing age assurance data to any third party that is not a processor; and
• implement a review process that allows users to appeal their age determination.

The Vermont Attorney General has the authority to enforce the Code.

The enactment of the Code mirrors the actions of other states that have passed similar legislation, including California, Maryland and Nebraska, and reflects a broader movement to implement legal structures that guide the use of minors’ online data in an effort to minimize potentially harmful effects of certain online platforms to minor users. The California and Maryland laws have been the subject of lawsuits on First Amendment grounds, with the California law currently fully enjoined.