Vermont’s Amendments to Data Breach Law and New Student Privacy Law Effective July 1, 2020


On July 1, 2020, amendments to Vermont’s data breach notification law, signed into law earlier this year, will take effect along with Vermont’s new student privacy law.

Security Breach Notice Act

The amendments to Vermont’s Security Breach Notice Act include expanding the definition of Personally Identifiable Information (“PII”), expanding the definition of a breach to include login credentials and narrowing the permissible circumstances under which substitute notice may be used. Notably, the amendments:

Read Vermont’s explanation of the amendments.

Student Data Privacy

Vermont’s Student Data Privacy law, modeled after California’s Student Online Personal Information Protection Act, generally, will prohibit certain “operators” of websites, online services and online or mobile applications used primarily by, and designed and marketed to, PreK-12 schools from knowingly:

Operators also are required to:

The law also allows operators to use covered information to comply with applicable law or for legitimate research purposes (in certain circumstances), and to disclose covered information to a State or local educational agency for PreK-12 school purposes, as permitted by State or federal law.

The law further clarifies that an operator may use covered information that is not associated with an identified student to improve the operator’s educational products and to demonstrate the effectiveness of the operator’s products or services, including in its marketing. An operator also may share covered information that is not associated with an identified student for the development and improvement of its educational sites, services or applications. Additionally, an operator may use recommendation engines to recommend to a student additional content or services related to an educational, other learning, or employment opportunity within an online site, service or application, if the recommendation is not determined by payment or other consideration from a third party.

The law is enforceable by the Vermont Attorney General. The law calls for the Vermont Attorney General, in consultation with the Vermont Agency of Education, to examine the issue of student data privacy as it relates to the Family Educational Rights and Privacy Act and access to student data by data brokers, and determine whether to make any recommendations.


Copyright © 2025, Hunton Andrews Kurth LLP. All Rights Reserved.
National Law Review, Volume X, Number 174