Peak Privacy: Vermont’s Summit on Data Privacy
On June 13, 2024, Governor Phil Scott vetoed H. 121. This marked the first gubernatorial veto of a comprehensive privacy bill passed by a state legislature.
Immediately prior to the close of the state legislative session on May 10, 2024, the Vermont legislature passed H. 121, “An act relating to enhancing consumer privacy and the age-appropriate design code.” If enacted by Governor Scott, Vermont could become the state with the farthest-reaching comprehensive privacy law. While the Vermont Data Privacy Act (VDPA) is modeled after the popular Connecticut privacy framework, it goes further in many places, drawing inspiration from a variety of sources. Vermont adds data minimization provisions inspired by Maryland’s new privacy law, new digital civil rights protections pulled from the American Data Privacy and Protection Act, a trimmed-down Age-Appropriate Design Code (AADC) focused on design features, and an entirely novel private right of action.
Applicability
At over 100 pages, determining whether and how an organization will be covered by H. 121 is a more complicated question than under most state privacy laws. The VDPA contains unique scoping provisions and tiered effective dates tied to an organization’s size and the types of data it processes, and the AADC scope is entirely distinct from the rest of the VDPA.
1. Tiered effective dates
The Vermont Data Privacy Act establishes a tiered timeline for applicability. For larger organizations that process the data of 25,000+ Vermont consumers, or that process the data of 12,500 consumers and derive more than 25% of their revenue from selling personal data, the law will go into force on July 1, 2025. Come July 1, 2027, the law will apply to organizations that either process the data of 6,250+ consumers, or process the data of 3,125 consumers and derive more than 20% of their revenue from selling personal data. Even allowing for Vermont’s small population, these are proportionally the lowest applicability thresholds of any comprehensive state privacy law.
2. No revenue and data processing thresholds for health data and kids’ data
The VDPA contains heightened protections for minors’ data and provisions concerning consumer health data that are not tied to the above revenue and data processing thresholds. As a result, small businesses could potentially have obligations under these provisions. Vermont joins an emerging trend originating in Connecticut of making certain protections for the most sensitive categories of personal information generally applicable, rather than being subject to a small business exception.
3. Separate applicability for Age-Appropriate Design Code
The standalone AADC section also contains a unique applicability threshold. Rather than apply to controllers, the AADC section applies to “covered businesses” that collect consumers’ personal data, determine the purposes and means of processing that data, and, alone or in combination, buy, receive for commercial purposes, sell, or share the personal data of at least 50% of their consumers. Given that this section specifies businesses and the revenue threshold is 50%, it will likely apply to a smaller subset of organizations than those covered under the VDPA. The ultimate scope of this provision is likely to be substantially shaped by how the term “receive for commercial purposes” is interpreted.
Notable protections for Vermonters
Much ink has been spilled over the “state privacy patchwork,” but the Vermont law itself is a bit of a patchwork, given that it draws inspiration from multiple sources, such as Connecticut, Maryland, and the American Data Privacy and Protection Act. Many rights given to individuals may be familiar, such as accessing, correcting, and deleting personal information. However, Vermont’s patchwork bill creates notable differences, including data minimization, prohibitions on selling sensitive data, and prohibitions on discriminatory processing.
1. Data minimization
The VDPA places default limits on the collection of personal data to what is reasonably necessary and proportionate to provide or maintain a specific product or service requested by the individual. This limit matches Maryland; however, Vermont lacks Maryland’s requirement that the processing of sensitive data be strictly necessary, making Vermont somewhat less restrictive. Vermont further prohibits processing for any purpose not disclosed in a privacy notice unless the individual’s consent is obtained or the purpose is reasonably necessary to and compatible with a disclosed purpose.
2. Prohibitions on selling sensitive data
Similar to Maryland, the VDPA prohibits the sale of sensitive data. Under the VDPA, sensitive data includes, among other things, consumer health data, biometric or genetic data, and personal data collected from a known minor. While the privacy protections for minors’ data and consumer health data largely follow Connecticut’s, Vermont goes further by not allowing the sale of sensitive data even with consent. Vermont may go further than even Maryland because it defines “sale” more broadly than any state privacy law to date, including the exchange of personal information not just for monetary value or other valuable consideration, but for a commercial purpose.
3. Prohibitions on discriminatory processing
Vermont prohibits processing an individual’s personal data in violation of State or federal laws that prohibit unlawful discrimination, or in a manner that discriminates against individuals or otherwise restricts the enjoyment of goods and services based on protected classes. There are limited exceptions for self-testing and diversity applicant pools. These civil rights protections, derived from the American Data Privacy and Protection Act (ADPPA) and the American Privacy Rights Act discussion draft, go further than existing state privacy laws because the prohibition is not strictly tied to discrimination that is already unlawful. One minor difference from ADPPA is that Vermont prohibits discrimination “against individuals,” rather than processing “in a manner that discriminates,” though this distinction may not have a practical impact.
4. Broad right to opt out of targeted advertising
Like the Connecticut framework, the VDPA allows for the option to opt out of targeted advertising. However, the VDPA broadens the definition of targeted advertising to include first-party data shared between distinctly branded websites, including websites operated by the same controller. This expanded definition goes much further than any existing state privacy law.
A limited private right of action
To date, the only comprehensive state privacy law with any private right of action is California, which narrowly provides that certain data breaches can be the basis for a cause of action. Otherwise, comprehensive privacy laws are solely enforced by government regulators such as State Attorneys General. Vermont would break this mold by allowing individuals to bring suit against “large data holders” and data brokers in instances where there were alleged violations involving sensitive data or confidentiality of consumer health data. Vermont defines large data holders as organizations that process the data of more than 100,000 Vermont residents. This is noteworthy because as of the 2020 census, the Vermont population is 643,000. By limiting the private right of action to specific types of entities and particular kinds of privacy violations, the private right of action reflects a compromise between lawmakers in the House who wanted a broad private right of action and lawmakers in the Senate who struck it entirely in an earlier draft.
In a further act of compromise, Vermont legislators took a creative approach to the timeframe for bringing any lawsuits. The private right of action goes into effect January 1, 2027, 18 months after the largest organizations will have had to come into compliance with the law. The private right of action will sunset after two years unless the Vermont legislature passes a new law to affirmatively reauthorize it. Separately, the Attorney General is charged with conducting a study and developing recommendations to the legislature on implementing a private right of action, including applicability thresholds that ensure a private right of action does not harm good-faith actors or small businesses, and damages that balance the consumer interest in enforcing rights against any incentives for litigants with frivolous claims. The report is due by January 15, 2026, a year before the private right of action takes effect and as the legislature begins its next session.
Heightened protections for minors, including two duties of care
Because Vermont draws from Connecticut’s framework, the VDPA includes heightened protections for children and teens that largely mirror Connecticut. These protections include a duty to avoid a “heightened risk of harm” to minors, restrictions on selling minors’ data, and additional risk assessment requirements for controllers who process minors’ data. One subtle but significant difference is that Vermont adds additional harm to be considered in the duty of care and data protection impact assessments. Covered organizations will need to consider any “unintended disclosure of personal data of a minor.” Interestingly, this is language that was considered in Colorado this legislative session, but was ultimately rejected in favor of “unauthorized disclosure of the personal data of minors as a result of a security breach.” The harm articulated in Vermont is much broader and could cover inadvertent disclosures, not just disclosures due to a security breach.
However, the protections focused on children and teens do not end there. During the 2024 session, Vermont lawmakers pursued parallel efforts to protect children online: H. 121, a comprehensive privacy bill, which passed, and S. 289, an AADC. A slimmed-down version of S. 289 was appended to H. 121, resulting in the passage of both. The Vermont Data Privacy Act provisions address minors’ data protection, while the AADC addresses safety and design features of online services for minors. A key example of this delineation is that while the VDPA restricts dark patterns specifically related to exercising data rights, the Vermont AADC bans all dark patterns. The AADC defines dark patterns broadly as any user interface that undermines user autonomy. Without attaching this restriction to data rights or to any specifically identified harm, the prohibition can be interpreted quite broadly. Additionally, the AADC prohibits “low-friction variable rewards” that “encourage excessive and compulsive use by a minor.” A low-friction variable reward is defined as “design features or virtual items that intermittently reward consumers for scrolling, tapping, opening, or continuing to engage” in a service, with examples including endless scroll and autoplay.
Another wrinkle of the attached AADC is that Vermont actually creates two duties of care for minors. In the comprehensive privacy section, companies have a duty to avoid a heightened risk of harm to minors. The AADC separately imposes an affirmative minimum duty of care owed to minors by any business that processes a minor’s data in any capacity.
Lastly, the AADC states that age verification is not required to comply with the obligations of this section. This may be a proactive effort to avoid litigation over the constitutionality of age verification mandates. Instead, the AADC provides that the obligations it imposes should be met using age estimation techniques. Given how age estimation is defined, this would present a novel question for a court to consider, should there be any litigation. It is also worth noting that age estimation often involves additional data collection, so covered organizations will need to take care in reconciling these obligations with the data minimization provisions of the VDPA.
Next steps
H. 121 has not yet been presented to the Governor for consideration. Once received, the Governor will have only five days to consider the bill. Given the novelty of several of its provisions, the bill may be cause for concern or may be an opportunity for Vermont to raise the bar across the nation. Should the Governor veto the bill, it passed both chambers with the votes necessary to support a veto override. Organizations in scope and Vermonters should take note that the bill also calls for the Attorney General to lead a public education, outreach, and assistance program, which would begin to take effect July 1, 2024.