Just past midnight on May 11, 2024, the Vermont legislature passed the Vermont Data Privacy Act (VDPA). VDPA, if signed by Governor Phil Scott, will take effect on July 1, 2025, and will make Vermont the 18th state to establish consumer privacy rights in the same vein as the California Consumer Privacy Act (CCPA). Although many state consumer privacy laws feel cookie cutter at this point, VDPA contains nuances that will require companies to strategize data management intake and processing.

VDPA contains many of the same data subject rights that organizations have come to expect from comprehensive consumer privacy laws. Consumers have the right to request deletion, access, correction, and opt-outs of certain sharing and selling. However, VDPA is unique in that it also provides consumers with a private right of action if the business misuses data about the consumer’s race, religion, sexual orientation, health, or other categories of sensitive information (collectively, “Sensitive Information”). VDPA also includes data minimization requirements barring businesses from collecting consumer personal information for any purpose beyond providing the business’s product or service.

Who is regulated under VDPA?

VDPA regulates any organization (regardless of geographic location) conducting business in Vermont, or producing products or services that are targeted to Vermont residents, and during the preceding calendar year: (1) controlled or processed the personal data of 25,000 or more Vermont consumers (excluding personal data controlled or processed for purposes of completing a payment transaction); OR (2) derived more than 50% gross revenue from the sale of personal data.

Much like consumer privacy laws already on the books, VDPA contains the usual exemptions for organizations already regulated by Gramm-Leach-Bliley Act (GLBA), Health Insurance Portability Act of 1996 (HIPAA), or the Fair Credit Reporting Act (FCRA).

What does VDPA regulate?

Quite a bit. VDPA affords the data subject rights identified above and commonly afforded under state consumer privacy laws. Organizations must respond to consumer requests “without undue delay, but no later than 60 days after receiving the request.” Regulated entities are prohibited from conditioning the exercise of consumer rights through the employment of any dark pattern or through the use of any false, fictious, or materially misleading statement or representation.

In addition to requirements to safeguard the confidentiality of, and restrict transmission of, consumer health data (in a similar vein to Washington’s My Health My Data Act), notify consumers of data security breaches, and provide “clear and conspicuous notice” before obtaining consent for collection of biometric identifiers, VDPA also provides for establishment of the Artificial Intelligence and Data Privacy Advisory Council (the “Council”). The Council is responsible for providing advice and counsel on the development, employment, and procurement of artificial intelligence (“AI”) in the Vermont State Government, which could lead to further regulatory requirements or legislation.

Finally, VDPA establishes “age appropriate design codes,” which standardizes how online services must protect children’s privacy and ensure online safety. The codes, based on age-ranges below 18 (for example, 0 to 5 years of age or preliterate and early literacy; 6 to 9 years of age or core primary school years; 10 to 12 years of age or transition years; 13 to 15 years of age or early teens; and 16 to 17 years of age or approaching adulthood), outline certain prohibitions such as use of dark patterns, profiling a minor consumer, or selling the personal data of minors.

Data minimization

Taking a page from last month’s California Privacy Protection Agency’s enforcement advisory, VDPA establishes data minimization requirements. These requirements go further than CCPA’s data minimization principle in that regulated businesses are barred from collecting personal information for ANY purpose outside of providing the offered product or service. As a result, businesses will need to prepare evidence for how data collection practices are “reasonably necessary and proportionate.” Note, however, that the minimization requirements do not apply to “Sensitive Information,” which requires consumer consent. The minimization requirements also prohibit companies from selling consumers’ sensitive data, and allows those consumers to file suit if they believe businesses have done so.

Private right of action

Perhaps the most notorious aspect of VDPA is its private right of action. Under VDPA, consumers may file suit against companies that allegedly violated the consumer’s data subject rights. The scope, however, is limited. The private right of action is applicable to any “large data holder” (defined as a business or person that processes more than 100,000 consumer records of Vermont residents), or is defined as a “data broker” (which, in turn, must be registered with the state as part of Vermont’s Data Broker Act). This is distinguished from CCPA’s private right of action, which only applies to data breaches and not uses surrounding Sensitive Information. In Vermont, consumers may only bring suit against data brokers and large data holders, but they can seek direct relief for alleged violations through the courts rather than request governmental agencies to file enforcement actions.

Although the private right of action is a novel attribute of VDPA, it appears experimental in nature. After two years, the Vermont legislature must reauthorize the private right of action provision or it will expire.

What’s next?

Vermont’s swing at a consumer data privacy legislation is a shot across the bow. The applicability is incredibly broad, but the permitted uses for personal information are heavily restricted. Further, allowing for a private right of action could result in a deluge of litigation with the plaintiff’s bar actively pursuing allegations of VDPA violations. If VDPA is signed into law, regulated entities will want to conduct a comprehensive review of data collection and processing practices to determine what changes will be necessary. In addition, online privacy policies will continue to be heavily scrutinized, and will likely act as “Exhibit A” in any filed suit. Plus, 32 states remain without a comprehensive consumer privacy law; some, or maybe even all of them, may find inspiration in VDPA’s private right of action. Whatever you do, do not sleep on these changes.

Taft’s Privacy & Data Security team has extensive experience counseling clients on consumer data privacy laws, data minimization strategies, and data governance program development. We will continue to monitor updates about VDPA. For more data privacy & security-related updates, please visit Taft’s Privacy & Data Security Insights blog and the Taft Privacy & Data Security Mobile Application.