Last week, Vermont Governor Phil Scott vetoed one of the most-watched pieces of privacy legislation in the United States: the Vermont Data Privacy Act (VDPA). Described in H.121 as “an act relating to enhancing consumer privacy and the age-appropriate design code,” was passed by the Vermont legislature in the early morning hours on May 11, 2024. The act represented a seismic change in domestic consumer privacy rights. However, Governor Scott returned H.121 without signature, effectively vetoing the would-be watershed bill.
What was the VDPA?
As described in last month’s blog article, VDPA contained many of the same data subject rights that organizations have come to expect from comprehensive consumer privacy laws. Consumers would have had the right to request deletion, access, correction, and opt-outs of certain sharing and selling. However, VDPA was unique in that it also provided consumers with a private right of action if the business misuses data about the consumer’s race, religion, sexual orientation, health, or other categories of sensitive information (collectively referred to in H.121 as “Sensitive Information”). VDPA also included data minimization requirements barring businesses from collecting consumer personal information for any purpose beyond providing the business’s product or service.
Further, the VDPA included provisions relating to age-appropriate design codes, or “kids code.” This code standardizes how online services must protect children’s privacy and ensure online safety. The codes, based on age ranges below 18 (for example, 0 to 5 years of age or preliterate and early literacy; 6 to 9 years of age or core primary school years; 10 to 12 years of age or transition years; 13 to 15 years of age or early teens; and 16 to 17 years of age or approaching adulthood), outline certain prohibitions such as use of dark patterns, profiling a minor consumer, or selling the personal data of minors. A similar law was passed in California, but it was later stayed by the federal courts.
Why did Gov. Scott Veto VDPA?
In vetoing VDPA, Governor Scott noted that, as written, the bill creates an “unnecessary and avoidable level of risk.” The first area of risk, largely considered VDPA’s distinguishing attribute, was its private right of action. Per Governor Scott, including a private right of action “would make Vermont a national outlier and more hostile than any other state to many businesses and non-profits…” To be sure, the controversial element of VDPA is that of the 17 other states to enact comprehensive privacy legislation, none have passed a private right of action for qualified violations (California Privacy Rights Act, however, does allow consumers to bring legal action against businesses for unauthorized access and disclosure of certain personal information).
Governor Scott also objected to the “Kids Code” provision of VDPA. Governor Scott noted that a similar provision in California legislation has been stayed by the courts for First Amendment reasons. Instead, Governor Scott suggested waiting to see how California’s Children’s Digital Privacy Law fares in the courts, and then “craft a bill that addresses known legal pitfalls before charging ahead with policy likely to trigger high risk and expensive lawsuits.”
What’s Next?
In our last blog post analyzing the VDPA legislative passage, we noted that the inclusion of a private right of action could be included in future bills for any of the 32 states that have, to date, failed to pass a comprehensive privacy law. However, Governor Scott’s veto will likely give other state legislatures pause before including any private right of action in a consumer privacy law. In addition, although many states have experimented with various age-appropriate design code laws, no meaningful developments are expected until the courts have resolved whether California’s children’s law is constitutional.
In his veto announcement, Governor Scott recommended that “Vermont should adopt Connecticut’s privacy law, which New Hampshire has largely done with its new law.” Governor Scott concluded that “[s]uch regional consistency is good for both consumers and the economy.” A regional approach to privacy legislation is a novel approach; with many states choosing to model their own laws after California, Virginia, and Colorado – the first three states to pass comprehensive consumer privacy laws. Regional consistency may soon emerge as a trend while nearly three dozen states consider similar legislation.
Contact Us
Taft’s Privacy & Data Security team has extensive experience counseling clients on consumer data privacy laws, data minimization strategies, and data governance program development. We will continue to monitor updates about Vermont’s privacy law efforts. For more data privacy & security-related updates, please visit Taft’s Privacy & Data Security Insights blog and the Taft Privacy & Data Security Mobile Application