
Vermont becomes 23rd state to enact consumer privacy law

Vermont Gov. Phil Scott signed the state Data Privacy and Online Surveillance Act, which closely resembles Connecticut's state privacy law. With its enactment, Vermont becomes the 23rd state to feature a comprehensive state privacy law.


Contributors:

Alex LaCasse

Staff Writer

IAPP

Vermont became the 23rd state to enact a comprehensive state privacy law. Gov. Phil Scott, R-Vt., signed Senate Bill 71, the Vermont Data Privacy and Online Surveillance Act, into law 16 June.

With Scott's signature, Vermont becomes the fourth state to pass a comprehensive privacy law this year, joining Alabama, Louisiana and Oklahoma. The law will enter into force 1 Jan. 2028. Along with the signing of SB71, Scott signed a data broker registration bill; a day prior, he signed a bill restricting the sale of customers' genetic data by commercial testing companies. 

Under Vermont's new privacy law, enforcement power is granted exclusively to the state attorney general with no private right of action. The state attorney general must submit an annual report containing information on its enforcement to the Vermont General Assembly. The law features a 60-day cure period for violations that expires 30 June 2029. 

The law applies to data controllers or processors that handle the personal data of more than 35,000 state residents, those processing the sensitive personal data of at least 3,000 state residents or selling the personal data of at least 3,000 residents.

Additionally, the new law contains requirements for controllers and processors to respect users' opt-out preference signals as well as those submitted by authorized agents. The Vermont Data Privacy and Online Surveillance Act also requires privacy notices to disclose whether a controller collects, uses or sells personal data to train large language models, but does not require a state-specific privacy notice if the entity's general notice complies with the law.

Stauss PLLC Founder David Stauss, CIPP/E, CIPP/US, CIPT, FIP, said that Vermont's privacy law most closely resembles Connecticut's privacy law regime, such as provisions covering the sale and processing of sensitive personal data and requiring data protection impact assessments. He said it departs from Connecticut by setting a threshold that triggers the sensitive data processing provisions — something Connecticut does not include. 

According to Stauss, Vermont's 35,000-consumer threshold is on the "lower end among state laws," and represents 5.4% of the state population of roughly 645,000 people. He said this low applicability threshold makes the law the "highest percentage (covered under) any state consumer data privacy law."

New data broker registration law

Scott signed the other privacy-related bill, House Bill 211, 16 June.

The law establishes registration requirements for data brokers and education technology providers. Under the law, data brokers will need to annually register with the Vermont Secretary of State's office and pay a USD900 fee. The Secretary of State will be charged with maintaining a public registry of all data brokers operating in the state.

Sections 1 and 4 of HB211, which cover requirements for data brokers and edtech providers, enter into force 1 Jan. 2027. Sections 2 and 3, respectively, direct the Secretary of State to study a state-wide deletion mechanism and establish a state Cybersecurity Advisory Council. These sections enter into force 1 July of this year.

Gov. signs genetic data privacy law

On 15 June, Scott signed House Bill 639, the Genetic Information Privacy Act, into law, which also enters into force 1 July. 

The law restricts the sale of state residents' genetic data by direct-to-consumer genetic testing companies unless the company obtains an individual's explicit consent to share their data with third parties. The law states that "Express consent cannot be inferred from inaction," and that, "Agreement obtained through the use of dark patterns does not constitute express consent."

The law also requires genetic testing companies to destroy customer DNA samples and delete associated data upon request by the individual.

"The resulting legislation will ensure that Vermont consumers are in the best possible position to control and protect their genetic data and privacy at all times," state Rep. Herb Olson, D-Vt., said when the bill was introduced in the state House of Representatives in February, according to MyChamplainValley.com. 

The IAPP's Research & Insight team maintains a state privacy legislation tracker to help keep up with the latest developments. 


This content is eligible for Continuing Professional Education credits. Please self-submit according to CPE policy guidelines.
