On May 10, 2024, the Vermont legislature passed HB 121, which was delivered to Governor Phil Scott for his signature. HB 121 would enact the Vermont Data Privacy Act (“VDPA”), the Vermont Data Broker Breach Notification Act, and the Vermont Age-Appropriate Design Code. If enacted, the VDPA will provide a private right of action to consumers for certain violations of the VDPA.
Applicability
The VDPA’s applicability thresholds will change over time. On July 1, 2024, the VDPA will apply to a person who conducts business in Vermont or produces products or services directed to Vermont residents and who, during the preceding calendar year: (1) controlled or processed the personal data of no less than 25,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or (2) controlled or processed the personal data of no less than 12,500 consumers and derived more than 25 percent of the person’s gross income from the sale of personal data. On July 1, 2026, the “medium applicability threshold” will reduce the first criterion to 12,500 consumers and the second criterion to 6,250 consumers and 20 percent, respectively. On July 1, 2027, the “low applicability threshold” will reduce the first criterion to 6,250 consumers and the second criterion to 3,125 consumers and 20 percent, respectively.
Notably, for persons who conduct business in Vermont or direct products or services to Vermonters, there are no additional thresholds for the VDPA provisions relating to the personal data of minors (including data protection assessments) or for the provisions governing consumer health data controllers.
Controller Obligations
With some notable differences, the VDPA contains obligations for controllers that largely follow the model established by other comprehensive state privacy laws, including obligations to implement reasonable security measures, conduct data protection impact assessments, obtain consent to process sensitive data, and provide privacy notices with certain specific content. Similar to the Oregon Consumer Privacy Act (OCPA) and the Colorado Privacy Act (CPA) and their implementing regulations, the privacy notice must describe the categories of third parties to which the controller has disclosed the consumer’s personal data “with a level of detail that allows the consumer to understand what type of entity each third party is and, to the extent possible, how each third party may process personal data.” The VDPA, like the Maryland Online Data Privacy Act (MODPA), contains robust data minimization requirements that go beyond what other states require, i.e., limiting the collection of personal data to what is reasonably necessary and proportionate to provide or maintain a specific product or service requested by the consumer to whom the data belongs. The VDPA would also require controllers to provide an effective mechanism for a consumer to revoke their consent to the processing of personal data and to act on revocation requests within 15 days. Controllers are prohibited from certain activities, including the sale of sensitive data (which MODPA also prohibits).
Consumer rights
The VDPA follows a fairly familiar formula in terms of the rights it grants to consumers, with rights similar to those found, for example, in the OCPA and the DPDPA. In particular, like several recent laws (e.g., the OCPA, the DPDPA, and MODPA), the VDPA specifically includes the right to obtain a list of third parties to which the controller has disclosed the consumer’s personal data or, if the controller does not maintain this information in a consumer-specific format, a list of third parties to which the controller has disclosed personal data. Controllers have 45 days to respond to consumer rights requests, with a possible extension of 45 days where reasonably necessary.
Consumer health data
HB 121 contains a section dedicated to the confidentiality of consumer health data, which includes prohibitions on (1) providing any employee or contractor with access to consumer health data (unless the employee or contractor is subject to a contractual or legal duty of confidentiality); (2) providing any processor with access to consumer health data (unless the person and the processor meet the requirements established by the VDPA); and (3) using a geofence to establish a virtual boundary within 1,850 feet of any health care facility, including any mental health facility or sexual or reproductive health facility, for the purpose of identifying, tracking, collecting data from, or sending any notification to a consumer in relation to the consumer’s health data.
Age-appropriate design code
Subchapter 6 of HB 121 establishes the Vermont Age-Appropriate Design Code (VAADC), which sets out the minimum duty of care for covered businesses that process a minor consumer’s data, together with the obligations and prohibitions that apply to covered businesses subject to the VAADC. The prohibitions include, but are not limited to, using dark patterns, using design features that “encourage excessive and compulsive use by a minor consumer,” allowing adults to monitor or track minors online, and allowing unknown adults to communicate with minors.
Enforcement
The VDPA will be enforced by the Vermont Attorney General, who also has some rulemaking authority. However, unlike the vast majority of other comprehensive state privacy laws to date, the VDPA establishes a private right of action for any consumer who is harmed by a data broker’s or large data holder’s violation of any of the following:
- Processing sensitive data without consent.
- Selling sensitive data.
- Violating the provisions relating to the confidentiality of consumer health data.
The private right of action would begin on January 1, 2027 and expire on January 1, 2029.
Effective dates
If enacted, HB 121 will take effect as follows:
- July 1, 2024: Section 2 (public education and outreach), Section 3 (protection of personal information), Section 4 (data broker opt-out study), and Section 8 (Vermont Data Privacy Act study).
- July 1, 2025: Section 1 (VDPA) and Section 7 (Age-Appropriate Design Code).
- July 1, 2026: Section 5 (medium applicability threshold of the VDPA) and Section 11 (repeal of the utility exemption).
- January 1, 2027: Section 9 (private right of action).
- July 1, 2027: Section 6 (low applicability threshold of the VDPA).
- January 1, 2029: Section 10 (repeal of the private right of action).
Keynote USA