Senior Content Marketing Manager II
June 20, 2024
Editor’s Note (June 2024): In a surprise turn, Vermont Governor Phil Scott vetoed the Vermont Data Privacy Act, returning it to the legislature without signature.
In his comments about the decision, Gov. Scott called out the bill’s limited private right of action, noting it would make Vermont “a national outlier and more hostile than any other state to many businesses and nonprofits.”
The Vermont legislature attempted a veto override, winning 128-17 in the House but losing the motion 14-15 in the Senate. It would have taken 20 Senate votes for the override to go through.
As it stands, the law will not go into effect.
The Vermont Data Privacy Act (VDPA) applies to businesses that conduct operations in Vermont or target their products or services to Vermont residents. To fall under the law's scope, a business must meet one of the following thresholds during the preceding calendar year:
One unique thing to note about Vermont’s privacy law is that its applicability thresholds (based on consumer count) will decrease over time. By July 1, 2026, the threshold will drop to 12,500 consumers for the first criterion and 6,250 consumers for the second. Then, by July 1, 2027, it will decrease again to 6,250 and 3,125 consumers, respectively.
The Vermont Data Privacy Act imposes several compliance requirements on businesses, including:
Vermont’s privacy law grants consumers a comprehensive set of novel rights, including the right to access, confirm, correct, delete, and transfer their personal data. Businesses must also give consumers a way to opt out of targeted advertising, data sales, and profiling.
In alignment with the Children's Online Privacy Protection Act (COPPA), the Vermont Data Privacy Act mandates additional data protections for children aged 13 to 17. Businesses must obtain parental consent before processing personal data for minors in this age range for targeted advertising or data sales. For children under 13, verifiable parental consent is required for any data processing.
Businesses must conduct data protection impact assessments before engaging in high-risk data processing activities, such as processing sensitive data, targeted advertising, data sales, and profiling.
Businesses must recognize and respect universal opt-out signals, like the Global Privacy Control, to allow consumers to easily opt out of targeted advertising, data sales, and profiling.
Businesses must limit the collection of personal data to what is reasonably necessary and proportionate to provide or maintain a specific product or service requested by the consumer.
The VDPA sets itself apart from other state privacy laws through several key distinctions.
Perhaps the most noteworthy difference between the VDPA and other state privacy laws was the inclusion of a limited private right of action. This would have allowed individuals to sue companies for certain privacy violations, unlike most other state laws, which only permit enforcement by state authorities.
It’s important to note, however, that this private right of action could only have applied to "large data holders" processing the data of over 100,000 Vermont residents, and was further limited to violations involving sensitive or consumer health data.
The VDPA strictly prohibits the sale of sensitive data, even with consumer consent—setting it apart from other states where such sales are often permitted with explicit consent. Apart from this ban on sales, Vermont’s privacy law still requires consent before processing sensitive data for other purposes, which aligns with provisions in other states.
The law also emphasizes data minimization by limiting data collection to what is necessary for providing services, and it enforces stricter purpose limitations on data processing, demanding either explicit consent or a clear, disclosed purpose for any secondary use of data.
Vermont's privacy law features an expanded definition of "sale" that includes not only monetary exchanges, but also transfers for other valuable considerations and any transactions for "a commercial purpose."
This broader scope is distinctive compared to other states, such as California, Colorado, Virginia, and Connecticut, which define "sale" primarily in terms of monetary or other valuable consideration. By encompassing transactions with commercial intent, Vermont's definition potentially captures a wider range of data transfers under its regulations.
This expanded definition implies that more data exchanges may fall under the law's restrictions on selling data, meaning businesses will need to reevaluate their data sharing practices and how they structure agreements with third parties. The broader scope could lead to an increase in transactions requiring consumer consent and may limit data exchanges deemed permissible under other states' regulations.
The Vermont Data Privacy Act enhances protections for minors by requiring robust privacy measures, such as a duty for data controllers to mitigate heightened risks to minors, restrictions on selling their data, and additional risk assessment requirements.
The VDPA takes a dual approach to protecting children online, combining comprehensive data protection under the VDPA with a streamlined version of California’s Age-Appropriate Design Code (AADC). This integration includes broad prohibitions against dark patterns and specific restrictions against addictive design features, such as endless scrolling.
By establishing separate duties of care within both the privacy and AADC sections, Vermont’s law offers a more layered and holistic approach to safeguarding minors' online experiences compared to other state privacy regulations.
In addition to these key differences, the VDPA also sports:
While Vermont's law shares some common elements with other state privacy laws, these unique features make it one of the most comprehensive and stringent in the country.
For businesses operating in or targeting Vermont residents, compliance with the Vermont Data Privacy Act is essential. Here's a step-by-step checklist to help navigate the law's requirements:
Begin by thoroughly reviewing your company's data practices to determine if you fall under the scope of the Vermont Data Privacy Act. Assess whether you meet the applicability thresholds outlined in the legislation, which are based on the number of Vermont consumers whose personal data you control or process.
Creating a comprehensive inventory of the personal data your business collects, processes, and stores is a crucial first step. Identify the types of data involved, the processing activities, and the legal basis for each. This will help you conduct a gap analysis to assess your compliance risk.
Develop robust processes to fulfill consumers' requests for data access, correction, deletion, and transfer. Ensure these processes include effective verification of consumer identity and prompt response times.
Implement a consent management platform across all your digital interfaces, including websites, web apps, mobile apps, and backend data stores. This will enable you to consistently enforce consumer consent preferences and honor browser-based signals like the Global Privacy Control (GPC) and "Do Not Sell" requests.
Before engaging in high-risk data processing activities, such as selling personal data, targeted advertising, or profiling, you must conduct data protection impact assessments. Make sure to document the assessment outcomes, including risk analysis and mitigation strategies.
Develop clear and concise privacy notices that inform Vermont consumers about your data practices. Include details on the purposes of data collection, categories of data processed, and the specific rights granted to consumers under the VDPA.
Prepare your systems and processes to acknowledge and respect universal opt-out signals for targeted advertising, data sales, and profiling activities. Ensure your procedures seamlessly integrate these opt-out preferences to comply with Vermont's regulatory requirements.
The Vermont Data Privacy Act imposes strict limitations on the use of sensitive data, including prohibiting the sale of such information, even with consumer consent. Carefully review your data processing activities to ensure you are adhering to these heightened protections.
Vermont’s privacy law includes enhanced safeguards and duties of care related to the processing of personal data belonging to minors. Ensure your compliance efforts address these specialized requirements, including obtaining parental consent for certain data processing activities.
By following this comprehensive compliance checklist, businesses can effectively navigate the complexities of the Vermont Data Privacy Act, safeguarding consumer data and upholding the state's rigorous regulatory standards.