The Democrat-controlled Vermont legislature has passed one of the strongest data privacy measures in the country aimed at cracking down on companies’ use of online personal data, which would let consumers file civil lawsuits against companies that break certain privacy rules.
However, Republican Gov. Phil Scott has concerns about how part of the legislation could affect small businesses. He hasn’t seen the final bill that passed early Saturday before the Legislature adjourned. He will make a decision once he’s had a chance to review it, his spokesperson Jason Maulucci said Tuesday.
The bill prohibits the sale of sensitive data, such as social security and drivers’ license numbers, financial or health information. It also sets meaningful limits on the amount of personal data that companies can collect and use, according to the nonprofit Electronic Privacy Information Center based in Washington, D.C.
More than a dozen states have comprehensive data privacy laws. Vermont’s is “among the strongest, if not the strongest” in the country, said Caitriona Fitzgerald, deputy director of EPIC.
The Vermont Statehouse is shown Jan. 2, 2024, in Montpelier, Vt. The Democrat-controlled Vermont legislature on Saturday passed one of the strongest data privacy measures in the country, aimed at cracking down on companies’ use of online personal data, that would let consumers file civil lawsuits against companies that break certain privacy rules. (AP Photo/Lisa Rathke)
State Rep. Monique Priestley, a Democrat and a sponsor of the bill, told colleagues Friday night that without thoughtful and comprehensive measures, gaps can be exploited, undermining the protections legislators were seeking.
“At a time when everything we do and everything we are is monetized in a surveillance economy, the urgency of this moment cannot be overstated,” she said, according to EPIC.
A big step in the legislation is allowing consumers to sue, which Fitzgerald said has been the most effective way to ensure that companies comply with privacy laws. State attorneys general do not have the resources to enforce these privacy regulations, Fitzgerald said.
If there is a violation and a person wants to sue, the company has 60 days to remedy that problem, Priestley said Tuesday. The governor has been concerned about the private right of action and what it could mean for Vermont small businesses and “mom and pop” shops, his spokesperson said.
The Vermont Chamber of Commerce said Tuesday that it shares the governor’s concerns. “Ultimately this will make it harder and more expensive for Vermont businesses to compete,” said Megan Sullivan, vice president for government affairs, by email Tuesday.
Legislators decided to limit that action to violations by data brokers, which are companies that make a majority of their revenue selling data, as well as large data holders, which are companies processing data from 100,000 Vermonters or more a year, Priestley said.
“The biggest feedback we were getting is that this would catch small businesses before they’re ready basically. We haven’t had any data privacy policies in place, so they really need to learn what good data standards,” she said. “But the big companies, they already know.”
The bill also includes parts of previous legislation aimed at protecting children.
“What’s left is really a product and safety liability bill as far as minimizing addictive features and things like that,” Priestley said.
The passage of Vermont’s legislation came the week after Maryland’s governor signed two measures into law aimed at better protecting personal data online from Big Tech, including a bill to try to create limits on information collected on children. The other Maryland law will create consumer protections and rights as well as disclosure obligations relating to online personal data controlled or processed by certain entities that conduct business in Maryland or provide services or products that are targeted to residents of the state.
Much of Vermont’s bill, if signed by the governor, would go into effect in 2025. The ability for consumers to sue wouldn’t take effect until 2026 and would sunset in 2028, with a study to look at its effectiveness and risks, Priestley said.