The evolution of the U.S. comprehensive state privacy law network may have finally reached a watershed moment. The elusive private right of action that state lawmakers could never seem to make stick in their proposals over recent years is on the verge of breaking through in Vermont.
The Vermont General Assembly took House Bill 121 down to the final days of the legislative session before the House and Senate concurred 11 May on a comprehensive framework containing a groundbreaking right of action with limits on applicability and a required review of its effectiveness. Additionally, the bill carries data minimization standards resembling those found in Maryland's comprehensive law, explicit protections for children's and consumer health data, required user opt-out mechanisms and required data protection assessments.
According to state Rep. Monique Priestley, D-Vt., HB 121's sponsor, the final bill text is under a legislative review and is expected to be published 15 May before transmission to Gov. Phil Scott, R-Vt., who will have five days to act. If enacted, the proposed law would take effect 1 July 2025.
"It felt like we were 20 years behind on getting a data privacy policy out there in general," said Priestley, who is in her first term as a state legislator. "This bill is actually more like five in one. I wanted to come out of all this as up to date as we could. For me, this was the base we needed to be at despite the fact it normally takes states multiple tries to get each of these bills individually."
Despite bipartisan compromise to get the bill through the legislature, Scott has reservations regarding HB 121. His spokesperson, Jason Maulucci, told Vermont Public the governor is "uncomfortable" with the limited PRA.
"The governor has not yet decided what he'll do when the bill reaches him," Maulucci added.
HB 121's applicability brings a three-year stepdown approach that will increase coverage each year, with the goal of eventually reaching full coverage of all Vermont businesses. In the first year, the proposed law would cover businesses controlling or processing data on more than 25,000 residents or those holding data on more than 12,500 residents and generating 25% of gross revenue from that data.
To date, no enacted comprehensive state privacy law applies to all businesses with services in the state.
"After talking with (legislators in other states), I was trending to get to zero," Priestley said. "I had a whole chart of where all the percentages for thresholds versus state population were. ... I'm really proud and happy that made it through since it was an area that almost got taken out."
PRA breakthrough
Lawmakers landed on a PRA that considers consumer protection while avoiding unintended consequences on Vermont businesses.
Consumers will be allowed to bring lawsuits against data brokers and "large data holders," which are defined as companies processing data on more than 100,000 Vermonters. The PRA is set to take effect in 2027, giving businesses a year to prepare compliance programs.
Involved parties settled on the targeted PRA in the days leading up to legislators' final votes. Priestley indicated she presented the business community with three potential coverage options that she pulled from U.S. Congress' American Privacy Rights Act discussion draft.
The threshold for large data holders was "very arbitrary" but "felt massive enough" to avoid hurting small businesses, according to Priestley.
"They could pick one or all of those (three potential thresholds). If this is really about small business then none of those should worry them anymore," she said. "We're really trying to be intentional with not trying to put a burden on the little guys, but there are actual harms from businesses that we need to protect."
The limitations around the right of action are designed to avoid a rush of frivolous lawsuits against unsuspecting companies, like those stemming from the broad PRA in the Illinois Biometric Information Privacy Act.
Another layer to Vermont's PRA is the two-year review that will come in 2029. State legislators will consider a sunset or a potential extension that either weakens or strengthens the PRA based on mandated implementation reports from the attorney general's office.
"The sunset feels scary, but that's a standard in Vermont commerce that we deal with all the time," Priestley said. "If it feels like it's not as risky as the world is making it seem to be then I assume and expect to extend or make it permanent when we hit 2028."
Despite the passage
The inclusion of the PRA marks a win for privacy advocates, who have long lobbied for consumers to have the right to seek damages for alleged data misuse. Consumer Reports Policy Analyst Matt Schwartz said in a statement that Vermont's work is "enormously significant" and shouldn't be overlooked by other states still working toward passing comprehensive privacy legislation of their own.
"It means that consumers who have been harmed by Big Tech's data abuses will actually be granted the ability to defend their rights," Schwartz added. "We hope this marks a turning point in state privacy law, where lawmakers will become more comfortable with the idea of providing strong enforcement remedies for consumers, instead of punting the issue to under-resourced (attorneys general offices)."
Businesses that fall under the PRA thresholds have much to consider as far as business models and whether to continue services in Vermont given new litigation risks. Kelley Drye & Warren Partner Alysa Hutnik, CIPP/US, called particular attention to those companies dealing with sensitive health data that will now fall under Vermont's scope in addition to the PRA under Washington's My Health My Data Act.
"To the extent My Health My Data hasn't created urgency, this may be a tipping point for companies to granularly assess whether the data they possess and how they use it tip the scales into sensitive data," Hutnik said. "Would sentiment-related data be consumer health data because it concerns an individual's mental condition? If a consumer is purchasing diabetes or pregnancy testing related supplies from a retail store, the store has that purchase data. Even if they don't use it to infer that the individual has diabetes or may be pregnant, they may provide a coupon or promote previously purchased items to their customers."
Novelties and areas of interest
Priestley and co-sponsors did their due diligence as far as generating a protective bill. She said there were many conversations across state lines with fellow state lawmakers with questions regarding "What did you wish you had done?" and "What did you do that we should keep pushing forward and trending?"
Notable among the takes from other states are the data minimization requirements, which focus on limiting data collection to "what is reasonably necessary and proportionate to provide or maintain a specific product or service requested by the consumer to whom the data pertains." These requirements align with Maryland's recently enacted law, while U.S. Congress' proposed APRA also contains similar minimization provisions.
There's some risk around any lack of uniformity among data minimization language from state to state, but Washington University School of Law Koch Distinguished Professor in Law Neil Richards is optimistic about the impacts of minimization policies proliferating.
"It could create a 'race to the top' the way we have seen with state data breach notification variance or the (EU General Data Protection Regulation) in which firms have incentives to comply with the most stringent consumer protections," Richards said. "While ease of compliance is certainly an important virtue in a law, it's not the most important virtue, as we're talking about the protection of a fundamental right of privacy — and data minimization is one of the most important elements of meaningful, substantive privacy protection."
Tweaks to established definitions used in other states show some of the nuances in the bill. Priestley said she made the definition of sensitive data "more comprehensive," with 10 categories outlined in the bill. The definition of biometric data is also made clearer with a list of specific covered and exempted areas.
Hutnik found the interplay between Vermont's proposed requirements for targeted advertising and pseudonymous data arguably raises positive compliance considerations with the use of first-party data.
"There is potential circular logic when those two concepts are put together," she said. "In a more practical sense, however, this could mean that targeted advertising is defined broadly to include some first party data monetization concepts that are growing in popularity, but opt-out rights may not need to be applied to such practices if pseudonymous data is being used and personal data to support those use cases is not being disclosed in a way that conflicts with the law."
Priestley indicated the Vermont House Committee on Commerce and Economic Development is committed to HB 121 as a "housekeeping bill" moving forward, meaning it will revisit the bill annually to address potential improvements. She also indicated she may look to build on the bill in the 2025 legislative session before it takes effect.