Vermont’s Data Privacy Act Passes, But May Face Hurdles On Way To Governor’s Desk

Last Friday, at the eleventh hour on the final day of Vermont’s legislative session, state lawmakers passed what’s being hailed as one of the strongest data privacy bills in the country and a win for child online safety advocates. Sponsored by Republican Representative Michael Marcotte, who chairs the House Committee on Commerce and Economic Development, the bipartisan Vermont Data Privacy Act (H.121) includes a private right of action, a minimum duty of care for minors, and limits the amount of personal data companies can collect on consumers.

Passing a data privacy bill that includes a private right of action, which allows individuals to file suits against businesses violating the act, is a major feat for its proponents. It’s also one of the main concerns Republican Gov. Phil Scott has expressed as the legislation makes its way to his desk to either be signed into law or vetoed.

The business community often opposes including a private right of action over fears of frivolous, costly lawsuits. To address this concern, Democratic Representative Monique Priestley, who co-sponsored the bill and sits on the House Committee on Commerce and Economic Development, said H.121 was written so that a private right of action is only available to consumers who are harmed by “large data holders” and data brokers over sensitive and consumer health data. “That was inspired by the Federal APRA [The American Privacy Rights Act] drafts, but we right-sized it for us to avoid interstate commerce issues,” Rep. Priestley said. “Large data holders” are defined as entities that process the records of at least 100,000 Vermont residents per year – about a sixth of Vermont’s total population. A 60-day cure period was also added to provide businesses with an opportunity to remedy any violations.

The legislation also minimizes the amount of data businesses can collect on its customers and prohibits the sale of sensitive data, two more wins, according to Rep. Priestley.

It appears that an April hearing organized by the House Committee on Commerce and Economic Development may have emboldened some of the privacy bill’s champions to push for a stronger bill. The hearing gathered testimony from five out-of-state lawmakers who worked, with varying levels of success, to pass data privacy laws in their states. The Republican State Senator from Kentucky, Whitney Westerfield, appears to have been particularly influential on the issue of a private right to action.

“Our federal constitution, Kentucky state constitution, provides courts to give us a place to find redress of grievances,” Westerfield told the committee. “And so I think just at a fundamental level for us to limit the ability to use the courts for what our constitutions made our courts for, runs counter to what we ought to be standing for. And again, that's not a partisan position, that's what our constitution says our courts are for.”

Rep. Marcotte noted feeling “re-energized” after the hearing. “You think of a private right of action as a partisan thing where Republicans would be against something like that, and Democrats would be for it,” Rep. Marcotte said. He took this energy to the House floor in an impassioned speech on Thursday afternoon, telling his colleagues that a vote against H.121 is a vote that extinguishes their constituents’ rights. The amended version of the bill passed the House 139-3 by a roll call vote. “I think that helped change the course in the Senate as well,” Marcotte added.

The Act applies to businesses that control and process the personal data of at least 25,000 consumers in the first year it applies, but the legislation includes language to lower the threshold over time. According to Rep. Marcotte, the threshold is one of the lowest in the country. “I mean, our goal is that it should be zero, that everyone's data should be protected,” he said. “Everybody should have the right to opt in or opt out. Also, to determine whether or not they [businesses] can sell your data and be able to tell them to delete your data if that's what you want.”

The Age Appropriate Design Code (S.289), also known as the Vermont Kids Code, was added to H.121 as Subchapter 6 of the Data Privacy Act during final negotiations. This makes Vermont the third state to pass some version of this legislation. While it’s significant that the AADC made it into the House bill, it’s a notably pared-back version of what first passed in California and later in Maryland. The AADC only makes up a small portion of the bill and focuses mainly on design and features. In contrast, most provisions regarding minors’ data are covered by the legislation’s data consumer privacy sections.

The minimum duty of care requirement was, however, included in the AADC provision. It applies to the use of minor consumer’s personal data and the design of an online service, product, or feature that could result in emotional distress, discrimination, and more of minors.

The legislation will arrive on the governor’s desk within a few weeks. It’s unclear whether Gov. Scott, who has already signaled concerns over the private right of action provisions, will veto the bill. “The governor has not yet decided what he’ll do when the bill reaches him,” Scott’s Spokesperson, Jason Maulucci, told Vermont Public on Monday.

Just days after H.121 was passed, NetChoice, a trade association that represents tech platforms like Meta and TikTok, issued a letter to Gov. Scott asking him to veto the bill. The group claims that the AADC provisions would “chill lawful speech online and negatively impact Vermont’s vibrant small business community.” NetChoice additionally requested that, to avoid unnecessary litigation, Vermont should wait to sign H.121 into law until its lawsuit over the constitutionality of California’s AADC (NetChoice v. Bonta) is resolved in the courts.

“I suspect that there will be a [lobbying] push by the business community, and I think all of this is coming from Big Tech, through their associations and into the business associations,” Rep. Marcotte said. After consulting with legislators around the country, the Republican lawmaker is convinced “that the playbook is the same in every state.”

Indeed, this playbook is well-documented. Despite bipartisan support for privacy laws, industry often wins the legislative battle thanks to overwhelming resources and common tactics designed to slow down the process, exaggerate concerns, and water down meaningful protections, Tech Policy Press’ Ben Lennett recently wrote. In the same April hearing, Maine Rep. Maggie O’Neil described seeing “more lobbyists hired in the building than I have ever seen on bills before” while working on her state’s competing privacy bills. Former Oklahoma Representative Collin Walke also told Vermont lawmakers that one tech company “hired about 30 more lobbyists” to lobby against the privacy bill he tried to pass.

Rep. Priestley had a similar experience getting H.121 passed. Despite sitting down with a large number of lobbyists in the building, some of which represent major tech companies like Google and Amazon, to address expected concerns around exemptions and threshold adjustments, Priestley says she was up against a wider misinformation campaign. This included repeated efforts by a few Vermont business leaders to convince lawmakers that the private right of action would create a pathway for lawyers to prey on small to mid-sized Vermont businesses and threaten their livelihood.

The lobbying campaign further ratcheted up when H.121 hit the Senate, particularly in the final week of the bill’s passage. “There's always voices in the room telling you to do things a certain way. In this case, there were like forty voices in the room using more extreme tactics and [spreading] misinformation,” Rep. Priestley said. “At one point, a lobbyist told one of our committee members that we’re going to ‘break the internet.’ So it was just like straight up misinformation and fear.”

If Gov. Scott signs H.121 into law, most of the legislation will become effective on July 1, 2025. By 2026, Vermont’s attorney general must conduct a study and make policy recommendations for implementing a private right of action by examining other states’ approaches. The private right of action will become effective on Jan 1, 2027, but it has a two-year sunset provision with an option for renewal.

Related reading:

• In the Trenches with State Policymakers Working to Pass Data Privacy Laws
• Maryland Kids Code Signed Into Law, But May Face Legal Challenges
• Evaluating the Argument Over the California Age Appropriate Design Code Act