Vermont Governor Vetoes Comprehensive Data Privacy Bill

On Thursday, June 13, 2024, Vermont Governor Phil Scott vetoed one of the most comprehensive consumer privacy bills the US has seen to date. The Vermont Data Privacy Act (H.121), or “an act relating to enhancing consumer privacy and the age-appropriate design code,” will now return to the General Assembly, needing a two-thirds vote in each chamber to override the veto.

Gov. Scott took issue with the bill’s private right of action, its Kids Code provisions, and its “expansive definitions” that he believes “create big and expensive new burdens and competitive disadvantages for the small and mid-sized businesses Vermont communities rely on,” according to a press release by his office. He urged lawmakers to consider adopting a privacy law more like Connecticut’s. The governor considers that kind of bill to be less risky for the state, but it is also preferred by industry.

It was largely expected that the Republican governor would take such action, despite the bill passing with near-unanimous support in the House. Its inclusion of a novel private right of action, which allows individuals to file suits against businesses that violate the act, made it the target of several pro-business and tech lobbying groups looking to squash the bill in the months leading up to its passage. Gov. Scott later expressed discomfort over this same provision, with a spokesperson telling Vermont Public in May that the governor has “not yet decided what he’ll do when the bill reaches him.”

Just days after the legislature passed H.121, NetChoice, a tech industry trade group representing companies like Meta and TikTok, urged Gov. Scott to veto the bill. It claimed the bill would “chill lawful speech online and negatively impact Vermont’s vibrant small business community” and bring about unnecessary litigation. Vermont Country Store CEO Jim Hall similarly called for a veto after months of lobbying state lawmakers to kill the private right of action.

On June 7, the day H.121 landed on Gov. Scott’s desk to await signature, the Connected Commerce Council (3C), a national lobbying group funded by big tech giants like Amazon and Google that represents small businesses, began running Facebook and Instagram ads rallying users to oppose the bill. This campaign included ads with forms where users could add their name to a letter urging Gov. Scott to “reconsider the bill” until it “can be fixed next year.” The advertisements, which ran for less than a week, claimed that H.121 would make it “harder and more expensive to know and communicate with customers, advertise online, and use powerful analytics from your advertising, e-commerce, and email marketing partners.” (3C came under fire in 2022 for including dozens of small businesses in its membership directory who had never heard of the organization.)

"I am deeply disappointed, though not surprised, that the governor succumbed to lobbyist pressures and failed to pass legislation vital to protecting Vermonters of all ages from the sale and abuse of their sensitive data,” said Rep. Monique Priestley, one of the bill’s main sponsors, in a written statement to Tech Policy Press. “I urge my colleagues to demonstrate the strength and leadership needed to pass H.121."

H.121 also contains minimum duties of care for minors and limits the amount of personal data companies can collect on consumers. Specifically, The Vermont Kids Code (S.289) was added to the House bill during final negotiations, making Vermont the third state to pass legislation based on safety by design. Although the final legislation pared back the requirements in the original Senate bill, H.121 includes two distinct “duty of care” provisions: one requiring covered businesses that collect minors’ personal data to “determine the purposes and means” for processing it, and the other “to avoid any heightened risk of harm to minors.”

Only a week prior to Vermont passing its Data Privacy Act, Maryland Governor Wes Moore signed the Maryland Kids Code (HB 603/SB 571) into law. While Maryland is bracing for a legal challenge similar to the one brought by NetChoice against California’s Age Appropriate Design Code, new reporting from the Washington Post has stirred confusion. A lawyer from a firm that represents Meta sent an email to Maryland Delegate Jared Solomon (D-18), one of the Kids Code’s main sponsors, pledging it wouldn’t support any efforts to block the law in court, according to an email obtained by the Post. The social media platform didn’t, however, indicate whether it would urge its partners, such as NetChoice, to stand down in the courts or if it would withhold financial support. Neither NetChoice nor Meta responded to the Post’s request for comment.

Whether Vermont will face a legal challenge will depend on whether the General Assembly can nullify the Governor’s opposition.

Related Reading:

• Vermont’s Data Privacy Act Passes, But May Face Hurdles On Way To Governor’s Desk
• In the Trenches with State Policymakers Working to Pass Data Privacy Laws
• Big Tech Tried to Kill My State’s Privacy Bill. Here’s What I Learned.
• Maryland Kids Code Signed Into Law, But May Face Legal Challenges