
More than just maple syrup: Vermont passes consumer privacy bill

Overview


On May 29, 2026, Vermont’s legislature passed S71, the Vermont Data Privacy and Online Surveillance Act (the Act). The Act is now pending Vermont Governor Phil Scott’s signature. If signed, it would become effective January 1, 2028.

The Act revives data privacy legislation in Vermont after Governor Scott vetoed a previous version. Unlike its predecessor, this Act aligns much more closely with other state consumer privacy bills drafted in the Connecticut style. That said, as with any new consumer privacy law, companies doing business in the state should assess whether the Act applies to them and implement a compliance program.

In Depth


Who does the Act apply to?

The Act applies to anyone who does business in Vermont or offers products or services to Vermont residents and who, in the preceding calendar year, engaged in any of the following:

  • Controlled or processed the personal data of at least 35,000 Vermont residents; or
  • Controlled or processed the sensitive personal data of at least 3,000 Vermont residents; or
  • Offered to sell the personal data of at least 3,000 consumers.

The Act’s consumer health data provisions (described below) apply more broadly. Provisions in the Act relating to health data dispense with the numerical thresholds and apply to anyone that does business in Vermont or, when offering products or services, targets Vermont residents.

Two aspects of the Act’s applicability threshold are notable: the relatively low number of consumers needed to trigger the Act, and the fact that merely offering to sell, or processing, sensitive data for a collection of state residents would by itself be sufficient to trigger it.

Who is a “consumer”?

The definition of “consumer” in the Act aligns with the majority of other state consumer privacy laws. A “consumer” is “an individual who is a resident of [Vermont].” The term does not include individuals acting in a commercial or employment context.

What is “personal data”?

“Personal data” means any information, including derived data and unique identifiers, that is linked or reasonably linkable to an identified or identifiable individual or to a device that identifies or is reasonably linkable to one or more individuals. This excludes de-identified data or publicly available information.

As with the 2024 version of Vermont’s law, the inclusion of “derived data” is a twist on the usual definition of personal data, and it is not at all clear what precisely it is meant to cover.

Who can enforce the Act?

The Vermont attorney general has exclusive enforcement authority. Civil penalties may reach $10,000 per violation. From January 1, 2028, through June 30, 2029, prior to initiating an enforcement action, the attorney general must provide a written notice and give a 60-day cure period.

Who is exempt?

The Act contains entity-level and data-level exemptions. At the entity level, it exempts, among others:

  • Federal, state, tribal, and local government entities;
  • Institutions of higher education;
  • Newspapers, magazines, periodicals, radio and television stations (and related nonprofits), press associations, and wire services; and
  • Air carriers regulated under the Federal Aviation Act and Airline Deregulation Act.

Data-specific exemptions include:

  • HIPAA-covered entities, excluding hybrid entities, and business associates;
  • Personal information consistent with human subject protection requirements of the US Food and Drug Administration (FDA), FDA clinical investigations of human subjects, and institutional review boards;
  • Information collected for purposes of evaluating creditworthiness, in compliance with the Fair Credit Reporting Act;
  • Financial institutions subject to the Gramm-Leach-Bliley Act;
  • Data subject to the Family Educational Rights and Privacy Act; and
  • Agents, broker-dealers, investment advisers, or investment adviser representatives regulated by the Securities and Exchange Commission.

What obligations are imposed on controllers?

Controllers are required to comply with a number of obligations that are typical of consumer data privacy laws. Notable obligations include requirements to:

  • Establish reasonable data security practices;
  • Obtain consumer consent for processing or selling sensitive data;
  • Not sell or process for targeted advertising purposes the data of an individual between 13 and 18 years old where the controller has actual knowledge of or willfully disregards their age; and
  • Provide a privacy policy on the website using the term “privacy” in the link.

Borrowing from other states, the privacy policy requirements include (1) a disclosure as to whether personal information is used to train large language models, and (2) the month and date of the last update. The Act also requires that privacy policies be made available in settings features and download pages of mobile apps.

What is “sensitive data”?

Sensitive data includes the following types of personal data that identifies or reveals:

  • A consumer’s racial or ethnic origin, religious beliefs, sex life, sexual orientation, status as nonbinary or transgender, or citizenship or immigration status;
  • A mental or physical health condition, diagnosis, disability, or treatment;
  • Consumer health data;
  • Genetic or biometric data or information derived therefrom;
  • Personal data collected from a known child;
  • Precise geolocation data (within a radius of 1,750 feet);
  • Neural data;
  • A consumer’s financial account number, financial account login information, or credit card or debit card number that, in combination with any required access or security code, password, or credential would allow access to a consumer’s financial account; or
  • A government-issued identification number, including but not limited to, Social Security number, passport number, state identification card number, or driver’s license number that applicable law does not require to be publicly displayed.

As can be seen from the above, Vermont borrowed concepts from a number of different states in compiling its definition of sensitive data.

What obligations relating to consumer health data apply?

Borrowing from recent Connecticut privacy law amendments, the Act imposes several obligations and limitations on any individual or legal entity that processes consumer health data:

  1. Employees accessing consumer health data must be subject to a duty of confidentiality.
  2. Companies cannot deploy a geofence to establish a virtual boundary within 1,850 feet of any healthcare facility.
  3. Companies cannot sell or offer to sell consumer health data without prior consent from the consumer.

“Consumer health data” is defined as personal data that any controller uses to identify a consumer’s physical or mental health condition, diagnoses, or status, including gender-affirming health data and reproductive or sexual health data.

Data-protection and impact assessments

The Act requires controllers to conduct and document data-protection assessments for processing activities that present a heightened risk of harm, including (1) processing for targeted advertising; (2) the sale of personal data; (3) profiling that presents a reasonably foreseeable risk of unfair treatment, financial or reputational injury, intrusion on privacy, or other substantial injury; and (4) the processing of sensitive data.

In addition, Vermont goes further than most states by requiring a separate impact assessment for any profiling used to make decisions producing legal or similarly significant effects, with prescribed components including purpose disclosure, risk analysis, categories of data used, performance metrics, transparency measures, and post-deployment monitoring. Assessments are confidential but may be requested by the state attorney general. Data protection assessment requirements apply prospectively to processing activities created after January 1, 2028.

What consumer rights are created by the Act?

The Act grants consumers the following rights:

  1. Access and confirmation: The rights to access and confirm whether a controller is processing the consumer’s personal data, including any inferences derived from the data and whether profiling is being used to make decisions producing legal or similarly significant effects.
  2. Correct: The right to correct inaccuracies in personal data, considering the nature of the data and the purposes of processing.
  3. Delete: The right to delete personal data provided by, or obtained about, the consumer.
  4. Data portability: The right to obtain a copy of personal data in a portable, readily usable format that allows transmission to another controller without hindrance.
  5. Opt out of targeted ads, sales, and profiling: The right to opt out of targeted advertising, the sale of personal data, and profiling in furtherance of automated decisions producing legal or similarly significant effects.
  6. Human review and appeal of profiling: If the consumer’s personal data were profiled in furtherance of a decision producing a legal or similarly significant effect, the right to question the result, be informed of the reasoning, review the data used, and, for housing decisions, correct inaccurate data and have the decision reevaluated.
  7. Specific third parties: The right to obtain a list of third parties to which the controller has sold the consumer’s personal data.

As can be seen from the above, Vermont not only provides the “basic” consumer privacy rights, but has also included additional rights, borrowing Minnesota’s automated decision-making rights, and Oregon’s third-party disclosure requirements.

Responding to consumer requests

The Act follows most other states by requiring controllers to respond to consumer requests within 45 days after receipt. The Act allows a 45-day extension when reasonably necessary, provided the controller informs the consumer, within the initial 45-day response period, of the extension and the reason for it. If the controller declines to take action on the request, the controller must, within 45 days after receipt of the request, inform the consumer of the justification for declining and provide instructions for appealing the decision. The appeal must be approved or denied within 60 days after receipt. If the controller denies the appeal, the notice to the consumer must provide or specify information enabling the consumer to contact the Vermont attorney general to submit a complaint.

When does the Act take effect?

If signed into law, the Act takes effect January 1, 2028.

If you have questions or need assistance with readiness work for new state consumer privacy laws, please contact the authors or your regular McDermott lawyer.