Vermont Data Privacy Act VDPA

Vermont Data Privacy Act (VDPA) H.121: Manifest Destiny Data Protection

On May 10, 2024, Vermont’s House and Senate released an unofficial 105-page version of Bill H.121, and it’s already making waves. Coming in a close second to California’s Consumer Privacy Protection Act & California Privacy Rights Act, the unofficial Vermont Data Privacy Act is robust. The bill aims to combat the aggressive data-gathering economy and the use of addictive algorithms by various social media platforms targeting children. As it awaits Governor Phil Scott’s signature, let’s delve into some of its key provisions and implications.

Who It Affects

The Act affects a wide range of entities due to a relatively low compliance threshold. It applies to businesses that control or process the personal data of at least 100,000 consumers or derive more than 50 percent of their gross revenue from the sale of personal data. Consumers are plainly defined as Vermont residents. Specifically impacted businesses include data brokers, data controllers, consumer health data controllers, processors, and other commercial entities meeting the above criteria.

New Private Cause of Action

The Act creates a private cause of action against “large data holders” or data brokers for alleged violations involving sensitive data or the confidentiality of consumer health data. It creates a new classification, “Large Data Holders,” covering entities that processed the personal data of not fewer than 100,000 consumers in the preceding calendar year.

These Large Data Brokers will face civil liability to consumers either individually or collectively through class action. Notably, the private right of action takes effect on January 1, 2027, and sunsets two years later if the legislature does not extend it.

New Data Broker Compliance Requirements

Data brokers, defined as businesses that collect and sell or license consumer information without a direct relationship with the consumer, face new compliance mandates. These include annual registration, credentialing, and ensuring that their data practices are “legitimate and legal.”

There are prohibitions on collecting certain data and additional assessment requirements for activities that present a heightened risk of harm to consumers. Brokers must also disclose their data practices and then provide consumers with methods to opt out of data collection. Of the many new requirements, a handful of novelties are the prohibition on the sale of sensitive data even with consent and a more European approach to consent.

Tackling Dark Patterns: Not Only for Children

Another mechanism for keeping consumers safe is a codification of new consent requirements that mandate that consent be specific and informed, rather than broad or obtained through dark patterns. Social media companies are specifically targeted to make their platforms less addictive to children and to mitigate the abuse of dark patterns.

The Act includes formal duties for controllers to protect minors, requiring special care to avoid heightened risks and mandating clearer data collection disclosures when gathering sensitive data. These provisions aim to make online services less addictive and safer for everyone.

Non-Compliance

Violation of the VDPA constitutes unfair and deceptive acts in commerce. The State Attorney General is empowered to conduct investigations, adopt rules, bring civil actions, and take other enforcement measures as needed. It is solely within the Attorney General’s discretion to allow an opportunity to cure violations. There are a variety of civil penalties for non-compliance, ranging from $125/day for non-registration as a data broker to $25,000 for filing materially incorrect information, with compounding penalties. There is also further exposure arising from the newly created individual civil causes of action.

An educational program led by the Attorney General will also be established to educate Vermont residents on their rights under the Act and mechanisms for exercising their twelve newly enumerated personal data rights.

Effective Dates

The Act will have a staggered entry into force over the course of three years. As early as July 1, 2024, the sections on Public Education and Outreach, Protection of Personal Information, and Data Broker Opt-Out will become effective. One year later, the Age-Appropriate Design Code becomes effective July 1, 2025. Data protection assessment requirements only apply to processing activities created or generated after July 1, 2025, and are not retroactive.

Applicability Thresholds

The staggered effective dates based on thresholds are as follows:

  • Controlled or processed the personal data of not fewer than 25,000 consumers (to be lowered to 12,500 consumers on July 1, 2026, and then to 6,250 consumers on July 1, 2027), excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or
  • Controlled or processed the personal data of not fewer than 12,500 consumers (to be lowered to 6,250 consumers on July 1, 2026, and then to 3,125 consumers on July 1, 2027) and derived more than 25% (to be lowered to 20% on July 1, 2026) of the person’s gross revenue from the sale of personal data.

Likelihood of Passage

Despite widespread support, the bill faces opposition due to the proposed cause of action against companies that misuse personal data. Vermont Governor Phil Scott’s stance remains uncertain, adding suspense to the bill’s future.

Compliance with the Vermont Data Privacy Act requires in-depth understanding of corporate data-handling and rising legislation. Hall Booth Smith is committed to helping our clients anticipate and comply with emerging regulations. Reach out to our Data Privacy & Cybersecurity team for an evaluation to prepare for this rapidly changing digital economy.

Disclaimer

This material is provided for informational purposes only. It is not intended to constitute legal advice nor does it create a client-lawyer relationship between Hall Booth Smith, P.C. and any recipient. Recipients should consult with counsel before taking any actions based on the information contained within this material. This material may be considered attorney advertising in some jurisdictions. Prior results do not guarantee a similar outcome.

About the Author

Savannah Liner Avera

Attorney at Law | Atlanta Office

T: 404.954.6973
E: savera@hallboothsmith.com

Savannah Liner Avera protects the rights of clients in health care and cyberspace. She handles aging services litigation and serves on the firm’s Coronavirus Strategic Team that counsels clients on complex matters related to the global pandemic. She represents providers including hospitals, skilled nursing facilities, assisted living facilities, and sub-acute facilities in a wide range of liability claims.
