Following the Vermont Senate’s failure to override Governor Phil Scott’s veto of the Vermont Data Privacy Act (VDPA), the much-discussed bill will not be enacted into law, at least not in its current form. As passed by the legislature, the VDPA was widely considered the strongest (and, for businesses, the most onerous) comprehensive data privacy law in the United States, at least since the California Consumer Privacy Act (CCPA).
In his June 13 letter to the Vermont General Assembly, Governor Scott outlined his areas of concern with the VDPA as well as with the Age-Appropriate Design Code (AADC) provisions included in the same bill. Governor Scott focused on three main areas of concern.
Private Right of Action
First, Governor Scott stated the VDPA’s private right of action “would make Vermont a national outlier, and more hostile than any other state to many businesses and non-profits[.]” The bill provided a private right of action for consumers harmed by a data broker or a large data holder (defined as a person that processed the personal data of more than 100,000 consumers in the last calendar year) that:
- Processed consumers’ sensitive data without their consent;
- Sold consumers’ sensitive data;
- Disclosed consumer health data without complying with the bill’s confidentiality requirements; or
- Used geofencing within 1,850 feet of any health care facility for the purpose of identifying, tracking, collecting data from, or sending any notification to a consumer regarding the consumer’s consumer health data.
The only comprehensive state consumer data privacy law with a private right of action is the CCPA, and that right of action is limited to certain data breaches. Washington’s My Health My Data Act, which is narrower in scope in that it applies only to consumer health data, also has a private right of action.
Age-Appropriate Design Code
Second, with regard to the AADC portion of the bill, the Governor noted that similar laws are being reviewed by courts under the First Amendment and that Vermont should wait to pass such a law until it can “craft a bill that addresses known legal pitfalls.”
The Vermont AADC more clearly defines the types of harm to children that would be covered, and therefore could avoid some of the First Amendment pitfalls of similar laws. The covered harms are:
- Reasonably foreseeable emotional distress;
- Encouragement of addictive behavior; and
- Discrimination based upon race, ethnicity, sex, disability, sexual orientation, gender identity, gender expression, or national origin.
The bill also more clearly defines the obligations of businesses, rather than requiring them to consider the “best interests” of a child. This may prevent the law from being ruled unconstitutionally overbroad. The AADC also expressly disclaims an age-verification requirement in favor of less intrusive “age estimation,” meaning a process that estimates that the consumer is likely to be of a certain age, fall within an age range, or be over or under a certain age. This may limit the restrictions on adults’ speech in a manner that helps the AADC survive court review.
Complexity Compared to Similar Laws
Third, Governor Scott noted that the bill’s complexity and uniqueness would burden small and mid-sized businesses. Governor Scott stated, “Vermont should adopt Connecticut’s data privacy law, which New Hampshire has largely done with its new law.” Here are just a few of the ways in which the VDPA differs from, or is more complex than, the majority of states’ consumer data privacy laws:
- The triggering thresholds are lower than in most state consumer data privacy laws (although a few states, like Texas, have no numeric threshold). The VDPA as proposed would have applied to any entity that conducts business in Vermont or produces products or services targeted to Vermont residents and that met at least one of the following thresholds during the last calendar year: (i) controlled or processed the personal data of 25,000 or more Vermont consumers (excluding personal data controlled or processed solely for the purpose of completing a payment transaction), or (ii) controlled or processed the personal data of 12,500 or more Vermont consumers and derived more than 25% of the entity’s gross revenue from the sale of personal data. These thresholds would have been lowered in 2026, and again in 2027.
- A “sale of personal data,” like in the CCPA, “means the exchange of a consumer’s personal data by the controller to a third party for monetary or other valuable consideration.” However, the VDPA also adds “or otherwise for a commercial purpose.” VDPA defines “commercial purpose” as advancing an entity’s “commercial or economic interests.” This addition would broaden the scope of “sale” beyond the traditional definition in other laws.
- Controllers would be required to “limit the collection of personal data to what is reasonably necessary and proportionate to provide or maintain a specific product or service requested by the consumer to whom the data pertains.” Tying collection to a specific product or service requested by the consumer creates a stronger data minimization requirement than the “adequate, relevant, and reasonably necessary” standard found in most other states’ laws.
- The bill as proposed did not contain a general exemption for nonprofits (although certain categories of nonprofits would have been exempt). Most state consumer data privacy laws, although not all, exempt nonprofit entities.
Overall Impact on Businesses
This veto is a win for the businesses that would have needed to comply with the VDPA, given its nuances and additional compliance obligations as compared to other states’ laws, together with its private right of action. However, it is unlikely that the Vermont legislature will abandon its efforts to pass a comprehensive data privacy law. Businesses should expect another bill to pass the legislature, although it will likely be revised to address certain of the concerns noted by Governor Scott.
For more information about the requirements of the VDPA or any other state privacy law mentioned in this article, please contact any of the Partners or Senior Counsel in Foley & Lardner’s Cybersecurity and Data Privacy team.
The author gratefully acknowledges the contributions of Gabe Wild, a 2024 summer associate at Foley & Lardner LLP.