BILL AS INTRODUCED H.208 2025 Page 1 of 65 VT LEG #378938 v.1 H.208 1 Introduced by Representatives Priestley of Bradford, Marcotte of Coventry, 2 Arsenault of Williston, Austin of Colchester, Berbeco of 3 Winooski, Bos-Lun of Westminster, Bosch of Clarendon, 4 Boyden of Cambridge, Brown of Richmond, Burke of 5 Brattleboro, Burrows of West Windsor, Campbell of St. 6 Johnsbury, Carris-Duncan of Whitingham, Casey of 7 Montpelier, Chapin of East Montpelier, Cina of Burlington, 8 Cole of Hartford, Cordes of Bristol, Donahue of Northfield, 9 Duke of Burlington, Eastes of Guilford, Goldman of 10 Rockingham, Graning of Jericho, Greer of Bennington, Harple 11 of Glover, Headrick of Burlington, Holcombe of Norwich, 12 Krasnow of South Burlington, Lipsky of Stowe, Masland of 13 Thetford, McCann of Montpelier, McGill of Bridport, Micklus 14 of Milton, Mihaly of Calais, Minier of South Burlington, 15 Mrowicki of Putney, Nugent of South Burlington, O’Brien of 16 Tunbridge, Ode of Burlington, Olson of Starksboro, Pezzo of 17 Colchester, Pouech of Hinesburg, Rachelson of Burlington, 18 Satcowitz of Randolph, Sibilia of Dover, Stevens of Waterbury, 19 Surprenant of Barnard, Tomlinson of Winooski, Torre of 20 Moretown, Waszazak of Barre City, and White of Bethel 21 BILL AS INTRODUCED H.208 2025 Page 2 of 65 VT LEG #378938 v.1 Referred to Committee on 1 Date: 2 Subject: Commerce and trade; consumer protection; data privacy 3 Statement of purpose of bill as introduced: This bill proposes to provide data 4 privacy and online surveillance protections to Vermonters. 5 An act relating to consumer data privacy and online surveillance 6 It is hereby enacted by the General Assembly of the State of Vermont: 7 Sec. 1. 9 V.S.A. chapter 61A is added to read: 8 CHAPTER 61A. VERMONT DATA PRIVACY AND ONLINE 9 SURVEILLANCE ACT 10 § 2415. 
DEFINITIONS 11 As used in this chapter: 12 (1)(A) “Affiliate” means a legal entity that shares common branding 13 with another legal entity or controls, is controlled by, or is under common 14 control with another legal entity. 15 (B) As used in subdivision (A) of this subdivision (1), “control” or 16 “controlled” means: 17 (i) ownership of, or the power to vote, more than 50 percent of the 18 outstanding shares of any class of voting security of a company; 19 BILL AS INTRODUCED H.208 2025 Page 3 of 65 VT LEG #378938 v.1 (ii) control in any manner over the election of a majority of the 1 directors or of individuals exercising similar functions; or 2 (iii) the power to exercise controlling influence over the 3 management of a company. 4 (2) “Authenticate” means to use reasonable means to determine that a 5 request to exercise any of the rights afforded under subdivisions 2418(a)(1)–6 (6) of this title is being made by, or on behalf of, the consumer who is entitled 7 to exercise the consumer rights with respect to the personal data at issue. 8 (3)(A) “Biometric data” means data generated from the technological 9 processing of an individual’s unique biological, physical, or physiological 10 characteristics that allow or confirm the unique identification of the consumer, 11 including: 12 (i) iris or retina scans; 13 (ii) fingerprints; 14 (iii) facial or hand mapping, geometry, or templates; 15 (iv) vein patterns; 16 (v) voice prints or vocal biomarkers; and 17 (vi) gait or personally identifying physical movement or patterns. 18 (B) “Biometric data” does not include: 19 (i) a digital or physical photograph; 20 (ii) an audio or video recording; or 21 BILL AS INTRODUCED H.208 2025 Page 4 of 65 VT LEG #378938 v.1 (iii) any data generated from a digital or physical photograph, or 1 an audio or video recording, unless such data is generated to identify a specific 2 individual. 3 (4) “Business associate” has the same meaning as in HIPAA. 
4 (5) “Child” has the same meaning as in COPPA. 5 (6)(A) “Consent” means a clear affirmative act signifying a consumer’s 6 freely given, specific, informed, and unambiguous agreement to allow the 7 processing of personal data relating to the consumer in response to a specific 8 request, provided the request: 9 (i) is provided to the consumer in a clear and conspicuous 10 disclosure; 11 (ii) includes a description of the processing purpose for which the 12 consumer’s consent is sought; 13 (iii) clearly distinguishes between an act or practice that is 14 necessary to fulfill a request of the consumer and an act or practice that is for 15 another purpose; 16 (iv) clearly states the specific categories of personal data that the 17 controller intends to collect or process under each act or practice; 18 (v) clearly states the specific categories of personal data that the 19 controller intends to collect or process under each act or practice; and 20 (vi) is accessible to a consumer with disabilities. 21 BILL AS INTRODUCED H.208 2025 Page 5 of 65 VT LEG #378938 v.1 (B) “Consent” may include a written statement, including by 1 electronic means, or any other unambiguous affirmative action. 2 (C) “Consent” does not include: 3 (i) acceptance of a general or broad terms of use or similar 4 document that contains descriptions of personal data processing along with 5 other, unrelated information; 6 (ii) hovering over, muting, pausing, or closing a given piece of 7 content; 8 (iii) inaction of the consumer or the consumer’s continued use of a 9 service or product provided by the controller; or 10 (iv) an agreement obtained through the use of dark patterns. 11 (7)(A) “Consumer” means an individual who is a resident of the State. 
12 (B) “Consumer” does not include an individual acting in a 13 commercial capacity or as an owner, director, officer, or contractor of a 14 company, partnership, sole proprietorship, nonprofit, or government agency 15 whose communications or transactions with the controller occur solely within 16 the context of that individual’s role with the company, partnership, sole 17 proprietorship, nonprofit, or government agency. 18 (8) “Consumer health data” means any personal data that a controller 19 uses to identify a consumer’s physical or mental health condition or diagnosis, 20 including gender-affirming health data and reproductive or sexual health data. 21 BILL AS INTRODUCED H.208 2025 Page 6 of 65 VT LEG #378938 v.1 (9) “Consumer health data controller” means any controller that, alone 1 or jointly with others, determines the purpose and means of processing 2 consumer health data. 3 (10) “Consumer reporting agency” has the same meaning as in the Fair 4 Credit Reporting Act, 15 U.S.C. § 1681a(f); 5 (11) “Contextual advertising” or “contextual advertisement,” as subject 6 to provisions set forth in subsection 2418(g) of this chapter, means displaying 7 or presenting an advertisement that does not vary based on the identity of the 8 individual recipient and is based solely on: 9 (A) the immediate content of a web page or online service within 10 which the advertisement appears; or 11 (B) a specific request of the consumer for information or feedback. 12 (12) “Controller” means a person who, alone or jointly with others, 13 determines the purpose and means of processing personal data. 14 (13) “COPPA” means the Children’s Online Privacy Protection Act of 15 1998, 15 U.S.C. § 6501–6506, and any regulations, rules, guidance, and 16 exemptions promulgated pursuant to the act, as the act and regulations, rules, 17 guidance, and exemptions may be amended. 18 (14) “Covered entity” has the same meaning as in HIPAA. 19 (15) “Credit union” has the same meaning as in 8 V.S.A. 
§ 30101. 20 BILL AS INTRODUCED H.208 2025 Page 7 of 65 VT LEG #378938 v.1 (16) “Dark pattern” means a user interface designed or manipulated with 1 the substantial effect of subverting or impairing user autonomy, decision-2 making, or choice and includes any practice the Federal Trade Commission 3 refers to as a “dark pattern.” 4 (17) “Data broker” has the same meaning as in section 2430 of this title. 5 (18) “Decisions that produce legal or similarly significant effects 6 concerning the consumer” means decisions that result in or materially affect 7 access to, the provision or denial of, or the terms and conditions of financial or 8 lending services, housing, insurance, education enrollment or opportunity, 9 criminal justice, employment opportunities, health care services, or access to 10 essential goods or services. 11 (19) “De-identified data” means data that does not identify and cannot 12 reasonably be used to infer information about, or otherwise be linked to, an 13 identified or identifiable individual, or a device linked to the individual, if the 14 controller that possesses the data: 15 (A) takes reasonable physical, technical, or administrative measures 16 to ensure that the data cannot be used to reidentify an identified or identifiable 17 individual or be associated with an individual or device that identifies or is 18 linked or reasonably linkable to an individual or household, provided that such 19 reasonable measures for protected health information covered by HIPAA shall 20 include the de-identification requirements set forth under 45 C.F.R. 
§ 164.514 21 BILL AS INTRODUCED H.208 2025 Page 8 of 65 VT LEG #378938 v.1 (other requirements relating to uses and disclosures of protected health 1 information); 2 (B) publicly commits to process the data only in a de-identified 3 fashion and not attempt to reidentify the data; and 4 (C) contractually obligates any recipients of the data to satisfy the 5 criteria set forth in subdivisions (A) and (B) of this subdivision (19). 6 (20) “Financial institution” as used in subdivision 2417(a)(11) of this 7 title, has the same meaning as in 15 U.S.C. § 6809; 8 (21) “First party” means a consumer-facing controller with which the 9 consumer intends or expects to interact. 10 (22) “First-party advertising” means processing by a first party of its 11 own first-party data for the purposes of advertising and marketing and is 12 carried out: 13 (A) through direct communications with a consumer, such as direct 14 mail, email, or text message communications; 15 (B) in a physical location operated by the first party; or 16 (C) through display or presentation of an advertisement on the first 17 party’s own website, application, or its other online content. 18 (23) “First-party data” means personal data collected directly from a 19 consumer by a first party in compliance with this chapter, including based on a 20 BILL AS INTRODUCED H.208 2025 Page 9 of 65 VT LEG #378938 v.1 visit by the consumer to or use by the consumer of a website, a physical 1 location, or an online service operated by the first party. 2 (24) “Gender-affirming health care services” has the same meaning as in 3 1 V.S.A. § 150. 
4 (25) “Gender-affirming health data” means any personal data 5 concerning a past, present, or future effort made by a consumer to seek, or a 6 consumer’s receipt of, gender-affirming health care services, including: 7 (A) precise geolocation data that is used for determining a 8 consumer’s attempt to acquire or receive gender-affirming health care services; 9 (B) efforts to research or obtain gender-affirming health care 10 services; and 11 (C) any gender-affirming health data that is derived from nonhealth 12 information. 13 (26) “Genetic data” means any data, regardless of its format, that results 14 from the analysis of a biological sample of an individual, or from another 15 source enabling equivalent information to be obtained, and concerns genetic 16 material, including deoxyribonucleic acids (DNA), ribonucleic acids (RNA), 17 genes, chromosomes, alleles, genomes, alterations or modifications to DNA or 18 RNA, single nucleotide polymorphisms (SNPs), epigenetic markers, 19 uninterpreted data that results from analysis of the biological sample or other 20 source, and any information extrapolated, derived, or inferred therefrom. 21 BILL AS INTRODUCED H.208 2025 Page 10 of 65 VT LEG #378938 v.1 (27) “Geofence” means any technology that uses global positioning 1 coordinates, cell tower connectivity, cellular data, radio frequency 2 identification, wireless fidelity technology data, or any other form of location 3 detection, or any combination of such coordinates, connectivity, data, 4 identification, or other form of location detection, to establish a virtual 5 boundary. 6 (28) “Health care component” has the same meaning as in HIPAA. 7 (29) “Health care facility” has the same meaning as in 18 V.S.A. § 9432. 8 (30) “HIPAA” means the Health Insurance Portability and 9 Accountability Act of 1996, Pub. L. No. 104-191, and any regulations 10 promulgated pursuant to the act, as may be amended. 11 (31) “Hybrid entity” has the same meaning as in HIPAA. 
12 (32) “Identified or identifiable individual” means an individual who can 13 be readily identified, directly or indirectly, including by reference to an 14 identifier such as a name, an identification number, specific or historical 15 pattern of geolocation data, or an online identifier. 16 (33) “Independent trust company” has the same meaning as in 8 V.S.A. 17 § 2401. 18 (34) “Investment adviser” has the same meaning as in 9 V.S.A. § 5102. 19 BILL AS INTRODUCED H.208 2025 Page 11 of 65 VT LEG #378938 v.1 (35) “Large data holder” means a person who during the preceding 1 calendar year processed the personal data of not fewer than 100,000 2 consumers. 3 (36) “Marketing measurement” means measuring and reporting on 4 marketing performance or media performance by the controller, including 5 processing personal data for measurement and reporting of frequency, 6 attribution, and performance, provided that such measurement data is not 7 processed or transferred for any other purpose. 8 (37) “Mental health facility” means any health care facility in which at 9 least 70 percent of the health care services provided in the facility are mental 10 health services. 11 (38) “Minor” means any consumer who is younger than 18 years of age. 12 (39) “Neural data” means information that is collected through 13 biosensors and that could be processed to infer or predict mental states. 14 (40) “Nonpublic personal information” has the same meaning as in 15 15 U.S.C. § 6809. 16 (41)(A) “Online service, product, or feature” means any service, 17 product, or feature that is provided online, except as provided in subdivision 18 (B) of this subdivision (41). 19 (B) “Online service, product, or feature” does not include: 20 BILL AS INTRODUCED H.208 2025 Page 12 of 65 VT LEG #378938 v.1 (i) telecommunications service, as that term is defined in the 1 Communications Act of 1934, 47 U.S.C. § 153; 2 (ii) broadband internet access service, as that term is defined in 3 47 C.F.R. 
§ 54.400 (universal service support); or 4 (iii) the delivery or use of a physical product, but not including the 5 provision or use of an online service, product, or feature through use of an 6 internet-connected physical product. 7 (42) “Patient identifying information” has the same meaning as in 8 42 C.F.R. § 2.11 (confidentiality of substance use disorder patient records). 9 (43) “Patient safety work product” has the same meaning as in 42 C.F.R. 10 § 3.20 (patient safety organizations and patient safety work product). 11 (44)(A) “Personal data” means any information, including derived data 12 and unique identifiers, that is linked or reasonably linkable, alone or in 13 combination with other information, to an identified or identifiable individual 14 or to a device that identifies, is linked to, or is reasonably linkable to one or 15 more identified or identifiable individuals in a household. 16 (B) “Personal data” does not include de-identified data or publicly 17 available information. 18 (45)(A) “Precise geolocation data” means information derived from 19 technology that reveals the past or present physical location of a consumer or 20 BILL AS INTRODUCED H.208 2025 Page 13 of 65 VT LEG #378938 v.1 device that identifies or is linked or reasonably linkable to one or more 1 consumers with precision and accuracy within a radius of 1,850 feet. 2 (B) “Precise geolocation data” does not include: 3 (i) the content of communications; 4 (ii) data generated by or connected to an advanced utility metering 5 infrastructure system; 6 (iii) a photograph, or metadata associated with a photograph or 7 video, that cannot be linked to an individual; or 8 (iv) data generated by equipment used by a utility company. 
9 (46) “Process” or “processing” means any operation or set of operations 10 performed, whether by manual or automated means, on personal data or on sets 11 of personal data, such as the collection, use, storage, disclosure, analysis, 12 deletion, or modification of personal data. 13 (47) “Processor” means a person who processes personal data on behalf 14 of: 15 (A) a controller; 16 (B) another processor; or 17 (C) a federal, state, tribal, or local government entity. 18 (48) “Profiling” means any form of automated processing performed on 19 personal data to evaluate, analyze, or predict personal aspects, including an 20 BILL AS INTRODUCED H.208 2025 Page 14 of 65 VT LEG #378938 v.1 individual’s economic situation, health, personal preferences, interests, 1 reliability, behavior, location, movements, or identifying characteristics. 2 (49) “Protected health information” has the same meaning as in HIPAA. 3 (50)(A) “Publicly available information” means information that: 4 (i) is made available: 5 (I) through federal, state, or local government records; or 6 (II) to the general public from widely distributed media; or 7 (ii) a controller has a reasonable basis to believe that the consumer 8 has lawfully made available to the general public. 9 (B) “Publicly available information” does not include: 10 (i) biometric data collected by a business about a consumer 11 without the consumer’s knowledge; 12 (ii) information that is collated and combined to create a consumer 13 profile that is made available to a user of a publicly available website either in 14 exchange for payment or free of charge; 15 (iii) information that is made available for sale; 16 (iv) an inference that is generated from the information described 17 in subdivision (ii) or (iii) of this subdivision (50)(B); 18 (v) any obscene visual depiction, as defined in 18 U.S.C. 
§ 1460; 19 BILL AS INTRODUCED H.208 2025 Page 15 of 65 VT LEG #378938 v.1 (vi) any inference made exclusively from multiple independent 1 sources of publicly available information that reveals sensitive data with 2 respect to a consumer; 3 (vii) personal data that is created through the combination of 4 personal data with publicly available information; 5 (viii) genetic data, unless otherwise made publicly available by the 6 consumer to whom the information pertains; 7 (ix) information provided by a consumer on a website or online 8 service made available to all members of the public, for free or for a fee, where 9 the consumer has maintained a reasonable expectation of privacy in the 10 information, such as by restricting the information to a specific audience; or 11 (x) intimate images, authentic or computer-generated, known to be 12 nonconsensual. 13 (51) “Qualified service organization” has the same meaning as in 14 42 C.F.R. § 2.11 (confidentiality of substance use disorder patient records). 15 (52) “Reproductive or sexual health care” has the same meaning as 16 “reproductive health care services” in 1 V.S.A. § 150(c)(1). 17 (53) “Reproductive or sexual health data” means any personal data 18 concerning a past, present, or future effort made by a consumer to seek, or a 19 consumer’s receipt of, reproductive or sexual health care. 20 BILL AS INTRODUCED H.208 2025 Page 16 of 65 VT LEG #378938 v.1 (54) “Reproductive or sexual health facility” means any health care 1 facility in which at least 70 percent of the health care-related services or 2 products rendered or provided in the facility are reproductive or sexual health 3 care. 4 (55)(A) “Sale of personal data” means the exchange of a consumer’s 5 personal data by the controller to a third party for monetary or other valuable 6 consideration. 
7 (B) “Sale of personal data” does not include: 8 (i) the disclosure of personal data to a processor that processes the 9 personal data on behalf of the controller; 10 (ii) the disclosure of personal data to a third party for purposes of 11 providing a product or service requested by the consumer; 12 (iii) the disclosure or transfer of personal data to an affiliate of the 13 controller; 14 (iv) the disclosure, with the consumer’s consent, of personal data 15 where the consumer directs the controller to disclose the personal data or 16 intentionally uses the controller to interact with a third party; 17 (v) the disclosure of publicly available information; 18 (vi) the disclosure or transfer of personal data to a third party as an 19 asset that is part of a merger, acquisition, bankruptcy or other transaction, or a 20 BILL AS INTRODUCED H.208 2025 Page 17 of 65 VT LEG #378938 v.1 proposed merger, acquisition, bankruptcy, or other transaction, in which the 1 third party assumes control of all or part of the controller’s assets. 
2 (56) “Sensitive data” means personal data that: 3 (A) reveals a consumer’s government-issued identifier, such as a 4 Social Security number, passport number, state identification card, or driver’s 5 license number, that is not required by law to be publicly displayed; 6 (B) reveals a consumer’s racial or ethnic origin, national origin, 7 citizenship or immigration status, religious or philosophical beliefs, a mental or 8 physical health condition, diagnosis, disability or treatment, status as pregnant, 9 income level or indebtedness, or union membership; 10 (C) reveals a consumer’s sexual orientation, sex life, sexuality, or 11 status as transgender or nonbinary; 12 (D) reveals a consumer’s status as a victim of a crime; 13 (E) is a consumer’s tax return and account number, financial account 14 log-in, financial account, debit card number, or credit card number in 15 combination with any required security or access code, password, or 16 credentials allowing access to an account; 17 (F) is consumer health data; 18 (G) is collected and analyzed concerning consumer health data that 19 describes or reveals a past, present, or future mental or physical health 20 condition, treatment, disability, or diagnosis, including pregnancy, to the extent 21 BILL AS INTRODUCED H.208 2025 Page 18 of 65 VT LEG #378938 v.1 the personal data is used by the controller for a purpose other than to identify a 1 specific consumer’s physical or mental health condition or diagnosis; 2 (H) is biometric or genetic data; 3 (I) is collected from a consumer that a controller knew or should have 4 known is a minor; 5 (J) is precise geolocation data; 6 (K) are keystrokes; 7 (L) is driving behavior; 8 (M) is neural data; or 9 (N) are the online activities of a consumer over time and across 10 devices, websites, online applications, and mobile applications, that do not 11 share common branding, or data generated by, profiling performed on such 12 data. 
13 (57)(A) “Targeted advertising” means displaying or presenting an online 14 advertisement to a consumer or to a device identified by a unique persistent 15 identifier, if the advertisement is selected based, in whole or in part, on known 16 or predicted preferences, characteristics, behavior, or interests associated with 17 the consumer or a device identified by a unique persistent identifier. “Targeted 18 advertising” includes displaying or presenting an online advertisement for a 19 product or service based on the previous interaction of a consumer or a device 20 identified by a unique persistent identifier with such product or service on a 21 BILL AS INTRODUCED H.208 2025 Page 19 of 65 VT LEG #378938 v.1 website or online service that does not share common branding with the 1 website or online service displaying or presenting the advertisement, and 2 marketing measurement related to such advertisements. 3 (B) “Targeted advertising” does not include: 4 (i) first-party advertising; or 5 (ii) contextual advertising. 6 (58) “Third party” means a person who collects personal data from 7 another person who is not the consumer to whom the data pertains and is not a 8 processor with respect to such data. “Third party” does not include a person 9 who collects personal data from another entity if the entities are affiliates. 10 (59) “Trade secret” has the same meaning as in section 4601 of this title. 
11 (60)(A) “Unique persistent identifier” means a technologically created 12 identifier to the extent that such identifier is reasonably linkable to a consumer 13 or a device that identifies or is linked or reasonably linkable to one or more 14 consumers, including device identifiers, internet protocol addresses, cookies, 15 beacons, pixel tags, mobile ad identifiers or similar technology customer 16 numbers, unique pseudonyms, user aliases, telephone numbers, or other forms 17 of persistent or probabilistic identifiers that are linked or reasonably linkable to 18 one or more consumers or devices. 19 (B) “Unique persistent identifier” does not include an identifier 20 assigned by a controller for the sole purpose of giving effect to the exercise of 21 BILL AS INTRODUCED H.208 2025 Page 20 of 65 VT LEG #378938 v.1 affirmative consent or opt out by a consumer with respect to the collection or 1 processing of personal data or otherwise limiting the collection or processing 2 of personal data. 3 (61) “Victim services organization” means a nonprofit organization that 4 is established to provide services to victims or witnesses of child abuse, 5 domestic violence, human trafficking, sexual assault, violent felony, or 6 stalking. 7 § 2416. APPLICABILITY 8 (a) Except as provided in subsection (b) of this section, this chapter applies 9 to a person who conducts business in this State or a person who produces 10 products or services that are targeted to residents of this State and that during 11 the preceding calendar year: 12 (1) controlled or processed the personal data of not fewer than 25,000 13 consumers, excluding personal data controlled or processed solely for the 14 purpose of completing a payment transaction; or 15 (2) controlled or processed the personal data of not fewer than 12,500 16 consumers and derived more than 25 percent of the person’s gross revenue 17 from the sale of personal data. 
18 (b) Section 2425 of this chapter and the provisions of this chapter 19 concerning consumer health data and consumer health data controllers apply to 20 BILL AS INTRODUCED H.208 2025 Page 21 of 65 VT LEG #378938 v.1 a person who conducts business in this State or a person who produces 1 products or services that are targeted to residents of this State. 2 § 2417. EXEMPTIONS 3 (a) This chapter does not apply to: 4 (1) a federal, state, tribal, or local government entity in the ordinary 5 course of its operation; 6 (2) protected health information under HIPAA; 7 (3) patient–identifying information, for purposes of 42 U.S.C. 8 § 290DD–2; 9 (4)(A) information to the extent it is used for public health, community 10 health, or population health activities and purposes, as authorized by HIPAA, 11 when provided by or to a covered entity or when provided by or to a business 12 associate in accordance with the business associate agreement with a covered 13 entity; 14 (B) information that is a health care record, as that term is defined in 15 18 V.S.A. § 9419, if the information is held by an entity that is a covered entity 16 or business associate under HIPAA because it collects, uses, or discloses 17 protected health information; 18 (C) information that is de-identified in accordance with the 19 requirements for de-identification set forth in 45 C.F.R. 164.514 and that is 20 BILL AS INTRODUCED H.208 2025 Page 22 of 65 VT LEG #378938 v.1 derived from individually identifiable health information as described in 1 HIPAA; and 2 (D) personal information consistent with the human subject 3 protection requirements of the U.S. Food and Drug Administration; 4 (5) information used only for public health activities and purposes 5 described in 45 C.F.R. 
§ 164.512 (disclosure of protected health information 6 without authorization); 7 (6) information that identifies a consumer in connection with: 8 (A) activities that are subject to the Federal Policy for the Protection 9 of Human Subjects, codified as 45 C.F.R. Part 46 (HHS protection of human 10 subjects) and in various other federal regulations; 11 (B) activities that are subject to the protections provided in 21 C.F.R. 12 Parts 50 (FDA clinical investigations protection of human subjects) and 13 56 (FDA clinical investigations institutional review boards); or 14 (C) research conducted in accordance with the requirements set forth 15 in subdivisions (A) and (B) of this subdivision (a)(6) or otherwise in 16 accordance with applicable law; 17 (7) patient identifying information that is collected and processed in 18 accordance with 42 C.F.R. Part 2 (confidentiality of substance use disorder 19 patient records); 20 BILL AS INTRODUCED H.208 2025 Page 23 of 65 VT LEG #378938 v.1 (8) patient safety work product that is created and used for purposes of 1 patient safety improvement in accordance with 42 C.F.R. § 3, established in 2 accordance with 42 U.S.C. §§ 299b–21 through 299b–26; 3 (9) information or documents created for the purposes of the Healthcare 4 Quality Improvement Act of 1986, 42 U.S.C. § 11101–11152, and regulations 5 adopted to implement that act; 6 (10) information processed or maintained solely in connection with, and 7 for the purpose of, enabling notice of an emergency to persons that an 8 individual specifies; 9 (11) any activity that involves collecting, maintaining, disclosing, 10 selling, communicating, or using information for the purpose of evaluating a 11 consumer’s creditworthiness, credit standing, credit capacity, character, 12 general reputation, personal characteristics, or mode of living if done strictly in 13 accordance with the provisions of the Fair Credit Reporting Act, 15 U.S.C. 
§ 1681–1681x, as may be amended, by:
    (A) a consumer reporting agency;
    (B) a person who furnishes information to a consumer reporting agency under 15 U.S.C. § 1681s-2 (responsibilities of furnishers of information to consumer reporting agencies); or
    (C) a person who uses a consumer report as provided in 15 U.S.C. § 1681b(a)(3) (permissible purposes of consumer reports);
  (12) information collected, processed, sold, or disclosed under and in accordance with the following laws and regulations:
    (A) the Driver’s Privacy Protection Act of 1994, 18 U.S.C. § 2721–2725;
    (B) data that is subject to the Family Educational Rights and Privacy Act, 20 U.S.C. § 1232g, and regulations adopted to implement that act;
    (C) data that is subject to the Airline Deregulation Act, Pub. L. No. 95-504, only to the extent that an air carrier collects information related to prices, routes, or services, and only to the extent that the provisions of the Airline Deregulation Act preempt this chapter;
    (D) data that is subject to the Farm Credit Act, Pub. L. No. 92-181, as may be amended;
    (E) data that is subject to federal policy under 21 U.S.C. § 830 (regulation of listed chemicals and certain machines);
  (13) nonpublic personal information that is processed by a financial institution subject to the Gramm-Leach-Bliley Act, Pub. L. No. 106-102, and regulations adopted to implement that act;
  (14) a state or federally chartered bank or credit union, or an affiliate or subsidiary that is principally engaged in financial activities, as described in 18 U.S.C. § 1843(k);
  (15) a person regulated pursuant to 8 V.S.A. part 3 (chapters 101–165) other than a person who, alone or in combination with another person, establishes and maintains a self-insurance program and who does not otherwise engage in the business of entering into policies of insurance;
  (16) a third-party administrator, as that term is defined in the Third Party Administrator Rule adopted pursuant to 18 V.S.A. § 9417;
  (17) personal data of a victim or witness of child abuse, domestic violence, human trafficking, sexual assault, violent felony, or stalking that a victim services organization collects, processes, or maintains in the course of its operation;
  (18) a nonprofit organization that is established to detect and prevent fraudulent acts in connection with insurance;
  (19) information that is processed for purposes of compliance, enrollment or degree verification, or research services by a nonprofit organization that is established to provide enrollment data reporting services on behalf of postsecondary schools as that term is defined in 16 V.S.A. § 176; or
  (20) noncommercial activity of:
    (A) a publisher, editor, reporter, or other person who is connected with or employed by a newspaper, magazine, periodical, newsletter, pamphlet, report, or other publication in general circulation;
    (B) a radio or television station that holds a license issued by the Federal Communications Commission;
    (C) a nonprofit organization that provides programming to radio or television networks; or
    (D) a press association or wire service.
(b) Controllers, processors, and consumer health data controllers that comply with the verifiable parental consent requirements of COPPA shall be deemed compliant with any obligation to obtain parental consent pursuant to this chapter.

§ 2418. CONSUMER PERSONAL DATA RIGHTS
(a) A consumer shall have the right to:
  (1) confirm whether a controller is processing the consumer’s personal data and, if a controller is processing the consumer’s personal data, access the personal data;
  (2) know whether a consumer’s personal data is or will be used in any artificial intelligence system and for what purpose;
  (3) obtain from a controller a list of third parties to which the controller has disclosed the consumer’s personal data or, if the controller does not maintain this information in a format specific to the consumer, a list of third parties to which the controller has disclosed personal data;
  (4) correct inaccuracies in the consumer’s personal data, taking into account the nature of the personal data and the purposes of the processing of the consumer’s personal data;
  (5) delete personal data, including derived data, provided by, or obtained about, the consumer unless retention of the personal data is required by law;
  (6) obtain a copy of the consumer’s personal data processed by the controller in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another controller without hindrance; and
  (7) opt out of the processing of personal data for purposes of:
    (A) targeted advertising;
    (B) the sale of personal data; or
    (C) profiling in furtherance of automated decisions that produce legal or similarly significant effects concerning the consumer.
(b)(1) A consumer may exercise rights under this section by submitting a request to a controller using the method that the controller specifies in the privacy notice under section 2419 of this title.
  (2) A controller shall not require a consumer to create an account for the purpose described in subdivision (1) of this subsection, but the controller may require the consumer to use an account the consumer previously created.
  (3) A parent or legal guardian may exercise rights under this section on behalf of the parent’s child or on behalf of a child for whom the guardian has legal responsibility. A guardian or conservator may exercise the rights under this section on behalf of a consumer that is subject to a guardianship, conservatorship, or other protective arrangement.
  (4)(A) A consumer may designate another person to act on the consumer’s behalf as the consumer’s authorized agent for the purpose of exercising the consumer’s rights under subdivision (a)(5) or (a)(7) of this section.
    (B) The consumer may designate an authorized agent by means of an internet link, browser setting, browser extension, global device setting, or other technology that enables the consumer to exercise the consumer’s rights under subdivision (a)(5) or (a)(7) of this section.
(c) Except as otherwise provided in this chapter, a controller shall comply with a request by a consumer to exercise the consumer rights authorized pursuant to this chapter as follows:
  (1)(A) A controller shall respond to the consumer without undue delay, but not later than 45 days after receipt of the request.
    (B) The controller may extend the response period by 45 additional days when reasonably necessary, considering the complexity and number of the consumer’s requests, provided the controller informs the consumer of the extension within the initial 45-day response period and of the reason for the extension.
    (C) If the consumer appointed an agent, the controller shall interact with the agent throughout the process and, with the exclusion of a data access request, not require the consumer to be involved in the fulfillment of the request.
  (2) If a controller declines to take action regarding the consumer’s request, the controller shall inform the consumer without undue delay, but not later than 45 days after receipt of the request, of the justification for declining to take action and instructions for how to appeal the decision.
  (3)(A) Information provided in response to a consumer request shall be provided by a controller, free of charge, once per consumer during any 12-month period or after every time the controller makes material changes to its personal data practices and policies.
    (B) If requests from a consumer are manifestly unfounded, excessive, or repetitive, the controller may charge the consumer a reasonable fee to cover the administrative costs of complying with the request or decline to act on the request.
    (C) The controller bears the burden of demonstrating the manifestly unfounded, excessive, or repetitive nature of the request.
    (D) When a controller determines a consumer request is manifestly unfounded, excessive, or repetitive, the controller shall inform the consumer and share the controller’s justification prior to disregarding the request or charging the consumer a processing fee. That notice shall include instructions for appealing the decision.
  (4)(A) If a controller is unable to authenticate a request to exercise any of the rights afforded under subdivisions (a)(1)–(6) of this section, the controller shall not be required to comply with a request to initiate an action pursuant to this section and shall provide notice to the consumer or the consumer’s agent that the controller is unable to authenticate the request to exercise the right or rights until the consumer provides additional information reasonably necessary to authenticate the consumer and the consumer’s request to exercise the right or rights.
    (B) A controller shall not require authentication to exercise an opt-out request, but a controller may deny an opt-out request if the controller has a good faith, reasonable, and documented belief that the request is fraudulent.
    (C) If a controller denies an opt-out request because the controller believes the request is fraudulent, the controller shall send a notice to the person who made the request disclosing that the controller believes the request is fraudulent, why the controller believes the request is fraudulent, and that the controller shall not comply with the request. If the request was placed through an agent, both the agent and the person who appointed the agent shall receive that notice.
  (5) A controller shall not condition the exercise of a right under this section through:
    (A) the use of any false, fictitious, fraudulent, or materially misleading statement or representation; or
    (B) the employment of any dark pattern.
(d) A controller shall establish a process by means of which a consumer may appeal the controller’s refusal to take action on a request under subsection (b) of this section. The controller’s process shall:
  (1) Allow a reasonable period of time after the consumer receives the controller’s refusal within which to appeal.
  (2) Be conspicuously available to the consumer.
  (3) Be similar to the manner in which a consumer must submit a request under subsection (b) of this section.
  (4) Require the controller to approve or deny the appeal within 45 days after the date on which the controller received the appeal and to notify the consumer in writing of the controller’s decision and the reasons for the decision. If the controller denies the appeal, the notice must provide or specify information that enables the consumer to contact the Attorney General to submit a complaint.
(e) Nothing in this section shall be construed to require a controller to reveal a trade secret.
(f) In response to a consumer request under subdivision (a)(1) of this section, a controller shall not disclose the following information about a consumer, but shall instead inform the consumer with sufficient particularity that the controller has collected that type of information:
  (1) Social Security number;
  (2) driver’s license number or other government-issued identification number;
  (3) financial account number;
  (4) health insurance account number or medical identification number;
  (5) account password, security questions, or answers; or
  (6) biometric data.
(g)(1) A controller may use the following types of information to display a contextual advertisement:
    (A) technical specifications as are necessary for the ad to be delivered and displayed properly on a given device;
    (B) a consumer’s immediate presence in a geographic area with a radius not smaller than 10 miles, or an area reasonably estimated to include online activity from at least 5,000 users, but not including precise geolocation data; and
    (C) the consumer’s language preferences, as inferred from context, browser settings, or user settings.
  (2) A controller using information pursuant to subdivision (1) of this subsection to display a contextual advertisement shall not use that information to make inferences about a consumer, profile a consumer, or for any other purpose, and the controller shall not prohibit a consumer from using technical means to obfuscate or change a consumer’s physical location to specify a language preference.

§ 2419. DUTIES OF CONTROLLERS
(a) A controller shall:
  (1) limit the collection and processing of personal data to what is reasonably necessary and proportionate to provide or maintain:
    (A) a specific product or service requested by the consumer to whom the data pertains; and
    (B) a communication, that is not an advertisement, by the controller to the consumer that is reasonably anticipated within the context of the relationship between the controller and the consumer;
  (2) establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data appropriate to the volume and nature of the personal data at issue, including disposing of personal data in accordance with a retention schedule that requires the deletion of personal data when the data is required to be deleted by law or is no longer necessary for the purpose for which the data was collected or processed; and
  (3) provide an effective mechanism for a consumer to withdraw consent provided pursuant to this chapter that is at least as easy as the mechanism by which the consumer provided the consent.
(b)(1) A controller that offers any online service, product, or feature to a consumer whom the controller knows is a minor shall:
    (A) use reasonable care to avoid any heightened risk of harm to minors caused by processing of personal data in the course of providing the online service, product, or feature;
    (B) provide to the minor a conspicuous signal indicating that the controller is collecting the minor’s precise geolocation data and make the signal available to the minor for the entire duration of the collection of the minor’s precise geolocation data; and
    (C) not process the personal data of a minor for the purposes of targeted advertising or sell the personal data of a minor.
  (2) For purposes of this subsection, “knows” means a controller knew or should have known the consumer is a minor, including based on:
    (A) information collected about the age of the consumer; or
    (B) any age or closely related proxy the business knows or has inferred, derived, attributed to, or associated with the consumer for any purpose, including marketing, advertising, or product development.
  (3) Nothing in this chapter shall be construed to require:
    (A) the affirmative collection of any personal data with respect to the age of users that a controller is not already collecting in the normal course of business; or
    (B) a controller to implement an age gating or age verification functionality.
(c) A controller shall not:
  (1) process sensitive data concerning a consumer except when the processing is strictly necessary to provide or maintain a specific product or service requested by the consumer to whom the sensitive data pertains;
  (2) sell sensitive data;
  (3) discriminate or retaliate against a consumer who exercises a right provided to the consumer under this chapter or refuses to consent to the processing of personal data for a separate product or service, including by:
    (A) denying goods or services;
    (B) charging different prices or rates for goods or services; or
    (C) providing a different level of quality or selection of goods or services to the consumer;
  (4) process personal data in violation of State or federal laws that prohibit unlawful discrimination; or
  (5)(A) except as provided in subdivision (B) of this subdivision (5), process a consumer’s personal data in a manner that discriminates against individuals or otherwise makes unavailable the equal enjoyment of goods or services on the basis of an individual’s actual or perceived race, color, sex, sexual orientation or gender identity, physical or mental disability, religion, ancestry, or national origin;
    (B) subdivision (A) of this subdivision (5) shall not apply to:
      (i) a private establishment, as that term is used in 42 U.S.C. § 2000a(e) (prohibition against discrimination or segregation in places of public accommodation);
      (ii) processing for the purpose of a controller’s or processor’s self-testing to prevent or mitigate unlawful discrimination or otherwise to ensure compliance with State or federal law; or
      (iii) processing for the purpose of diversifying an applicant, participant, or consumer pool.
(d) Subsections (a)–(c) of this section shall not be construed to:
  (1) require a controller to provide a good or service that requires personal data from a consumer that the controller does not collect or maintain; or
  (2) prohibit a controller from offering a different price, rate, level of quality, or selection of goods or services to a consumer, including an offer for no fee or charge, in connection with a consumer’s participation, with consent, in a financial incentive program, such as a bona fide loyalty, rewards, premium features, discount, or club card program, provided that the controller may not transfer personal data to a third party as part of the program unless:
    (A) the transfer is necessary to enable the third party to provide a benefit to which the consumer is entitled; and
    (B)(i) the terms of the program clearly disclose that personal data will be transferred to the third party or to a category of third parties of which the third party belongs; and
      (ii) the third party uses the personal data only for purposes of facilitating a benefit to which the consumer is entitled and does not process or transfer the personal data for any other purpose.
(e) The sale of personal data shall not be considered functionally necessary to provide a financial incentive program. A controller shall not use financial incentive practices that are unjust, unreasonable, coercive, or usurious in nature.
(f)(1) A controller shall provide to consumers a reasonably accessible, clear, and meaningful privacy notice that:
    (A) lists the categories of personal data, including the categories of sensitive data, that the controller processes with a clear description of what data each category includes;
    (B) describes the controller’s purposes for processing each category of personal data the controller processes in a way that gives consumers a meaningful understanding of how each category of their personal data will be used;
    (C) describes how a consumer may exercise the consumer’s rights under this chapter, including how a consumer may appeal a controller’s denial of a consumer’s request under section 2418 of this title;
    (D) lists all categories of personal data, including the categories of sensitive data, that the controller sells or shares with third parties;
    (E) describes all categories of third parties with which the controller sells or shares personal data at a level of detail that enables the consumer to understand what type of entity each third party is and, to the extent possible, how each third party may process personal data;
    (F) describes the length of time the controller intends to retain each category of personal data or, if it is not possible to identify the length of time, the criteria used to determine the length of time the controller intends to retain categories of personal data;
    (G) specifies an email address or other online method by which a consumer can contact the controller that the controller actively monitors;
    (H) identifies the controller, including any business name under which the controller registered with the Secretary of State and any assumed business name that the controller uses in this State;
    (I) describes any collection, processing, selling, or sharing of personal data for training or use of artificial intelligence systems, if applicable;
    (J) provides a clear and conspicuous description of any processing of personal data in which the controller engages for the purposes of targeted advertising, sale of personal data to third parties, or profiling the consumer in furtherance of decisions that produce legal or similarly significant effects concerning the consumer, and a procedure by which the consumer may opt out of this type of processing; and
    (K) describes the method or methods the controller has established for a consumer to submit a request under subdivision 2418(b)(1) of this title.
  (2) The privacy notice shall adhere to the accessibility and usability guidelines recommended under 42 U.S.C. chapter 126 (the Americans with Disabilities Act) and 29 U.S.C. § 794d (section 508 of the Rehabilitation Act of 1973), including ensuring readability for individuals with disabilities across various screen resolutions and devices and employing design practices that facilitate easy comprehension and navigation for all users.
  (3) Whenever a controller makes a material change to the controller’s privacy notice or practices, the controller must notify consumers affected by the material change with respect to any prospectively collected personal data and provide a reasonable opportunity for consumers to withdraw consent to any further materially different transfer of previously collected personal data under the changed policy. The controller shall take all reasonable electronic measures to provide notification regarding material changes to affected consumers, taking into account available technology and the nature of the relationship.
  (4) A controller is not required to provide a separate Vermont-specific privacy notice or section of a privacy notice if the controller’s general privacy notice contains all the information required by this subsection.
  (5) The privacy notice must be posted online through a conspicuous hyperlink using the word “privacy” or “surveillance,” or both words if applicable, on the controller’s website home page or on a mobile application’s app store page or download page. A controller that maintains an application on a mobile or other device shall also include a hyperlink to the privacy notice in the application’s settings menu or in a similarly conspicuous and accessible location. A controller that does not operate a website shall make the privacy notice conspicuously available to consumers through a medium regularly used by the controller to interact with consumers, including email.
(g) The method or methods under subdivision (f)(1)(J) of this section for submitting a consumer’s request to a controller must:
  (1) take into account the ways in which consumers normally interact with the controller, the need for security and reliability in communications related to the request, and the controller’s ability to authenticate the identity of the consumer that makes the request;
  (2) provide a clear and conspicuous link to a website where the consumer or an authorized agent may opt out from a controller’s processing of the consumer’s personal data pursuant to subdivision 2418(a)(7) of this title or, solely if the controller does not have a capacity needed for linking to a web page, provide another method the consumer can use to opt out, which may include an internet hyperlink clearly labeled “Your Opt-Out Rights” or “Your Privacy Rights” that directly effectuates the opt-out request or takes consumers to a web page where the consumer can make the opt-out request; and
  (3) allow a consumer or authorized agent to send a signal to the controller that indicates the consumer’s preference to opt out of the sale of personal data or targeted advertising pursuant to subdivision 2418(a)(7) of this title by means of a platform, technology, or mechanism that:
    (A) is consumer friendly and easy for an average consumer to use;
    (B)(i) enables the controller to reasonably determine whether the consumer has made a legitimate request pursuant to subsection 2418(b) of this title to opt out pursuant to subdivision 2418(a)(7) of this title; and
      (ii) for purposes of subdivision (i) of this subdivision (B), use of an internet protocol address to estimate the consumer’s location may be considered sufficient to accurately determine residency.
(h) If a consumer or authorized agent uses a method under subdivision (f)(1)(J) of this section to opt out of a controller’s processing of the consumer’s personal data pursuant to subdivision 2418(a)(7) of this title and the decision conflicts with a consumer’s existing controller-specific privacy setting or voluntary participation in a bona fide reward, club card, or loyalty program or a program that provides premium features or discounts, the controller shall comply with the consumer’s opt-out preference signal but may notify the consumer of the conflict and provide to the consumer the choice to confirm the controller-specific privacy setting or participation in the program.

§ 2420. DUTIES OF PROCESSORS
(a) A processor shall adhere to a controller’s instructions and shall assist the controller in meeting the controller’s obligations under this chapter.
In assisting the controller, the processor must:
  (1) enable the controller to respond to requests from consumers pursuant to subsection 2418(b) of this title by means that:
    (A) take into account how the processor processes personal data and the information available to the processor; and
    (B) use appropriate technical and organizational measures to the extent reasonably practicable;
  (2) adopt administrative, technical, and physical safeguards that are reasonably designed to protect the security and confidentiality of the personal data the processor processes, taking into account how the processor processes the personal data and the information available to the processor; and
  (3) provide information reasonably necessary for the controller to conduct and document data protection assessments.
(b) Processing by a processor must be governed by a contract between the controller and the processor. The contract must:
  (1) be valid and binding on both parties;
  (2) set forth clear instructions for processing data, the nature and purpose of the processing, the type of data that is subject to processing, limitations, and the duration of the processing;
  (3) specify the rights and obligations of both parties with respect to the subject matter of the contract;
  (4) ensure that each person that processes personal data is subject to a duty of confidentiality with respect to the personal data;
  (5) require the processor to delete the personal data or return the personal data to the controller at the controller’s direction or at the end of the provision of services, unless a law requires the processor to retain the personal data;
  (6) require the processor to make available to the controller, at the controller’s request, all information the controller needs to verify that the processor has complied with all obligations the processor has under this chapter;
  (7) require the processor to enter into a subcontract with a person the processor engages to assist with processing personal data on the controller’s behalf and in the subcontract require the subcontractor to meet the processor’s obligations concerning personal data;
  (8)(A) allow the controller, the controller’s designee, or a qualified and independent person the processor engages, in accordance with an appropriate and accepted control standard, framework, or procedure, to assess the processor’s policies and technical and organizational measures for complying with the processor’s obligations under this chapter;
    (B) require the processor to cooperate with the assessment; and
    (C) at the controller’s request, report the results of the assessment to the controller;
  (9) prohibit the processor from combining personal data obtained from the controller with personal data that the processor:
    (A) receives from or on behalf of another controller or person; or
    (B) collects directly from an individual; and
  (10) require the processor to adhere to equivalent or greater de-identification standards.
(c) This section does not relieve a controller or processor from any liability that accrues under this chapter as a result of the controller’s or processor’s actions in processing personal data.
(d)(1) For purposes of determining obligations under this chapter, a person is a controller with respect to processing a set of personal data and is subject to an action under section 2424 of this title to punish a violation of this chapter, if the person:
    (A) does not adhere to a controller’s instructions to process the personal data; or
    (B) begins at any point to determine the purposes and means for processing the personal data, alone or in concert with another person.
  (2) A determination under this subsection is a fact-based determination that must take account of the context in which a set of personal data is processed.
  (3) A processor that adheres to a controller’s instructions with respect to a specific processing of personal data remains a processor.

§ 2421. DATA PROTECTION ASSESSMENTS FOR PROCESSING ACTIVITIES THAT PRESENT A HEIGHTENED RISK OF HARM TO A CONSUMER
(a) A controller shall conduct and document a data protection assessment for each of the controller’s processing activities that presents a heightened risk of harm to a consumer, which, for the purposes of this section, includes:
  (1) the processing of personal data for the purposes of targeted advertising;
  (2) the sale of personal data;
  (3) the processing of personal data for the purposes of profiling, where the profiling presents a reasonably foreseeable risk of:
    (A) unfair or deceptive treatment of, or unlawful disparate impact on, consumers;
    (B) financial, physical, or reputational injury to consumers;
    (C) a physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumers, where the intrusion would be offensive to a reasonable person; or
    (D) other substantial injury to consumers; and
  (4) the processing of sensitive data.
(b)(1) Data protection assessments conducted pursuant to subsection (a) of this section shall:
    (A) identify the categories of personal data processed, the purposes for processing the personal data, and whether the personal data is being transferred to third parties; and
    (B) identify and weigh the benefits that may flow, directly and indirectly, from the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the consumer associated with the processing, as mitigated by safeguards that can be employed by the controller to reduce the risks.
  (2) The controller shall factor into any data protection assessment the use of de-identified data and the reasonable expectations of consumers, as well as the context of the processing and the relationship between the controller and the consumer whose personal data will be processed.
(c)(1) The Attorney General may require that a controller disclose any data protection assessment that is relevant to an investigation conducted by the Attorney General pursuant to section 2424 of this title, and the controller shall make the data protection assessment available to the Attorney General.
  (2) The Attorney General may evaluate the data protection assessment for compliance with the responsibilities set forth in this chapter.
  (3) Data protection assessments shall be confidential and shall be exempt from disclosure and copying under the Public Records Act.
  (4) To the extent any information contained in a data protection assessment disclosed to the Attorney General includes information subject to attorney-client privilege or work product protection, the disclosure shall not constitute a waiver of the privilege or protection.
(d) A single data protection assessment may address a comparable set of processing operations that present a similar heightened risk of harm.
(e) If a controller conducts a data protection assessment for the purpose of complying with another applicable law or regulation, the data protection assessment shall be deemed to satisfy the requirements established in this section if the data protection assessment is reasonably similar in scope and effect to the data protection assessment that would otherwise be conducted pursuant to this section.
(f) A controller shall update the data protection assessment as often as appropriate considering the type, amount, and sensitivity of personal data collected or processed and level of risk presented by the processing throughout the processing activity’s lifecycle in order to:
  (1) monitor for harm caused by the processing and adjust safeguards accordingly; and
  (2) ensure that data protection and privacy are considered as the controller makes new decisions with respect to the processing.
(g) A controller shall retain for at least three years all data protection assessments the controller conducts under this section.

§ 2422. DE-IDENTIFIED DATA
(a) A controller in possession of de-identified data shall:
  (1) take reasonable measures to ensure that the data cannot be used to reidentify an identified or identifiable individual or be associated with an individual or device that identifies or is linked or reasonably linkable to an individual or household;
  (2) publicly commit to maintaining and using de-identified data without attempting to reidentify the data; and
  (3) contractually obligate any recipients of the de-identified data to comply with the provisions of this chapter.
(b) This section does not prohibit a controller from attempting to reidentify de-identified data solely for the purpose of testing the controller’s methods for de-identifying data.
(c) This chapter shall not be construed to require a controller or processor to:
(1) reidentify de-identified data; or
(2) maintain data in identifiable form, or collect, obtain, retain, or access any data or technology, in order to associate a consumer with personal data in order to authenticate the consumer’s request under subsection 2418(b) of this title; or
(3) comply with an authenticated consumer rights request if the controller:
(A) is not reasonably capable of associating the request with the personal data or it would be unreasonably burdensome for the controller to associate the request with the personal data; and
(B) does not use the personal data to recognize or respond to the specific consumer who is the subject of the personal data or associate the personal data with other personal data about the same specific consumer.
(d) A controller that discloses or transfers de-identified data shall exercise reasonable oversight to monitor compliance with any contractual commitments to which the de-identified data is subject and shall take appropriate steps to address any breaches of those contractual commitments.
§ 2423. CONSTRUCTION OF DUTIES OF CONTROLLERS AND PROCESSORS
(a) This chapter shall not be construed to restrict a controller’s, processor’s, or consumer health data controller’s ability to:
(1) comply with federal, state, or municipal laws, ordinances, or regulations, except as prohibited by 1 V.S.A. § 150;
(2) comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, municipal, or other governmental authorities;
(3) cooperate with law enforcement agencies concerning conduct or activity that the controller, processor, or consumer health data controller reasonably and in good faith believes may violate federal, state, or municipal laws, ordinances, or regulations;
(4) carry out obligations under a contract under subsection 2420(b) of this title for a federal or State agency or local unit of government;
(5) investigate, establish, exercise, prepare for, or defend legal claims;
(6) provide a product or service specifically requested by the consumer to whom the personal data pertains consistent with section 2419 of this title;
(7) perform under a contract to which a consumer is a party, including fulfilling the terms of a written warranty;
(8) take steps at the request of a consumer prior to entering into a contract;
(9) take immediate steps to protect an interest that is essential for the life or physical safety of the consumer or another individual, and where the processing cannot be manifestly based on another legal basis;
(10) prevent, detect, protect against, or respond to a network security or physical security incident, including an intrusion or trespass, medical alert, or fire alarm;
(11) prevent, detect, protect against, or respond to identity theft, fraud, harassment, malicious or deceptive activity, or any criminal activity targeted at or involving the controller or processor or its services, preserve the integrity or security of systems, or investigate, report, or prosecute those responsible for the action;
(12) assist another controller, processor, consumer health data controller, or third party with any of the obligations under this chapter;
(13) process personal data for reasons of public interest in the area of public health, community health, or population health, but solely to the extent that the processing is:
(A) subject to suitable and specific measures to safeguard the rights of the consumer whose personal data is being processed; and
(B) under the responsibility of a professional subject to confidentiality obligations under federal, state, or local law;
(14) effectuate a product recall; or
(15) process personal data previously collected in accordance with this chapter such that the personal data becomes de-identified data, including to:
(A) conduct internal research to develop, improve, or repair products, services, or technology;
(B) identify and repair technical errors that impair existing or intended functionality;
(C) perform internal operations that are reasonably aligned with the expectations of the consumer or reasonably anticipated based on the consumer’s existing relationship with the controller, or are otherwise compatible with processing data in furtherance of the provision of a product or service specifically requested by a consumer or the performance of a contract to which the consumer is a party; or
(D) conduct a public or peer-reviewed scientific, historical, or statistical research project that is in the public interest and adheres to all relevant laws and regulations governing such research, including regulations for the protection of human subjects.
(b)(1) The obligations imposed on controllers, processors, or consumer health data controllers under this chapter shall not apply where compliance by the controller, processor, or consumer health data controller with this chapter would violate an evidentiary privilege under the laws of this State.
(2) This chapter shall not be construed to prevent a controller, processor, or consumer health data controller from providing personal data concerning a consumer to a person covered by an evidentiary privilege under the laws of the State as part of a privileged communication.
(3) Nothing in this chapter modifies 2020 Acts and Resolves No. 166, Sec. 14 or authorizes the use of facial recognition technology by law enforcement.
(c)(1) A controller, processor, or consumer health data controller that discloses personal data to a processor or third-party controller pursuant to this chapter shall not be deemed to have violated this chapter if the processor or third-party controller that receives and processes the personal data violates this chapter, provided that at the time the disclosing controller, processor, or consumer health data controller disclosed the personal data, the disclosing controller, processor, or consumer health data controller did not have actual knowledge that the receiving processor or third-party controller would violate this chapter.
(2) A third-party controller or processor receiving personal data from a controller, processor, or consumer health data controller in compliance with this chapter is not in violation of this chapter for the transgressions of the controller, processor, or consumer health data controller from which the third-party controller or processor receives the personal data.
(d) This chapter shall not be construed to:
(1) impose any obligation on a controller, processor, or consumer health data controller that adversely affects the rights or freedoms of any person, including the rights of any person:
(A) to freedom of speech or freedom of the press guaranteed in the First Amendment to the U.S. Constitution; or
(B) under 12 V.S.A. § 1615;
(2) apply to any person’s processing of personal data in the course of the person’s solely personal or household activities;
(3) require an independent school as defined in 16 V.S.A. § 11(a)(8) or a private institution of higher education, as defined in 20 U.S.C. § 1001 et seq., to delete personal data or opt out of processing of personal data that would unreasonably interfere with the provision of education services by or the ordinary operation of the school or institution;
(4) require, for employee data, deletion of personal data that would unreasonably interfere with the ordinary business operations of the controller or unreasonably adversely affect the rights of another employee, including under this chapter or pursuant to the protections set forth in 21 V.S.A. chapter 5; or
(5) require, for processors acting on the behalf of a federal, State, tribal, or local government entity, deletion of personal data or opt out of the processing of personal data that would unreasonably interfere with the provision of government services by or the ordinary operation of a government entity.
(e)(1) Personal data processed by a controller or consumer health data controller pursuant to this section may be processed to the extent that the processing is:
(A)(i) reasonably necessary and proportionate to the purposes listed in this section; or
(ii) in the case of sensitive data, strictly necessary to the purposes listed in this section;
(B) adequate, relevant, and limited to what is necessary in relation to the specific purposes listed in this section; and
(C) compliant with the antidiscrimination provisions set forth in subdivision 2419(c)(5) of this title.
(2)(A) Personal data collected, used, or retained pursuant to subsection (b) of this section shall, where applicable, take into account the nature and purpose or purposes of the collection, use, or retention.
(B) Personal data collected, used, or retained pursuant to subsection (b) of this section shall be subject to reasonable administrative, technical, and physical measures to protect the confidentiality, integrity, and accessibility of the personal data and to reduce reasonably foreseeable risks of harm to consumers relating to the collection, use, or retention of personal data.
(f) If a controller or consumer health data controller processes personal data pursuant to an exemption in this section, the controller or consumer health data controller bears the burden of demonstrating that the processing qualifies for the exemption and complies with the requirements in subsection (e) of this section.
(g) This chapter shall not be construed to require a controller, processor, or consumer health data controller to implement an age-verification or age-gating system or otherwise affirmatively collect the age of consumers.
§ 2424. ENFORCEMENT; ATTORNEY GENERAL’S POWERS
(a) A person who violates this chapter or rules adopted pursuant to this chapter commits an unfair and deceptive act in commerce in violation of section 2453 of this title, and the Attorney General shall have exclusive authority to enforce such violations except as provided in subsection (d) of this section.
(b) The Attorney General has the same authority to adopt rules to implement the provisions of this section and to conduct civil investigations, enter into assurances of discontinuance, bring civil actions, and take other enforcement actions as provided under chapter 63, subchapter 1 of this title.
(c)(1) If the Attorney General determines that a violation of this chapter or rules adopted pursuant to this chapter may be cured, the Attorney General may, prior to initiating any action for the violation, issue a notice of violation extending a 60-day cure period to the controller, processor, or consumer health data controller alleged to have violated this chapter or rules adopted pursuant to this chapter.
(2) The Attorney General may, in determining whether to grant a controller, processor, or consumer health data controller the opportunity to cure an alleged violation described in subdivision (1) of this subsection, consider:
(A) the number of violations;
(B) the size and complexity of the controller, processor, or consumer health data controller;
(C) the nature and extent of the controller’s, processor’s, or consumer health data controller’s processing activities;
(D) the substantial likelihood of injury to the public;
(E) the safety of persons or property;
(F) whether the alleged violation was likely caused by human or technical error; and
(G) the sensitivity of the data.
(d)(1) The private right of action available to a consumer for violations of this chapter or rules adopted pursuant to this chapter shall be exclusively as provided under this subsection.
(2)(A) Subject to the requirements of subdivisions (3) and (4) of this subsection (d), a consumer who is harmed by a data broker’s or large data holder’s violation of subsection 2419(c) of this title or section 2425 of this title may bring an action under subsection 2461(b) of this title in Superior Court for:
(i) the greater of $5,000.00 or actual damages;
(ii) injunctive relief;
(iii) punitive damages, in the case of an intentional violation;
(iv) reasonable costs and attorney’s fees; and
(v) any other relief the court deems proper.
(B) No action may be taken under subsection 2461(b) of this title:
(i) for a violation of any provision of this chapter or rules adopted pursuant to this chapter other than what is specifically permitted in subdivision (A) of this subdivision (2); or
(ii) against a controller that is registered in the State and that earned less than $25 million in revenue in the previous calendar year.
(3) At least 65 days prior to the filing of any action pursuant to subdivision (2)(A) of this subsection, the consumer shall:
(A) only once notify the Attorney General of the alleged harm in a form and manner prescribed by the Attorney General, which, at minimum, shall require the name of the consumer and a reasonable description of the alleged violation and the harm suffered; and
(B) mail to the alleged violator a written demand letter that identifies the consumer and reasonably describes the alleged violation and the harm suffered, unless the alleged violator does not maintain a place of business in Vermont or does not keep assets in Vermont.
(4) Within 65 days after receiving the notice required by subdivision (3)(A) of this subsection, the Attorney General shall review the alleged harm to determine whether the claim is frivolous or nonfrivolous.
(A) If the Attorney General determines that the claim is frivolous, the Attorney General shall notify the consumer in writing, and the consumer is prohibited from proceeding with an action under subsection 2461(b) of this title for the alleged harm.
(B) If the Attorney General determines that the claim is nonfrivolous or does not issue a determination within 65 days after receiving notice, the consumer may proceed with an action pursuant to subdivision (2)(A) of this subsection (d).
(e) Annually, on or before February 1, the Attorney General shall submit a report to the General Assembly disclosing:
(1) the number of notices of violation the Attorney General has issued;
(2) the nature of each violation;
(3) the number of violations that were cured during the available cure period;
(4) the number of actions brought under subsection (d) of this section;
(5) the proportion of actions brought under subsection (d) of this section that proceed to trial;
(6) the data brokers or large data holders most frequently sued under subsection (d) of this section; and
(7) any other matter the Attorney General deems relevant for the purposes of the report.
§ 2425. CONFIDENTIALITY OF CONSUMER HEALTH DATA
Except as provided in subsections 2417(a) and (b) of this title and section 2423 of this title, no person shall:
(1) provide any employee or contractor with access to consumer health data unless the employee or contractor is subject to a contractual or statutory duty of confidentiality;
(2) provide any processor with access to consumer health data unless the person and processor comply with section 2420 of this title; or
(3) use a geofence to establish a virtual boundary that is within 1,850 feet of any health care facility, including any mental health facility or reproductive or sexual health facility, for the purpose of identifying, tracking, collecting data from, or sending any notification to a consumer regarding the consumer’s consumer health data.
Sec. 2. PUBLIC EDUCATION AND OUTREACH; ATTORNEY GENERAL STUDY
(a) The Attorney General shall implement a comprehensive public education, outreach, and assistance program for controllers and processors as those terms are defined in 9 V.S.A. § 2415. The program shall focus on:
(1) the requirements and obligations of controllers and processors under the Vermont Data Privacy and Online Surveillance Act;
(2) data protection assessments under 9 V.S.A. § 2421;
(3) enhanced protections that apply to children, minors, sensitive data, or consumer health data as those terms are defined in 9 V.S.A. § 2415;
(4) a controller’s obligations to law enforcement agencies and the Attorney General’s office;
(5) methods for conducting data inventories; and
(6) any other matters the Attorney General deems appropriate.
(b) The Attorney General shall provide guidance to controllers for establishing data privacy notices and opt-out mechanisms, which may be in the form of templates.
(c) The Attorney General shall implement a comprehensive public education, outreach, and assistance program for consumers as that term is defined in 9 V.S.A. § 2415. The program shall focus on:
(1) the rights afforded consumers under the Vermont Data Privacy and Online Surveillance Act, including:
(A) the methods available for exercising data privacy rights; and
(B) the opt-out mechanism available to consumers;
(2) the obligations controllers have to consumers;
(3) different treatment of children, minors, and other consumers under the Act, including the different consent mechanisms in place for children and other consumers;
(4) understanding a privacy notice provided under the Act;
(5) the different enforcement mechanisms available under the Act, including the consumer’s private right of action; and
(6) any other matters the Attorney General deems appropriate.
(d) The Attorney General shall cooperate with states with comparable data privacy regimes to develop any outreach, assistance, and education programs, where appropriate.
(e) The Attorney General may have the assistance of the Vermont Law and Graduate School in developing education, outreach, and assistance programs under this section.
(f) On or before December 15, 2027, the Attorney General shall assess the effectiveness of the implementation of the Act and submit a report to the House Committee on Commerce and Economic Development, the House Committee on Energy and Digital Infrastructure, the Senate Committee on Economic Development, Housing and General Affairs, and the Senate Committee on Institutions with its findings and recommendations, including any proposed draft legislation to address issues that have arisen since implementation.
Sec. 3. 9 V.S.A. § 2416(a) is amended to read:
(a) Except as provided in subsection (b) of this section, this chapter applies to a person that conducts business in this State or a person that produces products or services that are targeted to residents of this State and that during the preceding calendar year:
(1) controlled or processed the personal data of not fewer than 25,000 12,500 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or
(2) controlled or processed the personal data of not fewer than 12,500 6,250 consumers and derived more than 25 20 percent of the person’s gross revenue from the sale of personal data.
Sec. 4. 9 V.S.A. § 2416(a) is amended to read:
(a) Except as provided in subsection (b) of this section, this chapter applies to a person that conducts business in this State or a person that produces products or services that are targeted to residents of this State and that during the preceding calendar year:
(1) controlled or processed the personal data of not fewer than 12,500 6,250 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or
(2) controlled or processed the personal data of not fewer than 6,250 3,125 consumers and derived more than 20 percent of the person’s gross revenue from the sale of personal data.
Sec. 5. EFFECTIVE DATES
(a) This section and Sec. 2 (public education and outreach) shall take effect on July 1, 2025.
(b) Sec. 1 (Vermont Data Privacy and Online Surveillance Act) shall take effect on July 1, 2026.
(c) Sec. 3 (Vermont Data Privacy Online Surveillance Act middle applicability threshold) shall take effect on July 1, 2027.
(d) Sec. 4 (Vermont Data Privacy Online Surveillance Act low applicability threshold) shall take effect on July 1, 2028.