VT
Vermont House Bill H0210

Vermont 2025-2026 Regular Session

Vermont House Bill H0210 Compare Versions

Only one version of the bill is available at this time.
OldNewDifferences
11 BILL AS INTRODUCED H.210
22 2025 Page 1 of 24
33
44
55 VT LEG #378939 v.1
66 H.210 1
77 Introduced by Representatives Priestley of Bradford, Marcotte of Coventry, 2
88 Arsenault of Williston, Austin of Colchester, Berbeco of 3
99 Winooski, Bos-Lun of Westminster, Bosch of Clarendon, 4
1010 Boutin of Barre City, Boyden of Cambridge, Brown of 5
1111 Richmond, Burke of Brattleboro, Burrows of West Windsor, 6
1212 Campbell of St. Johnsbury, Carris-Duncan of Whitingham, 7
1313 Casey of Montpelier, Chapin of East Montpelier, Cina of 8
1414 Burlington, Cole of Hartford, Cordes of Bristol, Donahue of 9
1515 Northfield, Duke of Burlington, Eastes of Guilford, Goldman of 10
1616 Rockingham, Graning of Jericho, Greer of Bennington, Harple 11
1717 of Glover, Headrick of Burlington, Holcombe of Norwich, 12
1818 Krasnow of South Burlington, Lalley of Shelburne, Lipsky of 13
1919 Stowe, Masland of Thetford, McCann of Montpelier, McGill of 14
2020 Bridport, Micklus of Milton, Mihaly of Calais, Minier of South 15
2121 Burlington, Mrowicki of Putney, Nugent of South Burlington, 16
2222 O’Brien of Tunbridge, Ode of Burlington, Olson of Starksboro, 17
2323 Pezzo of Colchester, Pouech of Hinesburg, Rachelson of 18
2424 Burlington, Satcowitz of Randolph, Sibilia of Dover, Stevens of 19
2525 Waterbury, Surprenant of Barnard, Tomlinson of Winooski, 20 BILL AS INTRODUCED H.210
2626 2025 Page 2 of 24
2727
2828
2929 VT LEG #378939 v.1
3030 Torre of Moretown, Waszazak of Barre City, and White of 1
3131 Bethel 2
3232 Referred to Committee on 3
3333 Date: 4
3434 Subject: Commerce and trade; protection of personal information; privacy of 5
3535 minors 6
3636 Statement of purpose of bill as introduced: This bill proposes to require that 7
3737 any covered business that develops and provides online services, products, or 8
3838 features that children are reasonably likely to access must not use abusive or 9
3939 privacy-invasive design features on children. 10
4040 An act relating to an age-appropriate design code 11
4141 It is hereby enacted by the General Assembly of the State of Vermont: 12
4242 Sec. 1. 9 V.S.A. chapter 62, subchapter 6 is added to read: 13
4343 Subchapter 6. Vermont Age-Appropriate Design Code Act 14
4444 § 2449a. DEFINITIONS 15
4545 As used in this subchapter: 16
4646 (1)(A) “Affiliate” means a legal entity that shares common branding 17
4747 with another legal entity or controls, is controlled by, or is under common 18
4848 control with another legal entity. 19 BILL AS INTRODUCED H.210
4949 2025 Page 3 of 24
5050
5151
5252 VT LEG #378939 v.1
5353 (B) As used in subdivision (A) of this subdivision (1), “control” or 1
5454 “controlled” means: 2
5555 (i) ownership of, or the power to vote, more than 50 percent of the 3
5656 outstanding shares of any class of voting security of a company; 4
5757 (ii) control in any manner over the election of a majority of the 5
5858 directors or of individuals exercising similar functions; or 6
5959 (iii) the power to exercise controlling influence over the 7
6060 management of a company. 8
6161 (2) “Age assurance” encompasses a range of methods used to determine, 9
6262 estimate, or communicate the age or an age range of an online user. 10
6363 (3) “Algorithmic recommendation system” means a system that uses an 11
6464 algorithm to select, filter, and arrange media on a covered business’s website 12
6565 for the purpose of selecting, recommending, or prioritizing media for a user. 13
6666 (4)(A) “Biometric data” means data generated from the technological 14
6767 processing of an individual’s unique biological, physical, or physiological 15
6868 characteristics that allow or confirm the unique identification of the consumer, 16
6969 including: 17
7070 (i) iris or retina scans; 18
7171 (ii) fingerprints; 19
7272 (iii) facial or hand mapping, geometry, or templates; 20
7373 (iv) vein patterns; 21 BILL AS INTRODUCED H.210
7474 2025 Page 4 of 24
7575
7676
7777 VT LEG #378939 v.1
7878 (v) voice prints or vocal biomarkers; and 1
7979 (vi) gait or personally identifying physical movement or patterns. 2
8080 (B) “Biometric data” does not include: 3
8181 (i) a digital or physical photograph; 4
8282 (ii) an audio or video recording; or 5
8383 (iii) any data generated from a digital or physical photograph, or 6
8484 an audio or video recording, unless such data is generated to identify a specific 7
8585 individual. 8
8686 (5) “Business associate” has the same meaning as in HIPAA. 9
8787 (6) “Collect” means buying, renting, gathering, obtaining, receiving, or 10
8888 accessing any personal data by any means. This includes receiving data from 11
8989 the consumer, either actively or passively, or by observing the consumer’s 12
9090 behavior. 13
9191 (7) “Compulsive use” means the repetitive use of a covered business’s 14
9292 service that materially disrupts one or more major life activities of a minor, 15
9393 including sleeping, eating, learning, reading, concentrating, communicating, or 16
9494 working. 17
9595 (8)(A) “Consumer” means an individual who is a resident of the State. 18
9696 (B) “Consumer” does not include an individual acting in a 19
9797 commercial or employment context or as an employee, owner, director, officer, 20
9898 or contractor of a company, partnership, sole proprietorship, nonprofit, or 21 BILL AS INTRODUCED H.210
9999 2025 Page 5 of 24
100100
101101
102102 VT LEG #378939 v.1
103103 government agency whose communications or transactions with the covered 1
104104 business occur solely within the context of that individual’s role with the 2
105105 company, partnership, sole proprietorship, nonprofit, or government agency. 3
106106 (9) “Consumer health data” means any personal data that a controller 4
107107 uses to identify a consumer’s physical or mental health condition or diagnosis, 5
108108 including gender-affirming health data and reproductive or sexual health data. 6
109109 (10) “Controller” means a person who, alone or jointly with others, 7
110110 determines the purpose and means of processing personal data. 8
111111 (11) “Covered business” means a sole proprietorship, partnership, 9
112112 limited liability company, corporation, association, other legal entity, or an 10
113113 affiliate thereof, that conducts business in this State and whose online products, 11
114114 services, or features are reasonably likely to be accessed by a minor and that: 12
115115 (A) collects consumers’ personal data or has consumers’ personal 13
116116 data collected on its behalf by a processor; and 14
117117 (B) alone or jointly with others determines the purposes and means of 15
118118 the processing of consumers personal data. 16
119119 (12) “Covered entity” has the same meaning as in HIPAA. 17
120120 (13) “Covered minor” is a consumer who a covered business actually 18
121121 knows is a minor or labels as a minor pursuant to age assurance methods in 19
122122 rules adopted by the Attorney General. 20 BILL AS INTRODUCED H.210
123123 2025 Page 6 of 24
124124
125125
126126 VT LEG #378939 v.1
127127 (14) “Default” means a preselected option adopted by the covered 1
128128 business for the online service, product, or feature. 2
129129 (15) “De-identified data” means data that does not identify and cannot 3
130130 reasonably be used to infer information about, or otherwise be linked to, an 4
131131 identified or identifiable individual, or a device linked to the individual, if the 5
132132 covered business that possesses the data: 6
133133 (A)(i) takes reasonable measures to ensure that the data cannot be 7
134134 used to reidentify an identified or identifiable individual or be associated with 8
135135 an individual or device that identifies or is linked or reasonably linkable to an 9
136136 individual or household; and 10
137137 (ii) for purposes of this subdivision (A), “reasonable measures” 11
138138 shall include the de-identification requirements set forth under 45 C.F.R. 12
139139 § 164.514 (other requirements relating to uses and disclosures of protected 13
140140 health information); 14
141141 (B) publicly commits to process the data only in a de-identified 15
142142 fashion and not attempt to reidentify the data; and 16
143143 (C) contractually obligates any recipients of the data to comply with 17
144144 all provisions of this subchapter. 18
145145 (16) “Derived data” means data that is created by the derivation of 19
146146 information, data, assumptions, correlations, inferences, predictions, or 20 BILL AS INTRODUCED H.210
147147 2025 Page 7 of 24
148148
149149
150150 VT LEG #378939 v.1
151151 conclusions from facts, evidence, or another source of information or data 1
152152 about a minor or a minor’s device. 2
153153 (17) “Genetic data” means any data, regardless of its format, that results 3
154154 from the analysis of a biological sample of an individual, or from another 4
155155 source enabling equivalent information to be obtained, and concerns genetic 5
156156 material, including deoxyribonucleic acids (DNA), ribonucleic acids (RNA), 6
157157 genes, chromosomes, alleles, genomes, alterations or modifications to DNA or 7
158158 RNA, single nucleotide polymorphisms (SNPs), epigenetic markers, 8
159159 uninterpreted data that results from analysis of the biological sample or other 9
160160 source, and any information extrapolated, derived, or inferred therefrom. 10
161161 (18) “Identified or identifiable individual” means an individual who can 11
162162 be readily identified, directly or indirectly, including by reference to an 12
163163 identifier such as a name, an identification number, specific geolocation data, 13
164164 or an online identifier. 14
165165 (19) “Known adult” is a consumer who a covered business actually 15
166166 knows is an adult or labels as an adult pursuant to age assurance methods in 16
167167 rules adopted by the Attorney General. 17
168168 (20) “Minor” means an individual under 18 years of age who is a 18
169169 resident of the State. 19
170170 (21) “Neural data” means information that is collected through 20
171171 biosensors and that could be processed to infer or predict mental states. 21 BILL AS INTRODUCED H.210
172172 2025 Page 8 of 24
173173
174174
175175 VT LEG #378939 v.1
176176 (22) “Online service, product, or feature” means a digital product that is 1
177177 accessible to the public via the internet, including a website or application, and 2
178178 does not mean any of the following: 3
179179 (A) telecommunications service, as defined in 47 U.S.C. § 153; 4
180180 (B) a broadband internet access service as defined in 47 C.F.R. 5
181181 § 54.400; or 6
182182 (C) the sale, delivery, or use of a physical product. 7
183183 (23)(A) “Personal data” means any information, including derived data 8
184184 and unique identifiers, that is linked or reasonably linkable to an identified or 9
185185 identifiable individual or to a device that identifies, is linked to, or is 10
186186 reasonably linkable to one or more identified or identifiable individuals in a 11
187187 household. 12
188188 (B) Personal data does not include de-identified data or publicly 13
189189 available information. 14
190190 (24)(A) “Precise geolocation data” means information derived from 15
191191 technology that reveals the past or present physical location of a consumer or 16
192192 device that identifies or is linked or reasonably linkable to one or more 17
193193 consumers with precision and accuracy within a radius of 1,850 feet. 18
194194 (B) “Precise geolocation data” does not include: 19
195195 (i) the content of communications; 20 BILL AS INTRODUCED H.210
196196 2025 Page 9 of 24
197197
198198
199199 VT LEG #378939 v.1
200200 (ii) data generated by or connected to an advanced utility metering 1
201201 infrastructure system; 2
202202 (iii) a photograph, or metadata associated with a photograph or 3
203203 video, that cannot be linked to an individual; or 4
204204 (iv) data generated by equipment used by a utility company. 5
205205 (25) “Process” or “processing” means any operation or set of operations 6
206206 performed, whether by manual or automated means, on personal data or on sets 7
207207 of personal data, such as the collection, use, storage, disclosure, analysis, 8
208208 deletion, modification, or otherwise handling of personal data. 9
209209 (26) “Processor” means a person who processes personal data on behalf 10
210210 of a covered business. 11
211211 (27) “Profiling” means any form of automated processing performed on 12
212212 personal data to evaluate, analyze, or predict personal aspects related to an 13
213213 identified or identifiable individual’s economic situation, health, personal 14
214214 preferences, interests, reliability, behavior, location, or movements. 15
215215 (28)(A) “Publicly available information” means information that: 16
216216 (i) is made available through federal, state, or local government 17
217217 records; or 18
218218 (ii) a controller has a reasonable basis to believe that the consumer 19
219219 has lawfully made available to the general public. 20
220220 (B) “Publicly available information” does not include: 21 BILL AS INTRODUCED H.210
221221 2025 Page 10 of 24
222222
223223
224224 VT LEG #378939 v.1
225225 (i) biometric data collected by a business about a consumer 1
226226 without the consumer’s knowledge; 2
227227 (ii) information that is collated and combined to create a consumer 3
228228 profile that is made available to a user of a publicly available website either in 4
229229 exchange for payment or free of charge; 5
230230 (iii) information that is made available for sale; 6
231231 (iv) an inference that is generated from the information described 7
232232 in subdivision (ii) or (iii) of this subdivision (28)(B); 8
233233 (v) any obscene visual depiction, as defined in 18 U.S.C. § 1460; 9
234234 (vi) any inference made exclusively from multiple independent 10
235235 sources of publicly available information that reveals sensitive data with 11
236236 respect to a consumer; 12
237237 (vii) personal data that is created through the combination of 13
238238 personal data with publicly available information; 14
239239 (viii) genetic data, unless otherwise made publicly available by the 15
240240 consumer to whom the information pertains; 16
241241 (ix) information provided by a consumer on a website or online 17
242242 service made available to all members of the public, for free or for a fee, where 18
243243 the consumer has maintained a reasonable expectation of privacy in the 19
244244 information, such as by restricting the information to a specific audience; or 20 BILL AS INTRODUCED H.210
245245 2025 Page 11 of 24
246246
247247
248248 VT LEG #378939 v.1
249249 (x) intimate images, authentic or computer-generated, known to be 1
250250 nonconsensual. 2
251251 (29) “Reasonably likely to be accessed” means an online service, 3
252252 product, or feature that is reasonably likely to be accessed by a covered minor 4
253253 based on any of the following indicators: 5
254254 (A) the online service, product, or feature is directed to children, as 6
255255 defined by the Children’s Online Privacy Protection Act, 15 U.S.C. §§ 6501–7
256256 6506 and the Federal Trade Commission rules implementing that Act; 8
257257 (B) the online service, product, or feature is determined, based on 9
258258 competent and reliable evidence regarding audience composition, to be 10
259259 routinely accessed by an audience that is composed of at least two percent 11
260260 minors two through 17 years of age; 12
261261 (C) the online service, product, or feature contains advertisements 13
262262 marketed to minors; 14
263263 (D) the audience of the online service, product, or feature is 15
264264 determined, based on internal company research, to be composed of at least 16
265265 two percent minors two through 17 years of age; or 17
266266 (E) the covered business knew or should have known that at least two 18
267267 percent of the audience of the online service, product, or feature includes 19
268268 minors two through 17 years of age, provided that, in making this assessment, 20
269269 the business shall not collect or process any personal data that is not reasonably 21 BILL AS INTRODUCED H.210
270270 2025 Page 12 of 24
271271
272272
273273 VT LEG #378939 v.1
274274 necessary to provide an online service, product, or feature with which a minor 1
275275 is actively and knowingly engaged. 2
276276 (30) “Sensitive data” means personal data that: 3
277277 (A) reveals a consumer’s government-issued identifier, such as a 4
278278 Social Security number, passport number, state identification card, or driver’s 5
279279 license number, that is not required by law to be publicly displayed; 6
280280 (B) reveals a consumer’s racial or ethnic origin; national origin; 7
281281 citizenship or immigration status; religious or philosophical beliefs; a mental 8
282282 or physical health condition, diagnosis, disability or treatment; status as 9
283283 pregnant; income level or indebtedness; or union membership; 10
284284 (C) reveals a consumer’s sexual orientation, sex life, sexuality, or 11
285285 status as transgender or nonbinary; 12
286286 (D) reveals a consumer’s status as a victim of a crime; 13
287287 (E) is a consumer’s tax return and account number, financial account 14
288288 log-in, financial account, debit card number, or credit card number in 15
289289 combination with any required security or access code, password, or 16
290290 credentials allowing access to an account; 17
291291 (F) is consumer health data; 18
292292 (G) is collected and analyzed concerning consumer health data that 19
293293 describes or reveals a past, present, or future mental or physical health 20
294294 condition, treatment, disability, or diagnosis, including pregnancy, to the extent 21 BILL AS INTRODUCED H.210
295295 2025 Page 13 of 24
296296
297297
298298 VT LEG #378939 v.1
299299 the personal data is used by the controller for a purpose other than to identify a 1
300300 specific consumer’s physical or mental health condition or diagnosis; 2
301301 (H) is biometric or genetic data; 3
302302 (I) is collected from a covered minor; 4
303303 (J) is precise geolocation data; 5
304304 (K) are keystrokes; 6
305305 (L) is driving behavior; or 7
306306 (M) is neural data. 8
307307 (31)(A) “Social media platform” means a public or semipublic internet-9
308308 based service or application that is primarily intended to connect and allow a 10
309309 user to socially interact within such service or application and enables a user 11
310310 to: 12
311311 (i) construct a public or semipublic profile for the purposes of 13
312312 signing into and using such service or application; 14
313313 (ii) populate a public list of other users with whom the user shares 15
314314 a social connection within such service or application; or 16
315315 (iii) create or post content that is viewable by other users, 17
316316 including content on message boards and in chat rooms, and that presents the 18
317317 user with content generated by other users. 19
318318 (B) “Social media platform” does not mean a public or semipublic 20
319319 internet-based service or application that: 21 BILL AS INTRODUCED H.210
320320 2025 Page 14 of 24
321321
322322
323323 VT LEG #378939 v.1
324324 (i) exclusively provides email or direct messaging services; 1
325325 (ii) primarily consists of news, sports, entertainment, interactive 2
326326 video games, electronic commerce, or content that is preselected by the 3
327327 provider for which any interactive functionality is incidental to, directly related 4
328328 to, or dependent on the provision of such content; or 5
329329 (iii) is used by and under the direction of an educational entity, 6
330330 including a learning management system or a student engagement program. 7
331331 (32) “Third party” means a natural or legal person, public authority, 8
332332 agency, or body other than the covered minor or the covered business. 9
333333 § 2449b. EXCLUSIONS 10
334334 This subchapter does not apply to: 11
335335 (1) a federal, state, tribal, or local government entity in the ordinary 12
336336 course of its operation; 13
337337 (2) protected health information that a covered entity or business 14
338338 associate processes in accordance with, or documents that a covered entity or 15
339339 business associate creates for the purpose of complying with, HIPAA; 16
340340 (3) information used only for public health activities and purposes 17
341341 described in 45 C.F.R. § 164.512; 18
342342 (4) information that identifies a consumer in connection with: 19
343343 (A) activities that are subject to the Federal Policy for the Protection 20
344344 of Human Subjects as set forth in 45 C.F.R. Part 46; 21 BILL AS INTRODUCED H.210
345345 2025 Page 15 of 24
346346
347347
348348 VT LEG #378939 v.1
349349 (B) research on human subjects undertaken in accordance with good 1
350350 clinical practice guidelines issued by the International Council for 2
351351 Harmonisation of Technical Requirements for Pharmaceuticals for Human 3
352352 Use; 4
353353 (C) activities that are subject to the protections provided in 21 C.F.R. 5
354354 Part 50 and 21 C.F.R. Part 56; or 6
355355 (D) research conducted in accordance with the requirements set forth 7
356356 in subdivisions (A)–(C) of this subdivision (4) or otherwise in accordance with 8
357357 State or federal law; and 9
358358 (5) an entity whose primary purpose is journalism as defined in 10
359359 12 V.S.A. § 1615(a)(2) and that has a majority of its workforce consisting of 11
360360 individuals engaging in journalism. 12
361361 § 2449c. MINIMUM DUTY OF CARE 13
362362 (a) A covered business that processes a covered minor’s data in any 14
363363 capacity owes a minimum duty of care to the covered minor. 15
364364 (b) As used in this subchapter, “a minimum duty of care” means the use of 16
365365 the personal data of a covered minor and the design of an online service, 17
366366 product, or feature will not result in: 18
367367 (1) reasonably foreseeable emotional distress as defined in 13 V.S.A. 19
368368 § 1061(2) to a covered minor; 20 BILL AS INTRODUCED H.210
369369 2025 Page 16 of 24
370370
371371
372372 VT LEG #378939 v.1
373373 (2) reasonably foreseeable compulsive use of the online service, 1
374374 product, or feature by a covered minor; or 2
375375 (3) discrimination against a covered minor based upon race, ethnicity, 3
376376 sex, disability, sexual orientation, gender identity, gender expression, or 4
377377 national origin. 5
378378 (c) The content of the media viewed by a covered minor shall not establish 6
379379 emotional distress or compulsive use as those terms are used in subsection (b) 7
380380 of this section. 8
381381 (d) Nothing in this section shall be construed to require a covered business 9
382382 to prevent or preclude a covered minor from accessing or viewing any piece of 10
383383 media or category of media. 11
384384 § 2449d. REQUIRED DEFAULT PRIVACY SETTINGS AND TOOLS 12
385385 (a) Default privacy settings. 13
386386 (1) A covered business shall configure all default privacy settings 14
387387 provided to a covered minor through the online service, product, or feature to 15
388388 the highest level of privacy, including the following default settings: 16
389389 (A) not displaying the existence of the covered minor’s social media 17
390390 account to any known adult user unless the covered minor has expressly and 18
391391 unambiguously allowed a specific known adult user to view their account or 19
392392 has expressly and unambiguously chosen to make their account’s existence 20
393393 public; 21 BILL AS INTRODUCED H.210
394394 2025 Page 17 of 24
395395
396396
397397 VT LEG #378939 v.1
398398 (B) not displaying media created or posted by the covered minor on 1
399399 a social media platform to any known adult user unless the covered minor has 2
400400 expressly and unambiguously allowed a specific known adult user to view their 3
401401 media or has expressly and unambiguously chosen to make their media 4
402402 publicly available; 5
403403 (C) not permitting any known adult users to like, comment on, or 6
404404 otherwise provide feedback on the covered minor’s media on a social media 7
405405 platform unless the covered minor has expressly and unambiguously allowed a 8
406406 specific known adult user to do so; 9
407407 (D) not permitting direct messaging on a social media platform 10
408408 between the covered minor and any known adult user unless the covered minor 11
409409 has expressly and unambiguously decided to allow direct messaging with a 12
410410 specific known adult user; 13
411411 (E) not displaying the covered minor’s location to other users, unless 14
412412 the covered minor expressly and unambiguously shares their location with a 15
413413 specific user; 16
414414 (F) not displaying the users connected to the covered minor on a 17
415415 social media platform unless the covered minor expressly and unambiguously 18
416416 chooses to share the information with a specific user; 19
417417 (G) disabling search engine indexing of the covered minor’s account 20
418418 profile; and 21 BILL AS INTRODUCED H.210
419419 2025 Page 18 of 24
420420
421421
422422 VT LEG #378939 v.1
423423 (H) not sending push notifications to the covered minors. 1
424424 (2) A covered business shall not: 2
425425 (A) provide a covered minor with a single setting that makes all of 3
426426 the default privacy settings less protective at once; or 4
427427 (B) request or prompt a covered minor to make their privacy settings 5
428428 less protective, unless the change is strictly necessary for the covered minor to 6
429429 access a service or feature they have expressly and unambiguously requested. 7
430430 (b) Timely deletion of account. A covered business shall: 8
431431 (1) provide a prominent, accessible, and responsive tool to allow a 9
432432 covered minor to request the covered minor’s social media account be 10
433433 unpublished or deleted; and 11
434434 (2) honor that request not later than 15 days after a covered business 12
435435 receives the request. 13
436436 § 2449e. TRANSPARENCY 14
437437 (a) A covered business shall prominently and clearly provide on their 15
438438 website or mobile application: 16
439439 (1) the covered business’ privacy information, terms of service, policies, 17
440440 and community standards; 18
441441 (2) detailed descriptions of each algorithmic recommendation system in 19
442442 use by the covered business, including the factors used by the algorithmic 20
443443 recommendation system and how each factor: 21 BILL AS INTRODUCED H.210
444444 2025 Page 19 of 24
445445
446446
447447 VT LEG #378939 v.1
448448 (A) is measured or determined; 1
449449 (B) uses the personal data of covered minors; 2
450450 (C) influences the recommendation issued by the system; and 3
451451 (D) is weighed relative to the other factors listed in this subdivision 4
452452 (2); and 5
453453 (3) descriptions, for every feature of the service that uses the personal 6
454454 data of covered minors, of: 7
455455 (A) the purpose of the service feature; 8
456456 (B) the personal data collected by the service feature; 9
457457 (C) the personal data used by the service feature; 10
458458 (D) how the personal data is used by the service feature; 11
459459 (E) any personal data transferred to or shared with a processor or 12
460460 third party by the service feature, the identity of the processor or third party, 13
461461 and the purpose of the transfer or sharing; and 14
462462 (F) how long the personal data is retained. 15
463463 § 2449f. PROHIBITED DATA AND DESIGN PRACTICES 16
464464 (a) Data privacy. A covered business shall not: 17
465465 (1) collect, sell, share, or retain any personal data of a covered minor 18
466466 that is not necessary to provide an online service, product, or feature with 19
467467 which the covered minor is actively and knowingly engaged; 20 BILL AS INTRODUCED H.210
468468 2025 Page 20 of 24
469469
470470
471471 VT LEG #378939 v.1
472472 (2) use previously collected personal data of a covered minor for any 1
473473 purpose other than a purpose for which the personal data was collected, unless 2
474474 necessary to comply with any obligation under this chapter; 3
475475 (3) permit any consumer, including a parent or guardian of a covered 4
476476 minor, to monitor the online activity of a covered minor or to track the location 5
477477 of the covered minor without providing a conspicuous signal to the covered 6
478478 minor when the covered minor is being monitored or tracked; 7
479479 (4) use the personal data of a covered minor to select, recommend, or 8
480480 prioritize media for the covered minor, unless the personal data is: 9
481481 (A) the covered minor’s express and unambiguous request to receive: 10
482482 (i) media from a specific account, feed, or user, or to receive more 11
483483 or less media from that account, feed, or user; 12
484484 (ii) a specific category of media, such as “cat videos” or “breaking 13
485485 news,” or to see more or less of that category of media; or 14
486486 (iii) more or less media with similar characteristics as the media 15
487487 they are currently viewing; 16
488488 (B) user-selected privacy or accessibility settings; or 17
489489 (C) a search query, as long as the search query is only used to select 18
490490 and prioritize media in response to the search; or 19
491491 (5) send push notifications to a covered minor between 12:00 a.m. and 20
492492 6:00 a.m. 21 BILL AS INTRODUCED H.210
493493 2025 Page 21 of 24
494494
495495
496496 VT LEG #378939 v.1
497497 (b) Rulemaking. The Attorney General shall have the authority to adopt 1
498498 rules pursuant to this subchapter that prohibits data processing or design 2
499499 practices of a covered business that, in the opinion of the Attorney General, 3
500500 lead to compulsive use or subvert or impair user autonomy, decision making, 4
501501 or choice during the use of an online service, product, or feature of the covered 5
502502 business. The Attorney General shall, at least once every two years, review 6
503503 and update these rules as necessary to keep pace with emerging technology. 7
504504 § 2449g. AGE ASSURANCE PRIVACY 8
505505 (a) Privacy protections for age assurance data. Covered businesses and 9
506506 processors shall: 10
507507 (1) only collect personal data of a user that is strictly necessary for age 11
508508 assurance; 12
509509 (2) immediately upon determining whether a user is a covered minor, 13
510510 delete any personal data collected of that user for age assurance, except 14
511511 whether the user is or is not determined to be a covered minor; 15
512512 (3) not use any personal data of a user collected for age assurance for 16
513513 any other purpose; 17
514514 (4) not combine personal data of a user collected for age assurance with 18
515515 any other personal data of the user, except whether the user is or is not 19
516516 determined to be a covered minor; and 20 BILL AS INTRODUCED H.210
517517 2025 Page 22 of 24
518518
519519
520520 VT LEG #378939 v.1
521521 (5) implement a review process to allow users to appeal their age 1
522522 designation. 2
523523 (b) Rulemaking. 3
524524 (1) Subject to subdivision (2) of this subsection, the Attorney General 4
525525 shall, on or before July 1, 2027, adopt rules identifying commercially 5
526526 reasonable and technically feasible methods for covered businesses and 6
527527 processors to determine if a user is a covered minor, describing appropriate 7
528528 review processes for users appealing their age designations, and providing any 8
529529 additional privacy protections for age assurance data. The Attorney General 9
530530 shall periodically review and update these rules as necessary to keep pace with 10
531531 emerging technology. 11
532532 (2) In adopting these rules, the Attorney General shall: 12
533533 (A) prioritize user privacy and accessibility over the accuracy of age 13
534534 assurance methods; and 14
535535 (B) consider: 15
536536 (i) the size, financial resources, and technical capabilities of 16
537537 covered businesses and processors; 17
538538 (ii) the costs and effectiveness of available age assurance methods; 18
539539 (iii) the impact of age assurance methods on users’ safety, utility, 19
540540 and experience; 20 BILL AS INTRODUCED H.210
541541 2025 Page 23 of 24
542542
543543
544544 VT LEG #378939 v.1
545545 (iv) whether and to what extent transparency measures would 1
546546 increase consumer trust in an age assurance method; and 2
547547 (v) the efficacy of requiring covered businesses and processors to: 3
548548 (I) use previously collected data to determine user age; 4
549549 (II) adopt interoperable age assurance methods; and 5
550550 (III) provide users with multiple options for age assurance. 6
551551 § 2449h. ENFORCEMENT 7
552552 (a) A covered business or processor that violates this subchapter or rules 8
553553 adopted pursuant to this subchapter commits an unfair and deceptive act in 9
554554 commerce in violation of section 2453 of this title. 10
555555 (b) The Attorney General shall have the same authority under this 11
556556 subchapter to make rules, conduct civil investigations, bring civil actions, 12
557557 and enter into assurances of discontinuance as provided under chapter 63 of 13
558558 this title. 14
559559 § 2449i. LIMITATIONS 15
560560 Nothing in this subchapter shall be interpreted or construed to: 16
561561 (1) impose liability in a manner that is inconsistent with 47 U.S.C. 17
562562 § 230; or 18
563563 (2) prevent or preclude any covered minor from deliberately or 19
564564 independently searching for, or specifically requesting, any media. 20 BILL AS INTRODUCED H.210
565565 2025 Page 24 of 24
566566
567567
568568 VT LEG #378939 v.1
569569 § 2449j. RIGHTS AND FREEDOMS OF COVERED MINORS 1
570570 It is the intent of the General Assembly that nothing in this act may be 2
571571 construed to infringe on the existing rights and freedoms of covered minors or 3
572572 be construed to discriminate against the covered minors based on race, 4
573573 ethnicity, sex, disability, sexual orientation, gender identity, gender expression, 5
574574 or national origin. 6
575575 Sec. 2. EFFECTIVE DATE 7
576576 This act shall take effect on July 1, 2026. 8