BILL AS INTRODUCED H.211 2025
VT LEG #378943 v.1

H.211

Introduced by Representatives Priestley of Bradford, Marcotte of Coventry, Arsenault of Williston, Austin of Colchester, Berbeco of Winooski, Bos-Lun of Westminster, Bosch of Clarendon, Boutin of Barre City, Boyden of Cambridge, Brown of Richmond, Burke of Brattleboro, Burrows of West Windsor, Campbell of St. Johnsbury, Carris-Duncan of Whitingham, Casey of Montpelier, Chapin of East Montpelier, Cina of Burlington, Cole of Hartford, Cordes of Bristol, Donahue of Northfield, Duke of Burlington, Eastes of Guilford, Goldman of Rockingham, Graning of Jericho, Greer of Bennington, Harple of Glover, Headrick of Burlington, Holcombe of Norwich, Krasnow of South Burlington, Lalley of Shelburne, Lipsky of Stowe, Masland of Thetford, McCann of Montpelier, McGill of Bridport, Micklus of Milton, Mihaly of Calais, Minier of South Burlington, Mrowicki of Putney, Nugent of South Burlington, O’Brien of Tunbridge, Ode of Burlington, Olson of Starksboro, Pezzo of Colchester, Pouech of Hinesburg, Rachelson of Burlington, Satcowitz of Randolph, Sibilia of Dover, Stevens of Waterbury, Surprenant of Barnard, Tomlinson of Winooski, Torre of Moretown, Waszazak of Barre City, and White of Bethel

Referred to Committee on
Date:
Subject: Commerce and trade; protection of personal information; data brokers

Statement of purpose of bill as introduced: This bill proposes to add various provisions to Vermont’s laws that protect the personal information of its residents, including requiring data brokers to provide notice of security breaches, to certify that the personal information it discloses will be used for a legitimate purpose, and to delete the personal information of consumers who make such a request through the use of an accessible deletion mechanism.

An act relating to data brokers and personal information

It is hereby enacted by the General Assembly of the State of Vermont:

Sec. 1. 9 V.S.A. chapter 62 is amended to read:

CHAPTER 62. PROTECTION OF PERSONAL INFORMATION

Subchapter 1. General Provisions

§ 2430. DEFINITIONS

As used in this chapter:
(1) “Authorized agent” means:
(A) a person designated by a consumer to act on the consumer’s behalf;
(B) a parent or legal guardian that acts on behalf of the parent’s child or on behalf of a child for whom the guardian has legal responsibility; or
(C) a guardian or conservator that acts on behalf of a consumer that is subject to a guardianship, conservatorship, or other protective arrangement.
(2)(A) “Biometric data” means data generated from the technological processing of an individual’s unique biological, physical, or physiological characteristics that is linked or reasonably linkable to an individual, including:
(i) iris or retina scans;
(ii) fingerprints;
(iii) facial or hand mapping, geometry, or templates;
(iv) vein patterns;
(v) voice prints; and
(vi) gait or personally identifying physical movement or patterns.
(B) “Biometric data” does not include:
(i) a digital or physical photograph;
(ii) an audio or video recording; or
(iii) any data generated from a digital or physical photograph, or an audio or video recording, unless such data is generated to identify a specific individual.
(3)(A) “Brokered personal information” means one or more of the following computerized data elements about a consumer, if categorized or organized for dissemination to third parties:
(i) name;
(ii) address;
(iii) date of birth;
(iv) place of birth;
(v) mother’s maiden name;
(vi) unique biometric data generated from measurements or technical analysis of human body characteristics used by the owner or licensee of the data to identify or authenticate the consumer, such as a fingerprint, retina or iris image, or other unique physical representation or digital representation of biometric data;
(vii) name or address of a member of the consumer’s immediate family or household;
(viii) Social Security number or other government-issued identification number; or
(ix) phone number; or
(x) other information that, alone or in combination with the other information sold or licensed, would allow a reasonable person to identify the consumer with reasonable certainty.
(B) “Brokered personal information” does not include publicly available information to the extent that it is related to a consumer’s business or profession.
(2)(4) “Business” means a controller, a consumer health data controller, a processor, or a commercial entity, including a sole proprietorship, partnership, corporation, association, limited liability company, or other group, however organized and whether or not organized to operate at a profit, including a financial institution organized, chartered, or holding a license or authorization certificate under the laws of this State, any other state, the United States, or any other country, or the parent, affiliate, or subsidiary of a financial institution, but does not include the State, a State agency, any political subdivision of the State, or a vendor acting solely on behalf of, and at the direction of, the State.
(3)(5) “Consumer” means an individual residing in this State.
(6) “Consumer health data controller” means any controller that, alone or jointly with others, determines the purpose and means of processing consumer health data.
(7) “Controller” means a person who, alone or jointly with others, determines the purpose and means of processing personal data.
(4)(8)(A) “Data broker” means a business, or unit or units of a business, separately or together, that knowingly collects and sells or licenses to third parties the brokered personal information of a consumer with whom the business does not have a direct relationship.
(B) Examples of a direct relationship with a business include if the consumer is a past or present:
(i) customer, client, subscriber, user, or registered user of the business’s goods or services within the last five calendar years;
(ii) employee, contractor, or agent of the business;
(iii) investor in the business; or
(iv) donor to the business.
(C) The following activities conducted by a business, and the collection and sale or licensing of brokered personal information incidental to conducting these activities, do not qualify the business as a data broker:
(i) developing or maintaining third-party e-commerce or application platforms;
(ii) providing 411 directory assistance or directory information services, including name, address, and telephone number, on behalf of or as a function of a telecommunications carrier;
(iii) providing publicly available information related to a consumer’s business or profession; or
(iv) providing publicly available information via real-time or near-real-time alert services for health or safety purposes.
(D) The phrase “sells or licenses” does not include:
(i) a one-time or occasional sale of assets of a business as part of a transfer of control of those assets that is not part of the ordinary conduct of the business; or
(ii) a sale or license of data that is merely incidental to the business.
(5)(9)(A) “Data broker security breach” means an unauthorized acquisition or a reasonable belief of an unauthorized acquisition of more than one element of brokered personal information maintained by a data broker when the brokered personal information is not encrypted, redacted, or protected by another method that renders the information unreadable or unusable by an unauthorized person.
(B) “Data broker security breach” does not include good faith but unauthorized acquisition of brokered personal information by an employee or agent of the data broker for a legitimate purpose of the data broker, provided that the brokered personal information is not used for a purpose unrelated to the data broker’s business or subject to further unauthorized disclosure.
(C) In determining whether brokered personal information has been acquired or is reasonably believed to have been acquired by a person without valid authorization, a data broker may consider the following factors, among others:
(i) indications that the brokered personal information is in the physical possession and control of a person without valid authorization, such as a lost or stolen computer or other device containing brokered personal information;
(ii) indications that the brokered personal information has been downloaded or copied;
(iii) indications that the brokered personal information was used by an unauthorized person, such as fraudulent accounts opened or instances of identity theft reported; or
(iv) that the brokered personal information has been made public.
(6)(10) “Data collector” means a person who, for any purpose, whether by automated collection or otherwise, handles, collects, disseminates, or otherwise deals with personally identifiable information, and includes the State, State agencies, political subdivisions of the State, public and private universities, privately and publicly held corporations, limited liability companies, financial institutions, and retail operators.
(7)(11) “Encryption” means use of an algorithmic process to transform data into a form in which the data is rendered unreadable or unusable without use of a confidential process or key.
(8)(12) “License” means a grant of access to, or distribution of, data by one person to another in exchange for consideration. A use of data for the sole benefit of the data provider, where the data provider maintains control over the use of the data, is not a license.
(9)(13) “Login credentials” means a consumer’s user name or e-mail email address, in combination with a password or an answer to a security question, that together permit access to an online account.
(10)(14)(A) “Personally identifiable information” means a consumer’s first name or first initial and last name in combination with one or more of the following digital data elements, when the data elements are not encrypted, redacted, or protected by another method that renders them unreadable or unusable by unauthorized persons:
(i) a Social Security number;
(ii) a driver license or nondriver State identification card number, individual taxpayer identification number, passport number, military identification card number, or other identification number that originates from a government identification document that is commonly used to verify identity for a commercial transaction;
(iii) a financial account number or credit or debit card number, if the number could be used without additional identifying information, access codes, or passwords;
(iv) a password, personal identification number, or other access code for a financial account;
(v) unique biometric data generated from measurements or technical analysis of human body characteristics used by the owner or licensee of the data to identify or authenticate the consumer, such as a fingerprint, retina or iris image, or other unique physical representation or digital representation of biometric data;
(vi) genetic information; and
(vii)(I) health records or records of a wellness program or similar program of health promotion or disease prevention;
(II) a health care professional’s medical diagnosis or treatment of the consumer; or
(III) a health insurance policy number.
(B) “Personally identifiable information” does not mean publicly available information that is lawfully made available to the general public from federal, State, or local government records.
(15) “Precise geolocation” means information derived from technology that can precisely and accurately identify the specific location of a consumer within a radius of 1,850 feet.
(16) “Processor” means a person who processes personal data on behalf of a controller.
(11)(17) “Record” means any material on which written, drawn, spoken, visual, or electromagnetic information is recorded or preserved, regardless of physical form or characteristics.
(12)(18) “Redaction” means the rendering of data so that the data are unreadable or are truncated so that no not more than the last four digits of the identification number are accessible as part of the data.
(13)(19)(A) “Security breach” means unauthorized acquisition of electronic data, or a reasonable belief of an unauthorized acquisition of electronic data, that compromises the security, confidentiality, or integrity of a consumer’s personally identifiable information or login credentials maintained by a data collector.
(B) “Security breach” does not include good faith but unauthorized acquisition of personally identifiable information or login credentials by an employee or agent of the data collector for a legitimate purpose of the data collector, provided that the personally identifiable information or login credentials are not used for a purpose unrelated to the data collector’s business or subject to further unauthorized disclosure.
(C) In determining whether personally identifiable information or login credentials have been acquired or is reasonably believed to have been acquired by a person without valid authorization, a data collector may consider the following factors, among others:
(i) indications that the information is in the physical possession and control of a person without valid authorization, such as a lost or stolen computer or other device containing information;
(ii) indications that the information has been downloaded or copied;
(iii) indications that the information was used by an unauthorized person, such as fraudulent accounts opened or instances of identity theft reported; or
(iv) that the information has been made public.

* * *

Subchapter 2. Security Breach Notice Act Breaches

§ 2435. NOTICE OF SECURITY BREACHES

* * *

(h) Enforcement.
(1) With respect to all data collectors and other entities subject to this subchapter, other than a person or entity licensed or registered with the Department of Financial Regulation under Title 8 or this title, the Attorney General and State’s Attorney shall have sole and full authority to investigate potential violations of this subchapter and to enforce, prosecute, obtain, and impose remedies for a violation of this subchapter or any rules or regulations made pursuant to this subchapter as the Attorney General and State’s Attorney have under chapter 63 of this title.
With respect to a controller or processor other than a controller or processor licensed or registered with the Department of Financial Regulation under Title 8 or this title, the Attorney General has the same authority to adopt rules to implement the provisions of this section and to conduct civil investigations, enter into assurances of discontinuance, bring civil actions, and take other enforcement actions as provided under chapter 63, subchapter 1 of this title. The Attorney General may refer the matter to the State’s Attorney in an appropriate case. The Superior Courts shall have jurisdiction over any enforcement matter brought by the Attorney General or a State’s Attorney under this subsection.
(2) With respect to a data collector that is a person or entity licensed or registered with the Department of Financial Regulation under Title 8 or this title, the Department of Financial Regulation shall have the full authority to investigate potential violations of this subchapter and to prosecute, obtain, and impose remedies for a violation of this subchapter or any rules or regulations adopted pursuant to this subchapter, as the Department has under Title 8 or this title or any other applicable law or regulation. With respect to a controller or processor that is licensed or registered with the Department of Financial Regulation under Title 8 or this title, the Department of Financial Regulation has the same authority to adopt rules to implement the provisions of this section and to conduct civil investigations, enter into assurances of discontinuance, bring civil actions, and take other enforcement actions as provided under Title 8 or this title or any other applicable law or regulation.

* * *

§ 2436. NOTICE OF DATA BROKER SECURITY BREACHES

(a) Short title.
This section shall be known as the “Data Broker Security Breach Notice Act.”
(b) Notice of breach to consumers.
(1) Except as otherwise provided in subsection (c) of this section, a data broker shall, following discovery or notification to the data broker of a security breach affecting a consumer, notify the consumer that there has been a data broker security breach. Notice of the security breach shall be made in the most expedient time possible and without unreasonable delay, but not later than 45 days after the discovery or notification, consistent with the legitimate needs of the law enforcement agency, as provided in subdivisions (3) and (4) of this subsection, or with any measures necessary to determine the scope of the security breach and restore the reasonable integrity, security, and confidentiality of the data system.
(2) A data broker shall provide notice of a breach to the Attorney General as follows:
(A)(i) The data broker shall notify the Attorney General of the date of the security breach and the date of discovery of the breach and shall provide a preliminary description of the breach within 14 business days, consistent with the legitimate needs of the law enforcement agency, as provided in subdivisions (3) and (4) of this subsection (b), after the data broker’s discovery of the security breach.
(ii) If the date of the breach is unknown at the time notice is sent to the Attorney General, the data broker shall send the Attorney General the date of the breach as soon as it is known.
(iii) Unless otherwise ordered by a court of this State for good cause shown, a notice provided under this subdivision (2)(A) shall not be disclosed, without the consent of the data broker, to any person other than the authorized agent or representative of the Attorney General, a State’s Attorney, or another law enforcement officer engaged in legitimate law enforcement activities.
(B)(i) When the data broker provides notice of the breach pursuant to subdivision (1) of this subsection, the data broker shall notify the Attorney General of the number of Vermont consumers affected, if known to the data broker, and shall provide a copy of the notice provided to consumers under subdivision (1) of this subsection (b).
(ii) The data broker may send to the Attorney General a second copy of the consumer notice, from which is redacted the type of brokered personal information that was subject to the breach, that the Attorney General shall use for any public disclosure of the breach.
(3) The notice to the Attorney General and a consumer required by this subsection shall be delayed upon request of a law enforcement agency. A law enforcement agency may request the delay if it believes that notification may impede a law enforcement investigation or a national or Homeland Security investigation or jeopardize public safety or national or Homeland Security interests. In the event law enforcement makes the request for a delay in a manner other than in writing, the data broker shall document the request contemporaneously in writing and include the name of the law enforcement officer making the request and the officer’s law enforcement agency engaged in the investigation.
A law enforcement agency shall promptly notify the data broker in writing when the law enforcement agency no longer believes that notification may impede a law enforcement investigation or a national or Homeland Security investigation or jeopardize public safety or national or Homeland Security interests. The data broker shall provide notice required by this subsection without unreasonable delay upon receipt of a written communication, which includes facsimile or electronic communication, from the law enforcement agency withdrawing its request for delay.
(4) The notice to a consumer required in subdivision (1) of this subsection shall be clear and conspicuous. A notice to a consumer of a security breach involving brokered personal information shall include a description of each of the following, if known to the data broker:
(A) the incident in general terms;
(B) the categories of brokered personal information that was subject to the security breach;
(C) the general acts of the data broker to protect the brokered personal information from further security breach;
(D) a telephone number, toll-free if available, that the consumer may call for further information and assistance;
(E) advice that directs the consumer to remain vigilant by reviewing account statements and monitoring free credit reports; and
(F) the approximate date of the data broker security breach.
(5) A data broker may provide notice of a security breach involving brokered personal information to a consumer by two or more of the following methods:
(A) written notice mailed to the consumer’s residence;
(B) electronic notice, for those consumers for whom the data broker has a valid email address, if:
(i) the data broker’s primary method of communication with the consumer is by electronic means, the electronic notice does not request or contain a hypertext link to a request that the consumer provide personal information, and the electronic notice conspicuously warns consumers not to provide personal information in response to electronic communications regarding security breaches; or
(ii) the notice is consistent with the provisions regarding electronic records and signatures for notices in 15 U.S.C. § 7001;
(C) telephonic notice, provided that telephonic contact is made directly with each affected consumer and not through a prerecorded message; or
(D) notice by publication in a newspaper of statewide circulation in the event the data broker cannot effectuate notice by any other means.
(c) Exception.
(1) Notice of a security breach pursuant to subsection (b) of this section is not required if the data broker establishes that misuse of brokered personal information is not reasonably possible and the data broker provides notice of the determination that the misuse of the brokered personal information is not reasonably possible pursuant to the requirements of this subsection. If the data broker establishes that misuse of the brokered personal information is not reasonably possible, the data broker shall provide notice of its determination that misuse of the brokered personal information is not reasonably possible and a detailed explanation for said determination to the Attorney General.
The data broker may designate its notice and detailed explanation to the Attorney General as a trade secret if the notice and detailed explanation meet the definition of trade secret contained in 1 V.S.A. § 317(c)(9).
(2) If a data broker established that misuse of brokered personal information was not reasonably possible under subdivision (1) of this subsection and subsequently obtains facts indicating that misuse of the brokered personal information has occurred or is occurring, the data broker shall provide notice of the security breach pursuant to subsection (b) of this section.
(d) Waiver. Any waiver of the provisions of this subchapter is contrary to public policy and is void and unenforceable.
(e) Enforcement.
(1) With respect to a controller or processor other than a controller or processor licensed or registered with the Department of Financial Regulation under Title 8 or this title, the Attorney General has the same authority to adopt rules to implement the provisions of this section and to conduct civil investigations, enter into assurances of discontinuance, bring civil actions, and take other enforcement actions as provided under chapter 63, subchapter 1 of this title. The Attorney General may refer the matter to the State’s Attorney in an appropriate case. The Superior Courts shall have jurisdiction over any enforcement matter brought by the Attorney General or a State’s Attorney under this subsection.
(2) With respect to a controller or processor that is licensed or registered with the Department of Financial Regulation under Title 8 or this title, the Department of Financial Regulation has the same authority to adopt rules to implement the provisions of this section and to conduct civil investigations, enter into assurances of discontinuance, bring civil actions, and take other enforcement actions as provided under Title 8 or this title or any other applicable law or regulation.

* * *

Subchapter 5. Data Brokers

§ 2446. DATA BROKERS; ANNUAL REGISTRATION

(a) Registration. Annually, on or before January 31 following a year in which a person meets the definition of data broker as provided in section 2430 of this title, a data broker shall:
(1) register with the Secretary of State;
(2) pay a registration fee of $100.00; and pay a registration fee in an amount determined by the Secretary of State which shall:
(A) not exceed the reasonable costs of:
(i) establishing and maintaining the informational website set forth in subsection (f) of this section; and
(ii) establishing, maintaining, and providing access to the accessible deletion mechanism set forth in section 2446b of this title; and
(B) be deposited by the Secretary of State into the Data Brokers Registry Fund established in section 2446b of this title; and
(3) provide the following information to the Secretary of State:
(A) the name and primary physical, e-mail email, phone number, and Internet internet addresses of the data broker;
(B) if the data broker permits a consumer to opt out of the data broker’s collection of brokered personal information, opt out of its databases, or opt out of certain sales of data:
(i) the method for requesting an opt-out;
(ii) if the opt-out applies to only certain activities or
sales, which ones; and
(iii) whether the data broker permits a consumer to authorize a third party an authorized agent to perform the opt-out on the consumer’s behalf;
(C) a statement specifying the data collection, databases, or sales activities from which a consumer may not opt out;
(D) a statement whether the data broker implements a purchaser credentialing process;
(E) the number of data broker security breaches that the data broker has experienced during the prior year, and if known, the total number of consumers affected by the breaches;
(F) where the data broker has actual knowledge that it possesses the brokered personal information of minors, a separate statement detailing the data collection practices, databases, sales activities, and opt-out policies that are applicable to the brokered personal information of minors; and
(G) whether the data broker collects:
(i) precise geolocation of consumers;
(ii) reproductive health care data of consumers;
(iii) Social Security numbers of consumers;
(iv) driver’s license information of consumers;
(v) biometric data of consumers;
(vi) immigration status of consumers;
(vii) sexual orientation of consumers; or
(viii) union membership status of consumers;
(H) beginning on January 1, 2031, whether the data broker has undergone an audit pursuant to subsection 2449a(e) of this title and if so, the most recent year that the data broker has submitted a report resulting from the audit to the Secretary of State;
(I) beginning on January 1, 2029, the following annual metrics pursuant to section 2449a of this title:
(i) the number of deletion requests received;
(ii) the number of deletion requests processed;
(iii) the number of deletion requests denied because the consumer request cannot be verified; and
(iv) the
number of deletion requests denied because retention of the consumer’s brokered personal information is required by law; and
(J) any additional information or explanation the data broker chooses to provide concerning its data collection practices.
(b) Penalties. A data broker that fails to register pursuant to subsection (a) of this section is liable to the State for:
(1) a civil penalty of $50.00 for each day, not to exceed a total of $10,000.00 for each year, it fails to register pursuant to this section;
(2) an amount equal to the fees due under this section during the period it failed to register pursuant to this section; and
(3) other penalties imposed by law.
(1) A data broker that fails to register as required by subsection (a) of this section is liable to the State for:
(A) an administrative fine of $200.00 for each day the data broker fails to register;
(B) an amount equal to the fees that were due during the period the data broker failed to register; and
(C) any reasonable costs incurred by the State in the investigation and administration of the action as the court deems appropriate.
(2) A data broker that fails to provide all registration information required in subdivision (a)(3) of this section shall file an amendment that includes any omitted information not later than 30 days after receiving notification of the omission from the Secretary of State and is liable to the State for a civil penalty of $1,000.00 per day for each day thereafter that the data broker does not file an amendment providing the omitted information.
(3) A data broker that files materially incorrect information in its registration:
(A) is liable to the State for a civil penalty of $25,000.00; and
(B) shall correct the incorrect information not later than 30 days after notification of the incorrect information, and, if it fails to correct the information, the data broker shall be liable for an additional civil penalty of $1,000.00 per day for each day the data broker fails to correct the information.
(4) All penalties, fines, fees, and expenses recovered in an action pursuant to this section shall be deposited in the Data Brokers Registry Fund.
(c) Enforcement. The Attorney General and the Secretary of State may maintain an action in the Civil Division of the Superior Court to collect the penalties imposed in this section and to seek appropriate injunctive relief.
(d) Public web page. The Secretary of State shall create a publicly accessible page on its website where it lists the registration information provided by data brokers pursuant to this section and the accessible deletion mechanism set forth in section 2446a of this title.

§ 2446a. ACCESSIBLE DELETION MECHANISM

(a) Creation of mechanism.
On or before January 1, 2028, the Secretary of 4 State shall establish an accessible deletion mechanism that: 5 (1) implements and maintains reasonable security procedures and 6 practices, including administrative, physical, and technical safeguards 7 appropriate to the nature of the information and the purposes for which the 8 brokered personal information will be used and to protect a consumer’s 9 brokered personal information from unauthorized use, disclosure, access, 10 destruction, or modification; 11 (2) allows a consumer, through a single verifiable consumer request, to 12 request that every data broker that maintains any brokered personal 13 information about the consumer delete the brokered personal information; 14 (3) allows a consumer to selectively exclude specific data brokers from 15 a request made under subdivision (2) of this subsection; 16 (4) allows a consumer to alter a previous request made pursuant to 17 subdivision (2) of this subsection after at least 45 days have passed since the 18 consumer last made a request; 19 BILL AS INTRODUCED H.211 2025 Page 26 of 31 VT LEG #378943 v.1 (5) allows a consumer to request the deletion of all brokered personal 1 information related to that consumer all at once through a single deletion 2 request; 3 (6) permits a consumer to securely submit information in one or more 4 privacy-protecting ways, as determined by the Secretary of State, to aid in the 5 deletion request; 6 (7) allows a data broker registered with the Secretary of State to 7 determine whether a consumer has submitted a verifiable request to delete the 8 brokered personal information related to that consumer as described in 9 subdivision (2) of this subsection; 10 (8) does not allow the disclosure of any additional brokered personal 11 information of a consumer when the data broker accesses the accessible 12 deletion mechanism, unless otherwise specified in this subchapter; 13 (9) allows a consumer to make a request described in subdivision (2) 
of 14 this subsection using a website operated by the Secretary of State; 15 (10) does not charge a consumer to make a request described in 16 subdivision (2) of this subsection; 17 (11) is readily accessible and usable by consumers with disabilities; 18 (12) supports the ability of a consumer’s authorized agents to aid in the 19 deletion request; 20 BILL AS INTRODUCED H.211 2025 Page 27 of 31 VT LEG #378943 v.1 (13) allows the consumer or their authorized agent to verify the status of 1 the consumer’s deletion request; and 2 (14) provides a description of the following: 3 (A) the deletion permitted by this section; 4 (B) the process for submitting a deletion request pursuant to this 5 section; and 6 (C) examples of the types of information that may be deleted. 7 (b) Data broker access. 8 (1) Beginning on August 1, 2028, a data broker shall access the 9 accessible deletion mechanism established in subsection (a) of this section at 10 least once every 45 days and shall: 11 (A) process all verifiable deletion requests the data broker has 12 received from consumers in the previous 45 days and delete such brokered 13 personal information; 14 (B) process a request as an opt-out of the sale or sharing of the 15 consumer’s brokered personal information; 16 (C) direct all service providers and contractors associated with the 17 data broker to: 18 (i) delete all brokered personal information related to a consumer 19 who has made a verifiable deletion request; and 20 BILL AS INTRODUCED H.211 2025 Page 28 of 31 VT LEG #378943 v.1 (ii) process a request as an opt-out of the sale or sharing of the 1 consumer’s brokered personal information; and 2 (D) not use or disclose any information submitted by a consumer 3 through the accessible deletion mechanism for any other purpose besides the 4 authority provided in this subsection (b), including for marketing purposes. 
(2) A data broker may deny a consumer’s request to delete a consumer’s brokered personal information made pursuant to this section if retention of the consumer’s brokered personal information is required by law.
(3) The Secretary of State may charge an access fee to a data broker to use the accessible deletion mechanism that does not exceed the reasonable costs of providing access.
(4) Any fees collected pursuant to subdivision (3) of this subsection shall be deposited into the Data Brokers Registry Fund.
(c) Continuing obligation to consumers. Beginning on August 1, 2028, once a data broker has processed a verifiable consumer request to delete a consumer’s brokered personal information, the data broker shall:
(1) delete all brokered personal information of the consumer at least once every 45 days unless:
(A) the consumer alters the consumer’s decision pursuant to subdivision (a)(4) of this section; or
(B) retention of the consumer’s brokered personal information is required by law; and
(2) not sell or share new brokered personal information of the consumer unless the consumer expressly requests otherwise in writing;
(d) Audits.
(1) A data broker shall undergo an audit by an independent third party to determine compliance with this section at least once every three years, with the first audit taking place on or before December 31, 2030.
(2) For an audit completed pursuant to subdivision (1) of this subsection, the data broker shall submit the report resulting from the audit and any related materials to the Secretary of State within five business days of a written request from the Secretary of State.
(3) A data broker shall maintain all reports and materials resulting from audits conducted pursuant to this subsection for at least six years.
(e) Rules. The Secretary of State may adopt rules to implement the provisions of this subchapter, except it shall not be permitted to create a rule that establishes a new fee that is not authorized in this section.
(f) Penalties.
(1) A data broker that fails to comply with the requirements of this section is liable to the State for:
(A) an administrative fine of $200.00 per day for each deletion request the data broker fails to complete as required by subsection (b) of this section; and
(B) reasonable expenses incurred by the State in the investigation and administration of the action.
(2) All penalties, fines, fees, and expenses recovered in an action pursuant to subdivision (1) of this subsection shall be deposited in the Data Brokers Registry Fund.

§ 2446b. DATA BROKERS REGISTRY FUND
There is established the Data Brokers Registry Fund within the State Treasury. The Fund shall be administered by the Secretary of State. All moneys collected or received by the Secretary of State and the Attorney General pursuant to this subchapter shall be deposited into the Fund and shall be made available for expenditure by the Secretary of State upon appropriation by the General Assembly to offset the following costs:
(1) the reasonable costs of establishing and maintaining the informational website as set forth in subsection 2446(d) of this title;
(2) the costs incurred by State courts and the Secretary of State in connection with enforcing this subchapter; and
(3) the reasonable costs of establishing, maintaining, and providing access to the accessible deletion mechanism described in section 2446a of this title.

§ 2446c. CREDENTIALING
(a) A data broker shall maintain reasonable procedures designed to ensure that the brokered personal information it discloses is used for a legitimate and legal purpose.
(b) These procedures shall require that prospective users of the brokered information identify themselves, certify the purposes for which the information is sought, and certify that the information shall be used for no other purpose.
(c) A data broker shall make a reasonable effort to verify the identity of a new prospective user and the uses certified by the prospective user prior to furnishing the user brokered personal information.
(d) A data broker shall not furnish brokered personal information to any person if it has reasonable grounds for believing that the brokered personal information will not be used for a legitimate and legal purpose.

§ 2447. DATA BROKER DUTY TO PROTECT INFORMATION; STANDARDS; TECHNICAL REQUIREMENTS
* * *

Sec. 3. EFFECTIVE DATE
This act shall take effect on July 1, 2025.