Vermont 2025-2026 Regular Session

Vermont House Bill H0211 Compare Versions

Only one version of the bill is available at this time.
BILL AS INTRODUCED H.211
2025 Page 1 of 31
VT LEG #378943 v.1
H.211
Introduced by Representatives Priestley of Bradford, Marcotte of Coventry,
Arsenault of Williston, Austin of Colchester, Berbeco of
Winooski, Bos-Lun of Westminster, Bosch of Clarendon,
Boutin of Barre City, Boyden of Cambridge, Brown of
Richmond, Burke of Brattleboro, Burrows of West Windsor,
Campbell of St. Johnsbury, Carris-Duncan of Whitingham,
Casey of Montpelier, Chapin of East Montpelier, Cina of
Burlington, Cole of Hartford, Cordes of Bristol, Donahue of
Northfield, Duke of Burlington, Eastes of Guilford, Goldman of
Rockingham, Graning of Jericho, Greer of Bennington, Harple
of Glover, Headrick of Burlington, Holcombe of Norwich,
Krasnow of South Burlington, Lalley of Shelburne, Lipsky of
Stowe, Masland of Thetford, McCann of Montpelier, McGill of
Bridport, Micklus of Milton, Mihaly of Calais, Minier of South
Burlington, Mrowicki of Putney, Nugent of South Burlington,
O’Brien of Tunbridge, Ode of Burlington, Olson of Starksboro,
Pezzo of Colchester, Pouech of Hinesburg, Rachelson of
Burlington, Satcowitz of Randolph, Sibilia of Dover, Stevens of
Waterbury, Surprenant of Barnard, Tomlinson of Winooski,
Torre of Moretown, Waszazak of Barre City, and White of
Bethel
Referred to Committee on
Date:
Subject: Commerce and trade; protection of personal information; data brokers
Statement of purpose of bill as introduced: This bill proposes to add various
provisions to Vermont’s laws that protect the personal information of its
residents, including requiring data brokers to provide notice of security
breaches, to certify that the personal information it discloses will be used for a
legitimate purpose, and to delete the personal information of consumers who
make such a request through the use of an accessible deletion mechanism.
An act relating to data brokers and personal information
It is hereby enacted by the General Assembly of the State of Vermont:
Sec. 1. 9 V.S.A. chapter 62 is amended to read:
CHAPTER 62. PROTECTION OF PERSONAL INFORMATION
Subchapter 1. General Provisions
§ 2430. DEFINITIONS
As used in this chapter:
(1) “Authorized agent” means:
(A) a person designated by a consumer to act on the consumer’s
behalf;
(B) a parent or legal guardian that acts on behalf of the parent’s child
or on behalf of a child for whom the guardian has legal responsibility; or
(C) a guardian or conservator that acts on behalf of a consumer that is
subject to a guardianship, conservatorship, or other protective arrangement.
(2)(A) “Biometric data” means data generated from the technological
processing of an individual’s unique biological, physical, or physiological
characteristics that is linked or reasonably linkable to an individual, including:
(i) iris or retina scans;
(ii) fingerprints;
(iii) facial or hand mapping, geometry, or templates;
(iv) vein patterns;
(v) voice prints; and
(vi) gait or personally identifying physical movement or patterns.
(B) “Biometric data” does not include:
(i) a digital or physical photograph;
(ii) an audio or video recording; or
(iii) any data generated from a digital or physical photograph, or
an audio or video recording, unless such data is generated to identify a specific
individual.
(3)(A) “Brokered personal information” means one or more of the
following computerized data elements about a consumer, if categorized or
organized for dissemination to third parties:
(i) name;
(ii) address;
(iii) date of birth;
(iv) place of birth;
(v) mother’s maiden name;
(vi) unique biometric data generated from measurements or
technical analysis of human body characteristics used by the owner or licensee
of the data to identify or authenticate the consumer, such as a fingerprint, retina
or iris image, or other unique physical representation or digital representation
of biometric data;
(vii) name or address of a member of the consumer’s immediate
family or household;
(viii) Social Security number or other government-issued
identification number; or
(ix) phone number; or
(x) other information that, alone or in combination with the other
information sold or licensed, would allow a reasonable person to identify the
consumer with reasonable certainty.
(B) “Brokered personal information” does not include publicly
available information to the extent that it is related to a consumer’s business or
profession.
(2)(4) “Business” means a controller, a consumer health data controller,
a processor, or a commercial entity, including a sole proprietorship,
partnership, corporation, association, limited liability company, or other group,
however organized and whether or not organized to operate at a profit,
including a financial institution organized, chartered, or holding a license or
authorization certificate under the laws of this State, any other state, the United
States, or any other country, or the parent, affiliate, or subsidiary of a financial
institution, but does not include the State, a State agency, any political
subdivision of the State, or a vendor acting solely on behalf of, and at the
direction of, the State.
(3)(5) “Consumer” means an individual residing in this State.
(6) “Consumer health data controller” means any controller that, alone
or jointly with others, determines the purpose and means of processing
consumer health data.
(7) “Controller” means a person who, alone or jointly with others,
determines the purpose and means of processing personal data.
(4)(8)(A) “Data broker” means a business, or unit or units of a business,
separately or together, that knowingly collects and sells or licenses to third
parties the brokered personal information of a consumer with whom the
business does not have a direct relationship.
(B) Examples of a direct relationship with a business include if the
consumer is a past or present:
(i) customer, client, subscriber, user, or registered user of the
business’s goods or services within the last five calendar years;
(ii) employee, contractor, or agent of the business;
(iii) investor in the business; or
(iv) donor to the business.
(C) The following activities conducted by a business, and the
collection and sale or licensing of brokered personal information incidental to
conducting these activities, do not qualify the business as a data broker:
(i) developing or maintaining third-party e-commerce or
application platforms;
(ii) providing 411 directory assistance or directory information
services, including name, address, and telephone number, on behalf of or as a
function of a telecommunications carrier;
(iii) providing publicly available information related to a
consumer’s business or profession; or
(iv) providing publicly available information via real-time or
near-real-time alert services for health or safety purposes.
(D) The phrase “sells or licenses” does not include:
(i) a one-time or occasional sale of assets of a business as part of a
transfer of control of those assets that is not part of the ordinary conduct of the
business; or
(ii) a sale or license of data that is merely incidental to the
business.
(5)(9)(A) “Data broker security breach” means an unauthorized
acquisition or a reasonable belief of an unauthorized acquisition of more than
one element of brokered personal information maintained by a data broker
when the brokered personal information is not encrypted, redacted, or
protected by another method that renders the information unreadable or
unusable by an unauthorized person.
(B) “Data broker security breach” does not include good faith but
unauthorized acquisition of brokered personal information by an employee or
agent of the data broker for a legitimate purpose of the data broker, provided
that the brokered personal information is not used for a purpose unrelated to
the data broker’s business or subject to further unauthorized disclosure.
(C) In determining whether brokered personal information has been
acquired or is reasonably believed to have been acquired by a person without
valid authorization, a data broker may consider the following factors, among
others:
(i) indications that the brokered personal information is in the
physical possession and control of a person without valid authorization, such
as a lost or stolen computer or other device containing brokered personal
information;
(ii) indications that the brokered personal information has been
downloaded or copied;
(iii) indications that the brokered personal information was used
by an unauthorized person, such as fraudulent accounts opened or instances of
identity theft reported; or
(iv) that the brokered personal information has been made public.
(6)(10) “Data collector” means a person who, for any purpose, whether
by automated collection or otherwise, handles, collects, disseminates, or
otherwise deals with personally identifiable information, and includes the
State, State agencies, political subdivisions of the State, public and private
universities, privately and publicly held corporations, limited liability
companies, financial institutions, and retail operators.
(7)(11) “Encryption” means use of an algorithmic process to transform
data into a form in which the data is rendered unreadable or unusable without
use of a confidential process or key.
(8)(12) “License” means a grant of access to, or distribution of, data by
one person to another in exchange for consideration. A use of data for the sole
benefit of the data provider, where the data provider maintains control over the
use of the data, is not a license.
(9)(13) “Login credentials” means a consumer’s user name or e-mail
email address, in combination with a password or an answer to a security
question, that together permit access to an online account.
(10)(14)(A) “Personally identifiable information” means a consumer’s
first name or first initial and last name in combination with one or more of the
following digital data elements, when the data elements are not encrypted,
redacted, or protected by another method that renders them unreadable or
unusable by unauthorized persons:
(i) a Social Security number;
(ii) a driver license or nondriver State identification card number,
individual taxpayer identification number, passport number, military
identification card number, or other identification number that originates from
a government identification document that is commonly used to verify identity
for a commercial transaction;
(iii) a financial account number or credit or debit card number, if
the number could be used without additional identifying information, access
codes, or passwords;
(iv) a password, personal identification number, or other access
code for a financial account;
(v) unique biometric data generated from measurements or
technical analysis of human body characteristics used by the owner or licensee
of the data to identify or authenticate the consumer, such as a fingerprint, retina
or iris image, or other unique physical representation or digital representation
of biometric data;
(vi) genetic information; and
(vii)(I) health records or records of a wellness program or similar
program of health promotion or disease prevention;
(II) a health care professional’s medical diagnosis or treatment
of the consumer; or
(III) a health insurance policy number.
(B) “Personally identifiable information” does not mean publicly
available information that is lawfully made available to the general public from
federal, State, or local government records.
(15) “Precise geolocation” means information derived from technology
that can precisely and accurately identify the specific location of a consumer
within a radius of 1,850 feet.
(16) “Processor” means a person who processes personal data on behalf
of a controller.
(11)(17) “Record” means any material on which written, drawn, spoken,
visual, or electromagnetic information is recorded or preserved, regardless of
physical form or characteristics.
(12)(18) “Redaction” means the rendering of data so that the data are
unreadable or are truncated so that no not more than the last four digits of the
identification number are accessible as part of the data.
(13)(19)(A) “Security breach” means unauthorized acquisition of
electronic data, or a reasonable belief of an unauthorized acquisition of
electronic data, that compromises the security, confidentiality, or integrity of a
consumer’s personally identifiable information or login credentials maintained
by a data collector.
(B) “Security breach” does not include good faith but unauthorized
acquisition of personally identifiable information or login credentials by an
employee or agent of the data collector for a legitimate purpose of the data
collector, provided that the personally identifiable information or login
credentials are not used for a purpose unrelated to the data collector’s business
or subject to further unauthorized disclosure.
(C) In determining whether personally identifiable information or
login credentials have been acquired or is reasonably believed to have been
acquired by a person without valid authorization, a data collector may consider
the following factors, among others:
(i) indications that the information is in the physical possession
and control of a person without valid authorization, such as a lost or stolen
computer or other device containing information;
(ii) indications that the information has been downloaded or
copied;
(iii) indications that the information was used by an unauthorized
person, such as fraudulent accounts opened or instances of identity theft
reported; or
(iv) that the information has been made public.
* * *
Subchapter 2. Security Breach Notice Act Breaches
§ 2435. NOTICE OF SECURITY BREACHES
* * *
(h) Enforcement.
(1) With respect to all data collectors and other entities subject to this
subchapter, other than a person or entity licensed or registered with the
Department of Financial Regulation under Title 8 or this title, the Attorney
General and State’s Attorney shall have sole and full authority to investigate
potential violations of this subchapter and to enforce, prosecute, obtain, and
impose remedies for a violation of this subchapter or any rules or regulations
made pursuant to this subchapter as the Attorney General and State’s Attorney
have under chapter 63 of this title. With respect to a controller or processor
other than a controller or processor licensed or registered with the Department
of Financial Regulation under Title 8 or this title, the Attorney General has the
same authority to adopt rules to implement the provisions of this section and to
conduct civil investigations, enter into assurances of discontinuance, bring civil
actions, and take other enforcement actions as provided under chapter 63,
subchapter 1 of this title. The Attorney General may refer the matter to the
State’s Attorney in an appropriate case. The Superior Courts shall have
jurisdiction over any enforcement matter brought by the Attorney General or a
State’s Attorney under this subsection.
(2) With respect to a data collector that is a person or entity licensed or
registered with the Department of Financial Regulation under Title 8 or this
title, the Department of Financial Regulation shall have the full authority to
investigate potential violations of this subchapter and to prosecute, obtain, and
impose remedies for a violation of this subchapter or any rules or regulations
adopted pursuant to this subchapter, as the Department has under Title 8 or this
title or any other applicable law or regulation. With respect to a controller or
processor that is licensed or registered with the Department of Financial
Regulation under Title 8 or this title, the Department of Financial Regulation
has the same authority to adopt rules to implement the provisions of this
section and to conduct civil investigations, enter into assurances of
discontinuance, bring civil actions, and take other enforcement actions as
provided under Title 8 or this title or any other applicable law or regulation.
* * *
§ 2436. NOTICE OF DATA BROKER SECURITY BREACHES
(a) Short title. This section shall be known as the “Data Broker Security
Breach Notice Act.”
(b) Notice of breach to consumers.
(1) Except as otherwise provided in subsection (c) of this section, a data
broker shall, following discovery or notification to the data broker of a security
breach affecting a consumer, notify the consumer that there has been a data
broker security breach. Notice of the security breach shall be made in the most
expedient time possible and without unreasonable delay, but not later than 45
days after the discovery or notification, consistent with the legitimate needs of
the law enforcement agency, as provided in subdivisions (3) and (4) of this
subsection, or with any measures necessary to determine the scope of the
security breach and restore the reasonable integrity, security, and
confidentiality of the data system.
(2) A data broker shall provide notice of a breach to the Attorney
General as follows:
(A)(i) The data broker shall notify the Attorney General of the date of
the security breach and the date of discovery of the breach and shall provide a
preliminary description of the breach within 14 business days, consistent with
the legitimate needs of the law enforcement agency, as provided in
subdivisions (3) and (4) of this subsection (b), after the data broker’s discovery
of the security breach.
(ii) If the date of the breach is unknown at the time notice is sent
to the Attorney General, the data broker shall send the Attorney General the
date of the breach as soon as it is known.
(iii) Unless otherwise ordered by a court of this State for good
cause shown, a notice provided under this subdivision (2)(A) shall not be
disclosed, without the consent of the data broker, to any person other than the
authorized agent or representative of the Attorney General, a State’s Attorney,
or another law enforcement officer engaged in legitimate law enforcement
activities.
(B)(i) When the data broker provides notice of the breach pursuant to
subdivision (1) of this subsection, the data broker shall notify the Attorney
General of the number of Vermont consumers affected, if known to the data
broker, and shall provide a copy of the notice provided to consumers under
subdivision (1) of this subsection (b).
(ii) The data broker may send to the Attorney General a second
copy of the consumer notice, from which is redacted the type of brokered
personal information that was subject to the breach, that the Attorney General
shall use for any public disclosure of the breach.
(3) The notice to the Attorney General and a consumer required by this
subsection shall be delayed upon request of a law enforcement agency. A law
enforcement agency may request the delay if it believes that notification may
impede a law enforcement investigation or a national or Homeland Security
investigation or jeopardize public safety or national or Homeland Security
interests. In the event law enforcement makes the request for a delay in a
manner other than in writing, the data broker shall document the request
contemporaneously in writing and include the name of the law enforcement
officer making the request and the officer’s law enforcement agency engaged
in the investigation. A law enforcement agency shall promptly notify the data
broker in writing when the law enforcement agency no longer believes that
notification may impede a law enforcement investigation or a national or
Homeland Security investigation or jeopardize public safety or national or
Homeland Security interests. The data broker shall provide notice required by
this subsection without unreasonable delay upon receipt of a written
communication, which includes facsimile or electronic communication, from
the law enforcement agency withdrawing its request for delay.
(4) The notice to a consumer required in subdivision (1) of this
subsection shall be clear and conspicuous. A notice to a consumer of a
security breach involving brokered personal information shall include a
description of each of the following, if known to the data broker:
(A) the incident in general terms;
(B) the categories of brokered personal information that was subject
to the security breach;
(C) the general acts of the data broker to protect the brokered
personal information from further security breach;
(D) a telephone number, toll-free if available, that the consumer may
call for further information and assistance;
(E) advice that directs the consumer to remain vigilant by reviewing
account statements and monitoring free credit reports; and
(F) the approximate date of the data broker security breach.
(5) A data broker may provide notice of a security breach involving
brokered personal information to a consumer by two or more of the following
methods:
(A) written notice mailed to the consumer’s residence;
(B) electronic notice, for those consumers for whom the data broker
has a valid email address, if:
(i) the data broker’s primary method of communication with the
consumer is by electronic means, the electronic notice does not request or
contain a hypertext link to a request that the consumer provide personal
information, and the electronic notice conspicuously warns consumers not to
provide personal information in response to electronic communications
regarding security breaches; or
(ii) the notice is consistent with the provisions regarding electronic
records and signatures for notices in 15 U.S.C. § 7001;
(C) telephonic notice, provided that telephonic contact is made
directly with each affected consumer and not through a prerecorded message;
or
(D) notice by publication in a newspaper of statewide circulation in
the event the data broker cannot effectuate notice by any other means.
(c) Exception.
(1) Notice of a security breach pursuant to subsection (b) of this section
is not required if the data broker establishes that misuse of brokered personal
information is not reasonably possible and the data broker provides notice of
the determination that the misuse of the brokered personal information is not
reasonably possible pursuant to the requirements of this subsection. If the data
broker establishes that misuse of the brokered personal information is not
reasonably possible, the data broker shall provide notice of its determination
that misuse of the brokered personal information is not reasonably possible and
a detailed explanation for said determination to the Attorney General. The data
broker may designate its notice and detailed explanation to the Attorney
General as a trade secret if the notice and detailed explanation meet the
definition of trade secret contained in 1 V.S.A. § 317(c)(9).
(2) If a data broker established that misuse of brokered personal
information was not reasonably possible under subdivision (1) of this
subsection and subsequently obtains facts indicating that misuse of the
brokered personal information has occurred or is occurring, the data broker
shall provide notice of the security breach pursuant to subsection (b) of this
section.
(d) Waiver. Any waiver of the provisions of this subchapter is contrary to
public policy and is void and unenforceable.
(e) Enforcement.
(1) With respect to a controller or processor other than a controller or
processor licensed or registered with the Department of Financial Regulation
under Title 8 or this title, the Attorney General has the same authority to adopt
rules to implement the provisions of this section and to conduct civil
investigations, enter into assurances of discontinuance, bring civil actions, and
take other enforcement actions as provided under chapter 63, subchapter 1 of
this title. The Attorney General may refer the matter to the State’s Attorney in
an appropriate case. The Superior Courts shall have jurisdiction over any
enforcement matter brought by the Attorney General or a State’s Attorney
under this subsection.
(2) With respect to a controller or processor that is licensed or registered
with the Department of Financial Regulation under Title 8 or this title, the
Department of Financial Regulation has the same authority to adopt rules to
implement the provisions of this section and to conduct civil investigations,
enter into assurances of discontinuance, bring civil actions, and take other
enforcement actions as provided under Title 8 or this title or any other
applicable law or regulation.
* * *
Subchapter 5. Data Brokers
§ 2446. DATA BROKERS; ANNUAL REGISTRATION
(a) Registration. Annually, on or before January 31 following a year in
which a person meets the definition of data broker as provided in section 2430
of this title, a data broker shall:
(1) register with the Secretary of State;
(2) pay a registration fee of $100.00; and pay a registration fee in an
amount determined by the Secretary of State which shall:
(A) not exceed the reasonable costs of:
(i) establishing and maintaining the informational website set forth
in subsection (f) of this section; and
(ii) establishing, maintaining, and providing access to the
accessible deletion mechanism set forth in section 2446b of this title; and
500500 (B) be deposited by the Secretary of State into the Data Brokers 1
501501 Registry Fund established in section 2446b of this title; and 2
502502 (3) provide the following information to the Secretary of State: 3
503503 (A) the name and primary physical, e-mail email, phone number, and 4
504504 Internet internet addresses of the data broker; 5
505505 (B) if the data broker permits a consumer to opt out of the data 6
506506 broker’s collection of brokered personal information, opt out of its databases, 7
507507 or opt out of certain sales of data: 8
508508 (i) the method for requesting an opt-out; 9
509509 (ii) if the opt-out applies to only certain activities or sales, which 10
510510 ones; and 11
511511 (iii) whether the data broker permits a consumer to authorize a 12
512512 third party an authorized agent to perform the opt-out on the consumer’s 13
513513 behalf; 14
514514 (C) a statement specifying the data collection, databases, or sales 15
515515 activities from which a consumer may not opt out; 16
516516 (D) a statement whether the data broker implements a purchaser 17
517517 credentialing process; 18
518518 (E) the number of data broker security breaches that the data broker 19
519519 has experienced during the prior year, and if known, the total number of 20
520520 consumers affected by the breaches; 21
525525 (F) where the data broker has actual knowledge that it possesses the 1
526526 brokered personal information of minors, a separate statement detailing the 2
527527 data collection practices, databases, sales activities, and opt-out policies that 3
528528 are applicable to the brokered personal information of minors; and 4
529529 (G) whether the data broker collects: 5
530530 (i) precise geolocation of consumers; 6
531531 (ii) reproductive health care data of consumers; 7
532532 (iii) Social Security numbers of consumers; 8
533533 (iv) driver’s license information of consumers; 9
534534 (v) biometric data of consumers; 10
535535 (vi) immigration status of consumers; 11
536536 (vii) sexual orientation of consumers; or 12
537537 (viii) union membership status of consumers; 13
538538 (H) beginning on January 1, 2031, whether the data broker has 14
539539 undergone an audit pursuant to subsection 2449a(e) of this title and if so, the 15
540540 most recent year that the data broker has submitted a report resulting from the 16
541541 audit to the Secretary of State; 17
542542 (I) beginning on January 1, 2029, the following annual metrics 18
543543 pursuant to section 2449a of this title: 19
544544 (i) the number of deletion requests received; 20
545545 (ii) the number of deletion requests processed; 21
550550 (iii) the number of deletion requests denied because the consumer 1
551551 request cannot be verified; and 2
552552 (iv) the number of deletion requests denied because retention of 3
553553 the consumer’s brokered personal information is required by law; and 4
554554 (J) any additional information or explanation the data broker chooses 5
555555 to provide concerning its data collection practices. 6
556556 (b) Penalties. A data broker that fails to register pursuant to subsection (a) 7
557557 of this section is liable to the State for: 8
558558 (1) a civil penalty of $50.00 for each day, not to exceed a total of 9
559559 $10,000.00 for each year, it fails to register pursuant to this section; 10
560560 (2) an amount equal to the fees due under this section during the period 11
561561 it failed to register pursuant to this section; and 12
562562 (3) other penalties imposed by law. 13
563563 (1) A data broker that fails to register as required by subsection (a) of 14
564564 this section is liable to the State for: 15
565565 (A) an administrative fine of $200.00 for each day the data broker 16
566566 fails to register; 17
567567 (B) an amount equal to the fees that were due during the period the 18
568568 data broker failed to register; and 19
569569 (C) any reasonable costs incurred by the State in the investigation 20
570570 and administration of the action as the court deems appropriate. 21
575575 (2) A data broker that fails to provide all registration information 1
576576 required in subdivision (a)(3) of this section shall file an amendment that 2
577577 includes any omitted information not later than 30 days after receiving 3
578578 notification of the omission from the Secretary of State and is liable to the 4
579579 State for a civil penalty of $1,000.00 per day for each day thereafter that the 5
580580 data broker does not file an amendment providing the omitted information. 6
581581 (3) A data broker that files materially incorrect information in its 7
582582 registration: 8
583583 (A) is liable to the State for a civil penalty of $25,000.00; and 9
584584 (B) shall correct the incorrect information not later than 30 days after 10
585585 notification of the incorrect information, and, if it fails to correct the 11
586586 information, the data broker shall be liable for an additional civil penalty of 12
587587 $1,000.00 per day for each day the data broker fails to correct the information. 13
588588 (4) All penalties, fines, fees, and expenses recovered in an action 14
589589 pursuant to this section shall be deposited in the Data Brokers Registry Fund. 15
590590 (c) Enforcement. The Attorney General and the Secretary of State may 16
591591 maintain an action in the Civil Division of the Superior Court to collect the 17
592592 penalties imposed in this section and to seek appropriate injunctive relief. 18
593593 (d) Public web page. The Secretary of State shall create a publicly 19
594594 accessible page on its website where it lists the registration information 20
599599 provided by data brokers pursuant to this section and the accessible deletion 1
600600 mechanism set forth in section 2446a of this title. 2
601601 § 2446a. ACCESSIBLE DELETION MECHANISM 3
602602 (a) Creation of mechanism. On or before January 1, 2028, the Secretary of 4
603603 State shall establish an accessible deletion mechanism that: 5
604604 (1) implements and maintains reasonable security procedures and 6
605605 practices, including administrative, physical, and technical safeguards 7
606606 appropriate to the nature of the information and the purposes for which the 8
607607 brokered personal information will be used and to protect a consumer’s 9
608608 brokered personal information from unauthorized use, disclosure, access, 10
609609 destruction, or modification; 11
610610 (2) allows a consumer, through a single verifiable consumer request, to 12
611611 request that every data broker that maintains any brokered personal 13
612612 information about the consumer delete the brokered personal information; 14
613613 (3) allows a consumer to selectively exclude specific data brokers from 15
614614 a request made under subdivision (2) of this subsection; 16
615615 (4) allows a consumer to alter a previous request made pursuant to 17
616616 subdivision (2) of this subsection after at least 45 days have passed since the 18
617617 consumer last made a request; 19
622622 (5) allows a consumer to request the deletion of all brokered personal 1
623623 information related to that consumer all at once through a single deletion 2
624624 request; 3
625625 (6) permits a consumer to securely submit information in one or more 4
626626 privacy-protecting ways, as determined by the Secretary of State, to aid in the 5
627627 deletion request; 6
628628 (7) allows a data broker registered with the Secretary of State to 7
629629 determine whether a consumer has submitted a verifiable request to delete the 8
630630 brokered personal information related to that consumer as described in 9
631631 subdivision (2) of this subsection; 10
632632 (8) does not allow the disclosure of any additional brokered personal 11
633633 information of a consumer when the data broker accesses the accessible 12
634634 deletion mechanism, unless otherwise specified in this subchapter; 13
635635 (9) allows a consumer to make a request described in subdivision (2) of 14
636636 this subsection using a website operated by the Secretary of State; 15
637637 (10) does not charge a consumer to make a request described in 16
638638 subdivision (2) of this subsection; 17
639639 (11) is readily accessible and usable by consumers with disabilities; 18
640640 (12) supports the ability of a consumer’s authorized agents to aid in the 19
641641 deletion request; 20
646646 (13) allows the consumer or their authorized agent to verify the status of 1
647647 the consumer’s deletion request; and 2
648648 (14) provides a description of the following: 3
649649 (A) the deletion permitted by this section; 4
650650 (B) the process for submitting a deletion request pursuant to this 5
651651 section; and 6
652652 (C) examples of the types of information that may be deleted. 7
653653 (b) Data broker access. 8
654654 (1) Beginning on August 1, 2028, a data broker shall access the 9
655655 accessible deletion mechanism established in subsection (a) of this section at 10
656656 least once every 45 days and shall: 11
657657 (A) process all verifiable deletion requests the data broker has 12
658658 received from consumers in the previous 45 days and delete such brokered 13
659659 personal information; 14
660660 (B) process a request as an opt-out of the sale or sharing of the 15
661661 consumer’s brokered personal information; 16
662662 (C) direct all service providers and contractors associated with the 17
663663 data broker to: 18
664664 (i) delete all brokered personal information related to a consumer 19
665665 who has made a verifiable deletion request; and 20
670670 (ii) process a request as an opt-out of the sale or sharing of the 1
671671 consumer’s brokered personal information; and 2
672672 (D) not use or disclose any information submitted by a consumer 3
673673 through the accessible deletion mechanism for any other purpose besides the 4
674674 authority provided in this subsection (b), including for marketing purposes. 5
675675 (2) A data broker may deny a consumer’s request to delete a consumer’s 6
676676 brokered personal information made pursuant to this section if retention of the 7
677677 consumer’s brokered personal information is required by law. 8
678678 (3) The Secretary of State may charge an access fee to a data broker to 9
679679 use the accessible deletion mechanism that does not exceed the reasonable 10
680680 costs of providing access. 11
681681 (4) Any fees collected pursuant to subdivision (3) of this subsection 12
682682 shall be deposited into the Data Brokers Registry Fund. 13
683683 (c) Continuing obligation to consumers. Beginning on August 1, 2028, 14
684684 once a data broker has processed a verifiable consumer request to delete a 15
685685 consumer’s brokered personal information, the data broker shall: 16
686686 (1) delete all brokered personal information of the consumer at least 17
687687 once every 45 days unless: 18
688688 (A) the consumer alters the consumer’s decision pursuant to 19
689689 subdivision (a)(4) of this section; or 20
694694 (B) retention of the consumer’s brokered personal information is 1
695695 required by law; and 2
696696 (2) not sell or share new brokered personal information of the consumer 3
697697 unless the consumer expressly requests otherwise in writing; 4
698698 (d) Audits. 5
699699 (1) A data broker shall undergo an audit by an independent third party to 6
700700 determine compliance with this section at least once every three years, with the 7
701701 first audit taking place on or before December 31, 2030. 8
702702 (2) For an audit completed pursuant to subdivision (1) of this 9
703703 subsection, the data broker shall submit the report resulting from the audit and 10
704704 any related materials to the Secretary of State within five business days of a 11
705705 written request from the Secretary of State. 12
706706 (3) A data broker shall maintain all reports and materials resulting from 13
707707 audits conducted pursuant to this subsection for at least six years. 14
708708 (e) Rules. The Secretary of State may adopt rules to implement the 15
709709 provisions of this subchapter, except it shall not be permitted to create a rule 16
710710 that establishes a new fee that is not authorized in this section. 17
711711 (f) Penalties. 18
712712 (1) A data broker that fails to comply with the requirements of this 19
713713 section is liable to the State for: 20
718718 (A) an administrative fine of $200.00 per day for each deletion 1
719719 request the data broker fails to complete as required by subsection (b) of this 2
720720 section; and 3
721721 (B) reasonable expenses incurred by the State in the investigation and 4
722722 administration of the action. 5
723723 (2) All penalties, fines, fees, and expenses recovered in an action 6
724724 pursuant to subdivision (1) of this subsection shall be deposited in the Data 7
725725 Brokers Registry Fund. 8
726726 § 2446b. DATA BROKERS REGISTRY FUND 9
727727 There is established the Data Brokers Registry Fund within the State 10
728728 Treasury. The Fund shall be administered by the Secretary of State. All 11
729729 moneys collected or received by the Secretary of State and the Attorney 12
730730 General pursuant to this subchapter shall be deposited into the Fund and shall 13
731731 be made available for expenditure by the Secretary of State upon appropriation 14
732732 by the General Assembly to offset the following costs: 15
733733 (1) the reasonable costs of establishing and maintaining the 16
734734 informational website as set forth in subsection 2446(d) of this title; 17
735735 (2) the costs incurred by State courts and the Secretary of State in 18
736736 connection with enforcing this subchapter; and 19
741741 (3) the reasonable costs of establishing, maintaining, and providing 1
742742 access to the accessible deletion mechanism described in section 2446a of this 2
743743 title. 3
744744 § 2446c. CREDENTIALING 4
745745 (a) A data broker shall maintain reasonable procedures designed to ensure 5
746746 that the brokered personal information it discloses is used for a legitimate and 6
747747 legal purpose. 7
748748 (b) These procedures shall require that prospective users of the brokered 8
749749 information identify themselves, certify the purposes for which the information 9
750750 is sought, and certify that the information shall be used for no other purpose. 10
751751 (c) A data broker shall make a reasonable effort to verify the identity of a 11
752752 new prospective user and the uses certified by the prospective user prior to 12
753753 furnishing the user brokered personal information. 13
754754 (d) A data broker shall not furnish brokered personal information to any 14
755755 person if it has reasonable grounds for believing that the brokered personal 15
756756 information will not be used for a legitimate and legal purpose. 16
757757 § 2447. DATA BROKER DUTY TO PROTECT INFORMATION; 17
758758 STANDARDS; TECHNICAL REQUIREMENTS 18
759759 * * * 19
760760 Sec. 3. EFFECTIVE DATE 20
761761 This act shall take effect on July 1, 2025. 21