Vermont 2025-2026 Regular Session

Vermont Senate Bill S0069 Compare Versions

Version 1 (Old)

Version 2 (New)

Old	New		Differences
1		-	BILLASINTRODUCEDANDPASSEDBYSENATE S.69
2		-	2025 Page1of25
3		-	S.69
4		-	IntroducedbySenatorsHarrison,Bongartz,Brennan,Clarkson,Collamore,
5		-	Cummings,Hashim,Lyons,Major,Perchlik,Plunkett,Watson,
6		-	Weeks,WestmanandWhite
7		-	ReferredtoCommitteeonInstitutions
8		-	Date:February13,2025
9		-	Subject:Commerceandtrade;protectionofpersonalinformation;privacyof
10		-	minors
11		-	Statementofpurposeofbillasintroduced:Thisbillproposestorequirethat
12		-	anycoveredbusinessthatdevelopsandprovidesonlineservices,products,or
13		-	featuresthatchildrenarereasonablylikelytoaccessmustnotuseabusiveor
14		-	privacy-invasivedesignfeaturesonchildren.
15		-	Anactrelatingtoanage-appropriatedesigncode
16		-	ItisherebyenactedbytheGeneralAssemblyoftheStateofVermont:
17		-	Sec.1.9V.S.A.chapter62,subchapter6isaddedtoread:
18		-	Subchapter6.VermontAge-AppropriateDesignCodeAct
19		-	§ 2449a.DEFINITIONS
20		-	Asusedinthissubchapter:
21		-	1
22		-	2
23		-	3
24		-	4
25		-	5
26		-	6
27		-	7
28		-	8
29		-	9
30		-	10
31		-	11
32		-	12
33		-	13
34		-	14
35		-	15
36		-	16
37		-	17
38		-	18 BILLASINTRODUCEDANDPASSEDBYSENATE S.69
39		-	2025 Page2of25
40		-	(1)(A)“Affiliate”meansalegalentitythatsharescommonbranding
41		-	withanotherlegalentityorcontrols,iscontrolledby,orisundercommon
42		-	controlwithanotherlegalentity.
43		-	(B)Asusedinsubdivision(A)ofthissubdivision(1),“control”or
44		-	“controlled”means:
45		-	(i)ownershipof,orthepowertovote,morethan50percentofthe
46		-	outstandingsharesofanyclassofvotingsecurityofacompany;
47		-	(ii)controlinanymannerovertheelectionofamajorityofthe
48		-	directorsorofindividualsexercisingsimilarfunctions;or
49		-	(iii)thepowertoexercisecontrollinginfluenceoverthe
50		-	managementofacompany.
51		-	(2)“Ageassurance”encompassesarangeofmethodsusedtodetermine,
52		-	estimate,orcommunicatetheageoranagerangeofanonlineuser.
53		-	(3)“Algorithmicrecommendationsystem”meansasystemthatusesan
54		-	algorithmtoselect,filter,andarrangemediaonacoveredbusiness’swebsite
55		-	forthepurposeofselecting,recommending,orprioritizingmediaforauser.
56		-	(4)(A)“Biometricdata”meansdatageneratedfromthetechnological
57		-	processingofanindividual’suniquebiological,physical,orphysiological
58		-	characteristicsthatalloworconfirmtheuniqueidentificationoftheconsumer,
59		-	including:
60		-	1
61		-	2
62		-	3
63		-	4
64		-	5
65		-	6
66		-	7
67		-	8
68		-	9
69		-	10
70		-	11
71		-	12
72		-	13
73		-	14
74		-	15
75		-	16
76		-	17
77		-	18
78		-	19
79		-	20 BILLASINTRODUCEDANDPASSEDBYSENATE S.69
80		-	2025 Page3of25
81		-	(i)irisorretinascans;
82		-	(ii)fingerprints;
83		-	(iii)facialorhandmapping,geometry,ortemplates;
84		-	(iv)veinpatterns;
85		-	(v)voiceprintsorvocalbiomarkers;and
86		-	(vi)gaitorpersonallyidentifyingphysicalmovementorpatterns.
87		-	(B)“Biometricdata”doesnotinclude:
88		-	(i)adigitalorphysicalphotograph;
89		-	(ii)anaudioorvideorecording;or
90		-	(iii)anydatageneratedfromadigitalorphysicalphotograph,or
91		-	anaudioorvideorecording,unlesssuchdataisgeneratedtoidentifyaspecific
92		-	individual.
93		-	(5)“Businessassociate”hasthesamemeaningasinHIPAA.
94		-	(5)“Businessassociate”hasthesamemeaningasintheHealth
95		-	InsurancePortabilityandAccountabilityActof1996,Pub.L.No.104-191
96		-	(HIPAA).
97		-	(6)“Collect”meansbuying,renting,gathering,obtaining,receiving,or
98		-	accessinganypersonaldatabyanymeans.Thisincludesreceivingdatafrom
99		-	theconsumer,eitheractivelyorpassively,orbyobservingtheconsumer’s
100		-	behavior.
101		-	(7)“Compulsiveuse”meanstherepetitiveuseofacoveredbusiness’s
102		-	servicethatmateriallydisruptsoneormoremajorlifeactivitiesofaminor,
103		-	1
104		-	2
105		-	3
106		-	4
107		-	5
108		-	6
109		-	7
110		-	8
111		-	9
112		-	10
113		-	11
114		-	12
115		-	13
116		-	14
117		-	15
118		-	16
119		-	17
120		-	18
121		-	19 BILLASINTRODUCEDANDPASSEDBYSENATE S.69
122		-	2025 Page4of25
123		-	includingsleeping,eating,learning,reading,concentrating,communicating,or
124		-	working.
125		-	(8)(A)“Consumer”meansanindividualwhoisaresidentoftheState.
126		-	(B)“Consumer”doesnotincludeanindividualactingina
127		-	commercialoremploymentcontextorasanemployee,owner,director,officer,
128		-	orcontractorofacompany,partnership,soleproprietorship,nonprofit,or
129		-	governmentagencywhosecommunicationsortransactionswiththecovered
130		-	businessoccursolelywithinthecontextofthatindividual’srolewiththe
131		-	company,partnership,soleproprietorship,nonprofit,orgovernmentagency.
132		-	(9)“Consumerhealthdata”meansanypersonaldatathatacontroller
133		-	usestoidentifyaconsumer’sphysicalormentalhealthconditionordiagnosis,
134		-	includinggender-affirminghealthdataandreproductiveorsexualhealthdata.
135		-	(10)“Controller”meansapersonwho,aloneorjointlywithothers,
136		-	determinesthepurposeandmeansofprocessingpersonaldata.
137		-	(11)“Coveredbusiness”meansasoleproprietorship,partnership,
138		-	limitedliabilitycompany,corporation,association,otherlegalentity,oran
139		-	affiliatethereof,thatconductsbusinessinthisStateandwhoseonline
140		-	products,services,orfeaturesarereasonablylikelytobeaccessedbyaminor
141		-	andthat:
142		-	(A)collectsconsumers’personaldataorhasconsumers’personal
143		-	datacollectedonitsbehalfbyaprocessor;and
144		-	1
145		-	2
146		-	3
147		-	4
148		-	5
149		-	6
150		-	7
151		-	8
152		-	9
153		-	10
154		-	11
155		-	12
156		-	13
157		-	14
158		-	15
159		-	16
160		-	17
161		-	18
162		-	19
163		-	20
164		-	21 BILLASINTRODUCEDANDPASSEDBYSENATE S.69
165		-	2025 Page5of25
166		-	(B)aloneorjointlywithothersdeterminesthepurposesandmeans
167		-	oftheprocessingofconsumerspersonaldata.
168		-	(11)“Coveredbusiness”meansasoleproprietorship,partnership,
169		-	limitedliabilitycompany,corporation,association,otherlegalentity,oran
170		-	affiliatethereof:
171		-	(A)thatconductsbusinessinthisState;
172		-	(B)thatgeneratesamajorityofitsannualrevenuefromonline
173		-	services;
174		-	(C)whoseonlineproducts,services,orfeaturesarereasonablylikely
175		-	tobeaccessedbyaminor;
176		-	(D)thatcollectsconsumers’personaldataorhasconsumers’
177		-	personaldatacollectedonitsbehalfbyaprocessor;and
178		-	(E)thataloneorjointlywithothersdeterminesthepurposesand
179		-	meansoftheprocessingofconsumerspersonaldata.
180		-	(12)“Coveredentity”hasthesamemeaningasinHIPAA.
181		-	(13)“Coveredminor”isaconsumerwhoacoveredbusinessactually
182		-	knowsisaminororlabelsasaminorpursuanttoageassurancemethodsin
183		-	rulesadoptedbytheAttorneyGeneral.
184		-	(14)“Default”meansapreselectedoptionadoptedbythecovered
185		-	businessfortheonlineservice,product,orfeature.
186		-	(15)“De-identifieddata”meansdatathatdoesnotidentifyandcannot
187		-	reasonablybeusedtoinferinformationabout,orotherwisebelinkedto,an
188		-	identifiedoridentifiableindividual,oradevicelinkedtotheindividual,ifthe
189		-	coveredbusinessthatpossessesthedata:
190		-	(A)(i)takesreasonablemeasurestoensurethatthedatacannotbe
191		-	usedtoreidentifyanidentifiedoridentifiableindividualorbeassociatedwith
192		-	1
193		-	2
194		-	3
195		-	4
196		-	5
197		-	6
198		-	7
199		-	8
200		-	9
201		-	10
202		-	11
203		-	12
204		-	13
205		-	14 BILLASINTRODUCEDANDPASSEDBYSENATE S.69
206		-	2025 Page6of25
207		-	anindividualordevicethatidentifiesorislinkedorreasonablylinkabletoan
208		-	individualorhousehold;and
209		-	(ii)forpurposesofthissubdivision(A),“reasonablemeasures”
210		-	includesthede-identificationrequirementssetforthunder45C.F.R.§ 164.514
211		-	(otherrequirementsrelatingtousesanddisclosuresofprotectedhealth
212		-	information);
213		-	(B)publiclycommitstoprocessthedataonlyinade-identified
214		-	fashionandnotattempttoreidentifythedata;and
215		-	(C)contractuallyobligatesanyrecipientsofthedatatocomplywith
216		-	allprovisionsofthissubchapter.
217		-	(16)“Deriveddata”meansdatathatiscreatedbythederivationof
218		-	information,data,assumptions,correlations,inferences,predictions,or
219		-	conclusionsfromfacts,evidence,oranothersourceofinformationordata
220		-	aboutaminororaminor’sdevice.
221		-	(17)“Geneticdata”meansanydata,regardlessofitsformat,thatresults
222		-	fromtheanalysisofabiologicalsampleofanindividual,orfromanother
223		-	sourceenablingequivalentinformationtobeobtained,andconcernsgenetic
224		-	material,includingdeoxyribonucleicacids(DNA),ribonucleicacids(RNA),
225		-	genes,chromosomes,alleles,genomes,alterationsormodificationstoDNAor
226		-	RNA,singlenucleotidepolymorphisms(SNPs),epigeneticmarkers,
227		-	1
228		-	2
229		-	3
230		-	4
231		-	5
232		-	6
233		-	7
234		-	8
235		-	9
236		-	10
237		-	11
238		-	12
239		-	13
240		-	14
241		-	15
242		-	16
243		-	17
244		-	18
245		-	19
246		-	20 BILLASINTRODUCEDANDPASSEDBYSENATE S.69
247		-	2025 Page7of25
248		-	uninterpreteddatathatresultsfromanalysisofthebiologicalsampleorother
249		-	source,andanyinformationextrapolated,derived,orinferredtherefrom.
250		-	(18)“Identifiedoridentifiableindividual”meansanindividualwhocan
251		-	bereadilyidentified,directlyorindirectly,includingbyreferencetoan
252		-	identifiersuchasaname,anidentificationnumber,specificgeolocationdata,
253		-	oranonlineidentifier.
254		-	(19)“Knownadult”isaconsumerwhoacoveredbusinessactually
255		-	knowsisanadultorlabelsasanadultpursuanttoageassurancemethodsin
256		-	rulesadoptedbytheAttorneyGeneral.
257		-	(20)“Minor”meansanindividualunder18yearsofagewhoisa
258		-	residentoftheState.
259		-	(21)“Neuraldata”meansinformationthatiscollectedthrough
260		-	biosensorsandthatcouldbeprocessedtoinferorpredictmentalstates.
261		-	(22)“Onlineservice,product,orfeature”meansadigitalproductthatis
262		-	accessibletothepublicviatheinternet,includingawebsiteorapplication,and
263		-	doesnotmeananyofthefollowing:
264		-	(A)telecommunicationsservice,asdefinedin47U.S.C.§ 153;
265		-	(B)abroadbandinternetaccessserviceasdefinedin47C.F.R.
266		-	§ 54.400;or
267		-	(C)thesale,delivery,oruseofaphysicalproduct.
268		-	1
269		-	2
270		-	3
271		-	4
272		-	5
273		-	6
274		-	7
275		-	8
276		-	9
277		-	10
278		-	11
279		-	12
280		-	13
281		-	14
282		-	15
283		-	16
284		-	17
285		-	18
286		-	19
287		-	20 BILLASINTRODUCEDANDPASSEDBYSENATE S.69
288		-	2025 Page8of25
289		-	(23)(A)“Personaldata”meansanyinformation,includingderiveddata
290		-	anduniqueidentifiers,thatislinkedorreasonablylinkabletoanidentifiedor
291		-	identifiableindividualortoadevicethatidentifies,islinkedto,oris
292		-	reasonablylinkabletooneormoreidentifiedoridentifiableindividualsina
293		-	household.
294		-	(B)Personaldatadoesnotincludede-identifieddataorpublicly
295		-	availableinformation.
296		-	(24)(A)“Precisegeolocationdata”meansinformationderivedfrom
297		-	technologythatrevealsthepastorpresentphysicallocationofaconsumeror
298		-	devicethatidentifiesorislinkedorreasonablylinkabletooneormore
299		-	consumerswithprecisionandaccuracywithinaradiusof1,850feet.
300		-	(B)“Precisegeolocationdata”doesnotinclude:
301		-	(i)thecontentofcommunications;
302		-	(ii)datageneratedbyorconnectedtoanadvancedutilitymetering
303		-	infrastructuresystem;
304		-	(iii)aphotograph,ormetadataassociatedwithaphotographor
305		-	video,thatcannotbelinkedtoanindividual;or
306		-	(iv)datageneratedbyequipmentusedbyautilitycompany.
307		-	(25)“Process”or“processing”meansanyoperationorsetofoperations
308		-	performed,whetherbymanualorautomatedmeans,onpersonaldataoron
309		-	1
310		-	2
311		-	3
312		-	4
313		-	5
314		-	6
315		-	7
316		-	8
317		-	9
318		-	10
319		-	11
320		-	12
321		-	13
322		-	14
323		-	15
324		-	16
325		-	17
326		-	18
327		-	19
328		-	20 BILLASINTRODUCEDANDPASSEDBYSENATE S.69
329		-	2025 Page9of25
330		-	setsofpersonaldata,suchasthecollection,use,storage,disclosure,analysis,
331		-	deletion,modification,orotherwisehandlingofpersonaldata.
332		-	(26)“Processor”meansapersonwhoprocessespersonaldataonbehalf
333		-	ofacoveredbusiness.
334		-	(27)“Profiling”meansanyformofautomatedprocessingperformedon
335		-	personaldatatoevaluate,analyze,orpredictpersonalaspectsrelatedtoan
336		-	identifiedoridentifiableindividual’seconomicsituation,health,personal
337		-	preferences,interests,reliability,behavior,location,ormovements.
338		-	(28)(A)“Publiclyavailableinformation”meansinformationthat:
339		-	(i)ismadeavailablethroughfederal,state,orlocalgovernment
340		-	records;or
341		-	(ii)acontrollerhasareasonablebasistobelievethattheconsumer
342		-	haslawfullymadeavailabletothegeneralpublic.
343		-	(B)“Publiclyavailableinformation”doesnotinclude:
344		-	(i)biometricdatacollectedbyabusinessaboutaconsumer
345		-	withouttheconsumer’sknowledge;
346		-	(ii)informationthatiscollatedandcombinedtocreatea
347		-	consumerprofilethatismadeavailabletoauserofapubliclyavailable
348		-	websiteeitherinexchangeforpaymentorfreeofcharge;
349		-	(iii)informationthatismadeavailableforsale;
350		-	1
351		-	2
352		-	3
353		-	4
354		-	5
355		-	6
356		-	7
357		-	8
358		-	9
359		-	10
360		-	11
361		-	12
362		-	13
363		-	14
364		-	15
365		-	16
366		-	17
367		-	18
368		-	19
369		-	20 BILLASINTRODUCEDANDPASSEDBYSENATE S.69
370		-	2025 Page10of25
371		-	(iv)aninferencethatisgeneratedfromtheinformationdescribed
372		-	insubdivision(ii)or(iii)ofthissubdivision(28)(B);
373		-	(v)anyobscenevisualdepiction,asdefinedin18U.S.C.§ 1460;
374		-	(vi)anyinferencemadeexclusivelyfrommultipleindependent
375		-	sourcesofpubliclyavailableinformationthatrevealssensitivedatawith
376		-	respecttoaconsumer;
377		-	(vii)personaldatathatiscreatedthroughthecombinationof
378		-	personaldatawithpubliclyavailableinformation;
379		-	(viii)geneticdata,unlessotherwisemadepubliclyavailableby
380		-	theconsumertowhomtheinformationpertains;
381		-	(ix)informationprovidedbyaconsumeronawebsiteoronline
382		-	servicemadeavailabletoallmembersofthepublic,forfreeorforafee,
383		-	wheretheconsumerhasmaintainedareasonableexpectationofprivacyinthe
384		-	information,suchasbyrestrictingtheinformationtoaspecificaudience;or
385		-	(x)intimateimages,authenticorcomputer-generated,knownto
386		-	benonconsensual.
387		-	(29)“Reasonablylikelytobeaccessed”meansanonlineservice,
388		-	product,orfeaturethatisreasonablylikelytobeaccessedbyacoveredminor
389		-	basedonanyofthefollowingindicators:
390		-	1
391		-	2
392		-	3
393		-	4
394		-	5
395		-	6
396		-	7
397		-	8
398		-	9
399		-	10
400		-	11
401		-	12
402		-	13
403		-	14
404		-	15
405		-	16
406		-	17
407		-	18
408		-	19 BILLASINTRODUCEDANDPASSEDBYSENATE S.69
409		-	2025 Page11of25
410		-	(A)theonlineservice,product,orfeatureisdirectedtochildren,as
411		-	definedbytheChildren’sOnlinePrivacyProtectionAct,15U.S.C.§§ 6501–
412		-	6506andtheFederalTradeCommissionrulesimplementingthatAct;
413		-	(B)theonlineservice,product,orfeatureisdetermined,basedon
414		-	competentandreliableevidenceregardingaudiencecomposition,tobe
415		-	routinelyaccessedbyanaudiencethatiscomposedofatleasttwopercent
416		-	minorstwothrough17yearsofage;
417		-	(C)theonlineservice,product,orfeaturecontainsadvertisements
418		-	marketedtominors;
419		-	(D)theaudienceoftheonlineservice,product,orfeatureis
420		-	determined,basedoninternalcompanyresearch,tobecomposedofatleast
421		-	twopercentminorstwothrough17yearsofage;or
422		-	(E)thecoveredbusinesskneworshouldhaveknownthatatleast
423		-	twopercentoftheaudienceoftheonlineservice,product,orfeatureincludes
424		-	minorstwothrough17yearsofage,providedthat,inmakingthisassessment,
425		-	thebusinessshallnotcollectorprocessanypersonaldatathatisnot
426		-	reasonablynecessarytoprovideanonlineservice,product,orfeaturewith
427		-	whichaminorisactivelyandknowinglyengaged.
428		-	(30)“Sensitivedata”meanspersonaldatathat:
429		-	1
430		-	2
431		-	3
432		-	4
433		-	5
434		-	6
435		-	7
436		-	8
437		-	9
438		-	10
439		-	11
440		-	12
441		-	13
442		-	14
443		-	15
444		-	16
445		-	17
446		-	18
447		-	19 BILLASINTRODUCEDANDPASSEDBYSENATE S.69
448		-	2025 Page12of25
449		-	(A)revealsaconsumer’sgovernment-issuedidentifier,suchasa
450		-	SocialSecuritynumber,passportnumber,stateidentificationcard,ordriver’s
451		-	licensenumber,thatisnotrequiredbylawtobepubliclydisplayed;
452		-	(B)revealsaconsumer’sracialorethnicorigin;nationalorigin;
453		-	citizenshiporimmigrationstatus;religiousorphilosophicalbeliefs;amental
454		-	orphysicalhealthcondition,diagnosis,disability,ortreatment;statusas
455		-	pregnant;incomelevelorindebtedness;orunionmembership;
456		-	(C)revealsaconsumer’ssexualorientation,sexlife,sexuality,or
457		-	statusastransgenderornon-binary;
458		-	(D)revealsaconsumer’sstatusasavictimofacrime;
459		-	(E)isaconsumer’staxreturnandaccountnumber,financialaccount
460		-	log-in,financialaccount,debitcardnumber,orcreditcardnumberin
461		-	combinationwithanyrequiredsecurityoraccesscode,password,or
462		-	credentialsallowingaccesstoanaccount;
463		-	(F)isconsumerhealthdata;
464		-	(G)iscollectedandanalyzedconcerningconsumerhealthdatathat
465		-	describesorrevealsapast,present,orfuturementalorphysicalhealth
466		-	condition,treatment,disability,ordiagnosis,includingpregnancy,totheextent
467		-	thepersonaldataisusedbythecontrollerforapurposeotherthantoidentifya
468		-	specificconsumer’sphysicalormentalhealthconditionordiagnosis;
469		-	(H)isbiometricorgeneticdata;
470		-	1
471		-	2
472		-	3
473		-	4
474		-	5
475		-	6
476		-	7
477		-	8
478		-	9
479		-	10
480		-	11
481		-	12
482		-	13
483		-	14
484		-	15
485		-	16
486		-	17
487		-	18
488		-	19
489		-	20
490		-	21 BILLASINTRODUCEDANDPASSEDBYSENATE S.69
491		-	2025 Page13of25
492		-	(I)iscollectedfromacoveredminor;
493		-	(J)isprecisegeolocationdata;
494		-	(K)arekeystrokes;
495		-	(L)isdrivingbehavior;or
496		-	(M)isneuraldata.
497		-	(31)(A)“Socialmediaplatform”meansapublicorsemipublicinternet-
498		-	basedserviceorapplicationthatisprimarilyintendedtoconnectandallowa
499		-	usertosociallyinteractwithinsuchserviceorapplicationandenablesauser
500		-	to:
501		-	(i)constructapublicorsemipublicprofileforthepurposesof
502		-	signingintoandusingsuchserviceorapplication;
503		-	(ii)populateapubliclistofotheruserswithwhomtheusershares
504		-	asocialconnectionwithinsuchserviceorapplication;or
505		-	(iii)createorpostcontentthatisviewablebyotherusers,
506		-	includingcontentonmessageboardsandinchatrooms,andthatpresentsthe
507		-	userwithcontentgeneratedbyotherusers.
508		-	(B)“Socialmediaplatform”doesnotmeanapublicorsemipublic
509		-	internet-basedserviceorapplicationthat:
510		-	(i)exclusivelyprovidesemailordirectmessagingservices;
511		-	(ii)primarilyconsistsofnews,sports,entertainment,interactive
512		-	videogames,electroniccommerce,orcontentthatispreselectedbythe
513		-	1
514		-	2
515		-	3
516		-	4
517		-	5
518		-	6
519		-	7
520		-	8
521		-	9
522		-	10
523		-	11
524		-	12
525		-	13
526		-	14
527		-	15
528		-	16
529		-	17
530		-	18
531		-	19
532		-	20
533		-	21 BILLASINTRODUCEDANDPASSEDBYSENATE S.69
534		-	2025 Page14of25
535		-	providerforwhichanyinteractivefunctionalityisincidentalto,directly
536		-	relatedto,ordependentontheprovisionofsuchcontent;or
537		-	(iii)isusedbyandunderthedirectionofaneducationalentity,
538		-	includingalearningmanagementsystemorastudentengagementprogram.
539		-	(32)“Thirdparty”meansanaturalorlegalperson,publicauthority,
540		-	agency,orbodyotherthanthecoveredminororthecoveredbusiness.
541		-	§ 2449b.EXCLUSIONS
542		-	Thissubchapterdoesnotapplyto:
543		-	(1)afederal,state,tribal,orlocalgovernmententityintheordinary
544		-	courseofitsoperation;
545		-	(2)protectedhealthinformationthatacoveredentityorbusiness
546		-	associateprocessesinaccordancewith,ordocumentsthatacoveredentityor
547		-	businessassociatecreatesforthepurposeofcomplyingwith,HIPAA;
548		-	(3)informationusedonlyforpublichealthactivitiesandpurposes
549		-	describedin45C.F.R.§164.512;
550		-	(4)informationthatidentifiesaconsumerinconnectionwith:
551		-	(A)activitiesthataresubjecttotheFederalPolicyfortheProtection
552		-	ofHumanSubjectsassetforthin45C.F.R.Part46;
553		-	(B)researchonhumansubjectsundertakeninaccordancewithgood
554		-	clinicalpracticeguidelinesissuedbytheInternationalCouncilfor
555		-	1
556		-	2
557		-	3
558		-	4
559		-	5
560		-	6
561		-	7
562		-	8
563		-	9
564		-	10
565		-	11
566		-	12
567		-	13
568		-	14
569		-	15
570		-	16
571		-	17
572		-	18
573		-	19
574		-	20 BILLASINTRODUCEDANDPASSEDBYSENATE S.69
575		-	2025 Page15of25
576		-	HarmonisationofTechnicalRequirementsforPharmaceuticalsforHuman
577		-	Use;
578		-	(C)activitiesthataresubjecttotheprotectionsprovidedin21C.F.R.
579		-	Part50and21C.F.R.Part56;or
580		-	(D)researchconductedinaccordancewiththerequirementssetforth
581		-	insubdivisions(A)–(C)ofthissubdivision(4)orotherwiseinaccordancewith
582		-	Stateorfederallaw;and
583		-	(5)anentitywhoseprimarypurposeisjournalismasdefinedin
584		-	12 V.S.A.§ 1615(a)(2)andthathasamajorityofitsworkforceconsistingof
585		-	individualsengaginginjournalism.
586		-	§ 2449b.EXCLUSIONS
587		-	Thissubchapterdoesnotapplyto:
588		-	(1)afederal,state,tribal,orlocalgovernmententityintheordinary
589		-	courseofitsoperation;
590		-	(2)protectedhealthinformationthatacoveredentityorbusiness
591		-	associateprocessesinaccordancewith,ordocumentsthatacoveredentityor
592		-	businessassociatecreatesforthepurposeofcomplyingwith,HIPAA;
593		-	(3)informationusedonlyforpublichealthactivitiesandpurposes
594		-	describedin45C.F.R.§164.512;
595		-	(4)informationthatidentifiesaconsumerinconnectionwith:
596		-	(A)activitiesthataresubjecttotheFederalPolicyfortheProtection
597		-	ofHumanSubjectsassetforthin45C.F.R.Part46;
598		-	(B)researchonhumansubjectsundertakeninaccordancewithgood
599		-	clinicalpracticeguidelinesissuedbytheInternationalCouncilfor
600		-	HarmonisationofTechnicalRequirementsforPharmaceuticalsforHuman
601		-	Use;
602		-	(C)activitiesthataresubjecttotheprotectionsprovidedin21C.F.R.
603		-	Part50and21C.F.R.Part56;or
604		-	1
605		-	2
606		-	3
607		-	4
608		-	5
609		-	6
610		-	7
611		-	8
612		-	9
613		-	10 BILLASINTRODUCEDANDPASSEDBYSENATE S.69
614		-	2025 Page16of25
615		-	(D)researchconductedinaccordancewiththerequirementssetforth
616		-	insubdivisions(A)–(C)ofthissubdivision(4)orotherwiseinaccordancewith
617		-	Stateorfederallaw;
618		-	(5)anentitywhoseprimarypurposeisjournalismasdefinedin
619		-	12 V.S.A.§ 1615(a)(2)andthathasamajorityofitsworkforceconsistingof
620		-	individualsengaginginjournalism;
621		-	(6)apersonwhocontrolledorprocessedthepersonaldataofnotmore
622		-	than:
623		-	(A)25,000consumersinthepreviouscalendaryear,excluding
624		-	personaldatacontrolledorprocessedsolelyforthepurposeofcompletinga
625		-	paymenttransaction;or
626		-	(B)50,000consumersinthepreviouscalendaryear,excluding
627		-	personaldatacontrolledorprocessedsolelyforthepurposeofcompletinga
628		-	paymenttransactionandhadanannualgrossrevenueofnotmorethan
629		-	$1,000,000.00inthepreviouscalendaryear;and
630		-	(7)afinancialinstitutionordatasubjecttoTitleVoftheGramm-
631		-	Leach-BlileyAct,Pub.L.No.106-102,andregulationsadoptedtoimplement
632		-	thatact.
633		-	§ 2449c.MINIMUMDUTYOFCARE
634		-	(a)Acoveredbusinessthatprocessesacoveredminor’sdatainany
635		-	capacityowesaminimumdutyofcaretothecoveredminor.
636		-	(b)Asusedinthissubchapter,“aminimumdutyofcare”meanstheuseof
637		-	thepersonaldataofacoveredminorandthedesignofanonlineservice,
638		-	product,orfeaturewillnotresultin:
639		-	(1)reasonablyforeseeableemotionaldistressasdefinedin13V.S.A.
640		-	§ 1061(2)toacoveredminor;
641		-	(2)reasonablyforeseeablecompulsiveuseoftheonlineservice,
642		-	product,orfeaturebyacoveredminor; or
643		-	1
644		-	2
645		-	3
646		-	4
647		-	5
648		-	6
649		-	7
650		-	8
651		-	9
652		-	10 BILLASINTRODUCEDANDPASSEDBYSENATE S.69
653		-	2025 Page17of25
654		-	(3)discriminationagainstacoveredminorbaseduponrace,ethnicity,
655		-	sex,disability,sexualorientation,genderidentity,genderexpression,or
656		-	nationalorigin.
657		-	(c)Thecontentofthemediaviewedbyacoveredminorshallnotestablish
658		-	emotionaldistressorcompulsiveuseasthosetermsareusedinsubsection(b)
659		-	ofthissection.
660		-	(d)Nothinginthissectionshallbeconstruedtorequireacoveredbusiness
661		-	topreventorprecludeacoveredminorfromaccessingorviewinganypieceof
662		-	mediaorcategoryofmedia.
663		-	§ 2449d.REQUIREDDEFAULTPRIVACYSETTINGSANDTOOLS
664		-	(a)Defaultprivacysettings.
665		-	(1)Acoveredbusinessshallconfigurealldefaultprivacysettings
666		-	providedtoacoveredminorthroughtheonlineservice,product,orfeatureto
667		-	thehighestlevelofprivacy,includingthefollowingdefaultsettings:
668		-	(A)notdisplayingtheexistenceofthecoveredminor’ssocialmedia
669		-	accounttoanyknownadultuserunlessthecoveredminorhasexpresslyand
670		-	unambiguouslyallowedaspecificknownadultusertoviewtheiraccountor
671		-	hasexpresslyandunambiguouslychosentomaketheiraccount’sexistence
672		-	public;
673		-	(B)notdisplayingmediacreatedorpostedbythecoveredminoron
674		-	asocialmediaplatformtoanyknownadultuserunlessthecoveredminorhas
675		-	1
676		-	2
677		-	3
678		-	4
679		-	5
680		-	6
681		-	7
682		-	8
683		-	9
684		-	10
685		-	11
686		-	12
687		-	13
688		-	14
689		-	15
690		-	16
691		-	17
692		-	18
693		-	19
694		-	20
695		-	21 BILLASINTRODUCEDANDPASSEDBYSENATE S.69
696		-	2025 Page18of25
697		-	expresslyandunambiguouslyallowedaspecificknownadultusertoview
698		-	theirmediaorhasexpresslyandunambiguouslychosentomaketheirmedia
699		-	publiclyavailable;
700		-	(C)notpermittinganyknownadultuserstolike,commenton,or
701		-	otherwiseprovidefeedbackonthecoveredminor’smediaonasocialmedia
702		-	platformunlessthecoveredminorhasexpresslyandunambiguouslyalloweda
703		-	specificknownadultusertodoso;
704		-	(D)notpermittingdirectmessagingonasocialmediaplatform
705		-	betweenthecoveredminorandanyknownadultuserunlessthecoveredminor
706		-	hasexpresslyandunambiguouslydecidedtoallowdirectmessagingwitha
707		-	specificknownadultuser;
708		-	(E)notdisplayingthecoveredminor’slocationtootherusers,unless
709		-	thecoveredminorexpresslyandunambiguouslysharestheirlocationwitha
710		-	specificuser;
711		-	(F)notdisplayingtheusersconnectedtothecoveredminorona
712		-	socialmediaplatformunlessthecoveredminorexpresslyandunambiguously
713		-	choosestosharetheinformationwithaspecificuser;
714		-	(G)disablingsearchengineindexingofthecoveredminor’saccount
715		-	profile;and
716		-	(H)notsendingpushnotificationstothecoveredminors.
717		-	(2)Acoveredbusinessshallnot:
718		-	1
719		-	2
720		-	3
721		-	4
722		-	5
723		-	6
724		-	7
725		-	8
726		-	9
727		-	10
728		-	11
729		-	12
730		-	13
731		-	14
732		-	15
733		-	16
734		-	17
735		-	18
736		-	19
737		-	20
738		-	21 BILLASINTRODUCEDANDPASSEDBYSENATE S.69
739		-	2025 Page19of25
740		-	(A)provideacoveredminorwithasinglesettingthatmakesallof
741		-	thedefaultprivacysettingslessprotectiveatonce;or
742		-	(B)requestorpromptacoveredminortomaketheirprivacysettings
743		-	lessprotective,unlessthechangeisstrictlynecessaryforthecoveredminorto
744		-	accessaserviceorfeaturetheyhaveexpresslyandunambiguouslyrequested.
745		-	(b)Timelydeletionofaccount.Acoveredbusinessshall:
746		-	(1)provideaprominent,accessible,andresponsivetooltoallowa
747		-	coveredminortorequestthecoveredminor’ssocialmediaaccountbe
748		-	unpublishedordeleted;and
749		-	(2)honorthatrequestnotlaterthan15daysafteracoveredbusiness
750		-	receivestherequest.
751		-	§ 2449e.TRANSPARENCY
752		-	(a)Acoveredbusinessshallprominentlyandclearlyprovideontheir
753		-	websiteormobileapplication:
754		-	(1)thecoveredbusiness’privacyinformation,termsofservice,policies,
755		-	andcommunitystandards;
756		-	(2)detaileddescriptionsofeachalgorithmicrecommendationsystemin
757		-	usebythecoveredbusiness,includingthefactorsusedbythealgorithmic
758		-	recommendationsystemandhoweachfactor:
759		-	(A)ismeasuredordetermined;
760		-	(B)usesthepersonaldataofcoveredminors;
761		-	1
762		-	2
763		-	3
764		-	4
765		-	5
766		-	6
767		-	7
768		-	8
769		-	9
770		-	10
771		-	11
772		-	12
773		-	13
774		-	14
775		-	15
776		-	16
777		-	17
778		-	18
779		-	19
780		-	20
781		-	21 BILLASINTRODUCEDANDPASSEDBYSENATE S.69
782		-	2025 Page20of25
783		-	(C)influencestherecommendationissuedbythesystem;and
784		-	(D)isweighedrelativetotheotherfactorslistedinthissubdivision
785		-	(2);and
786		-	(3)descriptions,foreveryfeatureoftheservicethatusesthepersonal
787		-	dataofcoveredminors,of:
788		-	(A)thepurposeoftheservicefeature;
789		-	(B)thepersonaldatacollectedbytheservicefeature;
790		-	(C)thepersonaldatausedbytheservicefeature;
791		-	(D)howthepersonaldataisusedbytheservicefeature;
792		-	(E)anypersonaldatatransferredtoorsharedwithaprocessoror
793		-	thirdpartybytheservicefeature,theidentityoftheprocessororthirdparty,
794		-	andthepurposeofthetransferorsharing;and
795		-	(F)howlongthepersonaldataisretained.
796		-	§ 2449f.PROHIBITEDDATAANDDESIGNPRACTICES
797		-	(a)Dataprivacy.Acoveredbusinessshallnot:
798		-	(1)collect,sell,share,orretainanypersonaldataofacoveredminor
799		-	thatisnotnecessarytoprovideanonlineservice,product,orfeaturewith
800		-	whichthecoveredminorisactivelyandknowinglyengaged;
801		-	(2)usepreviouslycollectedpersonaldataofacoveredminorforany
802		-	purposeotherthanapurposeforwhichthepersonaldatawascollected,unless
803		-	necessarytocomplywithanyobligationunderthischapter;
804		-	1
805		-	2
806		-	3
807		-	4
808		-	5
809		-	6
810		-	7
811		-	8
812		-	9
813		-	10
814		-	11
815		-	12
816		-	13
817		-	14
818		-	15
819		-	16
820		-	17
821		-	18
822		-	19
823		-	20
824		-	21 BILLASINTRODUCEDANDPASSEDBYSENATE S.69
825		-	2025 Page21of25
826		-	(3)permitanyconsumer,includingaparentorguardianofacovered
827		-	minor,tomonitortheonlineactivityofacoveredminorortotrackthe
828		-	locationofthecoveredminorwithoutprovidingaconspicuoussignaltothe
829		-	coveredminorwhenthecoveredminorisbeingmonitoredortracked;
830		-	(4)usethepersonaldataofacoveredminortoselect,recommend,or
831		-	prioritizemediaforthecoveredminor,unlessthepersonaldatais:
832		-	(A)thecoveredminor’sexpressandunambiguousrequesttoreceive:
833		-	(i)mediafromaspecificaccount,feed,oruser,ortoreceivemore
834		-	orlessmediafromthataccount,feed,oruser;
835		-	(ii)aspecificcategoryofmedia,suchas“catvideos”or“breaking
836		-	news,”ortoseemoreorlessofthatcategoryofmedia;or
837		-	(iii)moreorlessmediawithsimilarcharacteristicsasthemedia
838		-	theyarecurrentlyviewing;
839		-	(B)user-selectedprivacyoraccessibilitysettings;or
840		-	(C)asearchquery,providedthesearchqueryisonlyusedtoselect
841		-	andprioritizemediainresponsetothesearch;or
842		-	(5)sendpushnotificationstoacoveredminorbetween12:00midnight
843		-	and6:00a.m.
844		-	(b)Rulemaking.TheAttorneyGeneralshallhavetheauthoritytoadopt
845		-	rulespursuanttothissubchapterthatprohibitsdataprocessingordesign
846		-	practicesofacoveredbusinessthat,intheopinionoftheAttorneyGeneral,
847		-	1
848		-	2
849		-	3
850		-	4
851		-	5
852		-	6
853		-	7
854		-	8
855		-	9
856		-	10
857		-	11
858		-	12
859		-	13
860		-	14
861		-	15
862		-	16
863		-	17
864		-	18
865		-	19
866		-	20
867		-	21 BILLASINTRODUCEDANDPASSEDBYSENATE S.69
868		-	2025 Page22of25
869		-	leadtocompulsiveuseorsubvertorimpairuserautonomy,decisionmaking,
870		-	orchoiceduringtheuseofanonlineservice,product,orfeatureofthecovered
871		-	business.TheAttorneyGeneralshall,atleastonceeverytwoyears,review
872		-	andupdatetheserulesasnecessarytokeeppacewithemergingtechnology.
873		-	§ 2449g.AGEASSURANCEPRIVACY
874		-	(a)Privacyprotectionsforageassurancedata.Coveredbusinessesand
875		-	processorsshall:
876		-	(1)onlycollectpersonaldataofauserthatisstrictlynecessaryforage
877		-	assurance;
878		-	(2)immediatelyupondeterminingwhetherauserisacoveredminor,
879		-	deleteanypersonaldatacollectedofthatuserforageassurance,except
880		-	whethertheuserisorisnotdeterminedtobeacoveredminor;
881		-	(3)notuseanypersonaldataofausercollectedforageassurancefor
882		-	anyotherpurpose;
883		-	(4)notcombinepersonaldataofausercollectedforageassurancewith
884		-	anyotherpersonaldataoftheuser,exceptwhethertheuserisorisnot
885		-	determinedtobeacoveredminor;and
886		-	(5)implementareviewprocesstoallowuserstoappealtheirage
887		-	designation.
888		-	(b)Rulemaking.
889		-	1
890		-	2
891		-	3
892		-	4
893		-	5
894		-	6
895		-	7
896		-	8
897		-	9
898		-	10
899		-	11
900		-	12
901		-	13
902		-	14
903		-	15
904		-	16
905		-	17
906		-	18
907		-	19
908		-	20 BILLASINTRODUCEDANDPASSEDBYSENATE S.69
909		-	2025 Page23of25
910		-	(1)Subjecttosubdivision(2)ofthissubsection,theAttorneyGeneral
911		-	shall,onorbeforeJuly1,2027,adoptrulesidentifyingcommercially
912		-	reasonableandtechnicallyfeasiblemethodsforcoveredbusinessesand
913		-	processorstodetermineifauserisacoveredminor,describingappropriate
914		-	reviewprocessesforusersappealingtheiragedesignations,andprovidingany
915		-	additionalprivacyprotectionsforageassurancedata.TheAttorneyGeneral
916		-	shallperiodicallyreviewandupdatetheserulesasnecessarytokeeppacewith
917		-	emergingtechnology.
918		-	(2)Inadoptingtheserules,theAttorneyGeneralshall:
919		-	(A)prioritizeuserprivacyandaccessibilityovertheaccuracyofage
920		-	assurancemethods;and
921		-	(B)consider:
922		-	(i)thesize,financialresources,andtechnicalcapabilitiesof
923		-	coveredbusinessesandprocessors;
924		-	(ii)thecostsandeffectivenessofavailableageassurancemethods;
925		-	(iii)theimpactofageassurancemethodsonusers’safety,utility,
926		-	andexperience;
927		-	(iv)whetherandtowhatextenttransparencymeasureswould
928		-	increaseconsumertrustinanageassurancemethod;and
929		-	(v)theefficacyofrequiringcoveredbusinessesandprocessorsto:
930		-	(I)usepreviouslycollecteddatatodetermineuserage;
931		-	1
932		-	2
933		-	3
934		-	4
935		-	5
936		-	6
937		-	7
938		-	8
939		-	9
940		-	10
941		-	11
942		-	12
943		-	13
944		-	14
945		-	15
946		-	16
947		-	17
948		-	18
949		-	19
950		-	20
951		-	21 BILLASINTRODUCEDANDPASSEDBYSENATE S.69
952		-	2025 Page24of25
953		-	(II)adoptinteroperableageassurancemethods;and
954		-	(III)provideuserswithmultipleoptionsforageassurance.
955		-	§ 2449h.ENFORCEMENT
956		-	(a)Acoveredbusinessorprocessorthatviolatesthissubchapterorrules
957		-	adoptedpursuanttothissubchaptercommitsanunfairanddeceptiveactin
958		-	commerceinviolationofsection2453ofthistitle.
959		-	(b)TheAttorneyGeneralshallhavethesameauthorityunderthis
960		-	subchaptertomakerules,conductcivilinvestigations,bringcivilactions,
961		-	andenterintoassurancesofdiscontinuanceasprovidedunderchapter63of
962		-	thistitle.
963		-	§ 2449i.LIMITATIONS
964		-	Nothinginthissubchaptershallbeinterpretedorconstruedto:
965		-	(1)imposeliabilityinamannerthatisinconsistentwith47U.S.C.
966		-	§ 230;or
967		-	(2)preventorprecludeanycoveredminorfromdeliberatelyor
968		-	independentlysearchingfor,orspecificallyrequesting,anymedia.
969		-	§ 2449j.RIGHTSANDFREEDOMSOFCOVEREDMINORS
970		-	ItistheintentoftheGeneralAssemblythatnothinginthissubchaptermay
971		-	beconstruedtoinfringeontheexistingrightsandfreedomsofcoveredminors
972		-	orbeconstruedtodiscriminateagainstthecoveredminorsbasedonrace,
973		-	1
974		-	2
975		-	3
976		-	4
977		-	5
978		-	6
979		-	7
980		-	8
981		-	9
982		-	10
983		-	11
984		-	12
985		-	13
986		-	14
987		-	15
988		-	16
989		-	17
990		-	18
991		-	19
992		-	20 BILLASINTRODUCEDANDPASSEDBYSENATE S.69
993		-	2025 Page25of25
994		-	ethnicity,sex,disability,sexualorientation,genderidentity,genderexpression,
995		-	ornationalorigin.
996		-	Sec.2.EFFECTIVEDATE
997		-	ThisactshalltakeeffectonJuly1,2026.
998		-	1
999		-	2
1000		-	3
1001		-	4
	1	+	BILL AS INTRODUCED S.69
	2	+	2025 Page 1 of 23
	3	+
	4	+
	5	+	VT LEG #380778 v.1
	6	+	S.69 1
	7	+	Introduced by Senators Harrison, Bongartz, Brennan, Clarkson, Collamore, 2
	8	+	Cummings, Hashim, Lyons, Major, Perchlik, Plunkett, Watson, 3
	9	+	Weeks and White 4
	10	+	Referred to Committee on 5
	11	+	Date: 6
	12	+	Subject: Commerce and trade; protection of personal information; privacy of 7
	13	+	minors 8
	14	+	Statement of purpose of bill as introduced: This bill proposes to require that 9
	15	+	any covered business that develops and provides online services, products, or 10
	16	+	features that children are reasonably likely to access must not use abusive or 11
	17	+	privacy-invasive design features on children. 12
	18	+	An act relating to an age-appropriate design code 13
	19	+	It is hereby enacted by the General Assembly of the State of Vermont: 14
	20	+	Sec. 1. 9 V.S.A. chapter 62, subchapter 6 is added to read: 15
	21	+	Subchapter 6. Vermont Age-Appropriate Design Code Act 16
	22	+	§ 2449a. DEFINITIONS 17
	23	+	As used in this subchapter: 18 BILL AS INTRODUCED S.69
	24	+	2025 Page 2 of 23
	25	+
	26	+
	27	+	VT LEG #380778 v.1
	28	+	(1)(A) “Affiliate” means a legal entity that shares common branding 1
	29	+	with another legal entity or controls, is controlled by, or is under common 2
	30	+	control with another legal entity. 3
	31	+	(B) As used in subdivision (A) of this subdivision (1), “control” or 4
	32	+	“controlled” means: 5
	33	+	(i) ownership of, or the power to vote, more than 50 percent of the 6
	34	+	outstanding shares of any class of voting security of a company; 7
	35	+	(ii) control in any manner over the election of a majority of the 8
	36	+	directors or of individuals exercising similar functions; or 9
	37	+	(iii) the power to exercise controlling influence over the 10
	38	+	management of a company. 11
	39	+	(2) “Age assurance” encompasses a range of methods used to determine, 12
	40	+	estimate, or communicate the age or an age range of an online user. 13
	41	+	(3) “Algorithmic recommendation system” means a system that uses an 14
	42	+	algorithm to select, filter, and arrange media on a covered business’s website 15
	43	+	for the purpose of selecting, recommending, or prioritizing media for a user. 16
	44	+	(4)(A) “Biometric data” means data generated from the technological 17
	45	+	processing of an individual’s unique biological, physical, or physiological 18
	46	+	characteristics that allow or confirm the unique identification of the consumer, 19
	47	+	including: 20 BILL AS INTRODUCED S.69
	48	+	2025 Page 3 of 23
	49	+
	50	+
	51	+	VT LEG #380778 v.1
	52	+	(i) iris or retina scans; 1
	53	+	(ii) fingerprints; 2
	54	+	(iii) facial or hand mapping, geometry, or templates; 3
	55	+	(iv) vein patterns; 4
	56	+	(v) voice prints or vocal biomarkers; and 5
	57	+	(vi) gait or personally identifying physical movement or patterns. 6
	58	+	(B) “Biometric data” does not include: 7
	59	+	(i) a digital or physical photograph; 8
	60	+	(ii) an audio or video recording; or 9
	61	+	(iii) any data generated from a digital or physical photograph, or 10
	62	+	an audio or video recording, unless such data is generated to identify a specific 11
	63	+	individual. 12
	64	+	(5) “Business associate” has the same meaning as in HIPAA. 13
	65	+	(6) “Collect” means buying, renting, gathering, obtaining, receiving, or 14
	66	+	accessing any personal data by any means. This includes receiving data from 15
	67	+	the consumer, either actively or passively, or by observing the consumer’s 16
	68	+	behavior. 17
	69	+	(7) “Compulsive use” means the repetitive use of a covered business’s 18
	70	+	service that materially disrupts one or more major life activities of a minor, 19
	71	+	including sleeping, eating, learning, reading, concentrating, communicating, or 20
	72	+	working. 21 BILL AS INTRODUCED S.69
	73	+	2025 Page 4 of 23
	74	+
	75	+
	76	+	VT LEG #380778 v.1
	77	+	(8)(A) “Consumer” means an individual who is a resident of the State. 1
	78	+	(B) “Consumer” does not include an individual acting in a 2
	79	+	commercial or employment context or as an employee, owner, director, officer, 3
	80	+	or contractor of a company, partnership, sole proprietorship, nonprofit, or 4
	81	+	government agency whose communications or transactions with the covered 5
	82	+	business occur solely within the context of that individual’s role with the 6
	83	+	company, partnership, sole proprietorship, nonprofit, or government agency. 7
	84	+	(9) “Consumer health data” means any personal data that a controller 8
	85	+	uses to identify a consumer’s physical or mental health condition or diagnosis, 9
	86	+	including gender-affirming health data and reproductive or sexual health data. 10
	87	+	(10) “Controller” means a person who, alone or jointly with others, 11
	88	+	determines the purpose and means of processing personal data. 12
	89	+	(11) “Covered business” means a sole proprietorship, partnership, 13
	90	+	limited liability company, corporation, association, other legal entity, or an 14
	91	+	affiliate thereof, that conducts business in this State and whose online products, 15
	92	+	services, or features are reasonably likely to be accessed by a minor and that: 16
	93	+	(A) collects consumers’ personal data or has consumers’ personal 17
	94	+	data collected on its behalf by a processor; and 18
	95	+	(B) alone or jointly with others determines the purposes and means of 19
	96	+	the processing of consumers personal data. 20
	97	+	(12) “Covered entity” has the same meaning as in HIPAA. 21 BILL AS INTRODUCED S.69
	98	+	2025 Page 5 of 23
	99	+
	100	+
	101	+	VT LEG #380778 v.1
	102	+	(13) “Covered minor” is a consumer who a covered business actually 1
	103	+	knows is a minor or labels as a minor pursuant to age assurance methods in 2
	104	+	rules adopted by the Attorney General. 3
	105	+	(14) “Default” means a preselected option adopted by the covered 4
	106	+	business for the online service, product, or feature. 5
	107	+	(15) “De-identified data” means data that does not identify and cannot 6
	108	+	reasonably be used to infer information about, or otherwise be linked to, an 7
	109	+	identified or identifiable individual, or a device linked to the individual, if the 8
	110	+	covered business that possesses the data: 9
	111	+	(A)(i) takes reasonable measures to ensure that the data cannot be 10
	112	+	used to reidentify an identified or identifiable individual or be associated with 11
	113	+	an individual or device that identifies or is linked or reasonably linkable to an 12
	114	+	individual or household; and 13
	115	+	(ii) for purposes of this subdivision (A), “reasonable measures” 14
	116	+	includes the de-identification requirements set forth under 45 C.F.R. § 164.514 15
	117	+	(other requirements relating to uses and disclosures of protected health 16
	118	+	information); 17
	119	+	(B) publicly commits to process the data only in a de-identified 18
	120	+	fashion and not attempt to reidentify the data; and 19
	121	+	(C) contractually obligates any recipients of the data to comply with 20
	122	+	all provisions of this subchapter. 21 BILL AS INTRODUCED S.69
	123	+	2025 Page 6 of 23
	124	+
	125	+
	126	+	VT LEG #380778 v.1
	127	+	(16) “Derived data” means data that is created by the derivation of 1
	128	+	information, data, assumptions, correlations, inferences, predictions, or 2
	129	+	conclusions from facts, evidence, or another source of information or data 3
	130	+	about a minor or a minor’s device. 4
	131	+	(17) “Genetic data” means any data, regardless of its format, that results 5
	132	+	from the analysis of a biological sample of an individual, or from another 6
	133	+	source enabling equivalent information to be obtained, and concerns genetic 7
	134	+	material, including deoxyribonucleic acids (DNA), ribonucleic acids (RNA), 8
	135	+	genes, chromosomes, alleles, genomes, alterations or modifications to DNA or 9
	136	+	RNA, single nucleotide polymorphisms (SNPs), epigenetic markers, 10
	137	+	uninterpreted data that results from analysis of the biological sample or other 11
	138	+	source, and any information extrapolated, derived, or inferred therefrom. 12
	139	+	(18) “Identified or identifiable individual” means an individual who can 13
	140	+	be readily identified, directly or indirectly, including by reference to an 14
	141	+	identifier such as a name, an identification number, specific geolocation data, 15
	142	+	or an online identifier. 16
	143	+	(19) “Known adult” is a consumer who a covered business actually 17
	144	+	knows is an adult or labels as an adult pursuant to age assurance methods in 18
	145	+	rules adopted by the Attorney General. 19
	146	+	(20) “Minor” means an individual under 18 years of age who is a 20
	147	+	resident of the State. 21 BILL AS INTRODUCED S.69
	148	+	2025 Page 7 of 23
	149	+
	150	+
	151	+	VT LEG #380778 v.1
	152	+	(21) “Neural data” means information that is collected through 1
	153	+	biosensors and that could be processed to infer or predict mental states. 2
	154	+	(22) “Online service, product, or feature” means a digital product that is 3
	155	+	accessible to the public via the internet, including a website or application, and 4
	156	+	does not mean any of the following: 5
	157	+	(A) telecommunications service, as defined in 47 U.S.C. § 153; 6
	158	+	(B) a broadband internet access service as defined in 47 C.F.R. 7
	159	+	§ 54.400; or 8
	160	+	(C) the sale, delivery, or use of a physical product. 9
	161	+	(23)(A) “Personal data” means any information, including derived data 10
	162	+	and unique identifiers, that is linked or reasonably linkable to an identified or 11
	163	+	identifiable individual or to a device that identifies, is linked to, or is 12
	164	+	reasonably linkable to one or more identified or identifiable individuals in a 13
	165	+	household. 14
	166	+	(B) Personal data does not include de-identified data or publicly 15
	167	+	available information. 16
	168	+	(24)(A) “Precise geolocation data” means information derived from 17
	169	+	technology that reveals the past or present physical location of a consumer or 18
	170	+	device that identifies or is linked or reasonably linkable to one or more 19
	171	+	consumers with precision and accuracy within a radius of 1,850 feet. 20
	172	+	(B) “Precise geolocation data” does not include: 21 BILL AS INTRODUCED S.69
	173	+	2025 Page 8 of 23
	174	+
	175	+
	176	+	VT LEG #380778 v.1
	177	+	(i) the content of communications; 1
	178	+	(ii) data generated by or connected to an advanced utility metering 2
	179	+	infrastructure system; 3
	180	+	(iii) a photograph, or metadata associated with a photograph or 4
	181	+	video, that cannot be linked to an individual; or 5
	182	+	(iv) data generated by equipment used by a utility company. 6
	183	+	(25) “Process” or “processing” means any operation or set of operations 7
	184	+	performed, whether by manual or automated means, on personal data or on sets 8
	185	+	of personal data, such as the collection, use, storage, disclosure, analysis, 9
	186	+	deletion, modification, or otherwise handling of personal data. 10
	187	+	(26) “Processor” means a person who processes personal data on behalf 11
	188	+	of a covered business. 12
	189	+	(27) “Profiling” means any form of automated processing performed on 13
	190	+	personal data to evaluate, analyze, or predict personal aspects related to an 14
	191	+	identified or identifiable individual’s economic situation, health, personal 15
	192	+	preferences, interests, reliability, behavior, location, or movements. 16
	193	+	(28)(A) “Publicly available information” means information that: 17
	194	+	(i) is made available through federal, state, or local government 18
	195	+	records; or 19
	196	+	(ii) a controller has a reasonable basis to believe that the consumer 20
	197	+	has lawfully made available to the general public. 21 BILL AS INTRODUCED S.69
	198	+	2025 Page 9 of 23
	199	+
	200	+
	201	+	VT LEG #380778 v.1
	202	+	(B) “Publicly available information” does not include: 1
	203	+	(i) biometric data collected by a business about a consumer 2
	204	+	without the consumer’s knowledge; 3
	205	+	(ii) information that is collated and combined to create a consumer 4
	206	+	profile that is made available to a user of a publicly available website either in 5
	207	+	exchange for payment or free of charge; 6
	208	+	(iii) information that is made available for sale; 7
	209	+	(iv) an inference that is generated from the information described 8
	210	+	in subdivision (ii) or (iii) of this subdivision (28)(B); 9
	211	+	(v) any obscene visual depiction, as defined in 18 U.S.C. § 1460; 10
	212	+	(vi) any inference made exclusively from multiple independent 11
	213	+	sources of publicly available information that reveals sensitive data with 12
	214	+	respect to a consumer; 13
	215	+	(vii) personal data that is created through the combination of 14
	216	+	personal data with publicly available information; 15
	217	+	(viii) genetic data, unless otherwise made publicly available by the 16
	218	+	consumer to whom the information pertains; 17
	219	+	(ix) information provided by a consumer on a website or online 18
	220	+	service made available to all members of the public, for free or for a fee, where 19
	221	+	the consumer has maintained a reasonable expectation of privacy in the 20
	222	+	information, such as by restricting the information to a specific audience; or 21 BILL AS INTRODUCED S.69
	223	+	2025 Page 10 of 23
	224	+
	225	+
	226	+	VT LEG #380778 v.1
	227	+	(x) intimate images, authentic or computer-generated, known to be 1
	228	+	nonconsensual. 2
	229	+	(29) “Reasonably likely to be accessed” means an online service, 3
	230	+	product, or feature that is reasonably likely to be accessed by a covered minor 4
	231	+	based on any of the following indicators: 5
	232	+	(A) the online service, product, or feature is directed to children, as 6
	233	+	defined by the Children’s Online Privacy Protection Act, 15 U.S.C. §§ 6501–7
	234	+	6506 and the Federal Trade Commission rules implementing that Act; 8
	235	+	(B) the online service, product, or feature is determined, based on 9
	236	+	competent and reliable evidence regarding audience composition, to be 10
	237	+	routinely accessed by an audience that is composed of at least two percent 11
	238	+	minors two through 17 years of age; 12
	239	+	(C) the online service, product, or feature contains advertisements 13
	240	+	marketed to minors; 14
	241	+	(D) the audience of the online service, product, or feature is 15
	242	+	determined, based on internal company research, to be composed of at least 16
	243	+	two percent minors two through 17 years of age; or 17
	244	+	(E) the covered business knew or should have known that at least two 18
	245	+	percent of the audience of the online service, product, or feature includes 19
	246	+	minors two through 17 years of age, provided that, in making this assessment, 20
	247	+	the business shall not collect or process any personal data that is not reasonably 21 BILL AS INTRODUCED S.69
	248	+	2025 Page 11 of 23
	249	+
	250	+
	251	+	VT LEG #380778 v.1
	252	+	necessary to provide an online service, product, or feature with which a minor 1
	253	+	is actively and knowingly engaged. 2
	254	+	(30) “Sensitive data” means personal data that: 3
	255	+	(A) reveals a consumer’s government-issued identifier, such as a 4
	256	+	Social Security number, passport number, state identification card, or driver’s 5
	257	+	license number, that is not required by law to be publicly displayed; 6
	258	+	(B) reveals a consumer’s racial or ethnic origin; national origin; 7
	259	+	citizenship or immigration status; religious or philosophical beliefs; a mental 8
	260	+	or physical health condition, diagnosis, disability, or treatment; status as 9
	261	+	pregnant; income level or indebtedness; or union membership; 10
	262	+	(C) reveals a consumer’s sexual orientation, sex life, sexuality, or 11
	263	+	status as transgender or non-binary; 12
	264	+	(D) reveals a consumer’s status as a victim of a crime; 13
	265	+	(E) is a consumer’s tax return and account number, financial account 14
	266	+	log-in, financial account, debit card number, or credit card number in 15
	267	+	combination with any required security or access code, password, or 16
	268	+	credentials allowing access to an account; 17
	269	+	(F) is consumer health data; 18
	270	+	(G) is collected and analyzed concerning consumer health data that 19
	271	+	describes or reveals a past, present, or future mental or physical health 20
	272	+	condition, treatment, disability, or diagnosis, including pregnancy, to the extent 21 BILL AS INTRODUCED S.69
	273	+	2025 Page 12 of 23
	274	+
	275	+
	276	+	VT LEG #380778 v.1
	277	+	the personal data is used by the controller for a purpose other than to identify a 1
	278	+	specific consumer’s physical or mental health condition or diagnosis; 2
	279	+	(H) is biometric or genetic data; 3
	280	+	(I) is collected from a covered minor; 4
	281	+	(J) is precise geolocation data; 5
	282	+	(K) are keystrokes; 6
	283	+	(L) is driving behavior; or 7
	284	+	(M) is neural data. 8
	285	+	(31)(A) “Social media platform” means a public or semipublic internet-9
	286	+	based service or application that is primarily intended to connect and allow a 10
	287	+	user to socially interact within such service or application and enables a user 11
	288	+	to: 12
	289	+	(i) construct a public or semipublic profile for the purposes of 13
	290	+	signing into and using such service or application; 14
	291	+	(ii) populate a public list of other users with whom the user shares 15
	292	+	a social connection within such service or application; or 16
	293	+	(iii) create or post content that is viewable by other users, 17
	294	+	including content on message boards and in chat rooms, and that presents the 18
	295	+	user with content generated by other users. 19
	296	+	(B) “Social media platform” does not mean a public or semipublic 20
	297	+	internet-based service or application that: 21 BILL AS INTRODUCED S.69
	298	+	2025 Page 13 of 23
	299	+
	300	+
	301	+	VT LEG #380778 v.1
	302	+	(i) exclusively provides email or direct messaging services; 1
	303	+	(ii) primarily consists of news, sports, entertainment, interactive 2
	304	+	video games, electronic commerce, or content that is preselected by the 3
	305	+	provider for which any interactive functionality is incidental to, directly related 4
	306	+	to, or dependent on the provision of such content; or 5
	307	+	(iii) is used by and under the direction of an educational entity, 6
	308	+	including a learning management system or a student engagement program. 7
	309	+	(32) “Third party” means a natural or legal person, public authority, 8
	310	+	agency, or body other than the covered minor or the covered business. 9
	311	+	§ 2449b. EXCLUSIONS 10
	312	+	This subchapter does not apply to: 11
	313	+	(1) a federal, state, tribal, or local government entity in the ordinary 12
	314	+	course of its operation; 13
	315	+	(2) protected health information that a covered entity or business 14
	316	+	associate processes in accordance with, or documents that a covered entity or 15
	317	+	business associate creates for the purpose of complying with, HIPAA; 16
	318	+	(3) information used only for public health activities and purposes 17
	319	+	described in 45 C.F.R. § 164.512; 18
	320	+	(4) information that identifies a consumer in connection with: 19
	321	+	(A) activities that are subject to the Federal Policy for the Protection 20
	322	+	of Human Subjects as set forth in 45 C.F.R. Part 46; 21 BILL AS INTRODUCED S.69
	323	+	2025 Page 14 of 23
	324	+
	325	+
	326	+	VT LEG #380778 v.1
	327	+	(B) research on human subjects undertaken in accordance with good 1
	328	+	clinical practice guidelines issued by the International Council for 2
	329	+	Harmonisation of Technical Requirements for Pharmaceuticals for Human 3
	330	+	Use; 4
	331	+	(C) activities that are subject to the protections provided in 21 C.F.R. 5
	332	+	Part 50 and 21 C.F.R. Part 56; or 6
	333	+	(D) research conducted in accordance with the requirements set forth 7
	334	+	in subdivisions (A)–(C) of this subdivision (4) or otherwise in accordance with 8
	335	+	State or federal law; and 9
	336	+	(5) an entity whose primary purpose is journalism as defined in 10
	337	+	12 V.S.A. § 1615(a)(2) and that has a majority of its workforce consisting of 11
	338	+	individuals engaging in journalism. 12
	339	+	§ 2449c. MINIMUM DUTY OF CARE 13
	340	+	(a) A covered business that processes a covered minor’s data in any 14
	341	+	capacity owes a minimum duty of care to the covered minor. 15
	342	+	(b) As used in this subchapter, “a minimum duty of care” means the use of 16
	343	+	the personal data of a covered minor and the design of an online service, 17
	344	+	product, or feature will not result in: 18
	345	+	(1) reasonably foreseeable emotional distress as defined in 13 V.S.A. 19
	346	+	§ 1061(2) to a covered minor; 20 BILL AS INTRODUCED S.69
	347	+	2025 Page 15 of 23
	348	+
	349	+
	350	+	VT LEG #380778 v.1
	351	+	(2) reasonably foreseeable compulsive use of the online service, 1
	352	+	product, or feature by a covered minor; or 2
	353	+	(3) discrimination against a covered minor based upon race, ethnicity, 3
	354	+	sex, disability, sexual orientation, gender identity, gender expression, or 4
	355	+	national origin. 5
	356	+	(c) The content of the media viewed by a covered minor shall not establish 6
	357	+	emotional distress or compulsive use as those terms are used in subsection (b) 7
	358	+	of this section. 8
	359	+	(d) Nothing in this section shall be construed to require a covered business 9
	360	+	to prevent or preclude a covered minor from accessing or viewing any piece of 10
	361	+	media or category of media. 11
	362	+	§ 2449d. REQUIRED DEFAULT PRIVACY SETTINGS AND TOOLS 12
	363	+	(a) Default privacy settings. 13
	364	+	(1) A covered business shall configure all default privacy settings 14
	365	+	provided to a covered minor through the online service, product, or feature to 15
	366	+	the highest level of privacy, including the following default settings: 16
	367	+	(A) not displaying the existence of the covered minor’s social media 17
	368	+	account to any known adult user unless the covered minor has expressly and 18
	369	+	unambiguously allowed a specific known adult user to view their account or 19
	370	+	has expressly and unambiguously chosen to make their account’s existence 20
	371	+	public; 21 BILL AS INTRODUCED S.69
	372	+	2025 Page 16 of 23
	373	+
	374	+
	375	+	VT LEG #380778 v.1
	376	+	(B) not displaying media created or posted by the covered minor on 1
	377	+	a social media platform to any known adult user unless the covered minor has 2
	378	+	expressly and unambiguously allowed a specific known adult user to view their 3
	379	+	media or has expressly and unambiguously chosen to make their media 4
	380	+	publicly available; 5
	381	+	(C) not permitting any known adult users to like, comment on, or 6
	382	+	otherwise provide feedback on the covered minor’s media on a social media 7
	383	+	platform unless the covered minor has expressly and unambiguously allowed a 8
	384	+	specific known adult user to do so; 9
	385	+	(D) not permitting direct messaging on a social media platform 10
	386	+	between the covered minor and any known adult user unless the covered minor 11
	387	+	has expressly and unambiguously decided to allow direct messaging with a 12
	388	+	specific known adult user; 13
	389	+	(E) not displaying the covered minor’s location to other users, unless 14
	390	+	the covered minor expressly and unambiguously shares their location with a 15
	391	+	specific user; 16
	392	+	(F) not displaying the users connected to the covered minor on a 17
	393	+	social media platform unless the covered minor expressly and unambiguously 18
	394	+	chooses to share the information with a specific user; 19
	395	+	(G) disabling search engine indexing of the covered minor’s account 20
	396	+	profile; and 21 BILL AS INTRODUCED S.69
	397	+	2025 Page 17 of 23
	398	+
	399	+
	400	+	VT LEG #380778 v.1
	401	+	(H) not sending push notifications to the covered minors. 1
	402	+	(2) A covered business shall not: 2
	403	+	(A) provide a covered minor with a single setting that makes all of 3
	404	+	the default privacy settings less protective at once; or 4
	405	+	(B) request or prompt a covered minor to make their privacy settings 5
	406	+	less protective, unless the change is strictly necessary for the covered minor to 6
	407	+	access a service or feature they have expressly and unambiguously requested. 7
	408	+	(b) Timely deletion of account. A covered business shall: 8
	409	+	(1) provide a prominent, accessible, and responsive tool to allow a 9
	410	+	covered minor to request the covered minor’s social media account be 10
	411	+	unpublished or deleted; and 11
	412	+	(2) honor that request not later than 15 days after a covered business 12
	413	+	receives the request. 13
	414	+	§ 2449e. TRANSPARENCY 14
	415	+	(a) A covered business shall prominently and clearly provide on their 15
	416	+	website or mobile application: 16
	417	+	(1) the covered business’ privacy information, terms of service, policies, 17
	418	+	and community standards; 18
	419	+	(2) detailed descriptions of each algorithmic recommendation system in 19
	420	+	use by the covered business, including the factors used by the algorithmic 20
	421	+	recommendation system and how each factor: 21 BILL AS INTRODUCED S.69
	422	+	2025 Page 18 of 23
	423	+
	424	+
	425	+	VT LEG #380778 v.1
	426	+	(A) is measured or determined; 1
	427	+	(B) uses the personal data of covered minors; 2
	428	+	(C) influences the recommendation issued by the system; and 3
	429	+	(D) is weighed relative to the other factors listed in this subdivision 4
	430	+	(2); and 5
	431	+	(3) descriptions, for every feature of the service that uses the personal 6
	432	+	data of covered minors, of: 7
	433	+	(A) the purpose of the service feature; 8
	434	+	(B) the personal data collected by the service feature; 9
	435	+	(C) the personal data used by the service feature; 10
	436	+	(D) how the personal data is used by the service feature; 11
	437	+	(E) any personal data transferred to or shared with a processor or 12
	438	+	third party by the service feature, the identity of the processor or third party, 13
	439	+	and the purpose of the transfer or sharing; and 14
	440	+	(F) how long the personal data is retained. 15
	441	+	§ 2449f. PROHIBITED DATA AND DESIGN PRACTICES 16
	442	+	(a) Data privacy. A covered business shall not: 17
	443	+	(1) collect, sell, share, or retain any personal data of a covered minor 18
	444	+	that is not necessary to provide an online service, product, or feature with 19
	445	+	which the covered minor is actively and knowingly engaged; 20 BILL AS INTRODUCED S.69
	446	+	2025 Page 19 of 23
	447	+
	448	+
	449	+	VT LEG #380778 v.1
	450	+	(2) use previously collected personal data of a covered minor for any 1
	451	+	purpose other than a purpose for which the personal data was collected, unless 2
	452	+	necessary to comply with any obligation under this chapter; 3
	453	+	(3) permit any consumer, including a parent or guardian of a covered 4
	454	+	minor, to monitor the online activity of a covered minor or to track the location 5
	455	+	of the covered minor without providing a conspicuous signal to the covered 6
	456	+	minor when the covered minor is being monitored or tracked; 7
	457	+	(4) use the personal data of a covered minor to select, recommend, or 8
	458	+	prioritize media for the covered minor, unless the personal data is: 9
	459	+	(A) the covered minor’s express and unambiguous request to receive: 10
	460	+	(i) media from a specific account, feed, or user, or to receive more 11
	461	+	or less media from that account, feed, or user; 12
	462	+	(ii) a specific category of media, such as “cat videos” or “breaking 13
	463	+	news,” or to see more or less of that category of media; or 14
	464	+	(iii) more or less media with similar characteristics as the media 15
	465	+	they are currently viewing; 16
	466	+	(B) user-selected privacy or accessibility settings; or 17
	467	+	(C) a search query, provided the search query is only used to select 18
	468	+	and prioritize media in response to the search; or 19
	469	+	(5) send push notifications to a covered minor between 12:00 midnight 20
	470	+	and 6:00 a.m. 21 BILL AS INTRODUCED S.69
	471	+	2025 Page 20 of 23
	472	+
	473	+
	474	+	VT LEG #380778 v.1
	475	+	(b) Rulemaking. The Attorney General shall have the authority to adopt 1
	476	+	rules pursuant to this subchapter that prohibits data processing or design 2
	477	+	practices of a covered business that, in the opinion of the Attorney General, 3
	478	+	lead to compulsive use or subvert or impair user autonomy, decision making, 4
	479	+	or choice during the use of an online service, product, or feature of the covered 5
	480	+	business. The Attorney General shall, at least once every two years, review 6
	481	+	and update these rules as necessary to keep pace with emerging technology. 7
	482	+	§ 2449g. AGE ASSURANCE PRIVACY 8
	483	+	(a) Privacy protections for age assurance data. Covered businesses and 9
	484	+	processors shall: 10
	485	+	(1) only collect personal data of a user that is strictly necessary for age 11
	486	+	assurance; 12
	487	+	(2) immediately upon determining whether a user is a covered minor, 13
	488	+	delete any personal data collected of that user for age assurance, except 14
	489	+	whether the user is or is not determined to be a covered minor; 15
	490	+	(3) not use any personal data of a user collected for age assurance for 16
	491	+	any other purpose; 17
	492	+	(4) not combine personal data of a user collected for age assurance with 18
	493	+	any other personal data of the user, except whether the user is or is not 19
	494	+	determined to be a covered minor; and 20 BILL AS INTRODUCED S.69
	495	+	2025 Page 21 of 23
	496	+
	497	+
	498	+	VT LEG #380778 v.1
	499	+	(5) implement a review process to allow users to appeal their age 1
	500	+	designation. 2
	501	+	(b) Rulemaking. 3
	502	+	(1) Subject to subdivision (2) of this subsection, the Attorney General 4
	503	+	shall, on or before July 1, 2027, adopt rules identifying commercially 5
	504	+	reasonable and technically feasible methods for covered businesses and 6
	505	+	processors to determine if a user is a covered minor, describing appropriate 7
	506	+	review processes for users appealing their age designations, and providing any 8
	507	+	additional privacy protections for age assurance data. The Attorney General 9
	508	+	shall periodically review and update these rules as necessary to keep pace with 10
	509	+	emerging technology. 11
	510	+	(2) In adopting these rules, the Attorney General shall: 12
	511	+	(A) prioritize user privacy and accessibility over the accuracy of age 13
	512	+	assurance methods; and 14
	513	+	(B) consider: 15
	514	+	(i) the size, financial resources, and technical capabilities of 16
	515	+	covered businesses and processors; 17
	516	+	(ii) the costs and effectiveness of available age assurance methods; 18
	517	+	(iii) the impact of age assurance methods on users’ safety, utility, 19
	518	+	and experience; 20 BILL AS INTRODUCED S.69
	519	+	2025 Page 22 of 23
	520	+
	521	+
	522	+	VT LEG #380778 v.1
	523	+	(iv) whether and to what extent transparency measures would 1
	524	+	increase consumer trust in an age assurance method; and 2
	525	+	(v) the efficacy of requiring covered businesses and processors to: 3
	526	+	(I) use previously collected data to determine user age; 4
	527	+	(II) adopt interoperable age assurance methods; and 5
	528	+	(III) provide users with multiple options for age assurance. 6
	529	+	§ 2449h. ENFORCEMENT 7
	530	+	(a) A covered business or processor that violates this subchapter or rules 8
	531	+	adopted pursuant to this subchapter commits an unfair and deceptive act in 9
	532	+	commerce in violation of section 2453 of this title. 10
	533	+	(b) The Attorney General shall have the same authority under this 11
	534	+	subchapter to make rules, conduct civil investigations, bring civil actions, 12
	535	+	and enter into assurances of discontinuance as provided under chapter 63 of 13
	536	+	this title. 14
	537	+	§ 2449i. LIMITATIONS 15
	538	+	Nothing in this subchapter shall be interpreted or construed to: 16
	539	+	(1) impose liability in a manner that is inconsistent with 47 U.S.C. 17
	540	+	§ 230; or 18
	541	+	(2) prevent or preclude any covered minor from deliberately or 19
	542	+	independently searching for, or specifically requesting, any media. 20 BILL AS INTRODUCED S.69
	543	+	2025 Page 23 of 23
	544	+
	545	+
	546	+	VT LEG #380778 v.1
	547	+	§ 2449j. RIGHTS AND FREEDOMS OF COVERED MINORS 1
	548	+	It is the intent of the General Assembly that nothing in this subchapter may 2
	549	+	be construed to infringe on the existing rights and freedoms of covered minors 3
	550	+	or be construed to discriminate against the covered minors based on race, 4
	551	+	ethnicity, sex, disability, sexual orientation, gender identity, gender expression, 5
	552	+	or national origin. 6
	553	+	Sec. 2. EFFECTIVE DATE 7
	554	+	This act shall take effect on July 1, 2026. 8