Vermont 2025-2026 Regular Session

Vermont Senate Bill S0070 Compare Versions

Only one version of the bill is available at this time.
BILL AS INTRODUCED S.70
2025 Page 1 of 30
VT LEG #380863 v.1
S.70
Introduced by Senators Clarkson, Harrison, Hashim, Major, Vyhovsky and
White
Referred to Committee on
Date:
Subject: Commerce and trade; protection of personal information; data brokers
Statement of purpose of bill as introduced: This bill proposes to add various
provisions to Vermont’s laws that protect the personal information of its
residents, including requiring data brokers to provide notice of security
breaches, to certify that the personal information it discloses will be used for a
legitimate purpose, and to delete the personal information of consumers who
make such a request through the use of an accessible deletion mechanism.
An act relating to data brokers and personal information
It is hereby enacted by the General Assembly of the State of Vermont:
Sec. 1. 9 V.S.A. chapter 62 is amended to read:
CHAPTER 62. PROTECTION OF PERSONAL INFORMATION
Subchapter 1. General Provisions
§ 2430. DEFINITIONS
As used in this chapter:
(1) “Authorized agent” means:
(A) a person designated by a consumer to act on the consumer’s
behalf;
(B) a parent or legal guardian that acts on behalf of the parent’s child
or on behalf of a child for whom the guardian has legal responsibility; or
(C) a guardian or conservator that acts on behalf of a consumer that is
subject to a guardianship, conservatorship, or other protective arrangement.
(2)(A) “Biometric data” means data generated from the technological
processing of an individual’s unique biological, physical, or physiological
characteristics that is linked or reasonably linkable to an individual, including:
(i) iris or retina scans;
(ii) fingerprints;
(iii) facial or hand mapping, geometry, or templates;
(iv) vein patterns;
(v) voice prints; and
(vi) gait or personally identifying physical movement or patterns.
(B) “Biometric data” does not include:
(i) a digital or physical photograph;
(ii) an audio or video recording; or
(iii) any data generated from a digital or physical photograph, or
an audio or video recording, unless such data is generated to identify a specific
individual.
(3)(A) “Brokered personal information” means one or more of the
following computerized data elements about a consumer, if categorized or
organized for dissemination to third parties:
(i) name;
(ii) address;
(iii) date of birth;
(iv) place of birth;
(v) mother’s maiden name;
(vi) unique biometric data generated from measurements or
technical analysis of human body characteristics used by the owner or licensee
of the data to identify or authenticate the consumer, such as a fingerprint, retina
or iris image, or other unique physical representation or digital representation
of biometric data;
(vii) name or address of a member of the consumer’s immediate
family or household;
(viii) Social Security number or other government-issued
identification number; or
(ix) phone number; or
(x) other information that, alone or in combination with the other
information sold or licensed, would allow a reasonable person to identify the
consumer with reasonable certainty.
(B) “Brokered personal information” does not include publicly
available information to the extent that it is related to a consumer’s business or
profession.
(2)(4) “Business” means a controller, a consumer health data controller,
a processor, or a commercial entity, including a sole proprietorship,
partnership, corporation, association, limited liability company, or other group,
however organized and whether or not organized to operate at a profit,
including a financial institution organized, chartered, or holding a license or
authorization certificate under the laws of this State, any other state, the United
States, or any other country, or the parent, affiliate, or subsidiary of a financial
institution, but does not include the State, a State agency, any political
subdivision of the State, or a vendor acting solely on behalf of, and at the
direction of, the State.
(3)(5) “Consumer” means an individual residing in this State.
(6) “Consumer health data controller” means any controller that, alone
or jointly with others, determines the purpose and means of processing
consumer health data.
(7) “Controller” means a person who, alone or jointly with others,
determines the purpose and means of processing personal data.
(4)(8)(A) “Data broker” means a business, or unit or units of a business,
separately or together, that knowingly collects and sells or licenses to third
parties the brokered personal information of a consumer with whom the
business does not have a direct relationship.
(B) Examples of a direct relationship with a business include if the
consumer is a past or present:
(i) customer, client, subscriber, user, or registered user of the
business’s goods or services within the last five calendar years;
(ii) employee, contractor, or agent of the business;
(iii) investor in the business; or
(iv) donor to the business.
(C) The following activities conducted by a business, and the
collection and sale or licensing of brokered personal information incidental to
conducting these activities, do not qualify the business as a data broker:
(i) developing or maintaining third-party e-commerce or
application platforms;
(ii) providing 411 directory assistance or directory information
services, including name, address, and telephone number, on behalf of or as a
function of a telecommunications carrier;
(iii) providing publicly available information related to a
consumer’s business or profession; or
(iv) providing publicly available information via real-time or
near-real-time alert services for health or safety purposes.
(D) The phrase “sells or licenses” does not include:
(i) a one-time or occasional sale of assets of a business as part of a
transfer of control of those assets that is not part of the ordinary conduct of the
business; or
(ii) a sale or license of data that is merely incidental to the
business.
(5)(9)(A) “Data broker security breach” means an unauthorized
acquisition or a reasonable belief of an unauthorized acquisition of more than
one element of brokered personal information maintained by a data broker
when the brokered personal information is not encrypted, redacted, or
protected by another method that renders the information unreadable or
unusable by an unauthorized person.
(B) “Data broker security breach” does not include good faith but
unauthorized acquisition of brokered personal information by an employee or
agent of the data broker for a legitimate purpose of the data broker, provided
that the brokered personal information is not used for a purpose unrelated to
the data broker’s business or subject to further unauthorized disclosure.
(C) In determining whether brokered personal information has been
acquired or is reasonably believed to have been acquired by a person without
valid authorization, a data broker may consider the following factors, among
others:
(i) indications that the brokered personal information is in the
physical possession and control of a person without valid authorization, such
as a lost or stolen computer or other device containing brokered personal
information;
(ii) indications that the brokered personal information has been
downloaded or copied;
(iii) indications that the brokered personal information was used
by an unauthorized person, such as fraudulent accounts opened or instances of
identity theft reported; or
(iv) that the brokered personal information has been made public.
(6)(10) “Data collector” means a person who, for any purpose, whether
by automated collection or otherwise, handles, collects, disseminates, or
otherwise deals with personally identifiable information, and includes the
State, State agencies, political subdivisions of the State, public and private
universities, privately and publicly held corporations, limited liability
companies, financial institutions, and retail operators.
(7)(11) “Encryption” means use of an algorithmic process to transform
data into a form in which the data is rendered unreadable or unusable without
use of a confidential process or key.
(8)(12) “License” means a grant of access to, or distribution of, data by
one person to another in exchange for consideration. A use of data for the sole
benefit of the data provider, where the data provider maintains control over the
use of the data, is not a license.
(9)(13) “Login credentials” means a consumer’s user name or e-mail
email address, in combination with a password or an answer to a security
question, that together permit access to an online account.
(10)(14)(A) “Personally identifiable information” means a consumer’s
first name or first initial and last name in combination with one or more of the
following digital data elements, when the data elements are not encrypted,
redacted, or protected by another method that renders them unreadable or
unusable by unauthorized persons:
(i) a Social Security number;
(ii) a driver license or nondriver State identification card number,
individual taxpayer identification number, passport number, military
identification card number, or other identification number that originates from
a government identification document that is commonly used to verify identity
for a commercial transaction;
(iii) a financial account number or credit or debit card number, if
the number could be used without additional identifying information, access
codes, or passwords;
(iv) a password, personal identification number, or other access
code for a financial account;
(v) unique biometric data generated from measurements or
technical analysis of human body characteristics used by the owner or licensee
of the data to identify or authenticate the consumer, such as a fingerprint, retina
or iris image, or other unique physical representation or digital representation
of biometric data;
(vi) genetic information; and
(vii)(I) health records or records of a wellness program or similar
program of health promotion or disease prevention;
(II) a health care professional’s medical diagnosis or treatment
of the consumer; or
(III) a health insurance policy number.
(B) “Personally identifiable information” does not mean publicly
available information that is lawfully made available to the general public from
federal, State, or local government records.
(15) “Precise geolocation” means information derived from technology
that can precisely and accurately identify the specific location of a consumer
within a radius of 1,850 feet.
(16) “Processor” means a person who processes personal data on behalf
of a controller.
(11)(17) “Record” means any material on which written, drawn, spoken,
visual, or electromagnetic information is recorded or preserved, regardless of
physical form or characteristics.
(12)(18) “Redaction” means the rendering of data so that the data are
unreadable or are truncated so that no not more than the last four digits of the
identification number are accessible as part of the data.
(13)(19)(A) “Security breach” means unauthorized acquisition of
electronic data, or a reasonable belief of an unauthorized acquisition of
electronic data, that compromises the security, confidentiality, or integrity of a
consumer’s personally identifiable information or login credentials maintained
by a data collector.
(B) “Security breach” does not include good faith but unauthorized
acquisition of personally identifiable information or login credentials by an
employee or agent of the data collector for a legitimate purpose of the data
collector, provided that the personally identifiable information or login
credentials are not used for a purpose unrelated to the data collector’s business
or subject to further unauthorized disclosure.
(C) In determining whether personally identifiable information or
login credentials have been acquired or is reasonably believed to have been
acquired by a person without valid authorization, a data collector may consider
the following factors, among others:
(i) indications that the information is in the physical possession
and control of a person without valid authorization, such as a lost or stolen
computer or other device containing information;
(ii) indications that the information has been downloaded or
copied;
(iii) indications that the information was used by an unauthorized
person, such as fraudulent accounts opened or instances of identity theft
reported; or
(iv) that the information has been made public.
* * *
Subchapter 2. Security Breach Notice Act Breaches
§ 2435. NOTICE OF SECURITY BREACHES
* * *
(h) Enforcement.
(1) With respect to all data collectors and other entities subject to this
subchapter, other than a person or entity licensed or registered with the
Department of Financial Regulation under Title 8 or this title, the Attorney
General and State’s Attorney shall have sole and full authority to investigate
potential violations of this subchapter and to enforce, prosecute, obtain, and
impose remedies for a violation of this subchapter or any rules or regulations
made pursuant to this subchapter as the Attorney General and State’s Attorney
have under chapter 63 of this title. With respect to a controller or processor
other than a controller or processor licensed or registered with the Department
of Financial Regulation under Title 8 or this title, the Attorney General has the
same authority to adopt rules to implement the provisions of this section and to
conduct civil investigations, enter into assurances of discontinuance, bring civil
actions, and take other enforcement actions as provided under chapter 63,
subchapter 1 of this title. The Attorney General may refer the matter to the
State’s Attorney in an appropriate case. The Superior Courts shall have
jurisdiction over any enforcement matter brought by the Attorney General or a
State’s Attorney under this subsection.
(2) With respect to a data collector that is a person or entity licensed or
registered with the Department of Financial Regulation under Title 8 or this
title, the Department of Financial Regulation shall have the full authority to
investigate potential violations of this subchapter and to prosecute, obtain, and
impose remedies for a violation of this subchapter or any rules or regulations
adopted pursuant to this subchapter, as the Department has under Title 8 or this
title or any other applicable law or regulation. With respect to a controller or
processor that is licensed or registered with the Department of Financial
Regulation under Title 8 or this title, the Department of Financial Regulation
has the same authority to adopt rules to implement the provisions of this
section and to conduct civil investigations, enter into assurances of
discontinuance, bring civil actions, and take other enforcement actions as
provided under Title 8 or this title or any other applicable law or regulation.
* * *
§ 2436. NOTICE OF DATA BROKER SECURITY BREACH ES
(a) Short title. This section shall be known as the “Data Broker Security
Breach Notice Act.”
(b) Notice of breach to consumers.
(1) Except as otherwise provided in subsection (c) of this section, a data
broker shall, following discovery or notification to the data broker of a security
breach affecting a consumer, notify the consumer that there has been a data
broker security breach. Notice of the security breach shall be made in the most
expedient time possible and without unreasonable delay, but not later than 45
days after the discovery or notification, consistent with the legitimate needs of
the law enforcement agency, as provided in subdivisions (3) and (4) of this
subsection, or with any measures necessary to determine the scope of the
security breach and restore the reasonable integrity, security, and
confidentiality of the data system.
(2) A data broker shall provide notice of a breach to the Attorney
General as follows:
(A)(i) The data broker shall notify the Attorney General of the date of
the security breach and the date of discovery of the breach and shall provide a
preliminary description of the breach within 14 business days, consistent with
the legitimate needs of the law enforcement agency, as provided in
subdivisions (3) and (4) of this subsection (b), after the data broker’s discovery
of the security breach.
(ii) If the date of the breach is unknown at the time notice is sent
to the Attorney General, the data broker shall send the Attorney General the
date of the breach as soon as it is known.
(iii) Unless otherwise ordered by a court of this State for good
cause shown, a notice provided under this subdivision (2)(A) shall not be
disclosed, without the consent of the data broker, to any person other than the
authorized agent or representative of the Attorney General, a State’s Attorney,
or another law enforcement officer engaged in legitimate law enforcement
activities.
(B)(i) When the data broker provides notice of the breach pursuant to
subdivision (1) of this subsection, the data broker shall notify the Attorney
General of the number of Vermont consumers affected, if known to the data
broker, and shall provide a copy of the notice provided to consumers under
subdivision (1) of this subsection (b).
(ii) The data broker may send to the Attorney General a second
copy of the consumer notice, from which is redacted the type of brokered
personal information that was subject to the breach, that the Attorney General
shall use for any public disclosure of the breach.
(3) The notice to the Attorney General and a consumer required by this
subsection shall be delayed upon request of a law enforcement agency. A law
enforcement agency may request the delay if it believes that notification may
impede a law enforcement investigation or a national or Homeland Security
investigation or jeopardize public safety or national or Homeland Security
interests. In the event law enforcement makes the request for a delay in a
manner other than in writing, the data broker shall document the request
contemporaneously in writing and include the name of the law enforcement
officer making the request and the officer’s law enforcement agency engaged
in the investigation. A law enforcement agency shall promptly notify the data
broker in writing when the law enforcement agency no longer believes that
notification may impede a law enforcement investigation or a national or
Homeland Security investigation or jeopardize public safety or national or
Homeland Security interests. The data broker shall provide notice required by
this subsection without unreasonable delay upon receipt of a written
communication, which includes facsimile or electronic communication, from
the law enforcement agency withdrawing its request for delay.
(4) The notice to a consumer required in subdivision (1) of this
subsection shall be clear and conspicuous. A notice to a consumer of a
security breach involving brokered personal information shall include a
description of each of the following, if known to the data broker:
(A) the incident in general terms;
(B) the categories of brokered personal information that was subject
to the security breach;
(C) the general acts of the data broker to protect the brokered
personal information from further security breach;
(D) a telephone number, toll-free if available, that the consumer may
call for further information and assistance;
(E) advice that directs the consumer to remain vigilant by reviewing
account statements and monitoring free credit reports; and
(F) the approximate date of the data broker security breach.
(5) A data broker may provide notice of a security breach involving
brokered personal information to a consumer by two or more of the following
methods:
(A) written notice mailed to the consumer’s residence;
(B) electronic notice, for those consumers for whom the data broker
has a valid email address, if:
(i) the data broker’s primary method of communication with the
consumer is by electronic means, the electronic notice does not request or
contain a hypertext link to a request that the consumer provide personal
information, and the electronic notice conspicuously warns consumers not to
provide personal information in response to electronic communications
regarding security breaches; or
(ii) the notice is consistent with the provisions regarding electronic
records and signatures for notices in 15 U.S.C. § 7001;
(C) telephonic notice, provided that telephonic contact is made
directly with each affected consumer and not through a prerecorded message;
or
(D) notice by publication in a newspaper of statewide circulation in
the event the data broker cannot effectuate notice by any other means.
(c) Exception.
(1) Notice of a security breach pursuant to subsection (b) of this section
is not required if the data broker establishes that misuse of brokered personal
information is not reasonably possible and the data broker provides notice of
the determination that the misuse of the brokered personal information is not
reasonably possible pursuant to the requirements of this subsection. If the data
broker establishes that misuse of the brokered personal information is not
reasonably possible, the data broker shall provide notice of its determination
that misuse of the brokered personal information is not reasonably possible and
a detailed explanation for said determination to the Attorney General. The data
broker may designate its notice and detailed explanation to the Attorney
General as a trade secret if the notice and detailed explanation meet the
definition of trade secret contained in 1 V.S.A. § 317(c)(9).
(2) If a data broker established that misuse of brokered personal
information was not reasonably possible under subdivision (1) of this
subsection and subsequently obtains facts indicating that misuse of the
brokered personal information has occurred or is occurring, the data broker
shall provide notice of the security breach pursuant to subsection (b) of this
section.
(d) Waiver. Any waiver of the provisions of this subchapter is contrary to
public policy and is void and unenforceable.
(e) Enforcement.
(1) With respect to a controller or processor other than a controller or
processor licensed or registered with the Department of Financial Regulation
under Title 8 or this title, the Attorney General has the same authority to adopt
rules to implement the provisions of this section and to conduct civil
investigations, enter into assurances of discontinuance, bring civil actions, and
take other enforcement actions as provided under chapter 63, subchapter 1 of
this title. The Attorney General may refer the matter to the State’s Attorney in
an appropriate case. The Superior Courts shall have jurisdiction over any
enforcement matter brought by the Attorney General or a State’s Attorney
under this subsection.
(2) With respect to a controller or processor that is licensed or registered
with the Department of Financial Regulation under Title 8 or this title, the
Department of Financial Regulation has the same authority to adopt rules to
implement the provisions of this section and to conduct civil investigations,
enter into assurances of discontinuance, bring civil actions, and take other
enforcement actions as provided under Title 8 or this title or any other
applicable law or regulation.
* * *
Subchapter 5. Data Brokers
§ 2446. DATA BROKERS; ANNUAL REGISTRATION
(a) Registration. Annually, on or before January 31 following a year in
which a person meets the definition of data broker as provided in section 2430
of this title, a data broker shall:
(1) register with the Secretary of State;
(2) pay a registration fee of $100.00; and pay a registration fee in an
amount determined by the Secretary of State which shall:
(A) not exceed the reasonable costs of:
(i) establishing and maintaining the informational website set forth
in subsection (d) of this section; and
(ii) establishing, maintaining, and providing access to the
accessible deletion mechanism set forth in section 2446a of this title; and
(B) be deposited by the Secretary of State into the Data Brokers
Registry Fund established in section 2446b of this title; and
(3) provide the following information to the Secretary of State:
(A) the name and primary physical, e-mail email, phone number, and
Internet internet addresses of the data broker;
(B) if the data broker permits a consumer to opt out of the data
broker’s collection of brokered personal information, opt out of its databases,
or opt out of certain sales of data:
(i) the method for requesting an opt-out;
(ii) if the opt-out applies to only certain activities or sales, which
ones; and
(iii) whether the data broker permits a consumer to authorize a
third party an authorized agent to perform the opt-out on the consumer’s
behalf;
(C) a statement specifying the data collection, databases, or sales
activities from which a consumer may not opt out;
(D) a statement whether the data broker implements a purchaser
credentialing process;
(E) the number of data broker security breaches that the data broker
has experienced during the prior year, and if known, the total number of
consumers affected by the breaches;
(F) where the data broker has actual knowledge that it possesses the
brokered personal information of minors, a separate statement detailing the
data collection practices, databases, sales activities, and opt-out policies that
are applicable to the brokered personal information of minors; and
(G) whether the data broker collects:
(i) precise geolocation of consumers;
(ii) reproductive health care data of consumers;
(iii) Social Security numbers of consumers;
(iv) driver’s license information of consumers;
(v) biometric data of consumers;
(vi) immigration status of consumers;
(vii) sexual orientation of consumers; or
(viii) union membership status of consumers;
(H) beginning on January 1, 2031, whether the data broker has
undergone an audit pursuant to subsection 2446a(d) of this title and if so, the
most recent year that the data broker has submitted a report resulting from the
audit to the Secretary of State;
(I) beginning on January 1, 2029, the following annual metrics
pursuant to section 2446a of this title:
(i) the number of deletion requests received;
(ii) the number of deletion requests processed;
(iii) the number of deletion requests denied because the consumer
request cannot be verified; and
(iv) the number of deletion requests denied because retention of
the consumer’s brokered personal information is required by law; and
(J) any additional information or explanation the data broker chooses
to provide concerning its data collection practices.
(b) Penalties. A data broker that fails to register pursuant to subsection (a)
of this section is liable to the State for:
(1) a civil penalty of $50.00 for each day, not to exceed a total of
$10,000.00 for each year, it fails to register pursuant to this section;
(2) an amount equal to the fees due under this section during the period
it failed to register pursuant to this section; and
(3) other penalties imposed by law.
(1) A data broker that fails to register as required by subsection (a) of
this section is liable to the State for:
(A) an administrative fine of $200.00 for each day the data broker
fails to register;
(B) an amount equal to the fees that were due during the period the
data broker failed to register; and
(C) any reasonable costs incurred by the State in the investigation
and administration of the action as the court deems appropriate.
(2) A data broker that fails to provide all registration information
required in subdivision (a)(3) of this section shall file an amendment that
includes any omitted information not later than 30 days after receiving
notification of the omission from the Secretary of State and is liable to the
State for a civil penalty of $1,000.00 per day for each day thereafter that the
data broker does not file an amendment providing the omitted information.
(3) A data broker that files materially incorrect information in its
registration:
(A) is liable to the State for a civil penalty of $25,000.00; and
(B) shall correct the incorrect information not later than 30 days after
notification of the incorrect information, and, if it fails to correct the
information, the data broker shall be liable for an additional civil penalty of
$1,000.00 per day for each day the data broker fails to correct the information.
(4) All penalties, fines, fees, and expenses recovered in an action
pursuant to this section shall be deposited in the Data Brokers Registry Fund.
(c) Enforcement. The Attorney General and the Secretary of State may
maintain an action in the Civil Division of the Superior Court to collect the
penalties imposed in this section and to seek appropriate injunctive relief.
(d) Public web page. The Secretary of State shall create a publicly
accessible page on its website where it lists the registration information
provided by data brokers pursuant to this section and the accessible deletion
mechanism set forth in section 2446a of this title.
§ 2446a. ACCESSIBLE DELETION MECHANISM
(a) Creation of mechanism. On or before January 1, 2028, the Secretary of
State shall establish an accessible deletion mechanism that:
(1) implements and maintains reasonable security procedures and
practices, including administrative, physical, and technical safeguards
appropriate to the nature of the information and the purposes for which the
brokered personal information will be used and to protect a consumer’s
brokered personal information from unauthorized use, disclosure, access,
destruction, or modification;
(2) allows a consumer, through a single verifiable consumer request, to
request that every data broker that maintains any brokered personal
information about the consumer delete the brokered personal information;
(3) allows a consumer to selectively exclude specific data brokers from
a request made under subdivision (2) of this subsection;
(4) allows a consumer to alter a previous request made pursuant to
subdivision (2) of this subsection after at least 45 days have passed since the
consumer last made a request;
(5) allows a consumer to request the deletion of all brokered personal
information related to that consumer all at once through a single deletion
request;
(6) permits a consumer to securely submit information in one or more
privacy-protecting ways, as determined by the Secretary of State, to aid in the
deletion request;
(7) allows a data broker registered with the Secretary of State to
determine whether a consumer has submitted a verifiable request to delete the
brokered personal information related to that consumer as described in
subdivision (2) of this subsection;
(8) does not allow the disclosure of any additional brokered personal
information of a consumer when the data broker accesses the accessible
deletion mechanism, unless otherwise specified in this subchapter;
(9) allows a consumer to make a request described in subdivision (2) of
this subsection using a website operated by the Secretary of State;
(10) does not charge a consumer to make a request described in
subdivision (2) of this subsection;
(11) is readily accessible and usable by consumers with disabilities;
(12) supports the ability of a consumer’s authorized agents to aid in the
deletion request;
(13) allows the consumer or their authorized agent to verify the status of
the consumer’s deletion request; and
(14) provides a description of the following:
(A) the deletion permitted by this section;
(B) the process for submitting a deletion request pursuant to this
section; and
(C) examples of the types of information that may be deleted.
(b) Data broker access.
(1) Beginning on August 1, 2028, a data broker shall access the
accessible deletion mechanism established in subsection (a) of this section at
least once every 45 days and shall:
(A) process all verifiable deletion requests the data broker has
received from consumers in the previous 45 days and delete such brokered
personal information;
(B) process a request as an opt-out of the sale or sharing of the
consumer’s brokered personal information;
(C) direct all service providers and contractors associated with the
data broker to:
(i) delete all brokered personal information related to a consumer
who has made a verifiable deletion request; and
(ii) process a request as an opt-out of the sale or sharing of the
consumer’s brokered personal information; and
(D) not use or disclose any information submitted by a consumer
through the accessible deletion mechanism for any other purpose besides the
authority provided in this subsection (b), including for marketing purposes.
(2) A data broker may deny a consumer’s request to delete a consumer’s
brokered personal information made pursuant to this section if retention of the
consumer’s brokered personal information is required by law.
(3) The Secretary of State may charge an access fee to a data broker to
use the accessible deletion mechanism that does not exceed the reasonable
costs of providing access.
(4) Any fees collected pursuant to subdivision (3) of this subsection
shall be deposited into the Data Brokers Registry Fund.
(c) Continuing obligation to consumers. Beginning on August 1, 2028,
once a data broker has processed a verifiable consumer request to delete a
consumer’s brokered personal information, the data broker shall:
(1) delete all brokered personal information of the consumer at least
once every 45 days unless:
(A) the consumer alters the consumer’s decision pursuant to
subdivision (a)(4) of this section; or
(B) retention of the consumer’s brokered personal information is
required by law; and
(2) not sell or share new brokered personal information of the consumer
unless the consumer expressly requests otherwise in writing;
(d) Audits.
(1) A data broker shall undergo an audit by an independent third party to
determine compliance with this section at least once every three years, with the
first audit taking place on or before December 31, 2030.
(2) For an audit completed pursuant to subdivision (1) of this
subsection, the data broker shall submit the report resulting from the audit and
any related materials to the Secretary of State within five business days of a
written request from the Secretary of State.
(3) A data broker shall maintain all reports and materials resulting from
audits conducted pursuant to this subsection for at least six years.
(e) Rules. The Secretary of State may adopt rules to implement the
provisions of this subchapter, except it shall not be permitted to create a rule
that establishes a new fee that is not authorized in this section.
(f) Penalties.
(1) A data broker that fails to comply with the requirements of this
section is liable to the State for:
(A) an administrative fine of $200.00 per day for each deletion
request the data broker fails to complete as required by subsection (b) of this
section; and
(B) reasonable expenses incurred by the State in the investigation and
administration of the action.
(2) All penalties, fines, fees, and expenses recovered in an action
pursuant to subdivision (1) of this subsection shall be deposited in the Data
Brokers Registry Fund.
§ 2446b. DATA BROKERS REGISTRY FUND
There is established the Data Brokers Registry Fund within the State
Treasury. The Fund shall be administered by the Secretary of State. All
monies collected or received by the Secretary of State and the Attorney
General pursuant to this subchapter shall be deposited into the Fund and shall
be made available for expenditure by the Secretary of State upon appropriation
by the General Assembly to offset the following costs:
(1) the reasonable costs of establishing and maintaining the
informational website as set forth in subsection 2446(d) of this title;
(2) the costs incurred by State courts and the Secretary of State in
connection with enforcing this subchapter; and
(3) the reasonable costs of establishing, maintaining, and providing
access to the accessible deletion mechanism described in section 2446a of this
title.
§ 2446c. CREDENTIALING
(a) A data broker shall maintain reasonable procedures designed to ensure
that the brokered personal information it discloses is used for a legitimate and
legal purpose.
(b) These procedures shall require that prospective users of the brokered
information identify themselves, certify the purposes for which the information
is sought, and certify that the information shall be used for no other purpose.
(c) A data broker shall make a reasonable effort to verify the identity of a
new prospective user and the uses certified by the prospective user prior to
furnishing the user brokered personal information.
(d) A data broker shall not furnish brokered personal information to any
person if it has reasonable grounds for believing that the brokered personal
information will not be used for a legitimate and legal purpose.
§ 2447. DATA BROKER DUTY TO PROTECT INFORMATION;
STANDARDS; TECHNICAL REQUIREMENTS
* * *
Sec. 2. EFFECTIVE DATE
This act shall take effect on July 1, 2025.