Vermont 2025-2026 Regular Session

Vermont Senate Bill S0071 Compare Versions

BILL AS INTRODUCED AND PASSED BY SENATE S.71
2025 Page 1 of 89
S.71
Introduced by Senators Clarkson, Harrison, Hashim, Major, Vyhovsky and White
Referred to Committee on Institutions
Date: February 18, 2025
Subject: Commerce and trade; consumer protection; data privacy
Statement of purpose of bill as introduced: This bill proposes to provide data privacy and online surveillance protections to Vermonters.
An act relating to consumer data privacy and online surveillance
It is hereby enacted by the General Assembly of the State of Vermont:
Sec. 1. 9 V.S.A. chapter 61A is added to read:
CHAPTER 61A. VERMONT DATA PRIVACY AND ONLINE SURVEILLANCE ACT
§ 2415. DEFINITIONS
As used in this chapter:
(1)(A) “Affiliate” means a legal entity that shares common branding with another legal entity or controls, is controlled by, or is under common control with another legal entity.
(B) As used in subdivision (A) of this subdivision (1), “control” or “controlled” means:
(i) ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a company;
(ii) control in any manner over the election of a majority of the directors or of individuals exercising similar functions; or
(iii) the power to exercise controlling influence over the management of a company.
(2) “Authenticate” means to use reasonable means to determine that a request to exercise any of the rights afforded under subdivisions 2418(a)(1)–(6) of this title is being made by, or on behalf of, the consumer who is entitled to exercise the consumer rights with respect to the personal data at issue.
(3)(A) “Biometric data” means data generated from the technological processing of an individual’s unique biological, physical, or physiological characteristics that allow or confirm the unique identification of the consumer, including:
(i) iris or retina scans;
(ii) fingerprints;
(iii) facial or hand mapping, geometry, or templates;
(iv) vein patterns;
(v) voiceprints or vocal biomarkers; and
(vi) gait or personally identifying physical movement or patterns.
(B) “Biometric data” does not include:
(i) a digital or physical photograph;
(ii) an audio or video recording; or
(iii) any data generated from a digital or physical photograph, or an audio or video recording, unless such data is generated to identify a specific individual.
(4) “Business associate” has the same meaning as in HIPAA.
(5) “Child” has the same meaning as in COPPA.
(6)(A) “Consent” means a clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement to allow the processing of personal data relating to the consumer in response to a specific request, provided the request:
(i) is provided to the consumer in a clear and conspicuous disclosure;
(ii) includes a description of the processing purpose for which the consumer’s consent is sought;
(iii) clearly distinguishes between an act or practice that is necessary to fulfill a request of the consumer and an act or practice that is for another purpose;
(iv) clearly states the specific categories of personal data that the controller intends to collect or process under each act or practice;
(v) clearly states the specific categories of personal data that the controller intends to collect or process under each act or practice; and
(vi) is accessible to a consumer with disabilities.
(B) “Consent” may include a written statement, including by electronic means, or any other unambiguous affirmative action.
(C) “Consent” does not include:
(i) acceptance of a general or broad terms of use or similar document that contains descriptions of personal data processing along with other, unrelated information;
(ii) hovering over, muting, pausing, or closing a given piece of content;
(iii) inaction of the consumer or the consumer’s continued use of a service or product provided by the controller; or
(iv) an agreement obtained through the use of dark patterns.
(7)(A) “Consumer” means an individual who is a resident of the State.
(B) “Consumer” does not include an individual acting in a commercial capacity or as an owner, director, officer, or contractor of a company, partnership, sole proprietorship, nonprofit, or government agency whose communications or transactions with the controller occur solely within
the context of that individual’s role with the company, partnership, sole proprietorship, nonprofit, or government agency.
(8) “Consumer health data” means any personal data that a controller uses to identify a consumer’s physical or mental health condition or diagnosis, including gender-affirming health data and reproductive or sexual health data.
(9) “Consumer health data controller” means any controller that, alone or jointly with others, determines the purpose and means of processing consumer health data.
(10) “Consumer reporting agency” has the same meaning as in the Fair Credit Reporting Act, 15 U.S.C. § 1681a(f).
(11) “Contextual advertising” or “contextual advertisement,” as subject to provisions set forth in subsection 2418(g) of this chapter, means displaying or presenting an advertisement that does not vary based on the identity of the individual recipient and is based solely on:
(A) the immediate content of a web page or online service within which the advertisement appears; or
(B) a specific request of the consumer for information or feedback.
(12) “Controller” means a person who, alone or jointly with others, determines the purpose and means of processing personal data.
(13) “COPPA” means the Children’s Online Privacy Protection Act of 1998, 15 U.S.C. § 6501–6506, and any regulations, rules, guidance, and
exemptions promulgated pursuant to the act, as the act and regulations, rules, guidance, and exemptions may be amended.
(14) “Covered entity” has the same meaning as in HIPAA.
(15) “Credit union” has the same meaning as in 8 V.S.A. § 30101.
(16) “Dark pattern” means a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision-making, or choice and includes any practice the Federal Trade Commission refers to as a “dark pattern.”
(17) “Data broker” has the same meaning as in section 2430 of this title.
(18) “Decisions that produce legal or similarly significant effects concerning the consumer” means decisions that result in or materially affect access to, the provision or denial of, or the terms and conditions of financial or lending services, housing, insurance, education enrollment or opportunity, criminal justice, employment opportunities, health care services, or access to essential goods or services.
(19) “De-identified data” means data that does not identify and cannot reasonably be used to infer information about, or otherwise be linked to, an identified or identifiable individual, or a device linked to the individual, if the controller that possesses the data:
(A) takes reasonable physical, technical, or administrative measures to ensure that the data cannot be used to reidentify an identified or identifiable
individual or be associated with an individual or device that identifies or is linked or reasonably linkable to an individual or household, provided that such reasonable measures for protected health information covered by HIPAA shall include the de-identification requirements set forth under 45 C.F.R. § 164.514 (other requirements relating to uses and disclosures of protected health information);
(B) publicly commits to process the data only in a de-identified fashion and not attempt to reidentify the data; and
(C) contractually obligates any recipients of the data to satisfy the criteria set forth in subdivisions (A) and (B) of this subdivision (19).
(20) “Financial institution” as used in subdivision 2417(a)(11) of this title, has the same meaning as in 15 U.S.C. § 6809.
(21) “First party” means a consumer-facing controller with which the consumer intends or expects to interact.
(22) “First-party advertising” means processing by a first party of its own first-party data for the purposes of advertising and marketing and is carried out:
(A) through direct communications with a consumer, such as direct mail, email, or text message communications;
(B) in a physical location operated by the first party; or
(C) through display or presentation of an advertisement on the first party’s own website, application, or its other online content.
(23) “First-party data” means personal data collected directly from a consumer by a first party in compliance with this chapter, including based on a visit by the consumer to or use by the consumer of a website, a physical location, or an online service operated by the first party.
(24) “Gender-affirming health care services” has the same meaning as in 1 V.S.A. § 150.
(25) “Gender-affirming health data” means any personal data concerning a past, present, or future effort made by a consumer to seek, or a consumer’s receipt of, gender-affirming health care services, including:
(A) precise geolocation data that is used for determining a consumer’s attempt to acquire or receive gender-affirming health care services;
(B) efforts to research or obtain gender-affirming health care services; and
(C) any gender-affirming health data that is derived from nonhealth information.
(26) “Genetic data” means any data, regardless of its format, that results from the analysis of a biological sample of an individual, or from another source enabling equivalent information to be obtained, and concerns genetic material, including deoxyribonucleic acids (DNA), ribonucleic acids (RNA),
genes, chromosomes, alleles, genomes, alterations or modifications to DNA or RNA, single nucleotide polymorphisms (SNPs), epigenetic markers, uninterpreted data that results from analysis of the biological sample or other source, and any information extrapolated, derived, or inferred therefrom.
(27) “Geofence” means any technology that uses global positioning coordinates, cell tower connectivity, cellular data, radio frequency identification, wireless fidelity technology data, or any other form of location detection, or any combination of such coordinates, connectivity, data, identification, or other form of location detection, to establish a virtual boundary.
(28) “Health care component” has the same meaning as in HIPAA.
(29) “Health care facility” has the same meaning as in 18 V.S.A. § 9432.
(30) “HIPAA” means the Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191, and any regulations promulgated pursuant to the act, as may be amended.
(31) “Hybrid entity” has the same meaning as in HIPAA.
(32) “Identified or identifiable individual” means an individual who can be readily identified, directly or indirectly, including by reference to an identifier such as a name, an identification number, specific or historical pattern of geolocation data, or an online identifier.
(33) “Independent trust company” has the same meaning as in 8 V.S.A. § 2401.
(34) “Investment adviser” has the same meaning as in 9 V.S.A. § 5102.
(35) “Large data holder” means a person who during the preceding calendar year processed the personal data of not fewer than 100,000 consumers.
(36) “Marketing measurement” means measuring and reporting on marketing performance or media performance by the controller, including processing personal data for measurement and reporting of frequency, attribution, and performance, provided that such measurement data is not processed or transferred for any other purpose.
(37) “Mental health facility” means any health care facility in which at least 70 percent of the health care services provided in the facility are mental health services.
(38) “Minor” means any consumer who is younger than 18 years of age.
(39) “Neural data” means information that is collected through biosensors and that could be processed to infer or predict mental states.
(40) “Nonpublic personal information” has the same meaning as in 15 U.S.C. § 6809.
(41)(A) “Online service, product, or feature” means any service, product, or feature that is provided online, except as provided in subdivision (B) of this subdivision (41).
(B) “Online service, product, or feature” does not include:
(i) telecommunications service, as that term is defined in the Communications Act of 1934, 47 U.S.C. § 153;
(ii) broadband internet access service, as that term is defined in 47 C.F.R. § 54.400 (universal service support); or
(iii) the delivery or use of a physical product, but not including the provision or use of an online service, product, or feature through use of an internet-connected physical product.
(42) “Patient identifying information” has the same meaning as in 42 C.F.R. § 2.11 (confidentiality of substance use disorder patient records).
(43) “Patient safety work product” has the same meaning as in 42 C.F.R. § 3.20 (patient safety organizations and patient safety work product).
(44)(A) “Personal data” means any information, including derived data and unique identifiers, that is linked or reasonably linkable, alone or in combination with other information, to an identified or identifiable individual or to a device that identifies, is linked to, or is reasonably linkable to one or more identified or identifiable individuals in a household.
(B) “Personal data” does not include de-identified data or publicly available information.
(45)(A) “Precise geolocation data” means information derived from technology that reveals the past or present physical location of a consumer or device that identifies or is linked or reasonably linkable to one or more consumers with precision and accuracy within a radius of 1,850 feet.
(B) “Precise geolocation data” does not include:
(i) the content of communications;
(ii) data generated by or connected to an advanced utility metering infrastructure system;
(iii) a photograph, or metadata associated with a photograph or video, that cannot be linked to an individual; or
(iv) data generated by equipment used by a utility company.
(46) “Process” or “processing” means any operation or set of operations performed, whether by manual or automated means, on personal data or on sets of personal data, such as the collection, use, storage, disclosure, analysis, deletion, or modification of personal data.
(47) “Processor” means a person who processes personal data on behalf of:
(A) a controller;
(B) another processor; or
(C) a federal, state, tribal, or local government entity.
(48) “Profiling” means any form of automated processing performed on personal data to evaluate, analyze, or predict personal aspects, including an individual’s economic situation, health, personal preferences, interests, reliability, behavior, location, movements, or identifying characteristics.
(49) “Protected health information” has the same meaning as in HIPAA.
(50)(A) “Publicly available information” means information that:
(i) is made available:
(I) through federal, state, or local government records; or
(II) to the general public from widely distributed media; or
(ii) a controller has a reasonable basis to believe that the consumer has lawfully made available to the general public.
(B) “Publicly available information” does not include:
(i) biometric data collected by a business about a consumer without the consumer’s knowledge;
(ii) information that is collated and combined to create a consumer profile that is made available to a user of a publicly available website either in exchange for payment or free of charge;
(iii) information that is made available for sale;
(iv) an inference that is generated from the information described in subdivision (ii) or (iii) of this subdivision (50)(B);
(v) any obscene visual depiction, as defined in 18 U.S.C. § 1460;
(vi) any inference made exclusively from multiple independent sources of publicly available information that reveals sensitive data with respect to a consumer;
(vii) personal data that is created through the combination of personal data with publicly available information;
(viii) genetic data, unless otherwise made publicly available by the consumer to whom the information pertains;
(ix) information provided by a consumer on a website or online service made available to all members of the public, for free or for a fee, where the consumer has maintained a reasonable expectation of privacy in the information, such as by restricting the information to a specific audience; or
(x) intimate images, authentic or computer-generated, known to be nonconsensual.
(51) “Qualified service organization” has the same meaning as in 42 C.F.R. § 2.11 (confidentiality of substance use disorder patient records).
(52) “Reproductive or sexual health care” has the same meaning as “reproductive health care services” in 1 V.S.A. § 150(c)(1).
(53) “Reproductive or sexual health data” means any personal data concerning a past, present, or future effort made by a consumer to seek, or a consumer’s receipt of, reproductive or sexual health care.
(54) “Reproductive or sexual health facility” means any health care facility in which at least 70 percent of the health care-related services or products rendered or provided in the facility are reproductive or sexual health care.
(55)(A) “Sale of personal data” means the exchange of a consumer’s personal data by the controller to a third party for monetary or other valuable consideration.
(B) “Sale of personal data” does not include:
(i) the disclosure of personal data to a processor that processes the personal data on behalf of the controller;
(ii) the disclosure of personal data to a third party for purposes of providing a product or service requested by the consumer;
(iii) the disclosure or transfer of personal data to an affiliate of the controller;
(iv) the disclosure, with the consumer’s consent, of personal data where the consumer directs the controller to disclose the personal data or intentionally uses the controller to interact with a third party;
(v) the disclosure of publicly available information;
(vi) the disclosure or transfer of personal data to a third party as an asset that is part of a merger, acquisition, bankruptcy, or other transaction,
or a proposed merger, acquisition, bankruptcy, or other transaction, in which the third party assumes control of all or part of the controller’s assets.
(56) “Sensitive data” means personal data that:
(A) reveals a consumer’s government-issued identifier, such as a Social Security number, passport number, state identification card, or driver’s license number, that is not required by law to be publicly displayed;
(B) reveals a consumer’s racial or ethnic origin, national origin, citizenship or immigration status, religious or philosophical beliefs, a mental or physical health condition, diagnosis, disability or treatment, status as pregnant, income level or indebtedness, or union membership;
(C) reveals a consumer’s sexual orientation, sex life, sexuality, or status as transgender or nonbinary;
(D) reveals a consumer’s status as a victim of a crime;
(E) is a consumer’s tax return and account number, financial account log-in, financial account, debit card number, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account;
(F) is consumer health data;
(G) is collected and analyzed concerning consumer health data that describes or reveals a past, present, or future mental or physical health condition, treatment, disability, or diagnosis, including pregnancy, to the extent
the personal data is used by the controller for a purpose other than to identify a specific consumer’s physical or mental health condition or diagnosis;
(H) is biometric or genetic data;
(I) is collected from a consumer that a controller knew or should have known is a minor;
(J) is precise geolocation data;
(K) are keystrokes;
(L) is driving behavior;
(M) is neural data; or
(N) are the online activities of a consumer over time and across devices, websites, online applications, and mobile applications, that do not share common branding, or data generated by, profiling performed on such data.
(57)(A) “Targeted advertising” means displaying or presenting an online advertisement to a consumer or to a device identified by a unique persistent identifier, if the advertisement is selected based, in whole or in part, on known or predicted preferences, characteristics, behavior, or interests associated with the consumer or a device identified by a unique persistent identifier. “Targeted advertising” includes displaying or presenting an online advertisement for a product or service based on the previous interaction of a consumer or a device identified by a unique persistent identifier with such product or service on a
website or online service that does not share common branding with the website or online service displaying or presenting the advertisement, and marketing measurement related to such advertisements.
(B) “Targeted advertising” does not include:
(i) first-party advertising; or
(ii) contextual advertising.
(58) “Third party” means a person who collects personal data from another person who is not the consumer to whom the data pertains and is not a processor with respect to such data. “Third party” does not include a person who collects personal data from another entity if the entities are affiliates.
(59) “Trade secret” has the same meaning as in section 4601 of this title.
(60)(A) “Unique persistent identifier” means a technologically created identifier to the extent that such identifier is reasonably linkable to a consumer or a device that identifies or is linked or reasonably linkable to one or more consumers, including device identifiers, internet protocol addresses, cookies, beacons, pixel tags, mobile ad identifiers or similar technology customer numbers, unique pseudonyms, user aliases, telephone numbers, or other forms of persistent or probabilistic identifiers that are linked or reasonably linkable to one or more consumers or devices.
(B) “Unique persistent identifier” does not include an identifier assigned by a controller for the sole purpose of giving effect to the exercise of
affirmative consent or opt out by a consumer with respect to the collection or processing of personal data or otherwise limiting the collection or processing of personal data.
(61) “Victim services organization” means a nonprofit organization that is established to provide services to victims or witnesses of child abuse, domestic violence, human trafficking, sexual assault, violent felony, or stalking.
§ 2416. APPLICABILITY
(a) Except as provided in subsection (b) of this section, this chapter applies to a person who conducts business in this State or a person who produces products or services that are targeted to residents of this State and that during the preceding calendar year:
(1) controlled or processed the personal data of not fewer than 25,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or
(2) controlled or processed the personal data of not fewer than 12,500 consumers and derived more than 25 percent of the person’s gross revenue from the sale of personal data.
(b) Section 2425 of this chapter and the provisions of this chapter concerning consumer health data and consumer health data controllers apply to
a person who conducts business in this State or a person who produces products or services that are targeted to residents of this State.
§ 2417. EXEMPTIONS
(a) This chapter does not apply to:
(1) a federal, state, tribal, or local government entity in the ordinary course of its operation;
(2) protected health information under HIPAA;
(3) patient-identifying information, for purposes of 42 U.S.C. § 290DD–2;
(4)(i) information to the extent it is used for public health, community health, or population health activities and purposes, as authorized by HIPAA, when provided by or to a covered entity or when provided by or to a business associate in accordance with the business associate agreement with a covered entity;
(ii) information that is a health care record, as that term is defined in 18 V.S.A. § 9419, if the information is held by an entity that is a covered entity or business associate under HIPAA because it collects, uses, or discloses protected health information;
(iii) information that is de-identified in accordance with the requirements for de-identification set forth in 45 C.F.R. 164.514 and that is
derived from individually identifiable health information as described in HIPAA; and
(iv) personal information consistent with the human subject protection requirements of the U.S. Food and Drug Administration;
(5) information used only for public health activities and purposes described in 45 C.F.R. § 164.512 (disclosure of protected health information without authorization);
(6) information that identifies a consumer in connection with:
(A) activities that are subject to the Federal Policy for the Protection of Human Subjects, codified as 45 C.F.R. Part 46 (HHS protection of human subjects) and in various other federal regulations;
(B) activities that are subject to the protections provided in 21 C.F.R. Parts 50 (FDA clinical investigations protection of human subjects) and 56 (FDA clinical investigations institutional review boards); or
(C) research conducted in accordance with the requirements set forth in subdivisions (A) and (B) of this subdivision (a)(6) or otherwise in accordance with applicable law;
(7) patient identifying information that is collected and processed in accordance with 42 C.F.R. Part 2 (confidentiality of substance use disorder patient records);
(8) patient safety work product that is created and used for purposes of patient safety improvement in accordance with 42 C.F.R. § 3, established in accordance with 42 U.S.C. §§ 299b–21 through 299b–26;
(9) information or documents created for the purposes of the Health Care Quality Improvement Act of 1986, 42 U.S.C. § 11101–11152, and regulations adopted to implement that act;
(10) information processed or maintained solely in connection with, and for the purpose of, enabling notice of an emergency to persons that an individual specifies;
(11) any activity that involves collecting, maintaining, disclosing, selling, communicating, or using information for the purpose of evaluating a consumer’s creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living if done strictly in accordance with the provisions of the Fair Credit Reporting Act, 15 U.S.C. § 1681–1681x, as may be amended, by:
(A) a consumer reporting agency;
(B) a person who furnishes information to a consumer reporting agency under 15 U.S.C. § 1681s-2 (responsibilities of furnishers of information to consumer reporting agencies); or
(C) a person who uses a consumer report as provided in 15 U.S.C. § 1681b(a)(3) (permissible purposes of consumer reports);
(12) information collected, processed, sold, or disclosed under and in accordance with the following laws and regulations:
(A) the Driver’s Privacy Protection Act of 1994, 18 U.S.C. § 2721–2725;
(B) data that is subject to the Family Educational Rights and Privacy Act, 20 U.S.C. § 1232g, and regulations adopted to implement that act;
(C) data that is subject to the Airline Deregulation Act, Pub. L. No. 95-504, only to the extent that an air carrier collects information related to prices, routes, or services, and only to the extent that the provisions of the Airline Deregulation Act preempt this chapter;
(D) data that is subject to the Farm Credit Act, Pub. L. No. 92-181, as may be amended; and
(E) data that is subject to federal policy under 21 U.S.C. § 830 (regulation of listed chemicals and certain machines);
(13) nonpublic personal information that is processed by a financial institution subject to the Gramm-Leach-Bliley Act, Pub. L. No. 106-102, and regulations adopted to implement that act;
(14) a state or federally chartered bank or credit union, or an affiliate or subsidiary that is principally engaged in financial activities, as described in 18 U.S.C. § 1843(k);
(15) a person regulated pursuant to 8 V.S.A. part 3 (chapters 101–165) other than a person who, alone or in combination with another person, establishes and maintains a self-insurance program and who does not otherwise engage in the business of entering into policies of insurance;
(16) a third-party administrator, as that term is defined in the Third Party Administrator Rule adopted pursuant to 18 V.S.A. § 9417;
(17) personal data of a victim or witness of child abuse, domestic violence, human trafficking, sexual assault, violent felony, or stalking that a victim services organization collects, processes, or maintains in the course of its operation;
(18) a nonprofit organization that is established to detect and prevent fraudulent acts in connection with insurance;
(19) information that is processed for purposes of compliance, enrollment or degree verification, or research services by a nonprofit organization that is established to provide enrollment data reporting services on behalf of postsecondary schools as that term is defined in 16 V.S.A. § 176; or
(20) noncommercial activity of:
(A) a publisher, editor, reporter, or other person who is connected with or employed by a newspaper, magazine, periodical, newsletter, pamphlet, report, or other publication in general circulation;
(B) a radio or television station that holds a license issued by the Federal Communications Commission;
(C) a nonprofit organization that provides programming to radio or television networks; or
(D) a press association or wire service.
(b) Controllers, processors, and consumer health data controllers that comply with the verifiable parental consent requirements of COPPA shall be deemed compliant with any obligation to obtain parental consent pursuant to this chapter.
§ 2418. CONSUMER PERSONAL DATA RIGHTS
(a) A consumer shall have the right to:
(1) confirm whether a controller is processing the consumer’s personal data and, if a controller is processing the consumer’s personal data, access the personal data;
(2) know whether a consumer’s personal data is or will be used in any artificial intelligence system and for what purpose;
(3) obtain from a controller a list of third parties to which the controller has disclosed the consumer’s personal data or, if the controller does not maintain this information in a format specific to the consumer, a list of third parties to which the controller has disclosed personal data;
(4) correct inaccuracies in the consumer’s personal data, taking into account the nature of the personal data and the purposes of the processing of the consumer’s personal data;
(5) delete personal data, including derived data, provided by, or obtained about, the consumer unless retention of the personal data is required by law;
(6) obtain a copy of the consumer’s personal data processed by the controller in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another controller without hindrance; and
(7) opt out of the processing of personal data for purposes of:
(A) targeted advertising;
(B) the sale of personal data; or
(C) profiling in furtherance of automated decisions that produce legal or similarly significant effects concerning the consumer.
(b)(1) A consumer may exercise rights under this section by submitting a request to a controller using the method that the controller specifies in the privacy notice under section 2419 of this title.
(2) A controller shall not require a consumer to create an account for the purpose described in subdivision (1) of this subsection, but the controller may require the consumer to use an account the consumer previously created.
(3) A parent or legal guardian may exercise rights under this section on behalf of the parent’s child or on behalf of a child for whom the guardian has legal responsibility. A guardian or conservator may exercise the rights under this section on behalf of a consumer that is subject to a guardianship, conservatorship, or other protective arrangement.
(4)(A) A consumer may designate another person to act on the consumer’s behalf as the consumer’s authorized agent for the purpose of exercising the consumer’s rights under subdivision (a)(5) or (a)(7) of this section.
(B) The consumer may designate an authorized agent by means of an internet link, browser setting, browser extension, global device setting, or other technology that enables the consumer to exercise the consumer’s rights under subdivision (a)(5) or (a)(7) of this section.
(c) Except as otherwise provided in this chapter, a controller shall comply with a request by a consumer to exercise the consumer rights authorized pursuant to this chapter as follows:
(1)(A) A controller shall respond to the consumer without undue delay, but not later than 45 days after receipt of the request.
(B) The controller may extend the response period by 45 additional days when reasonably necessary, considering the complexity and number of the consumer’s requests, provided the controller informs the consumer of the extension within the initial 45-day response period and of the reason for the extension.
(C) If the consumer appointed an agent, the controller shall interact with the agent throughout the process and, with the exclusion of a data access request, not require the consumer to be involved in the fulfillment of the request.
(2) If a controller declines to take action regarding the consumer’s request, the controller shall inform the consumer without undue delay, but not later than 45 days after receipt of the request, of the justification for declining to take action and instructions for how to appeal the decision.
(3)(A) Information provided in response to a consumer request shall be provided by a controller, free of charge, once per consumer during any 12-month period or after every time the controller makes material changes to its personal data practices and policies.
(B) If requests from a consumer are manifestly unfounded, excessive, or repetitive, the controller may charge the consumer a reasonable fee to cover the administrative costs of complying with the request or decline to act on the request.
(C) The controller bears the burden of demonstrating the manifestly unfounded, excessive, or repetitive nature of the request.
(D) When a controller determines a consumer request is manifestly unfounded, excessive, or repetitive, the controller shall inform the consumer and share the controller’s justification prior to disregarding the request or charging the consumer a processing fee. That notice shall include instructions for appealing the decision.
(4)(A) If a controller is unable to authenticate a request to exercise any of the rights afforded under subdivisions (a)(1)–(6) of this section, the controller shall not be required to comply with a request to initiate an action pursuant to this section and shall provide notice to the consumer or the consumer’s agent that the controller is unable to authenticate the request to exercise the right or rights until the consumer provides additional information reasonably necessary to authenticate the consumer and the consumer’s request to exercise the right or rights.
(B) A controller shall not require authentication to exercise an opt-out request, but a controller may deny an opt-out request if the controller has a good faith, reasonable, and documented belief that the request is fraudulent.
(C) If a controller denies an opt-out request because the controller believes the request is fraudulent, the controller shall send a notice to the person who made the request disclosing that the controller believes the request is fraudulent, why the controller believes the request is fraudulent, and that the controller shall not comply with the request. If the request was placed through an agent, both the agent and the person who appointed the agent shall receive that notice.
(5) A controller shall not condition the exercise of a right under this section through:
(A) the use of any false, fictitious, fraudulent, or materially misleading statement or representation; or
(B) the employment of any dark pattern.
(d) A controller shall establish a process by means of which a consumer may appeal the controller’s refusal to take action on a request under subsection (b) of this section. The controller’s process shall:
(1) Allow a reasonable period of time after the consumer receives the controller’s refusal within which to appeal.
(2) Be conspicuously available to the consumer.
(3) Be similar to the manner in which a consumer must submit a request under subsection (b) of this section.
(4) Require the controller to approve or deny the appeal within 45 days after the date on which the controller received the appeal and to notify the consumer in writing of the controller’s decision and the reasons for the decision. If the controller denies the appeal, the notice must provide or specify information that enables the consumer to contact the Attorney General to submit a complaint.
(e) Nothing in this section shall be construed to require a controller to reveal a trade secret.
(f) In response to a consumer request under subdivision (a)(1) of this section, a controller shall not disclose the following information about a consumer, but shall instead inform the consumer with sufficient particularity that the controller has collected that type of information:
(1) Social Security number;
(2) driver’s license number or other government-issued identification number;
(3) financial account number;
(4) health insurance account number or medical identification number;
(5) account password, security questions, or answers; or
(6) biometric data.
(g)(1) A controller may use the following types of information to display a contextual advertisement:
(A) technical specifications as are necessary for the ad to be delivered and displayed properly on a given device;
(B) a consumer’s immediate presence in a geographic area with a radius not smaller than 10 miles, or an area reasonably estimated to include online activity from at least 5,000 users, but not including precise geolocation data; and
(C) the consumer’s language preferences, as inferred from context, browser settings, or user settings.
(2) A controller using information pursuant to subdivision (1) of this subsection to display a contextual advertisement shall not use that information to make inferences about a consumer, profile a consumer, or for any other purpose, and the controller shall not prohibit a consumer from using technical means to obfuscate or change a consumer’s physical location to specify a language preference.
§ 2419. DUTIES OF CONTROLLERS
(a) A controller shall:
(1) limit the collection and processing of personal data to what is reasonably necessary and proportionate to provide or maintain:
(A) a specific product or service requested by the consumer to whom the data pertains; and
(B) a communication, that is not an advertisement, by the controller to the consumer that is reasonably anticipated within the context of the relationship between the controller and the consumer;
(2) establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data appropriate to the volume and nature of the personal data at issue, including disposing of personal data in accordance with a retention schedule that requires the deletion of personal data when the data is required to be deleted by law or is no longer necessary for the purpose for which the data was collected or processed; and
(3) provide an effective mechanism for a consumer to withdraw consent provided pursuant to this chapter that is at least as easy as the mechanism by which the consumer provided the consent.
(b)(1) A controller that offers any online service, product, or feature to a consumer whom the controller knows is a minor shall:
(A) use reasonable care to avoid any heightened risk of harm to minors caused by processing of personal data in the course of providing the online service, product, or feature;
(B) provide to the minor a conspicuous signal indicating that the controller is collecting the minor’s precise geolocation data and make the signal available to the minor for the entire duration of the collection of the minor’s precise geolocation data; and
(C) not process the personal data of a minor for the purposes of targeted advertising or sell the personal data of a minor.
(2) For purposes of this subsection, “knows” means a controller knew or should have known the consumer is a minor, including based on:
(A) information collected about the age of the consumer; or
(B) any age or closely related proxy the business knows or has inferred, derived, attributed to, or associated with the consumer for any purpose, including marketing, advertising, or product development.
(3) Nothing in this chapter shall be construed to require:
(A) the affirmative collection of any personal data with respect to the age of users that a controller is not already collecting in the normal course of business; or
(B) a controller to implement an age gating or age verification functionality.
(c) A controller shall not:
(1) process sensitive data concerning a consumer except when the processing is strictly necessary to provide or maintain a specific product or service requested by the consumer to whom the sensitive data pertains;
(2) sell sensitive data;
(3) discriminate or retaliate against a consumer who exercises a right provided to the consumer under this chapter or refuses to consent to the processing of personal data for a separate product or service, including by:
(A) denying goods or services;
(B) charging different prices or rates for goods or services; or
(C) providing a different level of quality or selection of goods or services to the consumer;
(4) process personal data in violation of State or federal laws that prohibit unlawful discrimination; or
(5)(A) except as provided in subdivision (B) of this subdivision (5), process a consumer’s personal data in a manner that discriminates against individuals or otherwise makes unavailable the equal enjoyment of goods or services on the basis of an individual’s actual or perceived race, color, sex, sexual orientation or gender identity, physical or mental disability, religion, ancestry, or national origin;
(B) subdivision (A) of this subdivision (5) shall not apply to:
(i) a private establishment, as that term is used in 42 U.S.C. § 2000a(e) (prohibition against discrimination or segregation in places of public accommodation);
(ii) processing for the purpose of a controller’s or processor’s self-testing to prevent or mitigate unlawful discrimination or otherwise to ensure compliance with State or federal law; or
(iii) processing for the purpose of diversifying an applicant, participant, or consumer pool.
(d) Subsections (a)–(c) of this section shall not be construed to:
(1) require a controller to provide a good or service that requires personal data from a consumer that the controller does not collect or maintain; or
(2) prohibit a controller from offering a different price, rate, level of quality, or selection of goods or services to a consumer, including an offer for no fee or charge, in connection with a consumer’s participation, with consent, in a financial incentive program, such as a bona fide loyalty, rewards, premium features, discount, or club card program, provided that the controller may not transfer personal data to a third party as part of the program unless:
(A) the transfer is necessary to enable the third party to provide a benefit to which the consumer is entitled; and
(B)(i) the terms of the program clearly disclose that personal data will be transferred to the third party or to a category of third parties of which the third party belongs; and
(ii) the third party uses the personal data only for purposes of facilitating a benefit to which the consumer is entitled and does not process or transfer the personal data for any other purpose.
(e) The sale of personal data shall not be considered functionally necessary to provide a financial incentive program. A controller shall not use financial incentive practices that are unjust, unreasonable, coercive, or usurious in nature.
(f)(1) A controller shall provide to consumers a reasonably accessible, clear, and meaningful privacy notice that:
(A) lists the categories of personal data, including the categories of sensitive data, that the controller processes with a clear description of what data each category includes;
(B) describes the controller’s purposes for processing each category of personal data the controller processes in a way that gives consumers a meaningful understanding of how each category of their personal data will be used;
(C) describes how a consumer may exercise the consumer’s rights under this chapter, including how a consumer may appeal a controller’s denial of a consumer’s request under section 2418 of this title;
(D) lists all categories of personal data, including the categories of sensitive data, that the controller sells or shares with third parties;
(E) describes all categories of third parties with which the controller sells or shares personal data at a level of detail that enables the consumer to understand what type of entity each third party is and, to the extent possible, how each third party may process personal data;
(F) describes the length of time the controller intends to retain each category of personal data or, if it is not possible to identify the length of time, the criteria used to determine the length of time the controller intends to retain categories of personal data;
(G) specifies an email address or other online method by which a consumer can contact the controller that the controller actively monitors;
(H) identifies the controller, including any business name under which the controller registered with the Secretary of State and any assumed business name that the controller uses in this State;
(I) describes any collection, processing, selling, or sharing of personal data for training or use of artificial intelligence systems, if applicable;
(J) provides a clear and conspicuous description of any processing of personal data in which the controller engages for the purposes of targeted advertising, sale of personal data to third parties, or profiling the consumer in furtherance of decisions that produce legal or similarly significant effects concerning the consumer, and a procedure by which the consumer may opt out of this type of processing; and
(K) describes the method or methods the controller has established for a consumer to submit a request under subdivision 2418(b)(1) of this title.
(2) The privacy notice shall adhere to the accessibility and usability guidelines recommended under 42 U.S.C. chapter 126 (the Americans with Disabilities Act) and 29 U.S.C. § 794d (section 508 of the Rehabilitation Act of 1973), including ensuring readability for individuals with disabilities across various screen resolutions and devices and employing design practices that facilitate easy comprehension and navigation for all users.
(3) Whenever a controller makes a material change to the controller’s privacy notice or practices, the controller must notify consumers affected by the material change with respect to any prospectively collected personal data and provide a reasonable opportunity for consumers to withdraw consent to any further materially different transfer of previously collected personal data under the changed policy. The controller shall take all reasonable electronic measures to provide notification regarding material changes to affected consumers, taking into account available technology and the nature of the relationship.
(4) A controller is not required to provide a separate Vermont-specific privacy notice or section of a privacy notice if the controller’s general privacy notice contains all the information required by this subsection.
(5) The privacy notice must be posted online through a conspicuous hyperlink using the word “privacy” or “surveillance,” or both words if applicable, on the controller’s website home page or on a mobile application’s app store page or download page. A controller that maintains an application on a mobile or other device shall also include a hyperlink to the privacy notice in the application’s settings menu or in a similarly conspicuous and accessible location. A controller that does not operate a website shall make the privacy notice conspicuously available to consumers through a medium regularly used by the controller to interact with consumers, including email.
(g) The method or methods under subdivision (f)(1)(J) of this section for submitting a consumer’s request to a controller must:
(1) take into account the ways in which consumers normally interact with the controller, the need for security and reliability in communications related to the request, and the controller’s ability to authenticate the identity of the consumer that makes the request;
(2) provide a clear and conspicuous link to a website where the consumer or an authorized agent may opt out from a controller’s processing of the consumer’s personal data pursuant to subdivision 2418(a)(7) of this title or, solely if the controller does not have a capacity needed for linking to a web page, provide another method the consumer can use to opt out, which may include an internet hyperlink clearly labeled “Your Opt-Out Rights” or “Your Privacy Rights” that directly effectuates the opt-out request or takes consumers to a web page where the consumer can make the opt-out request; and
(3) allow a consumer or authorized agent to send a signal to the controller that indicates the consumer’s preference to opt out of the sale of personal data or targeted advertising pursuant to subdivision 2418(a)(7) of this title by means of a platform, technology, or mechanism that:
(A) is consumer friendly and easy for an average consumer to use;
(B)(i) enables the controller to reasonably determine whether the consumer has made a legitimate request pursuant to subsection 2418(b) of this title to opt out pursuant to subdivision 2418(a)(7) of this title; and
(ii) for purposes of subdivision (i) of this subdivision (B), use of an internet protocol address to estimate the consumer’s location may be considered sufficient to accurately determine residency.
(h) If a consumer or authorized agent uses a method under subdivision (f)(1)(J) of this section to opt out of a controller’s processing of the consumer’s personal data pursuant to subdivision 2418(a)(7) of this title and the decision conflicts with a consumer’s existing controller-specific privacy setting or voluntary participation in a bona fide reward, club card, or loyalty program or a program that provides premium features or discounts, the controller shall comply with the consumer’s opt-out preference signal but may notify the consumer of the conflict and provide to the consumer the choice to confirm the controller-specific privacy setting or participation in the program.
§ 2420. DUTIES OF PROCESSORS
(a) A processor shall adhere to a controller’s instructions and shall assist the controller in meeting the controller’s obligations under this chapter. In assisting the controller, the processor must:
(1) enable the controller to respond to requests from consumers pursuant to subsection 2418(b) of this title by means that:
(A) take into account how the processor processes personal data and the information available to the processor; and
(B) use appropriate technical and organizational measures to the extent reasonably practicable;
(2) adopt administrative, technical, and physical safeguards that are reasonably designed to protect the security and confidentiality of the personal data the processor processes, taking into account how the processor processes the personal data and the information available to the processor; and
(3) provide information reasonably necessary for the controller to conduct and document data protection assessments.
(b) Processing by a processor must be governed by a contract between the controller and the processor. The contract must:
(1) be valid and binding on both parties;
(2) set forth clear instructions for processing data, the nature and purpose of the processing, the type of data that is subject to processing, limitations, and the duration of the processing;
(3) specify the rights and obligations of both parties with respect to the subject matter of the contract;
(4) ensure that each person that processes personal data is subject to a duty of confidentiality with respect to the personal data;
(5) require the processor to delete the personal data or return the personal data to the controller at the controller’s direction or at the end of the provision of services, unless a law requires the processor to retain the personal data;
(6) require the processor to make available to the controller, at the controller’s request, all information the controller needs to verify that the processor has complied with all obligations the processor has under this chapter;
(7) require the processor to enter into a subcontract with a person the processor engages to assist with processing personal data on the controller’s behalf and in the subcontract require the subcontractor to meet the processor’s obligations concerning personal data;
(8)(A) allow the controller, the controller’s designee, or a qualified and independent person the processor engages, in accordance with an appropriate and accepted control standard, framework, or procedure, to assess the processor’s policies and technical and organizational measures for complying with the processor’s obligations under this chapter;
(B) require the processor to cooperate with the assessment; and
(C) at the controller’s request, report the results of the assessment to the controller;
(9) prohibit the processor from combining personal data obtained from the controller with personal data that the processor:
(A) receives from or on behalf of another controller or person; or
(B) collects directly from an individual; and
(10) require the processor to adhere to equivalent or greater de-identification standards.
(c) This section does not relieve a controller or processor from any liability that accrues under this chapter as a result of the controller’s or processor’s actions in processing personal data.
(d)(1) For purposes of determining obligations under this chapter, a person is a controller with respect to processing a set of personal data and is subject to an action under section 2424 of this title to punish a violation of this chapter, if the person:
(A) does not adhere to a controller’s instructions to process the personal data; or
(B) begins at any point to determine the purposes and means for processing the personal data, alone or in concert with another person.
(2) A determination under this subsection is a fact-based determination that must take account of the context in which a set of personal data is processed.
(3) A processor that adheres to a controller’s instructions with respect to a specific processing of personal data remains a processor.
§ 2421. DATA PROTECTION ASSESSMENTS FOR PROCESSING ACTIVITIES THAT PRESENT A HEIGHTENED RISK OF HARM TO A CONSUMER
(a) A controller shall conduct and document a data protection assessment for each of the controller’s processing activities that presents a heightened risk of harm to a consumer, which, for the purposes of this section, includes:
(1) the processing of personal data for the purposes of targeted advertising;
(2) the sale of personal data;
(3) the processing of personal data for the purposes of profiling, where the profiling presents a reasonably foreseeable risk of:
(A) unfair or deceptive treatment of, or unlawful disparate impact on, consumers;
(B) financial, physical, or reputational injury to consumers;
(C) a physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumers, where the intrusion would be offensive to a reasonable person; or
(D) other substantial injury to consumers; and
(4) the processing of sensitive data.
(b)(1) Data protection assessments conducted pursuant to subsection (a) of this section shall:
(A) identify the categories of personal data processed, the purposes for processing the personal data, and whether the personal data is being transferred to third parties; and
(B) identify and weigh the benefits that may flow, directly and indirectly, from the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the consumer associated with the processing, as mitigated by safeguards that can be employed by the controller to reduce the risks.
(2) The controller shall factor into any data protection assessment the use of de-identified data and the reasonable expectations of consumers, as well as the context of the processing and the relationship between the controller and the consumer whose personal data will be processed.
(c)(1) The Attorney General may require that a controller disclose any data protection assessment that is relevant to an investigation conducted by the Attorney General pursuant to section 2424 of this title, and the controller shall make the data protection assessment available to the Attorney General.
(2) The Attorney General may evaluate the data protection assessment for compliance with the responsibilities set forth in this chapter.
(3) Data protection assessments shall be confidential and shall be exempt from disclosure and copying under the Public Records Act.
(4) To the extent any information contained in a data protection assessment disclosed to the Attorney General includes information subject to attorney-client privilege or work product protection, the disclosure shall not constitute a waiver of the privilege or protection.
(d) A single data protection assessment may address a comparable set of processing operations that present a similar heightened risk of harm.
(e) If a controller conducts a data protection assessment for the purpose of complying with another applicable law or regulation, the data protection assessment shall be deemed to satisfy the requirements established in this section if the data protection assessment is reasonably similar in scope and effect to the data protection assessment that would otherwise be conducted pursuant to this section.
(f) A controller shall update the data protection assessment as often as appropriate considering the type, amount, and sensitivity of personal data collected or processed and level of risk presented by the processing throughout the processing activity’s lifecycle in order to:
(1) monitor for harm caused by the processing and adjust safeguards accordingly; and
1951-1
1952-2
1953-3
1954-4
1955-5
1956-6
1957-7
1958-8
1959-9
1960-10
1961-11
1962-12
1963-13
1964-14
1965-15
1966-16
1967-17
1968-18
1969-19
1970-20 BILLASINTRODUCEDANDPASSEDBYSENATE S.71
1971-2025 Page48of89
(2) ensure that data protection and privacy are considered as the controller makes new decisions with respect to the processing.
(g) A controller shall retain for at least three years all data protection assessments the controller conducts under this section.
§ 2422. DE-IDENTIFIED DATA
(a) A controller in possession of de-identified data shall:
(1) take reasonable measures to ensure that the data cannot be used to reidentify an identified or identifiable individual or be associated with an individual or device that identifies or is linked or reasonably linkable to an individual or household;
(2) publicly commit to maintaining and using de-identified data without attempting to reidentify the data; and
(3) contractually obligate any recipients of the de-identified data to comply with the provisions of this chapter.
(b) This section does not prohibit a controller from attempting to reidentify de-identified data solely for the purpose of testing the controller’s methods for de-identifying data.
(c) This chapter shall not be construed to require a controller or processor to:
(1) reidentify de-identified data;
(2) maintain data in identifiable form, or collect, obtain, retain, or access any data or technology, in order to associate a consumer with personal data in order to authenticate the consumer’s request under subsection 2418(b) of this title; or
(3) comply with an authenticated consumer rights request if the controller:
(A) is not reasonably capable of associating the request with the personal data or it would be unreasonably burdensome for the controller to associate the request with the personal data; and
(B) does not use the personal data to recognize or respond to the specific consumer who is the subject of the personal data or associate the personal data with other personal data about the same specific consumer.
(d) A controller that discloses or transfers de-identified data shall exercise reasonable oversight to monitor compliance with any contractual commitments to which the de-identified data is subject and shall take appropriate steps to address any breaches of those contractual commitments.
§ 2423. CONSTRUCTION OF DUTIES OF CONTROLLERS AND PROCESSORS
(a) This chapter shall not be construed to restrict a controller’s, processor’s, or consumer health data controller’s ability to:
(1) comply with federal, state, or municipal laws, ordinances, or regulations, except as prohibited by 1 V.S.A. § 150;
(2) comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, municipal, or other governmental authorities;
(3) cooperate with law enforcement agencies concerning conduct or activity that the controller, processor, or consumer health data controller reasonably and in good faith believes may violate federal, state, or municipal laws, ordinances, or regulations;
(4) carry out obligations under a contract under subsection 2420(b) of this title for a federal or State agency or local unit of government;
(5) investigate, establish, exercise, prepare for, or defend legal claims;
(6) provide a product or service specifically requested by the consumer to whom the personal data pertains consistent with section 2419 of this title;
(7) perform under a contract to which a consumer is a party, including fulfilling the terms of a written warranty;
(8) take steps at the request of a consumer prior to entering into a contract;
(9) take immediate steps to protect an interest that is essential for the life or physical safety of the consumer or another individual, and where the processing cannot be manifestly based on another legal basis;
(10) prevent, detect, protect against, or respond to a network security or physical security incident, including an intrusion or trespass, medical alert, or fire alarm;
(11) prevent, detect, protect against, or respond to identity theft, fraud, harassment, malicious or deceptive activity, or any criminal activity targeted at or involving the controller or processor or its services, preserve the integrity or security of systems, or investigate, report, or prosecute those responsible for the action;
(12) assist another controller, processor, consumer health data controller, or third party with any of the obligations under this chapter;
(13) process personal data for reasons of public interest in the area of public health, community health, or population health, but solely to the extent that the processing is:
(A) subject to suitable and specific measures to safeguard the rights of the consumer whose personal data is being processed; and
(B) under the responsibility of a professional subject to confidentiality obligations under federal, state, or local law;
(14) effectuate a product recall; or
(15) process personal data previously collected in accordance with this chapter such that the personal data becomes de-identified data, including to:
(A) conduct internal research to develop, improve, or repair products, services, or technology;
(B) identify and repair technical errors that impair existing or intended functionality;
(C) perform internal operations that are reasonably aligned with the expectations of the consumer or reasonably anticipated based on the consumer’s existing relationship with the controller, or are otherwise compatible with processing data in furtherance of the provision of a product or service specifically requested by a consumer or the performance of a contract to which the consumer is a party; or
(D) conduct a public or peer-reviewed scientific, historical, or statistical research project that is in the public interest and adheres to all relevant laws and regulations governing such research, including regulations for the protection of human subjects.
(b)(1) The obligations imposed on controllers, processors, or consumer health data controllers under this chapter shall not apply where compliance by the controller, processor, or consumer health data controller with this chapter would violate an evidentiary privilege under the laws of this State.
(2) This chapter shall not be construed to prevent a controller, processor, or consumer health data controller from providing personal data concerning a consumer to a person covered by an evidentiary privilege under the laws of the State as part of a privileged communication.
(3) Nothing in this chapter modifies 2020 Acts and Resolves No. 166, Sec. 14 or authorizes the use of facial recognition technology by law enforcement.
(c)(1) A controller, processor, or consumer health data controller that discloses personal data to a processor or third-party controller pursuant to this chapter shall not be deemed to have violated this chapter if the processor or third-party controller that receives and processes the personal data violates this chapter, provided that at the time the disclosing controller, processor, or consumer health data controller disclosed the personal data, the disclosing controller, processor, or consumer health data controller did not have actual knowledge that the receiving processor or third-party controller would violate this chapter.
(2) A third-party controller or processor receiving personal data from a controller, processor, or consumer health data controller in compliance with this chapter is not in violation of this chapter for the transgressions of the controller, processor, or consumer health data controller from which the third-party controller or processor receives the personal data.
(d) This chapter shall not be construed to:
(1) impose any obligation on a controller, processor, or consumer health data controller that adversely affects the rights or freedoms of any person, including the rights of any person:
(A) to freedom of speech or freedom of the press guaranteed in the First Amendment to the U.S. Constitution; or
(B) under 12 V.S.A. § 1615;
(2) apply to any person’s processing of personal data in the course of the person’s solely personal or household activities;
(3) require an independent school as defined in 16 V.S.A. § 11(a)(8) or a private institution of higher education, as defined in 20 U.S.C. § 1001 et seq., to delete personal data or opt out of processing of personal data that would unreasonably interfere with the provision of education services by or the ordinary operation of the school or institution;
(4) require, for employee data, deletion of personal data that would unreasonably interfere with the ordinary business operations of the controller or unreasonably adversely affect the rights of another employee, including under this chapter or pursuant to the protections set forth in 21 V.S.A. chapter 5; or
(5) require, for processors acting on the behalf of a federal, State, tribal, or local government entity, deletion of personal data or opt out of the processing of personal data that would unreasonably interfere with the provision of government services by or the ordinary operation of a government entity.
(e)(1) Personal data processed by a controller or consumer health data controller pursuant to this section may be processed to the extent that the processing is:
(A)(i) reasonably necessary and proportionate to the purposes listed in this section; or
(ii) in the case of sensitive data, strictly necessary to the purposes listed in this section;
(B) adequate, relevant, and limited to what is necessary in relation to the specific purposes listed in this section; and
(C) compliant with the antidiscrimination provisions set forth in subdivision 2419(c)(5) of this title.
(2)(A) Personal data collected, used, or retained pursuant to subsection (b) of this section shall, where applicable, take into account the nature and purpose or purposes of the collection, use, or retention.
(B) Personal data collected, used, or retained pursuant to subsection (b) of this section shall be subject to reasonable administrative, technical, and physical measures to protect the confidentiality, integrity, and accessibility of the personal data and to reduce reasonably foreseeable risks of harm to consumers relating to the collection, use, or retention of personal data.
(f) If a controller or consumer health data controller processes personal data pursuant to an exemption in this section, the controller or consumer health data controller bears the burden of demonstrating that the processing qualifies for the exemption and complies with the requirements in subsection (e) of this section.
(g) This chapter shall not be construed to require a controller, processor, or consumer health data controller to implement an age-verification or age-gating system or otherwise affirmatively collect the age of consumers.
§ 2424. ENFORCEMENT; ATTORNEY GENERAL’S POWERS
(a) A person who violates this chapter or rules adopted pursuant to this chapter commits an unfair and deceptive act in commerce in violation of section 2453 of this title, and the Attorney General shall have exclusive authority to enforce such violations except as provided in subsection (d) of this section.
(b) The Attorney General has the same authority to adopt rules to implement the provisions of this section and to conduct civil investigations, enter into assurances of discontinuance, bring civil actions, and take other enforcement actions as provided under chapter 63, subchapter 1 of this title.
(c)(1) If the Attorney General determines that a violation of this chapter or rules adopted pursuant to this chapter may be cured, the Attorney General may, prior to initiating any action for the violation, issue a notice of violation extending a 60-day cure period to the controller, processor, or consumer health data controller alleged to have violated this chapter or rules adopted pursuant to this chapter.
(2) The Attorney General may, in determining whether to grant a controller, processor, or consumer health data controller the opportunity to cure an alleged violation described in subdivision (1) of this subsection, consider:
(A) the number of violations;
(B) the size and complexity of the controller, processor, or consumer health data controller;
(C) the nature and extent of the controller’s, processor’s, or consumer health data controller’s processing activities;
(D) the substantial likelihood of injury to the public;
(E) the safety of persons or property;
(F) whether the alleged violation was likely caused by human or technical error; and
(G) the sensitivity of the data.
(d)(1) The private right of action available to a consumer for violations of this chapter or rules adopted pursuant to this chapter shall be exclusively as provided under this subsection.
(2)(A) Subject to the requirements of subdivisions (3) and (4) of this subsection (d), a consumer who is harmed by a data broker’s or large data holder’s violation of subsection 2419(c) of this title or section 2425 of this title may bring an action under subsection 2461(b) of this title in Superior Court for:
(i) the greater of $5,000.00 or actual damages;
(ii) injunctive relief;
(iii) punitive damages, in the case of an intentional violation;
(iv) reasonable costs and attorney’s fees; and
(v) any other relief the court deems proper.
(B) No action may be taken under subsection 2461(b) of this title:
(i) for a violation of any provision of this chapter or rules adopted pursuant to this chapter other than what is specifically permitted in subdivision (A) of this subdivision (2); or
(ii) against a controller that is registered in the State and that earned less than $25 million in revenue in the previous calendar year.
(3) At least 65 days prior to the filing of any action pursuant to subdivision (2)(A) of this subsection, the consumer shall:
(A) only once notify the Attorney General of the alleged harm in a form and manner prescribed by the Attorney General, which, at minimum, shall require the name of the consumer and a reasonable description of the alleged violation and the harm suffered; and
(B) mail to the alleged violator a written demand letter that identifies the consumer and reasonably describes the alleged violation and the harm suffered, unless the alleged violator does not maintain a place of business in Vermont or does not keep assets in Vermont.
(4) Within 65 days after receiving the notice required by subdivision (3)(A) of this subsection, the Attorney General shall review the alleged harm to determine whether the claim is frivolous or nonfrivolous.
(A) If the Attorney General determines that the claim is frivolous, the Attorney General shall notify the consumer in writing, and the consumer is prohibited from proceeding with an action under subsection 2461(b) of this title for the alleged harm.
(B) If the Attorney General determines that the claim is nonfrivolous or does not issue a determination within 65 days after receiving notice, the consumer may proceed with an action pursuant to subdivision (2)(A) of this subsection (d).
(e) Annually, on or before February 1, the Attorney General shall submit a report to the General Assembly disclosing:
(1) the number of notices of violation the Attorney General has issued;
(2) the nature of each violation;
(3) the number of violations that were cured during the available cure period;
(4) the number of actions brought under subsection (d) of this section;
(5) the proportion of actions brought under subsection (d) of this section that proceed to trial;
(6) the data brokers or large data holders most frequently sued under subsection (d) of this section; and
(7) any other matter the Attorney General deems relevant for the purposes of the report.
§ 2425. CONFIDENTIALITY OF CONSUMER HEALTH DATA
Except as provided in subsections 2417(a) and (b) of this title and section 2423 of this title, no person shall:
(1) provide any employee or contractor with access to consumer health data unless the employee or contractor is subject to a contractual or statutory duty of confidentiality;
(2) provide any processor with access to consumer health data unless the person and processor comply with section 2420 of this title; or
(3) use a geofence to establish a virtual boundary that is within 1,850 feet of any health care facility, including any mental health facility or reproductive or sexual health facility, for the purpose of identifying, tracking, collecting data from, or sending any notification to a consumer regarding the consumer’s consumer health data.
Sec. 2. PUBLIC EDUCATION AND OUTREACH; ATTORNEY GENERAL STUDY
(a) The Attorney General shall implement a comprehensive public education, outreach, and assistance program for controllers and processors as those terms are defined in 9 V.S.A. § 2415. The program shall focus on:
(1) the requirements and obligations of controllers and processors under the Vermont Data Privacy and Online Surveillance Act;
(2) data protection assessments under 9 V.S.A. § 2421;
(3) enhanced protections that apply to children, minors, sensitive data, or consumer health data as those terms are defined in 9 V.S.A. § 2415;
(4) a controller’s obligations to law enforcement agencies and the Attorney General’s office;
(5) methods for conducting data inventories; and
(6) any other matters the Attorney General deems appropriate.
(b) The Attorney General shall provide guidance to controllers for establishing data privacy notices and opt-out mechanisms, which may be in the form of templates.
(c) The Attorney General shall implement a comprehensive public education, outreach, and assistance program for consumers as that term is defined in 9 V.S.A. § 2415. The program shall focus on:
(1) the rights afforded consumers under the Vermont Data Privacy and Online Surveillance Act, including:
(A) the methods available for exercising data privacy rights; and
(B) the opt-out mechanism available to consumers;
(2) the obligations controllers have to consumers;
(3) different treatment of children, minors, and other consumers under the Act, including the different consent mechanisms in place for children and other consumers;
(4) understanding a privacy notice provided under the Act;
(5) the different enforcement mechanisms available under the Act, including the consumer’s private right of action; and
(6) any other matters the Attorney General deems appropriate.
(d) The Attorney General shall cooperate with states with comparable data privacy regimes to develop any outreach, assistance, and education programs, where appropriate.
(e) The Attorney General may have the assistance of the Vermont Law and Graduate School in developing education, outreach, and assistance programs under this section.
(f) On or before December 15, 2027, the Attorney General shall assess the effectiveness of the implementation of the Act and submit a report to the House Committees on Commerce and Economic Development and on Energy and Digital Infrastructure and the Senate Committees on Economic Development, Housing and General Affairs and on Institutions with its findings and recommendations, including any proposed draft legislation to address issues that have arisen since implementation.
Sec. 3. 9 V.S.A. § 2416(a) is amended to read (stricken text shown in brackets):
(a) Except as provided in subsection (b) of this section, this chapter applies to a person that conducts business in this State or a person that produces products or services that are targeted to residents of this State and that during the preceding calendar year:
(1) controlled or processed the personal data of not fewer than [25,000] 12,500 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or
(2) controlled or processed the personal data of not fewer than [12,500] 6,250 consumers and derived more than [25] 20 percent of the person’s gross revenue from the sale of personal data.
Sec. 4. 9 V.S.A. § 2416(a) is amended to read (stricken text shown in brackets):
(a) Except as provided in subsection (b) of this section, this chapter applies to a person that conducts business in this State or a person that produces products or services that are targeted to residents of this State and that during the preceding calendar year:
(1) controlled or processed the personal data of not fewer than [12,500] 6,250 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or
(2) controlled or processed the personal data of not fewer than [6,250] 3,125 consumers and derived more than 20 percent of the person’s gross revenue from the sale of personal data.
Sec. 5. EFFECTIVE DATES
(a) This section and Sec. 2 (public education and outreach) shall take effect on July 1, 2025.
(b) Sec. 1 (Vermont Data Privacy and Online Surveillance Act) shall take effect on July 1, 2026.
(c) Sec. 3 (Vermont Data Privacy Online Surveillance Act middle applicability threshold) shall take effect on July 1, 2027.
(d) Sec. 4 (Vermont Data Privacy Online Surveillance Act low applicability threshold) shall take effect on July 1, 2028.
Sec. 1. 9 V.S.A. chapter 61A is added to read:
CHAPTER 61A. VERMONT DATA PRIVACY ACT
§ 2415. DEFINITIONS
As used in this chapter:
(1) “Abortion” means terminating a pregnancy for any purpose other than producing a live birth.
(2)(A) “Affiliate” means a legal entity that shares common branding with another legal entity or controls, is controlled by, or is under common control with another legal entity.
(B) As used in subdivision (A) of this subdivision (2), “control” or “controlled” means:
(i) ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a company;
(ii) control in any manner over the election of a majority of the directors or of individuals exercising similar functions; or
(iii) the power to exercise controlling influence over the management of a company.
(3) “Authenticate” means to use reasonable means to determine that a request to exercise any of the rights afforded under subdivisions 2418(a)(1)–(4) of this title is being made by, or on behalf of, the consumer who is entitled to exercise the consumer rights with respect to the personal data at issue.
(4)(A) “Biometric data” means personal data generated by automatic measurements of an individual’s unique biological patterns or characteristics that are used to identify a specific individual.
(B) “Biometric data” does not include:
(i) a digital or physical photograph;
(ii) an audio or video recording; or
(iii) any data generated from a digital or physical photograph, or an audio or video recording, unless such data is generated to identify a specific individual.
(5) “Business associate” has the same meaning as in HIPAA.
(6) “Child” has the same meaning as in COPPA.
(7)(A) “Consent” means a clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement to allow the processing of personal data relating to the consumer.
(B) “Consent” may include a written statement, including by electronic means, or any other unambiguous affirmative action.
(C) “Consent” does not include:
(i) acceptance of a general or broad terms of use or similar document that contains descriptions of personal data processing along with other, unrelated information;
(ii) hovering over, muting, pausing, or closing a given piece of content; or
(iii) agreement obtained through the use of dark patterns.
(8)(A) “Consumer” means an individual who is a resident of the State.
(B) “Consumer” does not include an individual acting in a commercial or employment context or as an employee, owner, director, officer, or contractor of a company, partnership, sole proprietorship, nonprofit, or government agency whose communications or transactions with the controller occur solely within the context of that individual’s role with the company, partnership, sole proprietorship, nonprofit, or government agency.
(9) “Consumer health data” means any personal data that a controller uses to identify a consumer’s physical or mental health condition or diagnosis, including gender-affirming health data and reproductive or sexual health data.
(10) “Consumer health data controller” means any controller that, alone or jointly with others, determines the purpose and means of processing consumer health data.
(11) “Controller” means a person who, alone or jointly with others, determines the purpose and means of processing personal data.
(12) “COPPA” means the Children’s Online Privacy Protection Act of 1998, 15 U.S.C. § 6501–6506, and any regulations, rules, guidance, and exemptions adopted pursuant to the act, as the act and regulations, rules, guidance, and exemptions may be amended.
(13) “Covered entity” has the same meaning as in HIPAA.
(14) “Dark pattern” means a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision-making, or choice and includes any practice the Federal Trade Commission refers to as a “dark pattern.”
(15) “Decisions that produce legal or similarly significant effects concerning the consumer” means decisions made by the controller that result in the provision or denial by the controller of financial or lending services, housing, insurance, education enrollment or opportunity, criminal justice, employment opportunities, health care services, or access to essential goods or services.
(16) “De-identified data” means data that does not identify and cannot reasonably be used to infer information about, or otherwise be linked to, an identified or identifiable individual, or a device linked to the individual, if the controller that possesses the data:
(A) takes reasonable measures to ensure that the data cannot be associated with an individual;
(B) publicly commits to process the data only in a de-identified fashion and not attempt to re-identify the data; and
(C) contractually obligates any recipients of the data to satisfy the criteria set forth in subdivisions (A) and (B) of this subdivision (16).
(17) “Gender-affirming health care services” has the same meaning as in 1 V.S.A. § 150.
(18) “Gender-affirming health data” means any personal data concerning a past, present, or future effort made by a consumer to seek, or a consumer’s receipt of, gender-affirming health care services.
(19) “Geofence” means any technology that uses global positioning coordinates, cell tower connectivity, cellular data, radio frequency identification, wireless fidelity technology data, or any other form of location detection, or any combination of such coordinates, connectivity, data, identification, or other form of location detection, to establish a virtual boundary.
(20) “HIPAA” means the Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191, as may be amended.
(21) “Identified or identifiable individual” means an individual who can be readily identified, directly or indirectly.
(22) “Institution of higher education” means any individual who, or school, board, association, limited liability company or corporation that, is licensed or accredited to offer one or more programs of higher learning leading to one or more degrees.
(23) “Mental health facility” means any health care facility in which at least 70 percent of the health care services provided in the facility are mental health services.
(24) “Nonprofit organization” means any organization that is qualified for tax exempt status under I.R.C. § 501(c)(3), 501(c)(4), 501(c)(6), or 501(c)(12), or any corresponding internal revenue code of the United States, as may be amended.
(25) “Person” means an individual, association, company, limited liability company, corporation, partnership, sole proprietorship, trust, or other legal entity.
(26)(A) “Personal data” means any information that is linked or reasonably linkable to an identified or identifiable individual.
(B) “Personal data” does not include de-identified data or publicly available information.
(27)(A) “Precise geolocation data” means information derived from technology, including global positioning system level latitude and longitude coordinates or other mechanisms, that directly identifies the specific location of an individual with precision and accuracy within a radius of 1,750 feet.
(B) “Precise geolocation data” does not include:
(i) the content of communications;
(ii) data generated by or connected to an advanced utility metering infrastructure system; or
(iii) data generated by equipment used by a utility company.
(28) “Process” or “processing” means any operation or set of operations performed, whether by manual or automated means, on personal data or on sets of personal data, such as the collection, use, storage, disclosure, analysis, deletion, or modification of personal data.
(29) “Processor” means a person who processes personal data on behalf of a controller.
(30) “Profiling” means any form of automated processing performed on personal data to evaluate, analyze, or predict personal aspects related to an identified or identifiable individual’s economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.
(31) “Protected health information” has the same meaning as in HIPAA.
(32) “Pseudonymous data” means personal data that cannot be attributed to a specific individual without the use of additional information, provided the additional information is kept separately and is subject to appropriate technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable individual.
(33) “Publicly available information” means information that:
(A) is lawfully made available through federal, state, or local government records or widely distributed media; or
(B) a controller has a reasonable basis to believe that the consumer has lawfully made available to the general public.
(34) “Reproductive or sexual health care” means any health care-related services or products rendered or provided concerning a consumer’s reproductive system or sexual well-being, including any such service or product rendered or provided concerning:
(A) an individual health condition, status, disease, diagnosis, diagnostic test or treatment;
(B) a social, psychological, behavioral, or medical intervention;
(C) a surgery or procedure, including an abortion;
(D) a use or purchase of a medication, including a medication used or purchased for the purposes of an abortion, a bodily function, vital sign, or symptom;
(E) a measurement of a bodily function, vital sign, or symptom; or
(F) an abortion, including medical or nonmedical services, products, diagnostics, counseling, or follow-up services for an abortion.
(35) “Reproductive or sexual health data” means any personal data concerning an effort made by a consumer to seek, or a consumer’s receipt of, reproductive or sexual health care.
(36) “Reproductive or sexual health facility” means any health care facility in which at least 70 percent of the health care-related services or products rendered or provided in the facility are reproductive or sexual health care.
(37)(A) “Sale of personal data” means the exchange of a consumer’s personal data by the controller to a third party for monetary or other valuable consideration.
(B) “Sale of personal data” does not include:
(i) the disclosure of personal data to a processor that processes
2853-thepersonaldataonbehalfofthecontroller;
2854-(ii)thedisclosureofpersonaldatatoathirdpartyforpurposesof
2855-providingaproductorservicerequestedbytheconsumer;
2856-(iii)thedisclosureortransferofpersonaldatatoanaffiliateof
2857-thecontroller;
2858-(iv)thedisclosureofpersonaldatawheretheconsumerdirectsthe
2859-controllertodisclosethepersonaldataorintentionallyusesthecontrollerto
2860-interactwithathirdparty;
2861-(v)thedisclosureofpersonaldatathattheconsumer:
2862-(I)intentionallymadeavailabletothegeneralpublicviaa
2863-channelofmassmedia;and BILLASINTRODUCEDANDPASSEDBYSENATE S.71
2864-2025 Page70of89
2865-(II)didnotrestricttoaspecificaudience;or
2866-(vi)thedisclosureortransferofpersonaldatatoathirdpartyas
2867-anassetthatispartofamerger,acquisition,bankruptcyorothertransaction,
2868-oraproposedmerger,acquisition,bankruptcy,orothertransaction,inwhich
2869-thethirdpartyassumescontrolofallorpartofthecontroller’sassets.
2870-(38)“Sensitivedata”meanspersonaldatathatincludes:
2871-(A)datarevealingracialorethnicorigin,religiousbeliefs,mentalor
2872-physicalhealthconditionordiagnosis,sexlife,sexualorientation,or
2873-citizenshiporimmigrationstatus;
2874-(B)consumerhealthdata;
2875-(C)theprocessingofgeneticorbiometricdataforthepurposeof
2876-uniquelyidentifyinganindividual;
2877-(D)personaldatacollectedfromaknownchild;
2878-(E)dataconcerninganindividual’sstatusasavictimofcrime;and
2879-(F)anindividual’sprecisegeolocationdata.
2880-(39)(A)“Targetedadvertising”meansdisplayingadvertisementstoa
2881-consumerwheretheadvertisementisselectedbasedonpersonaldataobtained
2882-orinferredfromthatconsumer’sactivitiesovertimeandacrossnonaffiliated
2883-websitesoronlineapplicationstopredicttheconsumer’spreferencesor
2884-interests.
2885-(B)“Targetedadvertising”doesnotinclude:
2886-(i)anadvertisementbasedonactivitieswithinthecontroller’s
2887-owncommonlybrandedwebsiteoronlineapplication;
2888-(ii)anadvertisementbasedonthecontextofaconsumer’scurrent
2889-searchquery,visittoawebsite,oruseofanonlineapplication;
2890-(iii)anadvertisementdirectedtoaconsumerinresponsetothe
2891-consumer’srequestforinformationorfeedback;or
2892-(iv)processingpersonaldatasolelytomeasureorreport
2893-advertisingfrequency,performance,orreach.
2894-(40)“Thirdparty”meansaperson,publicauthority,agency,orbody,
2895-otherthantheconsumer,controller,orprocessororanaffiliateofthe
2896-processororthecontroller.
2897-(41)“Tradesecret”hasthesamemeaningasinsection4601ofthis
2898-title. BILLASINTRODUCEDANDPASSEDBYSENATE S.71
2899-2025 Page71of89
§ 2416. APPLICABILITY

(a) Except as provided in subsection (b) of this section, this chapter applies to a person that conducts business in this State or a person that produces products or services that are targeted to residents of this State and that during the preceding calendar year:
(1) controlled or processed the personal data of not fewer than 100,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or
(2) controlled or processed the personal data of not fewer than 25,000 consumers and derived more than 25 percent of the person’s gross revenue from the sale of personal data.

(b) Section 2426 of this title and the provisions of this chapter concerning consumer health data and consumer health data controllers apply to a person that conducts business in this State or a person that produces products or services that are targeted to residents of this State.
§ 2417. EXEMPTIONS

(a) Except as provided in subsection (c) of this section, this chapter shall not apply to any:
(1) body, authority, board, bureau, commission, district or agency of this State or of any political subdivision of this State;
(2) person who has entered into a contract with an entity described in subdivision (1) of this subsection to process consumer health data on behalf of the entity;
(3) nonprofit organization;
(4) institution of higher education;
(5) national securities association that is registered under 15 U.S.C. 78o-3 of the Securities Exchange Act of 1934, as may be amended;
(6) financial institution or data subject to Title V of the Gramm-Leach-Bliley Act, Pub. L. No. 106-102, and regulations adopted to implement that act;
(7) covered entity or business associate, as defined in 45 C.F.R. § 160.103;
(8) tribal nation government organization; or
(9) air carrier, as:
(A) defined in 49 U.S.C. § 40102, as may be amended; and
(B) regulated under the Federal Aviation Act of 1958, 49 U.S.C. § 40101 et seq. and the Airline Deregulation Act of 1978, 49 U.S.C. § 41713, as may be amended.

(b) The following information, data, and activities are exempt from this chapter:
(1) protected health information under HIPAA;
(2) patient identifying information that is collected and processed in accordance with 42 C.F.R. Part 2 (confidentiality of substance use disorder patient records);
(3) identifiable private information:
(A) for purposes of the Federal Policy for the Protection of Human Subjects, codified as 45 C.F.R. Part 46 (HHS protection of human subjects) and in various other federal regulations; and
(B) that is otherwise information collected as part of human subjects research pursuant to the good clinical practice guidelines issued by the International Council for Harmonisation of Technical Requirements for Pharmaceuticals for Human Use;
(4) information that identifies a consumer in connection with the protection of human subjects under 21 C.F.R. Parts 6, 50, and 56, or personal data used or shared in research, as defined in 45 C.F.R. § 164.501, that is conducted in accordance with the standards set forth in this subdivision and in subdivision (3) of this subsection, or other research conducted in accordance with applicable law;
(5) information or documents created for the purposes of the Health Care Quality Improvement Act of 1986, 42 U.S.C. §§ 11101–11152, and regulations adopted to implement that act;
(6) patient safety work product that is created for purposes of improving patient safety under 42 C.F.R. Part 3 (patient safety organizations and patient safety work product);
(7) information derived from any of the health care-related information listed in this subsection that is de-identified in accordance with the requirements for de-identification pursuant to HIPAA;
(8) information originating from and intermingled to be indistinguishable with, or information treated in the same manner as, information exempt under this subsection that is maintained by a covered entity or business associate, program, or qualified service organization, as specified in 42 U.S.C. § 290dd-2, as may be amended;
(9) information used for public health activities and purposes as authorized by HIPAA, community health activities, and population health activities;
(10) the collection, maintenance, disclosure, sale, communication, or use of any personal information bearing on a consumer’s creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living by a consumer reporting agency, furnisher, or user that provides information for use in a consumer report, and by a user of a consumer report, but only to the extent that such activity is regulated by and authorized under the Fair Credit Reporting Act, 15 U.S.C. § 1681 et seq., as may be amended;
(11) personal data collected, processed, sold, or disclosed under and in compliance with:
(A) the Driver’s Privacy Protection Act of 1994, 18 U.S.C. § 2721–2725; and
(B) the Farm Credit Act, Pub. L. No. 92-181, as may be amended;
(12) personal data regulated by the Family Educational Rights and Privacy Act, 20 U.S.C. § 1232g, as may be amended;
(13) data processed or maintained:
(A) in the course of an individual applying to, employed by, or acting as an agent or independent contractor of a controller, processor, consumer health data controller, or third party, to the extent that the data is collected and used within the context of that role;
(B) as the emergency contact information of a consumer pursuant to this chapter, used for emergency contact purposes; or
(C) that is necessary to retain to administer benefits for another individual relating to the individual who is the subject of the information pursuant to subdivision (1) of this subsection (b) and used for the purposes of administering such benefits; and
(14) personal data collected, processed, sold, or disclosed in relation to price, route, or service, as such terms are used in the Federal Aviation Act of 1958, 49 U.S.C. § 40101 et seq., as may be amended, and the Airline Deregulation Act of 1978, 49 U.S.C. § 41713, as may be amended.

(c) Controllers, processors, and consumer health data controllers that comply with the verifiable parental consent requirements of COPPA shall be deemed compliant with any obligation to obtain parental consent pursuant to this chapter.
§ 2418. CONSUMER RIGHTS; COMPLIANCE BY CONTROLLERS; APPEALS

(a) A consumer shall have the right to:
(1) confirm whether or not a controller is processing the consumer’s personal data and access the personal data, unless the confirmation or access would require the controller to reveal a trade secret;
(2) correct inaccuracies in the consumer’s personal data, taking into account the nature of the personal data and the purposes of the processing of the consumer’s personal data;
(3) delete personal data provided by, or obtained about, the consumer;
(4) obtain a copy of the consumer’s personal data processed by the controller, in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another controller without hindrance, where the processing is carried out by automated means, provided the controller shall not be required to reveal any trade secret; and
(5) opt out of the processing of the personal data for purposes of:
(A) targeted advertising;
(B) the sale of personal data, except as provided in subsection 2420(b) of this title; or
(C) profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer.

(b)(1) A consumer may exercise rights under this section by a secure and reliable means established by the controller and described to the consumer in the controller’s privacy notice.
(2) A consumer may designate an authorized agent in accordance with section 2419 of this title to exercise the rights of the consumer to opt out of the processing of the consumer’s personal data for purposes of subdivision (a)(5) of this section on behalf of the consumer.
(3) In the case of processing personal data of a known child, the parent or legal guardian may exercise the consumer rights on the child’s behalf.
(4) In the case of processing personal data concerning a consumer subject to a guardianship, conservatorship, or other protective arrangement, the guardian or the conservator of the consumer may exercise the rights on the consumer’s behalf.

(c) Except as otherwise provided in this chapter, a controller shall comply with a request by a consumer to exercise the consumer rights authorized pursuant to this chapter as follows:
(1)(A) A controller shall respond to the consumer without undue delay, but not later than 45 days after receipt of the request.
(B) The controller may extend the response period by 45 additional days when reasonably necessary, considering the complexity and number of the consumer’s requests, provided the controller informs the consumer of the extension within the initial 45-day response period and of the reason for the extension.
(2) If a controller declines to take action regarding the consumer’s request, the controller shall inform the consumer without undue delay, but not later than 45 days after receipt of the request, of the justification for declining to take action and instructions for how to appeal the decision.
(3)(A) Information provided in response to a consumer request shall be provided by a controller, free of charge, once per consumer during any 12-month period.
(B) If requests from a consumer are manifestly unfounded, excessive, or repetitive, the controller may charge the consumer a reasonable fee to cover the administrative costs of complying with the request or decline to act on the request.
(C) The controller bears the burden of demonstrating the manifestly unfounded, excessive, or repetitive nature of the request.
(4)(A) If a controller is unable to authenticate a request to exercise any of the rights afforded under subdivisions (a)(1)–(4) of this section using commercially reasonable efforts, the controller shall not be required to comply with a request to initiate an action pursuant to this section and shall provide notice to the consumer that the controller is unable to authenticate the request to exercise the right or rights until the consumer provides additional information reasonably necessary to authenticate the consumer and the consumer’s request to exercise the right or rights.
(B) A controller shall not be required to authenticate an opt-out request, but a controller may deny an opt-out request if the controller has a good faith, reasonable, and documented belief that the request is fraudulent.
(C) If a controller denies an opt-out request because the controller believes the request is fraudulent, the controller shall send a notice to the person who made the request disclosing that the controller believes the request is fraudulent, why the controller believes the request is fraudulent, and that the controller shall not comply with the request.
(5) A controller that has obtained personal data about a consumer from a source other than the consumer shall be deemed in compliance with a consumer’s request to delete the data pursuant to subdivision (a)(3) of this section by:
(A) retaining a record of the deletion request and the minimum data necessary for the purpose of ensuring the consumer’s personal data remains deleted from the controller’s records and not using the retained data for any other purpose pursuant to the provisions of this chapter; or
(B) opting the consumer out of the processing of the personal data for any purpose except for those exempted pursuant to the provisions of this chapter.

(d)(1) A controller shall establish a process for a consumer to appeal the controller’s refusal to take action on a request within a reasonable period of time after the consumer’s receipt of the decision.
(2) The appeal process shall be conspicuously available and similar to the process for submitting requests to initiate action pursuant to this section.
(3) Not later than 60 days after receipt of an appeal, a controller shall inform the consumer in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions.
(4) If the appeal is denied, the controller shall also provide the consumer with an online mechanism, if available, or other method through which the consumer may contact the Attorney General to submit a complaint.
§ 2419. AUTHORIZED AGENTS AND CONSUMER OPT-OUT

(a) A consumer may designate another person to serve as the consumer’s authorized agent, and act on the consumer’s behalf, to opt out of the processing of the consumer’s personal data for one or more of the purposes specified in subdivision 2418(a)(5) of this title.
(b) The consumer may designate an authorized agent by way of, among other things, a technology, including an internet link or a browser setting, browser extension, or global device setting, indicating the consumer’s intent to opt out of the processing.
(c) A controller shall comply with an opt-out request received from an authorized agent if the controller is able to verify, with commercially reasonable effort, the identity of the consumer and the authorized agent’s authority to act on the consumer’s behalf.
§ 2420. CONTROLLERS’ DUTIES; SALE OF PERSONAL DATA TO THIRD PARTIES; NOTICE AND DISCLOSURE TO CONSUMERS; CONSUMER OPT-OUT

(a) A controller:
(1) shall limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which the data is processed, as disclosed to the consumer;
(2) except as otherwise provided in this chapter, shall not process personal data for purposes that are neither reasonably necessary to, nor compatible with, the disclosed purposes for which the personal data is processed, as disclosed to the consumer, unless the controller obtains the consumer’s consent;
(3) shall establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data appropriate to the volume and nature of the personal data at issue;
(4) shall not process sensitive data concerning a consumer without obtaining the consumer’s consent or, in the case of the processing of sensitive data concerning a known child, without processing the data in accordance with COPPA;
(5) shall not process personal data in violation of the laws of this State and federal laws that prohibit unlawful discrimination against consumers;
(6) shall provide an effective mechanism for a consumer to revoke the consumer’s consent under this section that is at least as easy as the mechanism by which the consumer provided the consumer’s consent and, upon revocation of the consent, cease to process the data as soon as practicable, but not later than 15 days after the receipt of the request;
(7) shall not process the personal data of a consumer for purposes of targeted advertising, or sell the consumer’s personal data without the consumer’s consent, under circumstances where a controller has actual knowledge, and willfully disregards, that the consumer is at least 13 years of age but younger than 16 years of age; and
(8) shall not discriminate against a consumer for exercising any of the consumer rights contained in this chapter, including denying goods or services, charging different prices or rates for goods or services, or providing a different level of quality of goods or services to the consumer.

(b) Subsection (a) of this section shall not be construed to require a controller to provide a product or service that requires the personal data of a consumer that the controller does not collect or maintain, or prohibit a controller from offering a different price, rate, level, quality, or selection of goods or services to a consumer, including offering goods or services for no fee if the offering is in connection with a consumer’s voluntary participation in a bona fide loyalty, rewards, premium features, discounts, or club card program.

(c) A controller shall provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes:
(1) the categories of personal data processed by the controller;
(2) the purpose for processing personal data;
(3) how consumers may exercise their consumer rights, including how a consumer may appeal a controller’s decision with regard to the consumer’s request;
(4) the categories of personal data that the controller shares with third parties, if any;
(5) the categories of third parties, if any, with which the controller shares personal data; and
(6) an active email address or other online mechanism that the consumer may use to contact the controller.

(d) If a controller sells personal data to third parties or processes personal data for targeted advertising, the controller shall clearly and conspicuously disclose the processing, as well as the manner in which a consumer may exercise the right to opt out of the processing.

(e)(1) A controller shall establish, and shall describe in a privacy notice, one or more secure and reliable means for consumers to submit a request to exercise their consumer rights pursuant to this chapter.
(2) The means shall take into account the ways in which consumers normally interact with the controller, the need for secure and reliable communication of the requests, and the ability of the controller to verify the identity of the consumer making the request.
(3) A controller shall not require a consumer to create a new account in order to exercise consumer rights but may require a consumer to use an existing account.
(4)(A) The means shall include:
(i) providing a clear and conspicuous link on the controller’s website to a web page that enables a consumer, or an agent of the consumer, to opt out of the targeted advertising or sale of the consumer’s personal data; and
(ii) not later than January 1, 2026, allowing a consumer to opt out of any processing of the consumer’s personal data for the purposes of targeted advertising, or any sale of the personal data, through an opt-out preference signal sent to the controller with the consumer’s consent indicating the consumer’s intent to opt out of the processing or sale, by a platform, technology, or other mechanism that shall:
(I) not unfairly disadvantage another controller;
(II) not make use of a default setting, but rather require the consumer to make an affirmative, freely given, and unambiguous choice to opt out of any processing of the consumer’s personal data pursuant to this chapter;
(III) be consumer-friendly and easy to use by the average consumer;
(IV) be as consistent as possible with any other similar platform, technology, or mechanism required by any federal or State law or regulation; and
(V) enable the controller to accurately determine whether the consumer is a resident of this State and whether the consumer has made a legitimate request to opt out of any sale of the consumer’s personal data or targeted advertising.
(B) If a consumer’s decision to opt out of any processing of the consumer’s personal data for the purposes of targeted advertising, or any sale of the personal data, through an opt-out preference signal sent in accordance with the provisions of subdivision (A) of this subdivision (e)(4) conflicts with the consumer’s existing controller-specific privacy setting or voluntary participation in a controller’s bona fide loyalty, rewards, premium features, discounts, or club card program, the controller shall comply with the consumer’s opt-out preference signal but may notify the consumer of the conflict and provide to the consumer the choice to confirm the controller-specific privacy setting or participation in the program.
(5) If a controller responds to consumer opt-out requests received pursuant to subdivision (4)(A) of this subsection by informing the consumer of a charge for the use of any product or service, the controller shall present the terms of any financial incentive offered pursuant to subsection (b) of this section for the retention, use, sale, or sharing of the consumer’s personal data.
§ 2421. PROCESSORS’ DUTIES; CONTRACTS BETWEEN CONTROLLERS AND PROCESSORS

(a) A processor shall adhere to the instructions of a controller and shall assist the controller in meeting the controller’s obligations under this chapter, including:
(1) taking into account the nature of processing and the information available to the processor, by appropriate technical and organizational measures, to the extent reasonably practicable, to fulfill the controller’s obligation to respond to consumer rights requests;
(2) taking into account the nature of processing and the information available to the processor, by assisting the controller in meeting the controller’s obligations in relation to the security of processing the personal data and in relation to the notification of a data broker security breach or security breach, as defined in section 2430 of this title, of the system of the processor, in order to meet the controller’s obligations; and
(3) providing necessary information to enable the controller to conduct and document data protection assessments.

(b)(1) A contract between a controller and a processor shall govern the processor’s data processing procedures with respect to processing performed on behalf of the controller.
(2) The contract shall be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties.
(3) The contract shall require that the processor:
(A) ensure that each person processing personal data is subject to a duty of confidentiality with respect to the data;
(B) at the controller’s direction, delete or return all personal data to the controller as requested at the end of the provision of services, unless retention of the personal data is required by law;
(C) upon the reasonable request of the controller, make available to the controller all information in its possession necessary to demonstrate the processor’s compliance with the obligations in this chapter;
(D) after providing the controller an opportunity to object, engage any subcontractor pursuant to a written contract that requires the subcontractor to meet the obligations of the processor with respect to the personal data; and
(E) make available to the controller upon the reasonable request of the controller, all information in the processor’s possession necessary to demonstrate the processor’s compliance with this chapter.
(4) A processor shall provide a report of an assessment to the controller upon request.

(c) This section shall not be construed to relieve a controller or processor from the liabilities imposed on the controller or processor by virtue of the controller’s or processor’s role in the processing relationship, as described in this chapter.

(d)(1) Determining whether a person is acting as a controller or processor with respect to a specific processing of data is a fact-based determination that depends upon the context in which personal data is to be processed.
(2) A person who is not limited in the person’s processing of personal data pursuant to a controller’s instructions, or who fails to adhere to the instructions, is a controller and not a processor with respect to a specific processing of data.
(3) A processor that continues to adhere to a controller’s instructions with respect to a specific processing of personal data remains a processor.
(4) If a processor begins, alone or jointly with others, determining the purposes and means of the processing of personal data, the processor is a controller with respect to the processing and may be subject to an enforcement action under section 2425 of this title.
§ 2422. CONTROLLERS’ DATA PROTECTION ASSESSMENTS; DISCLOSURE TO ATTORNEY GENERAL

(a) A controller shall conduct and document a data protection assessment for each of the controller’s processing activities that presents a heightened risk of harm to a consumer, which for the purposes of this section includes:
(1) the processing of personal data for the purposes of targeted advertising;
(2) the sale of personal data;
(3) the processing of personal data for the purposes of profiling, where the profiling presents a reasonably foreseeable risk of:
(A) unfair or deceptive treatment of, or unlawful disparate impact on, consumers;
(B) financial, physical, or reputational injury to consumers;
(C) a physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumers, where the intrusion would be offensive to a reasonable person; or
(D) other substantial injury to consumers; and
(4) the processing of sensitive data.

(b)(1) Data protection assessments conducted pursuant to subsection (a) of this section shall identify and weigh the benefits that may flow, directly and indirectly, from the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with the processing, as mitigated by safeguards that can be employed by the controller to reduce the risks.
(2) The controller shall factor into any data protection assessment the use of de-identified data and the reasonable expectations of consumers, as well as the context of the processing and the relationship between the controller and the consumer whose personal data will be processed.

(c)(1) The Attorney General may require that a controller disclose any data protection assessment that is relevant to an investigation conducted by the Attorney General, and the controller shall make the data protection assessment available to the Attorney General.
(2) The Attorney General may evaluate the data protection assessment for compliance with the responsibilities set forth in this chapter.
(3) Data protection assessments shall be confidential and shall be exempt from disclosure and copying under the Public Records Act.
(4) To the extent any information contained in a data protection assessment disclosed to the Attorney General includes information subject to attorney-client privilege or work product protection, the disclosure shall not constitute a waiver of the privilege or protection.

(d) A single data protection assessment may address a comparable set of processing operations that include similar activities.

(e) If a controller conducts a data protection assessment for the purpose of complying with another applicable law or regulation, the data protection assessment shall be deemed to satisfy the requirements established in this section if the data protection assessment is reasonably similar in scope and effect to the data protection assessment that would otherwise be conducted pursuant to this section.

(f) Data protection assessment requirements shall apply to processing activities created or generated after July 1, 2025 and are not retroactive.
§ 2423. DE-IDENTIFIED AND PSEUDONYMOUS DATA; CONTROLLERS’ DUTIES; EXCEPTIONS; APPLICABILITY OF CONSUMERS’ RIGHTS; DISCLOSURE AND OVERSIGHT

(a) A controller in possession of de-identified data shall:
(1) take reasonable measures to ensure that the data cannot be associated with an individual;
(2) publicly commit to maintaining and using de-identified data without attempting to re-identify the data; and
(3) contractually obligate any recipients of the de-identified data to comply with the provisions of this chapter.

(b) This chapter shall not be construed to:
(1) require a controller or processor to re-identify de-identified data or pseudonymous data; or
(2) maintain data in identifiable form, or collect, obtain, retain, or access any data or technology, in order to be capable of associating an authenticated consumer request with personal data.

(c) This chapter shall not be construed to require a controller or processor to comply with an authenticated consumer rights request if the controller:
(1) is not reasonably capable of associating the request with the personal data or it would be unreasonably burdensome for the controller to associate the request with the personal data;
(2) does not use the personal data to recognize or respond to the specific consumer who is the subject of the personal data, or associate the personal data with other personal data about the same specific consumer; and
(3) does not sell the personal data to any third party or otherwise voluntarily disclose the personal data to any third party other than a processor, except as otherwise permitted in this section.

(d) The rights afforded under subdivisions 2418(a)(1)–(4) of this title shall not apply to pseudonymous data in cases where the controller is able to demonstrate that any information necessary to identify the consumer is kept separately and is subject to effective technical and organizational controls that prevent the controller from accessing the information.

(e) A controller that discloses pseudonymous data or de-identified data shall exercise reasonable oversight to monitor compliance with any contractual commitments to which the pseudonymous data or de-identified data is subject and shall take appropriate steps to address any breaches of those contractual commitments.
3386-§ 2424. CONSTRUCTION OF CONTROLLERS’ AND PROCESSORS’
3387-DUTIES
3388-(a) This chapter shall not be construed to restrict a controller’s,
3389-processor’s, or consumer health data controller’s ability to:
3390-(1) comply with federal, state, or municipal laws, ordinances, or
3391-regulations;
3392-(2) comply with a civil, criminal, or regulatory inquiry, investigation,
3393-subpoena, or summons by federal, state, municipal, or other governmental
3394-authorities;
3395-(3) cooperate with law enforcement agencies concerning conduct or
3396-activity that the controller, processor, or consumer health data controller
3397-reasonably and in good faith believes may violate federal, state, or municipal
3398-laws, ordinances, or regulations;
3399-(4) investigate, establish, exercise, prepare for, or defend legal claims;
3400-(5) provide a product or service specifically requested by a consumer;
3401-(6) perform under a contract to which a consumer is a party, including
3402-fulfilling the terms of a written warranty;
3403-(7) take steps at the request of a consumer prior to entering into a
3404-contract;
3405-(8) take immediate steps to protect an interest that is essential for the
3406-life or physical safety of the consumer or another individual, and where the
3407-processing cannot be manifestly based on another legal basis;
3408-(9) prevent, detect, protect against, or respond to security incidents,
3409-identity theft, fraud, harassment, malicious, or deceptive activities or any
3410-illegal activity; preserve the integrity or security of systems; or investigate,
3411-report, or prosecute those responsible for the action;
3412-(10) engage in public or peer-reviewed scientific or statistical research
3413-in the public interest that adheres to all other applicable ethics and privacy
3414-laws and is approved, monitored, and governed by an institutional review
3415-board that determines, or similar independent oversight entities that
3416-determine:
3417-(A) whether the deletion of the information is likely to provide
3418-substantial benefits that do not exclusively accrue to the controller;
3419-(B) the expected benefits of the research outweigh the privacy risks;
3420-and
3422-(C) whether the controller or consumer health data controller has
3423-implemented reasonable safeguards to mitigate privacy risks associated with
3424-research, including any risks associated with re-identification;
3425-(11) assist another controller, processor, consumer health data
3426-controller, or third party with any of the obligations under this chapter; or
3427-(12) process personal data for reasons of public interest in the area of
3428-public health, community health, or population health, but solely to the extent
3429-that the processing is:
3430-(A) subject to suitable and specific measures to safeguard the rights
3431-of the consumer whose personal data is being processed; and
3432-(B) under the responsibility of a professional subject to
3433-confidentiality obligations under federal, state, or local law.
3434-(b) The obligations imposed on controllers, processors, or consumer health
3435-data controllers under this chapter shall not restrict a controller’s, processor’s,
3436-or consumer health data controller’s ability to collect, use, or retain data for
3437-internal use to:
3438-(1) conduct internal research to develop, improve, or repair products,
3439-services, or technology;
3440-(2) effectuate a product recall;
3441-(3) identify and repair technical errors that impair existing or intended
3442-functionality; or
3443-(4) perform internal operations that are reasonably aligned with the
3444-expectations of the consumer or reasonably anticipated based on the
3445-consumer’s existing relationship with the controller or consumer health data
3446-controller, or are otherwise compatible with processing data in furtherance of
3447-the provision of a product or service specifically requested by a consumer or
3448-the performance of a contract to which the consumer is a party.
3449-(c)(1) The obligations imposed on controllers, processors, or consumer
3450-health data controllers under this chapter shall not apply where compliance by
3451-the controller, processor, or consumer health data controller with this chapter
3452-would violate an evidentiary privilege under the laws of this State.
3453-(2) This chapter shall not be construed to prevent a controller,
3454-processor, or consumer health data controller from providing personal data
3455-concerning a consumer to a person covered by an evidentiary privilege under
3456-the laws of the State as part of a privileged communication.
3457-(d)(1) A controller, processor, or consumer health data controller that
3458-discloses personal data to a processor or third-party controller pursuant to this
3460-chapter shall not be deemed to have violated this chapter if the processor or
3461-third-party controller that receives and processes the personal data violates
3462-this chapter, provided, at the time the disclosing controller, processor, or
3463-consumer health data controller disclosed the personal data, the disclosing
3464-controller, processor, or consumer health data controller did not have actual
3465-knowledge that the receiving processor or third-party controller would violate
3466-this chapter.
3467-(2) A third-party controller or processor receiving personal data from a
3468-controller, processor, or consumer health data controller in compliance with
3469-this chapter is not in violation of this chapter for the transgressions of the
3470-controller, processor, or consumer health data controller from which the third-
3471-party controller or processor receives the personal data.
3472-(e) This chapter shall not be construed to:
3473-(1) impose any obligation on a controller or processor that adversely
3474-affects the rights or freedoms of any person, including the rights of any person:
3475-(A) to freedom of speech or freedom of the press guaranteed in the
3476-First Amendment to the United States Constitution; or
3477-(B) under 12 V.S.A. § 1615;
3478-(2) apply to any person’s processing of personal data in the course of
3479-the person’s purely personal or household activities; or
3480-(3) require an independent school as defined in 16 V.S.A. § 11(a)(8) or a
3481-private institution of higher education, as defined in 20 U.S.C. § 1001 et seq.,
3482-to delete personal data or opt out of processing of personal data that would
3483-unreasonably interfere with the provision of education services by or the
3484-ordinary operation of the school or institution.
3485-(f)(1) Personal data processed by a controller or consumer health data
3486-controller pursuant to this section may be processed to the extent that the
3487-processing is:
3488-(A) reasonably necessary and proportionate to the purposes listed in
3489-this section; and
3490-(B) adequate, relevant, and limited to what is necessary in relation to
3491-the specific purposes listed in this section.
3492-(2)(A) Personal data collected, used, or retained pursuant to subsection
3493-(b) of this section shall, where applicable, take into account the nature and
3494-purpose or purposes of the collection, use, or retention.
3495-(B) The data shall be subject to reasonable administrative, technical,
3496-and physical measures to protect the confidentiality, integrity, and accessibility
3498-of the personal data and to reduce reasonably foreseeable risks of harm to
3499-consumers relating to the collection, use, or retention of personal data.
3500-(g) If a controller or consumer health data controller processes personal
3501-data pursuant to an exemption in this section, the controller or consumer
3502-health data controller bears the burden of demonstrating that the processing
3503-qualifies for the exemption and complies with the requirements in subsection
3504-(f) of this section.
3505-(h) Processing personal data for the purposes expressly identified in this
3506-section shall not solely make a legal entity a controller or consumer health
3507-data controller with respect to the processing.
3508-§ 2425. ENFORCEMENT BY ATTORNEY GENERAL; NOTICE OF
3509-VIOLATION; CURE PERIOD; REPORT; PENALTY
3510-(a) The Attorney General shall have exclusive authority to enforce
3511-violations of this chapter.
3512-(b)(1) During the period beginning on July 1, 2025 and ending on
3513-December 31, 2026, the Attorney General shall, prior to initiating any action
3514-for a violation of any provision of this chapter, issue a notice of violation to the
3515-controller or consumer health data controller if the Attorney General
3516-determines that a cure is possible.
3517-(2) If the controller or consumer health data controller fails to cure the
3518-violation within 60 days after receipt of the notice of violation, the Attorney
3519-General may bring an action pursuant to this section.
3520-(3) Annually, on or before February 1, the Attorney General shall
3521-submit a report to the General Assembly disclosing:
3522-(A) the number of notices of violation the Attorney General has
3523-issued;
3524-(B) the nature of each violation;
3525-(C) the number of violations that were cured during the available
3526-cure period; and
3527-(D) any other matter the Attorney General deems relevant for the
3528-purposes of the report.
3529-(c) Beginning on January 1, 2027, the Attorney General may, in
3530-determining whether to grant a controller or processor the opportunity to cure
3531-an alleged violation described in subsection (b) of this section, consider:
3532-(1) the number of violations;
3533-(2) the size and complexity of the controller or processor;
3535-(3) the nature and extent of the controller’s or processor’s processing
3536-activities;
3537-(4) the substantial likelihood of injury to the public;
3538-(5) the safety of persons or property;
3539-(6) whether the alleged violation was likely caused by human or
3540-technical error; and
3541-(7) the sensitivity of the data.
3542-(d) This chapter shall not be construed as providing the basis for, or be
3543-subject to, a private right of action for violations of this chapter or any other
3544-law.
3545-(e) Subject to the exception in subsection (f) of this section, a violation
3546-of the requirements of this chapter shall constitute an unfair and deceptive act
3547-in commerce in violation of section 2453 of this title and shall be enforced
3548-solely by the Attorney General, provided that a consumer private right of
3549-action under subsection 2461(b) of this title shall not apply to the violation.
3550-(f) The Attorney General shall provide guidance to controllers and
3551-processors for compliance with the terms of the Vermont Data Privacy Act.
3552-Any processor or controller that, in the opinion of the Attorney General,
3553-materially complies with the guidance provided by the Attorney General shall
3554-not constitute an unfair and deceptive act in commerce.
3555-§ 2426. CONSUMER HEALTH DATA PRIVACY
3556-(a) Except as provided in subsections (b) and (c) of this section and
3557-subsections 2417(b) and (c) of this title, no person shall:
3558-(1) provide any employee or contractor with access to consumer health
3559-data unless the employee or contractor is subject to a contractual or statutory
3560-duty of confidentiality;
3561-(2) provide any processor with access to consumer health data unless
3562-the person and processor comply with section 2421 of this title;
3563-(3) use a geofence to establish a virtual boundary that is within 1,750
3564-feet of any health care facility, including any mental health facility or
3565-reproductive or sexual health facility, for the purpose of identifying, tracking,
3566-collecting data from, or sending any notification to a consumer regarding the
3567-consumer’s consumer health data; or
3568-(4) sell, or offer to sell, consumer health data without first obtaining the
3569-consumer’s consent.
3571-(b) Notwithstanding section 2416 of this title, subsection (a) of this section,
3572-and the provisions of sections 2415–2425 of this title, inclusive, concerning
3573-consumer health data and consumer health data controllers, apply to persons
3574-that conduct business in this state and persons that produce products or
3575-services that are targeted to residents of this state.
3576-(c) Subsection (a) of this section shall not apply to any:
3577-(1) body, authority, board, bureau, commission, district or agency of this
3578-State or of any political subdivision of this State;
3579-(2) person who has entered into a contract with an entity described in
3580-subdivision (1) of this subsection to process consumer health data on behalf of
3581-the entity;
3582-(3) institution of higher education;
3583-(4) national securities association that is registered under 15 U.S.C.
3584-78o-3 of the Securities Exchange Act of 1934, as may be amended;
3585-(5) financial institution or data subject to Title V of the Gramm-Leach-
3586-Bliley Act, Pub. L. No. 106-102, and regulations adopted to implement that
3587-act;
3588-(6) covered entity or business associate, as defined in 45 C.F.R.
3589-§ 160.103;
3590-(7) tribal nation government organization; or
3591-(8) air carrier, as:
3592-(A) defined in 49 U.S.C. § 40102, as may be amended; and
3593-(B) regulated under the Federal Aviation Act of 1958, 49 U.S.C.
3594-§ 40101 et seq. and the Airline Deregulation Act of 1978, 49 U.S.C. § 41713,
3595-as may be amended.
3596-Sec. 2. EFFECTIVE DATE
3597-This act shall take effect on July 1, 2026.
1+BILL AS INTRODUCED S.71
2+2025 Page 1 of 64
3+
4+
5+VT LEG #380777 v.1
6+S.71
7+Introduced by Senators Clarkson, Harrison, Hashim, Major, Vyhovsky and
8+White
9+Referred to Committee on
10+Date:
11+Subject: Commerce and trade; consumer protection; data privacy
12+Statement of purpose of bill as introduced: This bill proposes to provide data
13+privacy and online surveillance protections to Vermonters.
14+An act relating to consumer data privacy and online surveillance
15+It is hereby enacted by the General Assembly of the State of Vermont:
16+Sec. 1. 9 V.S.A. chapter 61A is added to read:
17+CHAPTER 61A. VERMONT DATA PRIVACY AND ONLINE
18+SURVEILLANCE ACT
19+§ 2415. DEFINITIONS
20+As used in this chapter:
21+(1)(A) “Affiliate” means a legal entity that shares common branding
22+with another legal entity or controls, is controlled by, or is under common
23+control with another legal entity.
24+(B) As used in subdivision (A) of this subdivision (1), “control” or
25+“controlled” means:
30+(i) ownership of, or the power to vote, more than 50 percent of the
31+outstanding shares of any class of voting security of a company;
32+(ii) control in any manner over the election of a majority of the
33+directors or of individuals exercising similar functions; or
34+(iii) the power to exercise controlling influence over the
35+management of a company.
36+(2) “Authenticate” means to use reasonable means to determine that a
37+request to exercise any of the rights afforded under subdivisions 2418(a)(1)–
38+(6) of this title is being made by, or on behalf of, the consumer who is entitled
39+to exercise the consumer rights with respect to the personal data at issue.
40+(3)(A) “Biometric data” means data generated from the technological
41+processing of an individual’s unique biological, physical, or physiological
42+characteristics that allow or confirm the unique identification of the consumer,
43+including:
44+(i) iris or retina scans;
45+(ii) fingerprints;
46+(iii) facial or hand mapping, geometry, or templates;
47+(iv) vein patterns;
48+(v) voice prints or vocal biomarkers; and
49+(vi) gait or personally identifying physical movement or patterns.
50+(B) “Biometric data” does not include:
55+(i) a digital or physical photograph;
56+(ii) an audio or video recording; or
57+(iii) any data generated from a digital or physical photograph, or
58+an audio or video recording, unless such data is generated to identify a specific
59+individual.
60+(4) “Business associate” has the same meaning as in HIPAA.
61+(5) “Child” has the same meaning as in COPPA.
62+(6)(A) “Consent” means a clear affirmative act signifying a consumer’s
63+freely given, specific, informed, and unambiguous agreement to allow the
64+processing of personal data relating to the consumer in response to a specific
65+request, provided the request:
66+(i) is provided to the consumer in a clear and conspicuous
67+disclosure;
68+(ii) includes a description of the processing purpose for which the
69+consumer’s consent is sought;
70+(iii) clearly distinguishes between an act or practice that is
71+necessary to fulfill a request of the consumer and an act or practice that is for
72+another purpose;
73+(iv) clearly states the specific categories of personal data that the
74+controller intends to collect or process under each act or practice;
79+(v) clearly states the specific categories of personal data that the
80+controller intends to collect or process under each act or practice; and
81+(vi) is accessible to a consumer with disabilities.
82+(B) “Consent” may include a written statement, including by
83+electronic means, or any other unambiguous affirmative action.
84+(C) “Consent” does not include:
85+(i) acceptance of a general or broad terms of use or similar
86+document that contains descriptions of personal data processing along with
87+other, unrelated information;
88+(ii) hovering over, muting, pausing, or closing a given piece of
89+content;
90+(iii) inaction of the consumer or the consumer’s continued use of a
91+service or product provided by the controller; or
92+(iv) an agreement obtained through the use of dark patterns.
93+(7)(A) “Consumer” means an individual who is a resident of the State.
94+(B) “Consumer” does not include an individual acting in a
95+commercial capacity or as an owner, director, officer, or contractor of a
96+company, partnership, sole proprietorship, nonprofit, or government agency
97+whose communications or transactions with the controller occur solely within
98+the context of that individual’s role with the company, partnership, sole
99+proprietorship, nonprofit, or government agency.
104+(8) “Consumer health data” means any personal data that a controller
105+uses to identify a consumer’s physical or mental health condition or diagnosis,
106+including gender-affirming health data and reproductive or sexual health data.
107+(9) “Consumer health data controller” means any controller that, alone
108+or jointly with others, determines the purpose and means of processing
109+consumer health data.
110+(10) “Consumer reporting agency” has the same meaning as in the Fair
111+Credit Reporting Act, 15 U.S.C. § 1681a(f).
112+(11) “Contextual advertising” or “contextual advertisement,” as subject
113+to provisions set forth in subsection 2418(g) of this chapter, means displaying
114+or presenting an advertisement that does not vary based on the identity of the
115+individual recipient and is based solely on:
116+(A) the immediate content of a web page or online service within
117+which the advertisement appears; or
118+(B) a specific request of the consumer for information or feedback.
119+(12) “Controller” means a person who, alone or jointly with others,
120+determines the purpose and means of processing personal data.
121+(13) “COPPA” means the Children’s Online Privacy Protection Act of
122+1998, 15 U.S.C. § 6501–6506, and any regulations, rules, guidance, and
123+exemptions promulgated pursuant to the act, as the act and regulations, rules,
124+guidance, and exemptions may be amended.
129+(14) “Covered entity” has the same meaning as in HIPAA.
130+(15) “Credit union” has the same meaning as in 8 V.S.A. § 30101.
131+(16) “Dark pattern” means a user interface designed or manipulated with
132+the substantial effect of subverting or impairing user autonomy, decision-
133+making, or choice and includes any practice the Federal Trade Commission
134+refers to as a “dark pattern.”
135+(17) “Data broker” has the same meaning as in section 2430 of this title.
136+(18) “Decisions that produce legal or similarly significant effects
137+concerning the consumer” means decisions that result in or materially affect
138+access to, the provision or denial of, or the terms and conditions of financial or
139+lending services, housing, insurance, education enrollment or opportunity,
140+criminal justice, employment opportunities, health care services, or access to
141+essential goods or services.
142+(19) “De-identified data” means data that does not identify and cannot
143+reasonably be used to infer information about, or otherwise be linked to, an
144+identified or identifiable individual, or a device linked to the individual, if the
145+controller that possesses the data:
146+(A) takes reasonable physical, technical, or administrative measures
147+to ensure that the data cannot be used to reidentify an identified or identifiable
148+individual or be associated with an individual or device that identifies or is
149+linked or reasonably linkable to an individual or household, provided that such
154+reasonable measures for protected health information covered by HIPAA shall
155+include the de-identification requirements set forth under 45 C.F.R. § 164.514
156+(other requirements relating to uses and disclosures of protected health
157+information);
158+(B) publicly commits to process the data only in a de-identified
159+fashion and not attempt to reidentify the data; and
160+(C) contractually obligates any recipients of the data to satisfy the
161+criteria set forth in subdivisions (A) and (B) of this subdivision (19).
162+(20) “Financial institution” as used in subdivision 2417(a)(11) of this
163+title, has the same meaning as in 15 U.S.C. § 6809.
164+(21) “First party” means a consumer-facing controller with which the
165+consumer intends or expects to interact.
166+(22) “First-party advertising” means processing by a first party of its
167+own first-party data for the purposes of advertising and marketing and is
168+carried out:
169+(A) through direct communications with a consumer, such as direct
170+mail, email, or text message communications;
171+(B) in a physical location operated by the first party; or
172+(C) through display or presentation of an advertisement on the first
173+party’s own website, application, or its other online content.
178+(23) “First-party data” means personal data collected directly from a
179+consumer by a first party in compliance with this chapter, including based on a
180+visit by the consumer to or use by the consumer of a website, a physical
181+location, or an online service operated by the first party.
182+(24) “Gender-affirming health care services” has the same meaning as in
183+1 V.S.A. § 150.
184+(25) “Gender-affirming health data” means any personal data
185+concerning a past, present, or future effort made by a consumer to seek, or a
186+consumer’s receipt of, gender-affirming health care services, including:
187+(A) precise geolocation data that is used for determining a
188+consumer’s attempt to acquire or receive gender-affirming health care services;
189+(B) efforts to research or obtain gender-affirming health care
190+services; and
191+(C) any gender-affirming health data that is derived from nonhealth
192+information.
193+(26) “Genetic data” means any data, regardless of its format, that results
194+from the analysis of a biological sample of an individual, or from another
195+source enabling equivalent information to be obtained, and concerns genetic
196+material, including deoxyribonucleic acids (DNA), ribonucleic acids (RNA),
197+genes, chromosomes, alleles, genomes, alterations or modifications to DNA or
198+RNA, single nucleotide polymorphisms (SNPs), epigenetic markers,
203+uninterpreted data that results from analysis of the biological sample or other
204+source, and any information extrapolated, derived, or inferred therefrom.
205+(27) “Geofence” means any technology that uses global positioning
206+coordinates, cell tower connectivity, cellular data, radio frequency
207+identification, wireless fidelity technology data, or any other form of location
208+detection, or any combination of such coordinates, connectivity, data,
209+identification, or other form of location detection, to establish a virtual
210+boundary.
211+(28) “Health care component” has the same meaning as in HIPAA.
212+(29) “Health care facility” has the same meaning as in 18 V.S.A. § 9432.
213+(30) “HIPAA” means the Health Insurance Portability and
214+Accountability Act of 1996, Pub. L. No. 104-191, and any regulations
215+promulgated pursuant to the act, as may be amended.
216+(31) “Hybrid entity” has the same meaning as in HIPAA.
217+(32) “Identified or identifiable individual” means an individual who can
218+be readily identified, directly or indirectly, including by reference to an
219+identifier such as a name, an identification number, specific or historical
220+pattern of geolocation data, or an online identifier.
221+(33) “Independent trust company” has the same meaning as in 8 V.S.A.
222+§ 2401.
223+(34) “Investment adviser” has the same meaning as in 9 V.S.A. § 5102.
228+(35) “Large data holder” means a person who during the preceding
229+calendar year processed the personal data of not fewer than 100,000
230+consumers.
231+(36) “Marketing measurement” means measuring and reporting on
232+marketing performance or media performance by the controller, including
233+processing personal data for measurement and reporting of frequency,
234+attribution, and performance, provided that such measurement data is not
235+processed or transferred for any other purpose.
236+(37) “Mental health facility” means any health care facility in which at
237+least 70 percent of the health care services provided in the facility are mental
238+health services.
239+(38) “Minor” means any consumer who is younger than 18 years of age.
240+(39) “Neural data” means information that is collected through
241+biosensors and that could be processed to infer or predict mental states.
242+(40) “Nonpublic personal information” has the same meaning as in
243+15 U.S.C. § 6809.
244+(41)(A) “Online service, product, or feature” means any service,
245+product, or feature that is provided online, except as provided in subdivision
246+(B) of this subdivision (41).
247+(B) “Online service, product, or feature” does not include:
252+(i) telecommunications service, as that term is defined in the
253+Communications Act of 1934, 47 U.S.C. § 153;
254+(ii) broadband internet access service, as that term is defined in
255+47 C.F.R. § 54.400 (universal service support); or
256+(iii) the delivery or use of a physical product, but not including the
257+provision or use of an online service, product, or feature through use of an
258+internet-connected physical product.
259+(42) “Patient identifying information” has the same meaning as in
260+42 C.F.R. § 2.11 (confidentiality of substance use disorder patient records).
261+(43) “Patient safety work product” has the same meaning as in 42 C.F.R.
262+§ 3.20 (patient safety organizations and patient safety work product).
263+(44)(A) “Personal data” means any information, including derived data
264+and unique identifiers, that is linked or reasonably linkable, alone or in
265+combination with other information, to an identified or identifiable individual
266+or to a device that identifies, is linked to, or is reasonably linkable to one or
267+more identified or identifiable individuals in a household.
268+(B) “Personal data” does not include de-identified data or publicly
269+available information.
270+(45)(A) “Precise geolocation data” means information derived from
271+technology that reveals the past or present physical location of a consumer or
276+device that identifies or is linked or reasonably linkable to one or more
277+consumers with precision and accuracy within a radius of 1,850 feet.
278+(B) “Precise geolocation data” does not include:
279+(i) the content of communications;
280+(ii) data generated by or connected to an advanced utility metering
281+infrastructure system;
282+(iii) a photograph, or metadata associated with a photograph or
283+video, that cannot be linked to an individual; or
284+(iv) data generated by equipment used by a utility company.
285+(46) “Process” or “processing” means any operation or set of operations
286+performed, whether by manual or automated means, on personal data or on sets
287+of personal data, such as the collection, use, storage, disclosure, analysis,
288+deletion, or modification of personal data.
289+(47) “Processor” means a person who processes personal data on behalf
290+of:
291+(A) a controller;
292+(B) another processor; or
293+(C) a federal, state, tribal, or local government entity.
294+(48) “Profiling” means any form of automated processing performed on
295+personal data to evaluate, analyze, or predict personal aspects, including an
300+individual’s economic situation, health, personal preferences, interests,
301+reliability, behavior, location, movements, or identifying characteristics.
302+(49) “Protected health information” has the same meaning as in HIPAA.
303+(50)(A) “Publicly available information” means information that:
304+(i) is made available:
305+(I) through federal, state, or local government records; or
306+(II) to the general public from widely distributed media; or
307+(ii) a controller has a reasonable basis to believe that the consumer
308+has lawfully made available to the general public.
309+(B) “Publicly available information” does not include:
310+(i) biometric data collected by a business about a consumer
311+without the consumer’s knowledge;
312+(ii) information that is collated and combined to create a consumer
313+profile that is made available to a user of a publicly available website either in
314+exchange for payment or free of charge;
315+(iii) information that is made available for sale;
316+(iv) an inference that is generated from the information described
317+in subdivision (ii) or (iii) of this subdivision (50)(B);
318+(v) any obscene visual depiction, as defined in 18 U.S.C. § 1460;
323+(vi) any inference made exclusively from multiple independent
324+sources of publicly available information that reveals sensitive data with
325+respect to a consumer;
326+(vii) personal data that is created through the combination of
327+personal data with publicly available information;
328+(viii) genetic data, unless otherwise made publicly available by the
329+consumer to whom the information pertains;
330+(ix) information provided by a consumer on a website or online
331+service made available to all members of the public, for free or for a fee, where
332+the consumer has maintained a reasonable expectation of privacy in the
333+information, such as by restricting the information to a specific audience; or
334+(x) intimate images, authentic or computer-generated, known to be
335+nonconsensual.
336+(51) “Qualified service organization” has the same meaning as in
337+42 C.F.R. § 2.11 (confidentiality of substance use disorder patient records).
338+(52) “Reproductive or sexual health care” has the same meaning as
339+“reproductive health care services” in 1 V.S.A. § 150(c)(1).
340+(53) “Reproductive or sexual health data” means any personal data
341+concerning a past, present, or future effort made by a consumer to seek, or a
342+consumer’s receipt of, reproductive or sexual health care.
347+(54) “Reproductive or sexual health facility” means any health care 1
348+facility in which at least 70 percent of the health care-related services or 2
349+products rendered or provided in the facility are reproductive or sexual health 3
350+care. 4
(55)(A) “Sale of personal data” means the exchange of a consumer’s personal data by the controller to a third party for monetary or other valuable consideration.
(B) “Sale of personal data” does not include:
(i) the disclosure of personal data to a processor that processes the personal data on behalf of the controller;
(ii) the disclosure of personal data to a third party for purposes of providing a product or service requested by the consumer;
(iii) the disclosure or transfer of personal data to an affiliate of the controller;
(iv) the disclosure, with the consumer’s consent, of personal data where the consumer directs the controller to disclose the personal data or intentionally uses the controller to interact with a third party;
(v) the disclosure of publicly available information;
(vi) the disclosure or transfer of personal data to a third party as an asset that is part of a merger, acquisition, bankruptcy, or other transaction, or a proposed merger, acquisition, bankruptcy, or other transaction, in which the third party assumes control of all or part of the controller’s assets.
(56) “Sensitive data” means personal data that:
(A) reveals a consumer’s government-issued identifier, such as a Social Security number, passport number, state identification card, or driver’s license number, that is not required by law to be publicly displayed;
(B) reveals a consumer’s racial or ethnic origin, national origin, citizenship or immigration status, religious or philosophical beliefs, a mental or physical health condition, diagnosis, disability or treatment, status as pregnant, income level or indebtedness, or union membership;
(C) reveals a consumer’s sexual orientation, sex life, sexuality, or status as transgender or nonbinary;
(D) reveals a consumer’s status as a victim of a crime;
(E) is a consumer’s tax return and account number, financial account log-in, financial account, debit card number, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account;
(F) is consumer health data;
(G) is collected and analyzed concerning consumer health data that describes or reveals a past, present, or future mental or physical health condition, treatment, disability, or diagnosis, including pregnancy, to the extent the personal data is used by the controller for a purpose other than to identify a specific consumer’s physical or mental health condition or diagnosis;
(H) is biometric or genetic data;
(I) is collected from a consumer that a controller knew or should have known is a minor;
(J) is precise geolocation data;
(K) are keystrokes;
(L) is driving behavior;
(M) is neural data; or
(N) are the online activities of a consumer over time and across devices, websites, online applications, and mobile applications, that do not share common branding, or data generated by, profiling performed on such data.
(57)(A) “Targeted advertising” means displaying or presenting an online advertisement to a consumer or to a device identified by a unique persistent identifier, if the advertisement is selected based, in whole or in part, on known or predicted preferences, characteristics, behavior, or interests associated with the consumer or a device identified by a unique persistent identifier. “Targeted advertising” includes displaying or presenting an online advertisement for a product or service based on the previous interaction of a consumer or a device identified by a unique persistent identifier with such product or service on a website or online service that does not share common branding with the website or online service displaying or presenting the advertisement, and marketing measurement related to such advertisements.
(B) “Targeted advertising” does not include:
(i) first-party advertising; or
(ii) contextual advertising.
(58) “Third party” means a person who collects personal data from another person who is not the consumer to whom the data pertains and is not a processor with respect to such data. “Third party” does not include a person who collects personal data from another entity if the entities are affiliates.
(59) “Trade secret” has the same meaning as in section 4601 of this title.
(60)(A) “Unique persistent identifier” means a technologically created identifier to the extent that such identifier is reasonably linkable to a consumer or a device that identifies or is linked or reasonably linkable to one or more consumers, including device identifiers, internet protocol addresses, cookies, beacons, pixel tags, mobile ad identifiers or similar technology customer numbers, unique pseudonyms, user aliases, telephone numbers, or other forms of persistent or probabilistic identifiers that are linked or reasonably linkable to one or more consumers or devices.
(B) “Unique persistent identifier” does not include an identifier assigned by a controller for the sole purpose of giving effect to the exercise of affirmative consent or opt out by a consumer with respect to the collection or processing of personal data or otherwise limiting the collection or processing of personal data.
(61) “Victim services organization” means a nonprofit organization that is established to provide services to victims or witnesses of child abuse, domestic violence, human trafficking, sexual assault, violent felony, or stalking.
§ 2416. APPLICABILITY
(a) Except as provided in subsection (b) of this section, this chapter applies to a person who conducts business in this State or a person who produces products or services that are targeted to residents of this State and that during the preceding calendar year:
(1) controlled or processed the personal data of not fewer than 25,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or
(2) controlled or processed the personal data of not fewer than 12,500 consumers and derived more than 25 percent of the person’s gross revenue from the sale of personal data.
(b) Section 2425 of this chapter and the provisions of this chapter concerning consumer health data and consumer health data controllers apply to a person who conducts business in this State or a person who produces products or services that are targeted to residents of this State.
§ 2417. EXEMPTIONS
(a) This chapter does not apply to:
(1) a federal, state, tribal, or local government entity in the ordinary course of its operation;
(2) protected health information under HIPAA;
(3) patient-identifying information, for purposes of 42 U.S.C. § 290DD–2;
(4)(i) information to the extent it is used for public health, community health, or population health activities and purposes, as authorized by HIPAA, when provided by or to a covered entity or when provided by or to a business associate in accordance with the business associate agreement with a covered entity;
(ii) information that is a health care record, as that term is defined in 18 V.S.A. § 9419, if the information is held by an entity that is a covered entity or business associate under HIPAA because it collects, uses, or discloses protected health information;
(iii) information that is de-identified in accordance with the requirements for de-identification set forth in 45 C.F.R. 164.514 and that is derived from individually identifiable health information as described in HIPAA; and
(iv) personal information consistent with the human subject protection requirements of the U.S. Food and Drug Administration;
(5) information used only for public health activities and purposes described in 45 C.F.R. § 164.512 (disclosure of protected health information without authorization);
(6) information that identifies a consumer in connection with:
(A) activities that are subject to the Federal Policy for the Protection of Human Subjects, codified as 45 C.F.R. Part 46 (HHS protection of human subjects) and in various other federal regulations;
(B) activities that are subject to the protections provided in 21 C.F.R. Parts 50 (FDA clinical investigations protection of human subjects) and 56 (FDA clinical investigations institutional review boards); or
(C) research conducted in accordance with the requirements set forth in subdivisions (A) and (B) of this subdivision (a)(6) or otherwise in accordance with applicable law;
(7) patient identifying information that is collected and processed in accordance with 42 C.F.R. Part 2 (confidentiality of substance use disorder patient records);
(8) patient safety work product that is created and used for purposes of patient safety improvement in accordance with 42 C.F.R. § 3, established in accordance with 42 U.S.C. §§ 299b–21 through 299b–26;
(9) information or documents created for the purposes of the Healthcare Quality Improvement Act of 1986, 42 U.S.C. § 11101–11152, and regulations adopted to implement that act;
(10) information processed or maintained solely in connection with, and for the purpose of, enabling notice of an emergency to persons that an individual specifies;
(11) any activity that involves collecting, maintaining, disclosing, selling, communicating, or using information for the purpose of evaluating a consumer’s creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living if done strictly in accordance with the provisions of the Fair Credit Reporting Act, 15 U.S.C. § 1681–1681x, as may be amended, by:
(A) a consumer reporting agency;
(B) a person who furnishes information to a consumer reporting agency under 15 U.S.C. § 1681s-2 (responsibilities of furnishers of information to consumer reporting agencies); or
(C) a person who uses a consumer report as provided in 15 U.S.C. § 1681b(a)(3) (permissible purposes of consumer reports);
(12) information collected, processed, sold, or disclosed under and in accordance with the following laws and regulations:
(A) the Driver’s Privacy Protection Act of 1994, 18 U.S.C. § 2721–2725;
(B) data that is subject to the Family Educational Rights and Privacy Act, 20 U.S.C. § 1232g, and regulations adopted to implement that act;
(C) data that is subject to the Airline Deregulation Act, Pub. L. No. 95-504, only to the extent that an air carrier collects information related to prices, routes, or services, and only to the extent that the provisions of the Airline Deregulation Act preempt this chapter;
(D) data that is subject to the Farm Credit Act, Pub. L. No. 92-181, as may be amended; and
(E) data that is subject to federal policy under 21 U.S.C. § 830 (regulation of listed chemicals and certain machines);
(13) nonpublic personal information that is processed by a financial institution subject to the Gramm-Leach-Bliley Act, Pub. L. No. 106-102, and regulations adopted to implement that act;
(14) a state or federally chartered bank or credit union, or an affiliate or subsidiary that is principally engaged in financial activities, as described in 18 U.S.C. § 1843(k);
(15) a person regulated pursuant to 8 V.S.A. part 3 (chapters 101–165) other than a person who, alone or in combination with another person, establishes and maintains a self-insurance program and who does not otherwise engage in the business of entering into policies of insurance;
(16) a third-party administrator, as that term is defined in the Third Party Administrator Rule adopted pursuant to 18 V.S.A. § 9417;
(17) personal data of a victim or witness of child abuse, domestic violence, human trafficking, sexual assault, violent felony, or stalking that a victim services organization collects, processes, or maintains in the course of its operation;
(18) a nonprofit organization that is established to detect and prevent fraudulent acts in connection with insurance;
(19) information that is processed for purposes of compliance, enrollment or degree verification, or research services by a nonprofit organization that is established to provide enrollment data reporting services on behalf of postsecondary schools as that term is defined in 16 V.S.A. § 176; or
(20) noncommercial activity of:
(A) a publisher, editor, reporter, or other person who is connected with or employed by a newspaper, magazine, periodical, newsletter, pamphlet, report, or other publication in general circulation;
(B) a radio or television station that holds a license issued by the Federal Communications Commission;
(C) a nonprofit organization that provides programming to radio or television networks; or
(D) a press association or wire service.
(b) Controllers, processors, and consumer health data controllers that comply with the verifiable parental consent requirements of COPPA shall be deemed compliant with any obligation to obtain parental consent pursuant to this chapter.
§ 2418. CONSUMER PERSONAL DATA RIGHTS
(a) A consumer shall have the right to:
(1) confirm whether a controller is processing the consumer’s personal data and, if a controller is processing the consumer’s personal data, access the personal data;
(2) know whether a consumer’s personal data is or will be used in any artificial intelligence system and for what purpose;
(3) obtain from a controller a list of third parties to which the controller has disclosed the consumer’s personal data or, if the controller does not maintain this information in a format specific to the consumer, a list of third parties to which the controller has disclosed personal data;
(4) correct inaccuracies in the consumer’s personal data, taking into account the nature of the personal data and the purposes of the processing of the consumer’s personal data;
(5) delete personal data, including derived data, provided by, or obtained about, the consumer unless retention of the personal data is required by law;
(6) obtain a copy of the consumer’s personal data processed by the controller in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another controller without hindrance; and
(7) opt out of the processing of personal data for purposes of:
(A) targeted advertising;
(B) the sale of personal data; or
(C) profiling in furtherance of automated decisions that produce legal or similarly significant effects concerning the consumer.
(b)(1) A consumer may exercise rights under this section by submitting a request to a controller using the method that the controller specifies in the privacy notice under section 2419 of this title.
(2) A controller shall not require a consumer to create an account for the purpose described in subdivision (1) of this subsection, but the controller may require the consumer to use an account the consumer previously created.
(3) A parent or legal guardian may exercise rights under this section on behalf of the parent’s child or on behalf of a child for whom the guardian has legal responsibility. A guardian or conservator may exercise the rights under this section on behalf of a consumer that is subject to a guardianship, conservatorship, or other protective arrangement.
(4)(A) A consumer may designate another person to act on the consumer’s behalf as the consumer’s authorized agent for the purpose of exercising the consumer’s rights under subdivision (a)(5) or (a)(7) of this section.
(B) The consumer may designate an authorized agent by means of an internet link, browser setting, browser extension, global device setting, or other technology that enables the consumer to exercise the consumer’s rights under subdivision (a)(5) or (a)(7) of this section.
(c) Except as otherwise provided in this chapter, a controller shall comply with a request by a consumer to exercise the consumer rights authorized pursuant to this chapter as follows:
(1)(A) A controller shall respond to the consumer without undue delay, but not later than 45 days after receipt of the request.
(B) The controller may extend the response period by 45 additional days when reasonably necessary, considering the complexity and number of the consumer’s requests, provided the controller informs the consumer of the extension within the initial 45-day response period and of the reason for the extension.
(C) If the consumer appointed an agent, the controller shall interact with the agent throughout the process and, with the exclusion of a data access request, not require the consumer to be involved in the fulfillment of the request.
(2) If a controller declines to take action regarding the consumer’s request, the controller shall inform the consumer without undue delay, but not later than 45 days after receipt of the request, of the justification for declining to take action and instructions for how to appeal the decision.
(3)(A) Information provided in response to a consumer request shall be provided by a controller, free of charge, once per consumer during any 12-month period or after every time the controller makes material changes to its personal data practices and policies.
(B) If requests from a consumer are manifestly unfounded, excessive, or repetitive, the controller may charge the consumer a reasonable fee to cover the administrative costs of complying with the request or decline to act on the request.
(C) The controller bears the burden of demonstrating the manifestly unfounded, excessive, or repetitive nature of the request.
(D) When a controller determines a consumer request is manifestly unfounded, excessive, or repetitive, the controller shall inform the consumer and share the controller’s justification prior to disregarding the request or charging the consumer a processing fee. That notice shall include instructions for appealing the decision.
(4)(A) If a controller is unable to authenticate a request to exercise any of the rights afforded under subdivisions (a)(1)–(6) of this section, the controller shall not be required to comply with a request to initiate an action pursuant to this section and shall provide notice to the consumer or the consumer’s agent that the controller is unable to authenticate the request to exercise the right or rights until the consumer provides additional information reasonably necessary to authenticate the consumer and the consumer’s request to exercise the right or rights.
(B) A controller shall not require authentication to exercise an opt-out request, but a controller may deny an opt-out request if the controller has a good faith, reasonable, and documented belief that the request is fraudulent.
(C) If a controller denies an opt-out request because the controller believes the request is fraudulent, the controller shall send a notice to the person who made the request disclosing that the controller believes the request is fraudulent, why the controller believes the request is fraudulent, and that the controller shall not comply with the request. If the request was placed through an agent, both the agent and the person who appointed the agent shall receive that notice.
(5) A controller shall not condition the exercise of a right under this section through:
(A) the use of any false, fictitious, fraudulent, or materially misleading statement or representation; or
(B) the employment of any dark pattern.
(d) A controller shall establish a process by means of which a consumer may appeal the controller’s refusal to take action on a request under subsection (b) of this section. The controller’s process shall:
(1) Allow a reasonable period of time after the consumer receives the controller’s refusal within which to appeal.
(2) Be conspicuously available to the consumer.
(3) Be similar to the manner in which a consumer must submit a request under subsection (b) of this section.
(4) Require the controller to approve or deny the appeal within 45 days after the date on which the controller received the appeal and to notify the consumer in writing of the controller’s decision and the reasons for the decision. If the controller denies the appeal, the notice must provide or specify information that enables the consumer to contact the Attorney General to submit a complaint.
(e) Nothing in this section shall be construed to require a controller to reveal a trade secret.
(f) In response to a consumer request under subdivision (a)(1) of this section, a controller shall not disclose the following information about a consumer, but shall instead inform the consumer with sufficient particularity that the controller has collected that type of information:
(1) Social Security number;
(2) driver’s license number or other government-issued identification number;
(3) financial account number;
(4) health insurance account number or medical identification number;
(5) account password, security questions, or answers; or
(6) biometric data.
(g)(1) A controller may use the following types of information to display a contextual advertisement:
(A) technical specifications as are necessary for the ad to be delivered and displayed properly on a given device;
(B) a consumer’s immediate presence in a geographic area with a radius not smaller than 10 miles, or an area reasonably estimated to include online activity from at least 5,000 users, but not including precise geolocation data; and
(C) the consumer’s language preferences, as inferred from context, browser settings, or user settings.
(2) A controller using information pursuant to subdivision (1) of this subsection to display a contextual advertisement shall not use that information to make inferences about a consumer, profile a consumer, or for any other purpose, and the controller shall not prohibit a consumer from using technical means to obfuscate or change a consumer’s physical location to specify a language preference.
§ 2419. DUTIES OF CONTROLLERS
(a) A controller shall:
(1) limit the collection and processing of personal data to what is reasonably necessary and proportionate to provide or maintain:
(A) a specific product or service requested by the consumer to whom the data pertains; and
(B) a communication, that is not an advertisement, by the controller to the consumer that is reasonably anticipated within the context of the relationship between the controller and the consumer;
(2) establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data appropriate to the volume and nature of the personal data at issue, including disposing of personal data in accordance with a retention schedule that requires the deletion of personal data when the data is required to be deleted by law or is no longer necessary for the purpose for which the data was collected or processed; and
(3) provide an effective mechanism for a consumer to withdraw consent provided pursuant to this chapter that is at least as easy as the mechanism by which the consumer provided the consent.
(b)(1) A controller that offers any online service, product, or feature to a consumer whom the controller knows is a minor shall:
(A) use reasonable care to avoid any heightened risk of harm to minors caused by processing of personal data in the course of providing the online service, product, or feature;
(B) provide to the minor a conspicuous signal indicating that the controller is collecting the minor’s precise geolocation data and make the signal available to the minor for the entire duration of the collection of the minor’s precise geolocation data; and
(C) not process the personal data of a minor for the purposes of targeted advertising or sell the personal data of a minor.
(2) For purposes of this subsection, “knows” means a controller knew or should have known the consumer is a minor, including based on:
(A) information collected about the age of the consumer; or
(B) any age or closely related proxy the business knows or has inferred, derived, attributed to, or associated with the consumer for any purpose, including marketing, advertising, or product development.
(3) Nothing in this chapter shall be construed to require:
(A) the affirmative collection of any personal data with respect to the age of users that a controller is not already collecting in the normal course of business; or
(B) a controller to implement an age gating or age verification functionality.
(c) A controller shall not:
(1) process sensitive data concerning a consumer except when the processing is strictly necessary to provide or maintain a specific product or service requested by the consumer to whom the sensitive data pertains;
(2) sell sensitive data;
(3) discriminate or retaliate against a consumer who exercises a right provided to the consumer under this chapter or refuses to consent to the processing of personal data for a separate product or service, including by:
(A) denying goods or services;
(B) charging different prices or rates for goods or services; or
(C) providing a different level of quality or selection of goods or services to the consumer;
(4) process personal data in violation of State or federal laws that prohibit unlawful discrimination; or
(5)(A) except as provided in subdivision (B) of this subdivision (5), process a consumer’s personal data in a manner that discriminates against individuals or otherwise makes unavailable the equal enjoyment of goods or services on the basis of an individual’s actual or perceived race, color, sex, sexual orientation or gender identity, physical or mental disability, religion, ancestry, or national origin;
(B) subdivision (A) of this subdivision (5) shall not apply to:
(i) a private establishment, as that term is used in 42 U.S.C. § 2000a(e) (prohibition against discrimination or segregation in places of public accommodation);
(ii) processing for the purpose of a controller’s or processor’s self-testing to prevent or mitigate unlawful discrimination or otherwise to ensure compliance with State or federal law; or
(iii) processing for the purpose of diversifying an applicant, participant, or consumer pool.
(d) Subsections (a)–(c) of this section shall not be construed to:
(1) require a controller to provide a good or service that requires personal data from a consumer that the controller does not collect or maintain; or
(2) prohibit a controller from offering a different price, rate, level of quality, or selection of goods or services to a consumer, including an offer for no fee or charge, in connection with a consumer’s participation, with consent, in a financial incentive program, such as a bona fide loyalty, rewards, premium features, discount, or club card program, provided that the controller may not transfer personal data to a third party as part of the program unless:
(A) the transfer is necessary to enable the third party to provide a benefit to which the consumer is entitled; and
(B)(i) the terms of the program clearly disclose that personal data will be transferred to the third party or to a category of third parties of which the third party belongs; and
(ii) the third party uses the personal data only for purposes of facilitating a benefit to which the consumer is entitled and does not process or transfer the personal data for any other purpose.
(e) The sale of personal data shall not be considered functionally necessary to provide a financial incentive program. A controller shall not use financial incentive practices that are unjust, unreasonable, coercive, or usurious in nature.
(f)(1) A controller shall provide to consumers a reasonably accessible, clear, and meaningful privacy notice that:
(A) lists the categories of personal data, including the categories of sensitive data, that the controller processes with a clear description of what data each category includes;
(B) describes the controller’s purposes for processing each category of personal data the controller processes in a way that gives consumers a meaningful understanding of how each category of their personal data will be used;
(C) describes how a consumer may exercise the consumer’s rights under this chapter, including how a consumer may appeal a controller’s denial of a consumer’s request under section 2418 of this title;
(D) lists all categories of personal data, including the categories of sensitive data, that the controller sells or shares with third parties;
899+(E) describes all categories of third parties with which the controller 13
900+sells or shares personal data at a level of detail that enables the consumer to 14
901+understand what type of entity each third party is and, to the extent possible, 15
902+how each third party may process personal data; 16
903+(F) describes the length of time the controller intends to retain each 17
904+category of personal data or, if it is not possible to identify the length of time, 18
905+the criteria used to determine the length of time the controller intends to retain 19
906+categories of personal data; 20 BILL AS INTRODUCED S.71
907+2025 Page 38 of 64
908+
909+
910+VT LEG #380777 v.1
911+(G) specifies an email address or other online method by which a 1
912+consumer can contact the controller that the controller actively monitors; 2
913+(H) identifies the controller, including any business name under 3
914+which the controller registered with the Secretary of State and any assumed 4
915+business name that the controller uses in this State; 5
916+(I) describes any collection, processing, selling, or sharing of 6
917+personal data for training or use of artificial intelligence systems, if applicable; 7
918+(J) provides a clear and conspicuous description of any processing of 8
919+personal data in which the controller engages for the purposes of targeted 9
920+advertising, sale of personal data to third parties, or profiling the consumer in 10
921+furtherance of decisions that produce legal or similarly significant effects 11
922+concerning the consumer, and a procedure by which the consumer may opt out 12
923+of this type of processing; and 13
924+(K) describes the method or methods the controller has established 14
925+for a consumer to submit a request under subdivision 2418(b)(1) of this title. 15
926+(2) The privacy notice shall adhere to the accessibility and usability 16
927+guidelines recommended under 42 U.S.C. chapter 126 (the Americans with 17
928+Disabilities Act) and 29 U.S.C. § 794d (section 508 of the Rehabilitation Act 18
929+of 1973), including ensuring readability for individuals with disabilities across 19
930+various screen resolutions and devices and employing design practices that 20
931+facilitate easy comprehension and navigation for all users. 21 BILL AS INTRODUCED S.71
932+2025 Page 39 of 64
933+
934+
935+VT LEG #380777 v.1
936+(3) Whenever a controller makes a material change to the controller’s 1
937+privacy notice or practices, the controller must notify consumers affected by 2
938+the material change with respect to any prospectively collected personal data 3
939+and provide a reasonable opportunity for consumers to withdraw consent to 4
940+any further materially different transfer of previously collected personal data 5
941+under the changed policy. The controller shall take all reasonable electronic 6
942+measures to provide notification regarding material changes to affected 7
943+consumers, taking into account available technology and the nature of the 8
944+relationship. 9
945+(4) A controller is not required to provide a separate Vermont-specific 10
946+privacy notice or section of a privacy notice if the controller’s general privacy 11
947+notice contains all the information required by this subsection. 12
948+(5) The privacy notice must be posted online through a conspicuous 13
949+hyperlink using the word “privacy” or “surveillance,” or both words if 14
950+applicable, on the controller’s website home page or on a mobile application’s 15
951+app store page or download page. A controller that maintains an application 16
952+on a mobile or other device shall also include a hyperlink to the privacy notice 17
953+in the application’s settings menu or in a similarly conspicuous and accessible 18
954+location. A controller that does not operate a website shall make the privacy 19
955+notice conspicuously available to consumers through a medium regularly used 20
956+by the controller to interact with consumers, including email. 21 BILL AS INTRODUCED S.71
957+2025 Page 40 of 64
958+
959+
960+VT LEG #380777 v.1
961+(g) The method or methods under subdivision (f)(1)(J) of this section for 1
962+submitting a consumer’s request to a controller must: 2
963+(1) take into account the ways in which consumers normally interact 3
964+with the controller, the need for security and reliability in communications 4
965+related to the request, and the controller’s ability to authenticate the identity of 5
966+the consumer that makes the request; 6
967+(2) provide a clear and conspicuous link to a website where the 7
968+consumer or an authorized agent may opt out from a controller’s processing of 8
969+the consumer’s personal data pursuant to subdivision 2418(a)(7) of this title or, 9
970+solely if the controller does not have a capacity needed for linking to a web 10
971+page, provide another method the consumer can use to opt out, which may 11
972+include an internet hyperlink clearly labeled “Your Opt-Out Rights” or “Your 12
973+Privacy Rights” that directly effectuates the opt-out request or takes consumers 13
974+to a web page where the consumer can make the opt-out request; and 14
975+(3) allow a consumer or authorized agent to send a signal to the 15
976+controller that indicates the consumer’s preference to opt out of the sale of 16
977+personal data or targeted advertising pursuant to subdivision 2418(a)(7) of this 17
978+title by means of a platform, technology, or mechanism that: 18
979+(A) is consumer friendly and easy for an average consumer to use; 19 BILL AS INTRODUCED S.71
980+2025 Page 41 of 64
981+
982+
983+VT LEG #380777 v.1
984+(B)(i) enables the controller to reasonably determine whether the 1
985+consumer has made a legitimate request pursuant to subsection 2418(b) of this 2
986+title to opt out pursuant to subdivision 2418(a)(7) of this title; and 3
987+(ii) for purposes of subdivision (i) of this subdivision (B), use of 4
988+an internet protocol address to estimate the consumer’s location may be 5
989+considered sufficient to accurately determine residency. 6
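Review bot: Subdivision (g)(3)(B)(ii) is internally inconsistent: it says an IP address may be used to "estimate" location and then that this "may be considered sufficient to accurately determine residency". IP geolocation is coarse (VPN exit nodes, mobile-carrier gateways, and shared or carrier-grade NAT addresses routinely resolve to a location far from the consumer), so "accurately determine" overstates it. Suggest keeping the weaker formulation throughout, e.g. "may be considered a reasonable basis for estimating residency", so a controller is not invited to treat a mismatched IP geolocation as proof that an opt-out signal is illegitimate.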
990+(h) If a consumer or authorized agent uses a method under subdivision 7
991+(f)(1)(J) of this section to opt out of a controller’s processing of the consumer’s 8
992+personal data pursuant to subdivision 2418(a)(7) of this title and the decision 9
993+conflicts with a consumer’s existing controller-specific privacy setting or 10
994+voluntary participation in a bona fide reward, club card, or loyalty program or 11
995+a program that provides premium features or discounts, the controller shall 12
996+comply with the consumer’s opt-out preference signal but may notify the 13
997+consumer of the conflict and provide to the consumer the choice to confirm the 14
998+controller-specific privacy setting or participation in the program. 15
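Review bot: The cross-reference "subdivision (f)(1)(J)" at the start of (g) and again in (h) appears to point one item too early. (f)(1)(K) is the item that "describes the method or methods the controller has established for a consumer to submit a request under subdivision 2418(b)(1)", while (J) is the disclosure of targeted advertising, sale, and profiling together with an opt-out procedure. Either (g) and (h) should cite (f)(1)(K), or, if the intent is to regulate only the (J) opt-out procedure, the opening clause of (g) ("for submitting a consumer's request to a controller") should be narrowed to match.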
999+§ 2420. DUTIES OF PROCESSORS 16
1000+(a) A processor shall adhere to a controller’s instructions and shall assist 17
1001+the controller in meeting the controller’s obligations under this chapter. In 18
1002+assisting the controller, the processor must: 19
1003+(1) enable the controller to respond to requests from consumers pursuant 20
1004+to subsection 2418(b) of this title by means that: 21 BILL AS INTRODUCED S.71
1005+2025 Page 42 of 64
1006+
1007+
1008+VT LEG #380777 v.1
1009+(A) take into account how the processor processes personal data and 1
1010+the information available to the processor; and 2
1011+(B) use appropriate technical and organizational measures to the 3
1012+extent reasonably practicable; 4
1013+(2) adopt administrative, technical, and physical safeguards that are 5
1014+reasonably designed to protect the security and confidentiality of the personal 6
1015+data the processor processes, taking into account how the processor processes 7
1016+the personal data and the information available to the processor; and 8
1017+(3) provide information reasonably necessary for the controller to 9
1018+conduct and document data protection assessments. 10
1019+(b) Processing by a processor must be governed by a contract between the 11
1020+controller and the processor. The contract must: 12
1021+(1) be valid and binding on both parties; 13
1022+(2) set forth clear instructions for processing data, the nature and 14
1023+purpose of the processing, the type of data that is subject to processing, 15
1024+limitations, and the duration of the processing; 16
1025+(3) specify the rights and obligations of both parties with respect to the 17
1026+subject matter of the contract; 18
1027+(4) ensure that each person that processes personal data is subject to a 19
1028+duty of confidentiality with respect to the personal data; 20 BILL AS INTRODUCED S.71
1029+2025 Page 43 of 64
1030+
1031+
1032+VT LEG #380777 v.1
1033+(5) require the processor to delete the personal data or return the 1
1034+personal data to the controller at the controller’s direction or at the end of the 2
1035+provision of services, unless a law requires the processor to retain the personal 3
1036+data; 4
1037+(6) require the processor to make available to the controller, at the 5
1038+controller’s request, all information the controller needs to verify that the 6
1039+processor has complied with all obligations the processor has under this 7
1040+chapter; 8
1041+(7) require the processor to enter into a subcontract with a person the 9
1042+processor engages to assist with processing personal data on the controller’s 10
1043+behalf and in the subcontract require the subcontractor to meet the processor’s 11
1044+obligations concerning personal data; 12
1045+(8)(A) allow the controller, the controller’s designee, or a qualified and 13
1046+independent person the processor engages, in accordance with an appropriate 14
1047+and accepted control standard, framework, or procedure, to assess the 15
1048+processor’s policies and technical and organizational measures for complying 16
1049+with the processor’s obligations under this chapter; 17
1050+(B) require the processor to cooperate with the assessment; and 18
1051+(C) at the controller’s request, report the results of the assessment to 19
1052+the controller; 20 BILL AS INTRODUCED S.71
1053+2025 Page 44 of 64
1054+
1055+
1056+VT LEG #380777 v.1
1057+(9) prohibit the processor from combining personal data obtained from 1
1058+the controller with personal data that the processor: 2
1059+(A) receives from or on behalf of another controller or person; or 3
1060+(B) collects directly from an individual; and 4
1061+(10) require the processor to adhere to equivalent or greater de-5
1062+identification standards. 6
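Review bot: Subdivision (b)(10) requires the processor to adhere to "equivalent or greater de-identification standards" without saying equivalent to what; the comparator is missing, so the clause cannot be checked in a contract review. Suggest naming the baseline, e.g. "de-identification standards equivalent to or greater than those the controller must meet under section 2422 of this title".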
1063+(c) This section does not relieve a controller or processor from any liability 7
1064+that accrues under this chapter as a result of the controller’s or processor’s 8
1065+actions in processing personal data. 9
1066+(d)(1) For purposes of determining obligations under this chapter, a person 10
1067+is a controller with respect to processing a set of personal data and is subject to 11
1068+an action under section 2424 of this title to punish a violation of this chapter, if 12
1069+the person: 13
1070+(A) does not adhere to a controller’s instructions to process the 14
1071+personal data; or 15
1072+(B) begins at any point to determine the purposes and means for 16
1073+processing the personal data, alone or in concert with another person. 17
1074+(2) A determination under this subsection is a fact-based determination 18
1075+that must take account of the context in which a set of personal data is 19
1076+processed. 20 BILL AS INTRODUCED S.71
1077+2025 Page 45 of 64
1078+
1079+
1080+VT LEG #380777 v.1
1081+(3) A processor that adheres to a controller’s instructions with respect to 1
1082+a specific processing of personal data remains a processor. 2
1083+§ 2421. DATA PROTECTION ASSESSMENTS FOR PROCESSING 3
1084+ ACTIVITIES THAT PRESENT A HEIGHTENED RISK OF HARM 4
1085+ TO A CONSUMER 5
1086+(a) A controller shall conduct and document a data protection assessment 6
1087+for each of the controller’s processing activities that presents a heightened risk 7
1088+of harm to a consumer, which, for the purposes of this section, includes: 8
1089+(1) the processing of personal data for the purposes of targeted 9
1090+advertising; 10
1091+(2) the sale of personal data; 11
1092+(3) the processing of personal data for the purposes of profiling, where 12
1093+the profiling presents a reasonably foreseeable risk of: 13
1094+(A) unfair or deceptive treatment of, or unlawful disparate impact on, 14
1095+consumers; 15
1096+(B) financial, physical, or reputational injury to consumers; 16
1097+(C) a physical or other intrusion upon the solitude or seclusion, or the 17
1098+private affairs or concerns, of consumers, where the intrusion would be 18
1099+offensive to a reasonable person; or 19
1100+(D) other substantial injury to consumers; and 20
1101+(4) the processing of sensitive data. 21 BILL AS INTRODUCED S.71
1102+2025 Page 46 of 64
1103+
1104+
1105+VT LEG #380777 v.1
1106+(b)(1) Data protection assessments conducted pursuant to subsection (a) of 1
1107+this section shall: 2
1108+(A) identify the categories of personal data processed, the purposes 3
1109+for processing the personal data, and whether the personal data is being 4
1110+transferred to third parties; and 5
1111+(B) identify and weigh the benefits that may flow, directly and 6
1112+indirectly, from the processing to the controller, the consumer, other 7
1113+stakeholders, and the public against the potential risks to the consumer 8
1114+associated with the processing, as mitigated by safeguards that can be 9
1115+employed by the controller to reduce the risks. 10
1116+(2) The controller shall factor into any data protection assessment the 11
1117+use of de-identified data and the reasonable expectations of consumers, as well 12
1118+as the context of the processing and the relationship between the controller and 13
1119+the consumer whose personal data will be processed. 14
1120+(c)(1) The Attorney General may require that a controller disclose any data 15
1121+protection assessment that is relevant to an investigation conducted by the 16
1122+Attorney General pursuant to section 2424 of this title, and the controller shall 17
1123+make the data protection assessment available to the Attorney General. 18
1124+(2) The Attorney General may evaluate the data protection assessment 19
1125+for compliance with the responsibilities set forth in this chapter. 20 BILL AS INTRODUCED S.71
1126+2025 Page 47 of 64
1127+
1128+
1129+VT LEG #380777 v.1
1130+(3) Data protection assessments shall be confidential and shall be 1
1131+exempt from disclosure and copying under the Public Records Act. 2
1132+(4) To the extent any information contained in a data protection 3
1133+assessment disclosed to the Attorney General includes information subject to 4
1134+attorney-client privilege or work product protection, the disclosure shall not 5
1135+constitute a waiver of the privilege or protection. 6
1136+(d) A single data protection assessment may address a comparable set of 7
1137+processing operations that present a similar heightened risk of harm. 8
1138+(e) If a controller conducts a data protection assessment for the purpose of 9
1139+complying with another applicable law or regulation, the data protection 10
1140+assessment shall be deemed to satisfy the requirements established in this 11
1141+section if the data protection assessment is reasonably similar in scope and 12
1142+effect to the data protection assessment that would otherwise be conducted 13
1143+pursuant to this section. 14
1144+(f) A controller shall update the data protection assessment as often as 15
1145+appropriate considering the type, amount, and sensitivity of personal data 16
1146+collected or processed and level of risk presented by the processing throughout 17
1147+the processing activity’s lifecycle in order to: 18
1148+(1) monitor for harm caused by the processing and adjust safeguards 19
1149+accordingly; and 20 BILL AS INTRODUCED S.71
1150+2025 Page 48 of 64
1151+
1152+
1153+VT LEG #380777 v.1
1154+(2) ensure that data protection and privacy are considered as the 1
1155+controller makes new decisions with respect to the processing. 2
1156+(g) A controller shall retain for at least three years all data protection 3
1157+assessments the controller conducts under this section. 4
1158+§ 2422. DE-IDENTIFIED DATA 5
1159+(a) A controller in possession of de-identified data shall: 6
1160+(1) take reasonable measures to ensure that the data cannot be used to 7
1161+reidentify an identified or identifiable individual or be associated with an 8
1162+individual or device that identifies or is linked or reasonably linkable to an 9
1163+individual or household; 10
1164+(2) publicly commit to maintaining and using de-identified data without 11
1165+attempting to reidentify the data; and 12
1166+(3) contractually obligate any recipients of the de-identified data to 13
1167+comply with the provisions of this chapter. 14
1168+(b) This section does not prohibit a controller from attempting to reidentify 15
1169+de-identified data solely for the purpose of testing the controller’s methods for 16
1170+de-identifying data. 17
1171+(c) This chapter shall not be construed to require a controller or processor 18
1172+to: 19
1173+(1) reidentify de-identified data; 20 BILL AS INTRODUCED S.71
1174+2025 Page 49 of 64
1175+
1176+
1177+VT LEG #380777 v.1
1178+(2) maintain data in identifiable form, or collect, obtain, retain, or access 1
1179+any data or technology, in order to associate a consumer with personal data in 2
1180+order to authenticate the consumer’s request under subsection 2418(b) of this 3
1181+title; or 4
1182+(3) comply with an authenticated consumer rights request if the 5
1183+controller: 6
1184+(A) is not reasonably capable of associating the request with the 7
1185+personal data or it would be unreasonably burdensome for the controller to 8
1186+associate the request with the personal data; and 9
1187+(B) does not use the personal data to recognize or respond to the 10
1188+specific consumer who is the subject of the personal data or associate the 11
1189+personal data with other personal data about the same specific consumer. 12
1190+(d) A controller that discloses or transfers de-identified data shall exercise 13
1191+reasonable oversight to monitor compliance with any contractual commitments 14
1192+to which the de-identified data is subject and shall take appropriate steps to 15
1193+address any breaches of those contractual commitments. 16
1194+§ 2423. CONSTRUCTION OF DUTIES OF CONTROLLERS AND 17
1195+ PROCESSORS 18
1196+(a) This chapter shall not be construed to restrict a controller’s, processor’s, 19
1197+or consumer health data controller’s ability to: 20 BILL AS INTRODUCED S.71
1198+2025 Page 50 of 64
1199+
1200+
1201+VT LEG #380777 v.1
1202+(1) comply with federal, state, or municipal laws, ordinances, or 1
1203+regulations, except as prohibited by 1 V.S.A. § 150; 2
1204+(2) comply with a civil, criminal, or regulatory inquiry, investigation, 3
1205+subpoena, or summons by federal, state, municipal, or other governmental 4
1206+authorities; 5
1207+(3) cooperate with law enforcement agencies concerning conduct or 6
1208+activity that the controller, processor, or consumer health data controller 7
1209+reasonably and in good faith believes may violate federal, state, or municipal 8
1210+laws, ordinances, or regulations; 9
1211+(4) carry out obligations under a contract under subsection 2420(b) of 10
1212+this title for a federal or State agency or local unit of government; 11
1213+(5) investigate, establish, exercise, prepare for, or defend legal claims; 12
1214+(6) provide a product or service specifically requested by the consumer 13
1215+to whom the personal data pertains consistent with section 2419 of this title; 14
1216+(7) perform under a contract to which a consumer is a party, including 15
1217+fulfilling the terms of a written warranty; 16
1218+(8) take steps at the request of a consumer prior to entering into a 17
1219+contract; 18
1220+(9) take immediate steps to protect an interest that is essential for the life 19
1221+or physical safety of the consumer or another individual, and where the 20
1222+processing cannot be manifestly based on another legal basis; 21 BILL AS INTRODUCED S.71
1223+2025 Page 51 of 64
1224+
1225+
1226+VT LEG #380777 v.1
1227+(10) prevent, detect, protect against, or respond to a network security or 1
1228+physical security incident, including an intrusion or trespass, medical alert, or 2
1229+fire alarm; 3
1230+(11) prevent, detect, protect against, or respond to identity theft, fraud, 4
1231+harassment, malicious or deceptive activity, or any criminal activity targeted at 5
1232+or involving the controller or processor or its services, preserve the integrity or 6
1233+security of systems, or investigate, report, or prosecute those responsible for 7
1234+the action; 8
1235+(12) assist another controller, processor, consumer health data 9
1236+controller, or third party with any of the obligations under this chapter; 10
1237+(13) process personal data for reasons of public interest in the area of 11
1238+public health, community health, or population health, but solely to the extent 12
1239+that the processing is: 13
1240+(A) subject to suitable and specific measures to safeguard the rights 14
1241+of the consumer whose personal data is being processed; and 15
1242+(B) under the responsibility of a professional subject to 16
1243+confidentiality obligations under federal, state, or local law; 17
1244+(14) effectuate a product recall; or 18
1245+(15) process personal data previously collected in accordance with this 19
1246+chapter such that the personal data becomes de-identified data, including to: 20 BILL AS INTRODUCED S.71
1247+2025 Page 52 of 64
1248+
1249+
1250+VT LEG #380777 v.1
1251+(A) conduct internal research to develop, improve, or repair products, 1
1252+services, or technology; 2
1253+(B) identify and repair technical errors that impair existing or 3
1254+intended functionality; 4
1255+(C) perform internal operations that are reasonably aligned with the 5
1256+expectations of the consumer or reasonably anticipated based on the 6
1257+consumer’s existing relationship with the controller, or are otherwise 7
1258+compatible with processing data in furtherance of the provision of a product or 8
1259+service specifically requested by a consumer or the performance of a contract 9
1260+to which the consumer is a party; or 10
1261+(D) conduct a public or peer-reviewed scientific, historical, or 11
1262+statistical research project that is in the public interest and adheres to all 12
1263+relevant laws and regulations governing such research, including regulations 13
1264+for the protection of human subjects. 14
1265+(b)(1) The obligations imposed on controllers, processors, or consumer 15
1266+health data controllers under this chapter shall not apply where compliance by 16
1267+the controller, processor, or consumer health data controller with this chapter 17
1268+would violate an evidentiary privilege under the laws of this State. 18
1269+(2) This chapter shall not be construed to prevent a controller, processor, 19
1270+or consumer health data controller from providing personal data concerning a 20 BILL AS INTRODUCED S.71
1271+2025 Page 53 of 64
1272+
1273+
1274+VT LEG #380777 v.1
1275+consumer to a person covered by an evidentiary privilege under the laws of the 1
1276+State as part of a privileged communication. 2
1277+(3) Nothing in this chapter modifies 2020 Acts and Resolves No. 166, 3
1278+Sec. 14 or authorizes the use of facial recognition technology by law 4
1279+enforcement. 5
1280+(c)(1) A controller, processor, or consumer health data controller that 6
1281+discloses personal data to a processor or third-party controller pursuant to this 7
1282+chapter shall not be deemed to have violated this chapter if the processor or 8
1283+third-party controller that receives and processes the personal data violates this 9
1284+chapter, provided that at the time the disclosing controller, processor, or 10
1285+consumer health data controller disclosed the personal data, the disclosing 11
1286+controller, processor, or consumer health data controller did not have actual 12
1287+knowledge that the receiving processor or third-party controller would violate 13
1288+this chapter. 14
1289+(2) A third-party controller or processor receiving personal data from a 15
1290+controller, processor, or consumer health data controller in compliance with 16
1291+this chapter is not in violation of this chapter for the transgressions of the 17
1292+controller, processor, or consumer health data controller from which the third-18
1293+party controller or processor receives the personal data. 19
1294+(d) This chapter shall not be construed to: 20 BILL AS INTRODUCED S.71
1295+2025 Page 54 of 64
1296+
1297+
1298+VT LEG #380777 v.1
1299+(1) impose any obligation on a controller, processor, or consumer health 1
1300+data controller that adversely affects the rights or freedoms of any person, 2
1301+including the rights of any person: 3
1302+(A) to freedom of speech or freedom of the press guaranteed in the 4
1303+First Amendment to the U.S. Constitution; or 5
1304+(B) under 12 V.S.A. § 1615; 6
1305+(2) apply to any person’s processing of personal data in the course of the 7
1306+person’s solely personal or household activities; 8
1307+(3) require an independent school as defined in 16 V.S.A. § 11(a)(8) or a 9
1308+private institution of higher education, as defined in 20 U.S.C. § 1001 et seq., 10
1309+to delete personal data or opt out of processing of personal data that would 11
1310+unreasonably interfere with the provision of education services by or the 12
1311+ordinary operation of the school or institution; 13
1312+(4) require, for employee data, deletion of personal data that would 14
1313+unreasonably interfere with the ordinary business operations of the controller 15
1314+or unreasonably adversely affect the rights of another employee, including 16
1315+under this chapter or pursuant to the protections set forth in 21 V.S.A 17
1316+chapter 5; or 18
1317+(5) require, for processors acting on the behalf of a federal, State, tribal, 19
1318+or local government entity, deletion of personal data or opt out of the 20
1319+processing of personal data that would unreasonably interfere with the 21 BILL AS INTRODUCED S.71
1320+2025 Page 55 of 64
1321+
1322+
1323+VT LEG #380777 v.1
1324+provision of government services by or the ordinary operation of a government 1
1325+entity. 2
1326+(e)(1) Personal data processed by a controller or consumer health data 3
1327+controller pursuant to this section may be processed to the extent that the 4
1328+processing is: 5
1329+(A)(i) reasonably necessary and proportionate to the purposes listed 6
1330+in this section; or 7
1331+(ii) in the case of sensitive data, strictly necessary to the purposes 8
1332+listed in this section; 9
1333+(B) adequate, relevant, and limited to what is necessary in relation to 10
1334+the specific purposes listed in this section; and 11
1335+(C) compliant with the antidiscrimination provisions set forth in 12
1336+subdivision 2419(c)(5) of this title. 13
1337+(2)(A) Personal data collected, used, or retained pursuant to subsection 14
1338+(b) of this section shall, where applicable, take into account the nature and 15
1339+purpose or purposes of the collection, use, or retention. 16
1340+(B) Personal data collected, used, or retained pursuant to subsection 17
1341+(b) of this section shall be subject to reasonable administrative, technical, and 18
1342+physical measures to protect the confidentiality, integrity, and accessibility of 19
1343+the personal data and to reduce reasonably foreseeable risks of harm to 20
1344+consumers relating to the collection, use, or retention of personal data. 21 BILL AS INTRODUCED S.71
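Review bot: In (e)(2)(A) and (B), the reference to "subsection (b) of this section" looks wrong: subsection (b) is the evidentiary-privilege carve-out, while the processing purposes that (e)(1) and (f) govern are the exemptions listed in subsection (a), and (e)(1) itself says "pursuant to this section". Separately, (e)(2)(A) makes "Personal data" the party that "shall ... take into account the nature and purpose", which a data set cannot do; the controller's collection, use, or retention should be the subject. Suggest "(A) A controller that collects, uses, or retains personal data pursuant to subsection (a) of this section shall, where applicable, take into account ..." and the parallel fix in (B).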
1345+2025 Page 56 of 64
1346+
1347+
1348+VT LEG #380777 v.1
1349+(f) If a controller or consumer health data controller processes personal data 1
1350+pursuant to an exemption in this section, the controller or consumer health data 2
1351+controller bears the burden of demonstrating that the processing qualifies for 3
1352+the exemption and complies with the requirements in subsection (e) of this 4
1353+section. 5
1354+(g) This chapter shall not be construed to require a controller, processor, or 6
1355+consumer health data controller to implement an age-verification or age-gating 7
1356+system or otherwise affirmatively collect the age of consumers. 8
1357+§ 2424. ENFORCEMENT; ATTORNEY GENERAL’S POWERS 9
1358+(a) A person who violates this chapter or rules adopted pursuant to this 10
1359+chapter commits an unfair and deceptive act in commerce in violation of 11
1360+section 2453 of this title, and the Attorney General shall have exclusive 12
1361+authority to enforce such violations except as provided in subsection (d) of this 13
1362+section. 14
1363+(b) The Attorney General has the same authority to adopt rules to 15
1364+implement the provisions of this section and to conduct civil investigations, 16
1365+enter into assurances of discontinuance, bring civil actions, and take other 17
1366+enforcement actions as provided under chapter 63, subchapter 1 of this title. 18
1367+(c)(1) If the Attorney General determines that a violation of this chapter or 19
1368+rules adopted pursuant to this chapter may be cured, the Attorney General may, 20
1369+prior to initiating any action for the violation, issue a notice of violation 21 BILL AS INTRODUCED S.71
1370+2025 Page 57 of 64
1371+
1372+
1373+VT LEG #380777 v.1
1374+extending a 60-day cure period to the controller, processor, or consumer health
1375+data controller alleged to have violated this chapter or rules adopted pursuant
1376+to this chapter.
1377+(2) The Attorney General may, in determining whether to grant a
1378+controller, processor, or consumer health data controller the opportunity to
1379+cure an alleged violation described in subdivision (1) of this subsection,
1380+consider:
1381+(A) the number of violations;
1382+(B) the size and complexity of the controller, processor, or consumer
1383+health data controller;
1384+(C) the nature and extent of the controller’s, processor’s, or consumer
1385+health data controller’s processing activities;
1386+(D) the substantial likelihood of injury to the public;
1387+(E) the safety of persons or property;
1388+(F) whether the alleged violation was likely caused by human or
1389+technical error; and
1390+(G) the sensitivity of the data.
1391+(d)(1) The private right of action available to a consumer for violations of
1392+this chapter or rules adopted pursuant to this chapter shall be exclusively as
1393+provided under this subsection.
1398+(2)(A) Subject to the requirements of subdivisions (3) and (4) of this
1399+subsection (d), a consumer who is harmed by a data broker’s or large data
1400+holder’s violation of subsection 2419(c) of this title or section 2425 of this title
1401+may bring an action under subsection 2461(b) of this title in Superior Court
1402+for:
1403+(i) the greater of $5,000.00 or actual damages;
1404+(ii) injunctive relief;
1405+(iii) punitive damages, in the case of an intentional violation;
1406+(iv) reasonable costs and attorney’s fees; and
1407+(v) any other relief the court deems proper.
1408+(B) No action may be taken under subsection 2461(b) of this title:
1409+(i) for a violation of any provision of this chapter or rules adopted
1410+pursuant to this chapter other than what is specifically permitted in subdivision
1411+(A) of this subdivision (2); or
1412+(ii) against a controller that is registered in the State and that
1413+earned less than $25 million in revenue in the previous calendar year.
1414+(3) At least 65 days prior to the filing of any action pursuant to
1415+subdivision (2)(A) of this subsection, the consumer shall:
1416+(A) only once notify the Attorney General of the alleged harm in a
1417+form and manner prescribed by the Attorney General, which, at minimum,
1422+shall require the name of the consumer and a reasonable description of the
1423+alleged violation and the harm suffered; and
1424+(B) mail to the alleged violator a written demand letter that identifies
1425+the consumer and reasonably describes the alleged violation and the harm
1426+suffered, unless the alleged violator does not maintain a place of business in
1427+Vermont or does not keep assets in Vermont.
1428+(4) Within 65 days after receiving the notice required by subdivision
1429+(3)(A) of this subsection, the Attorney General shall review the alleged harm to
1430+determine whether the claim is frivolous or nonfrivolous.
1431+(A) If the Attorney General determines that the claim is frivolous, the
1432+Attorney General shall notify the consumer in writing, and the consumer is
1433+prohibited from proceeding with an action under subsection 2461(b) of this
1434+title for the alleged harm.
1435+(B) If the Attorney General determines that the claim is nonfrivolous
1436+or does not issue a determination within 65 days after receiving notice, the
1437+consumer may proceed with an action pursuant to subdivision (2)(A) of this
1438+subsection (d).
1439+(e) Annually, on or before February 1, the Attorney General shall submit a
1440+report to the General Assembly disclosing:
1441+(1) the number of notices of violation the Attorney General has issued;
1442+(2) the nature of each violation;
1447+(3) the number of violations that were cured during the available cure
1448+period;
1449+(4) the number of actions brought under subsection (d) of this section;
1450+(5) the proportion of actions brought under subsection (d) of this section
1451+that proceed to trial;
1452+(6) the data brokers or large data holders most frequently sued under
1453+subsection (d) of this section; and
1454+(7) any other matter the Attorney General deems relevant for the
1455+purposes of the report.
1456+§ 2425. CONFIDENTIALITY OF CONSUMER HEALTH DATA
1457+Except as provided in subsections 2417(a) and (b) of this title and section
1458+2423 of this title, no person shall:
1459+(1) provide any employee or contractor with access to consumer health
1460+data unless the employee or contractor is subject to a contractual or statutory
1461+duty of confidentiality;
1462+(2) provide any processor with access to consumer health data unless the
1463+person and processor comply with section 2420 of this title; or
1464+(3) use a geofence to establish a virtual boundary that is within 1,850
1465+feet of any health care facility, including any mental health facility or
1466+reproductive or sexual health facility, for the purpose of identifying, tracking,
1471+collecting data from, or sending any notification to a consumer regarding the
1472+consumer’s consumer health data.
1473+Sec. 2. PUBLIC EDUCATION AND OUTREACH; ATTORNEY GENERAL
1474+STUDY
1475+(a) The Attorney General shall implement a comprehensive public
1476+education, outreach, and assistance program for controllers and processors as
1477+those terms are defined in 9 V.S.A. § 2415. The program shall focus on:
1478+(1) the requirements and obligations of controllers and processors under
1479+the Vermont Data Privacy and Online Surveillance Act;
1480+(2) data protection assessments under 9 V.S.A. § 2421;
1481+(3) enhanced protections that apply to children, minors, sensitive data,
1482+or consumer health data as those terms are defined in 9 V.S.A. § 2415;
1483+(4) a controller’s obligations to law enforcement agencies and the
1484+Attorney General’s office;
1485+(5) methods for conducting data inventories; and
1486+(6) any other matters the Attorney General deems appropriate.
1487+(b) The Attorney General shall provide guidance to controllers for
1488+establishing data privacy notices and opt-out mechanisms, which may be in the
1489+form of templates.
1494+(c) The Attorney General shall implement a comprehensive public
1495+education, outreach, and assistance program for consumers as that term is
1496+defined in 9 V.S.A. § 2415. The program shall focus on:
1497+(1) the rights afforded consumers under the Vermont Data Privacy and
1498+Online Surveillance Act, including:
1499+(A) the methods available for exercising data privacy rights; and
1500+(B) the opt-out mechanism available to consumers;
1501+(2) the obligations controllers have to consumers;
1502+(3) different treatment of children, minors, and other consumers under
1503+the Act, including the different consent mechanisms in place for children and
1504+other consumers;
1505+(4) understanding a privacy notice provided under the Act;
1506+(5) the different enforcement mechanisms available under the Act,
1507+including the consumer’s private right of action; and
1508+(6) any other matters the Attorney General deems appropriate.
1509+(d) The Attorney General shall cooperate with states with comparable data
1510+privacy regimes to develop any outreach, assistance, and education programs,
1511+where appropriate.
1512+(e) The Attorney General may have the assistance of the Vermont Law and
1513+Graduate School in developing education, outreach, and assistance programs
1514+under this section.
1519+(f) On or before December 15, 2027, the Attorney General shall assess the
1520+effectiveness of the implementation of the Act and submit a report to the
1521+House Committees on Commerce and Economic Development and on Energy
1522+and Digital Infrastructure and the Senate Committees on Economic
1523+Development, Housing and General Affairs and on Institutions with its
1524+findings and recommendations, including any proposed draft legislation to
1525+address issues that have arisen since implementation.
1526+Sec. 3. 9 V.S.A. § 2416(a) is amended to read:
1527+(a) Except as provided in subsection (b) of this section, this chapter applies
1528+to a person that conducts business in this State or a person that produces
1529+products or services that are targeted to residents of this State and that during
1530+the preceding calendar year:
1531+(1) controlled or processed the personal data of not fewer than 25,000
1532+12,500 consumers, excluding personal data controlled or processed solely for
1533+the purpose of completing a payment transaction; or
1534+(2) controlled or processed the personal data of not fewer than 12,500
1535+6,250 consumers and derived more than 25 20 percent of the person’s gross
1536+revenue from the sale of personal data.
1537+Sec. 4. 9 V.S.A. § 2416(a) is amended to read:
1538+(a) Except as provided in subsection (b) of this section, this chapter applies
1539+to a person that conducts business in this State or a person that produces
1544+products or services that are targeted to residents of this State and that during
1545+the preceding calendar year:
1546+(1) controlled or processed the personal data of not fewer than 12,500
1547+6,250 consumers, excluding personal data controlled or processed solely for
1548+the purpose of completing a payment transaction; or
1549+(2) controlled or processed the personal data of not fewer than 6,250
1550+3,125 consumers and derived more than 20 percent of the person’s gross
1551+revenue from the sale of personal data.
1552+Sec. 5. EFFECTIVE DATES
1553+(a) This section and Sec. 2 (public education and outreach) shall take effect
1554+on July 1, 2025.
1555+(b) Sec. 1 (Vermont Data Privacy and Online Surveillance Act) shall take
1556+effect on July 1, 2026.
1557+(c) Sec. 3 (Vermont Data Privacy Online Surveillance Act middle
1558+applicability threshold) shall take effect on July 1, 2027.
1559+(d) Sec. 4 (Vermont Data Privacy Online Surveillance Act low
1560+applicability threshold) shall take effect on July 1, 2028.