Vermont 2025-2026 Regular Session

Vermont Senate Bill S0093

BILL AS INTRODUCED S.93
2025
VT LEG #380226 v.1

S.93

Introduced by Senators Chittenden, Beck, Cummings, Mattos and Ram Hinsdale

Referred to Committee on

Date:

Subject: Commerce and trade; consumer protection; data privacy

Statement of purpose of bill as introduced: This bill proposes to provide data privacy protections to Vermonters.

An act relating to consumer data privacy

It is hereby enacted by the General Assembly of the State of Vermont:
Sec. 1. 9 V.S.A. chapter 61A is added to read:

CHAPTER 61A. VERMONT DATA PRIVACY ACT

§ 2415. DEFINITIONS

As used in this chapter:

(1) “Abortion” means terminating a pregnancy for any purpose other than producing a live birth.

(2)(A) “Affiliate” means a legal entity that shares common branding with another legal entity or controls, is controlled by, or is under common control with another legal entity.

(B) As used in subdivision (A) of this subdivision (2), “control” or “controlled” means:

(i) ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a company;

(ii) control in any manner over the election of a majority of the directors or of individuals exercising similar functions; or

(iii) the power to exercise controlling influence over the management of a company.

(3) “Authenticate” means to use reasonable means to determine that a request to exercise any of the rights afforded under subdivisions 2418(a)(1)–(4) of this title is being made by, or on behalf of, the consumer who is entitled to exercise the consumer rights with respect to the personal data at issue.

(4)(A) “Biometric data” means personal data generated by automatic measurements of an individual’s unique biological patterns or characteristics that are used to identify a specific individual.

(B) “Biometric data” does not include:

(i) a digital or physical photograph;

(ii) an audio or video recording; or

(iii) any data generated from a digital or physical photograph, or an audio or video recording, unless such data is generated to identify a specific individual.

(5) “Business associate” has the same meaning as in HIPAA.

(6) “Child” has the same meaning as in COPPA.

(7)(A) “Consent” means a clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement to allow the processing of personal data relating to the consumer.

(B) “Consent” may include a written statement, including by electronic means, or any other unambiguous affirmative action.

(C) “Consent” does not include:

(i) acceptance of a general or broad terms of use or similar document that contains descriptions of personal data processing along with other, unrelated information;

(ii) hovering over, muting, pausing, or closing a given piece of content; or

(iii) agreement obtained through the use of dark patterns.

(8)(A) “Consumer” means an individual who is a resident of the State.

(B) “Consumer” does not include an individual acting in a commercial or employment context or as an employee, owner, director, officer, or contractor of a company, partnership, sole proprietorship, nonprofit, or government agency whose communications or transactions with the controller occur solely within the context of that individual’s role with the company, partnership, sole proprietorship, nonprofit, or government agency.

(9) “Consumer health data” means any personal data that a controller uses to identify a consumer’s physical or mental health condition or diagnosis, including gender-affirming health data and reproductive or sexual health data.

(10) “Consumer health data controller” means any controller that, alone or jointly with others, determines the purpose and means of processing consumer health data.

(11) “Controller” means a person who, alone or jointly with others, determines the purpose and means of processing personal data.

(12) “COPPA” means the Children’s Online Privacy Protection Act of 1998, 15 U.S.C. § 6501–6506, and any regulations, rules, guidance, and exemptions adopted pursuant to the act, as the act and regulations, rules, guidance, and exemptions may be amended.

(13) “Covered entity” has the same meaning as in HIPAA.

(14) “Dark pattern” means a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision-making, or choice and includes any practice the Federal Trade Commission refers to as a “dark pattern.”

(15) “Decisions that produce legal or similarly significant effects concerning the consumer” means decisions made by the controller that result in the provision or denial by the controller of financial or lending services, housing, insurance, education enrollment or opportunity, criminal justice, employment opportunities, health care services, or access to essential goods or services.

(16) “De-identified data” means data that does not identify and cannot reasonably be used to infer information about, or otherwise be linked to, an identified or identifiable individual, or a device linked to the individual, if the controller that possesses the data:

(A) takes reasonable measures to ensure that the data cannot be associated with an individual;

(B) publicly commits to process the data only in a de-identified fashion and not attempt to re-identify the data; and

(C) contractually obligates any recipients of the data to satisfy the criteria set forth in subdivisions (A) and (B) of this subdivision (16).

(17) “Gender-affirming health care services” has the same meaning as in 1 V.S.A. § 150.

(18) “Gender-affirming health data” means any personal data concerning a past, present, or future effort made by a consumer to seek, or a consumer’s receipt of, gender-affirming health care services.

(19) “Geofence” means any technology that uses global positioning coordinates, cell tower connectivity, cellular data, radio frequency identification, wireless fidelity technology data, or any other form of location detection, or any combination of such coordinates, connectivity, data, identification, or other form of location detection, to establish a virtual boundary.

(20) “HIPAA” means the Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191, as may be amended.

(21) “Identified or identifiable individual” means an individual who can be readily identified, directly or indirectly.

(22) “Institution of higher education” means any individual who, or school, board, association, limited liability company or corporation that, is licensed or accredited to offer one or more programs of higher learning leading to one or more degrees.

(23) “Mental health facility” means any health care facility in which at least 70 percent of the health care services provided in the facility are mental health services.
(24) “Nonprofit organization” means any organization that is qualified for tax exempt status under I.R.C. § 501(c)(3), 501(c)(4), 501(c)(6), or 501(c)(12), or any corresponding internal revenue code of the United States, as may be amended.
(25) “Person” means an individual, association, company, limited liability company, corporation, partnership, sole proprietorship, trust, or other legal entity.

(26)(A) “Personal data” means any information that is linked or reasonably linkable to an identified or identifiable individual.

(B) “Personal data” does not include de-identified data or publicly available information.

(27)(A) “Precise geolocation data” means information derived from technology, including global positioning system level latitude and longitude coordinates or other mechanisms, that directly identifies the specific location of an individual with precision and accuracy within a radius of 1,750 feet.

(B) “Precise geolocation data” does not include:

(i) the content of communications;

(ii) data generated by or connected to an advanced utility metering infrastructure system; or

(iii) data generated by equipment used by a utility company.

(28) “Process” or “processing” means any operation or set of operations performed, whether by manual or automated means, on personal data or on sets of personal data, such as the collection, use, storage, disclosure, analysis, deletion, or modification of personal data.

(29) “Processor” means a person who processes personal data on behalf of a controller.

(30) “Profiling” means any form of automated processing performed on personal data to evaluate, analyze, or predict personal aspects related to an identified or identifiable individual’s economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.

(31) “Protected health information” has the same meaning as in HIPAA.

(32) “Pseudonymous data” means personal data that cannot be attributed to a specific individual without the use of additional information, provided the additional information is kept separately and is subject to appropriate technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable individual.

(33) “Publicly available information” means information that:

(A) is lawfully made available through federal, state, or local government records or widely distributed media; or

(B) a controller has a reasonable basis to believe that the consumer has lawfully made available to the general public.

(34) “Reproductive or sexual health care” means any health care-related services or products rendered or provided concerning a consumer’s reproductive system or sexual well-being, including any such service or product rendered or provided concerning:

(A) an individual health condition, status, disease, diagnosis, diagnostic test or treatment;

(B) a social, psychological, behavioral, or medical intervention;

(C) a surgery or procedure, including an abortion;

(D) a use or purchase of a medication, including a medication used or purchased for the purposes of an abortion, a bodily function, vital sign, or symptom;

(E) a measurement of a bodily function, vital sign, or symptom; or

(F) an abortion, including medical or nonmedical services, products, diagnostics, counseling, or follow-up services for an abortion.

(35) “Reproductive or sexual health data” means any personal data concerning an effort made by a consumer to seek, or a consumer’s receipt of, reproductive or sexual health care.

(36) “Reproductive or sexual health facility” means any health care facility in which at least 70 percent of the health care-related services or products rendered or provided in the facility are reproductive or sexual health care.

(37)(A) “Sale of personal data” means the exchange of a consumer’s personal data by the controller to a third party for monetary or other valuable consideration.

(B) “Sale of personal data” does not include:

(i) the disclosure of personal data to a processor that processes the personal data on behalf of the controller;

(ii) the disclosure of personal data to a third party for purposes of providing a product or service requested by the consumer;

(iii) the disclosure or transfer of personal data to an affiliate of the controller;

(iv) the disclosure of personal data where the consumer directs the controller to disclose the personal data or intentionally uses the controller to interact with a third party;

(v) the disclosure of personal data that the consumer:

(I) intentionally made available to the general public via a channel of mass media; and

(II) did not restrict to a specific audience; or

(vi) the disclosure or transfer of personal data to a third party as an asset that is part of a merger, acquisition, bankruptcy or other transaction, or a proposed merger, acquisition, bankruptcy, or other transaction, in which the third party assumes control of all or part of the controller’s assets.

(38) “Sensitive data” means personal data that includes:

(A) data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation, or citizenship or immigration status;

(B) consumer health data;

(C) the processing of genetic or biometric data for the purpose of uniquely identifying an individual;

(D) personal data collected from a known child;

(E) data concerning an individual’s status as a victim of crime; and

(F) an individual’s precise geolocation data.

(39)(A) “Targeted advertising” means displaying advertisements to a consumer where the advertisement is selected based on personal data obtained or inferred from that consumer’s activities over time and across nonaffiliated websites or online applications to predict the consumer’s preferences or interests.

(B) “Targeted advertising” does not include:

(i) an advertisement based on activities within the controller’s own commonly branded website or online application;

(ii) an advertisement based on the context of a consumer’s current search query, visit to a website, or use of an online application;

(iii) an advertisement directed to a consumer in response to the consumer’s request for information or feedback; or

(iv) processing personal data solely to measure or report advertising frequency, performance, or reach.

(40) “Third party” means a person, public authority, agency, or body, other than the consumer, controller, or processor or an affiliate of the processor or the controller.

(41) “Trade secret” has the same meaning as in section 4601 of this title.
§ 2416. APPLICABILITY

(a) Except as provided in subsection (b) of this section, this chapter applies to a person that conducts business in this State or a person that produces products or services that are targeted to residents of this State and that during the preceding calendar year:

(1) controlled or processed the personal data of not fewer than 100,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or

(2) controlled or processed the personal data of not fewer than 25,000 consumers and derived more than 25 percent of the person’s gross revenue from the sale of personal data.

(b) Section 2426 of this title and the provisions of this chapter concerning consumer health data and consumer health data controllers apply to a person that conducts business in this State or a person that produces products or services that are targeted to residents of this State.

§ 2417. EXEMPTIONS

(a) Except as provided in subsection (c) of this section, this chapter shall not apply to any:

(1) body, authority, board, bureau, commission, district or agency of this State or of any political subdivision of this State;

(2) person who has entered into a contract with an entity described in subdivision (1) of this subsection to process consumer health data on behalf of the entity;

(3) nonprofit organization;

(4) institution of higher education;

(5) national securities association that is registered under 15 U.S.C. 78o-3 of the Securities Exchange Act of 1934, as may be amended;

(6) financial institution or data subject to Title V of the Gramm-Leach-Bliley Act, Pub. L. No. 106-102, and regulations adopted to implement that act;

(7) covered entity or business associate, as defined in 45 C.F.R. § 160.103;

(8) tribal nation government organization; or

(9) air carrier, as:

(A) defined in 49 U.S.C. § 40102, as may be amended; and

(B) regulated under the Federal Aviation Act of 1958, 49 U.S.C. § 40101 et seq. and the Airline Deregulation Act of 1978, 49 U.S.C. § 41713, as may be amended.

(b) The following information, data, and activities are exempt from this chapter:

(1) protected health information under HIPAA;

(2) patient identifying information that is collected and processed in accordance with 42 C.F.R. Part 2 (confidentiality of substance use disorder patient records);

(3) identifiable private information:

(A) for purposes of the Federal Policy for the Protection of Human Subjects, codified as 45 C.F.R. Part 46 (HHS protection of human subjects) and in various other federal regulations; and

(B) that is otherwise information collected as part of human subjects research pursuant to the good clinical practice guidelines issued by the International Council for Harmonisation of Technical Requirements for Pharmaceuticals for Human Use;

(4) information that identifies a consumer in connection with the protection of human subjects under 21 C.F.R. Parts 6, 50, and 56, or personal data used or shared in research, as defined in 45 C.F.R. § 164.501, that is conducted in accordance with the standards set forth in this subdivision and in subdivision (3) of this subsection, or other research conducted in accordance with applicable law;

(5) information or documents created for the purposes of the Healthcare Quality Improvement Act of 1986, 42 U.S.C. §§ 11101–11152, and regulations adopted to implement that act;

(6) patient safety work product that is created for purposes of improving patient safety under 42 C.F.R. Part 3 (patient safety organizations and patient safety work product);

(7) information or documents created for the purposes of the Healthcare Quality Improvement Act of 1986, 42 U.S.C. §§ 11101–11152, and regulations adopted to implement that act;

(8) information derived from any of the health care-related information listed in this subsection that is de-identified in accordance with the requirements for de-identification pursuant to HIPAA;

(9) information originating from and intermingled to be indistinguishable with, or information treated in the same manner as, information exempt under this subsection that is maintained by a covered entity or business associate, program, or qualified service organization, as specified in 42 U.S.C. § 290dd-2, as may be amended;

(10) information used for public health activities and purposes as authorized by HIPAA, community health activities, and population health activities;

(11) the collection, maintenance, disclosure, sale, communication, or use of any personal information bearing on a consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living by a consumer reporting agency, furnisher, or user that provides information for use in a consumer report, and by a user of a consumer report, but only to the extent that such activity is regulated by and authorized under the Fair Credit Reporting Act, 15 U.S.C. § 1681 et seq., as may be amended;

(12) personal data collected, processed, sold, or disclosed under and in compliance with:

(A) the Driver’s Privacy Protection Act of 1994, 18 U.S.C. § 2721–2725; and

(B) the Farm Credit Act, Pub. L. No. 92-181, as may be amended;

(13) personal data regulated by the Family Educational Rights and Privacy Act, 20 U.S.C. § 1232g, as may be amended;

(14) data processed or maintained:

(A) in the course of an individual applying to, employed by, or acting as an agent or independent contractor of a controller, processor, consumer health data controller, or third party, to the extent that the data is collected and used within the context of that role;
(B) as the emergency contact information of a consumer pursuant to this chapter, used for emergency contact purposes; or
(C) that is necessary to retain to administer benefits for another individual relating to the individual who is the subject of the information pursuant to subdivision (1) of this subsection (b) and used for the purposes of administering such benefits; and

(15) personal data collected, processed, sold, or disclosed in relation to price, route, or service, as such terms are used in the Federal Aviation Act of 1958, 49 U.S.C. § 40101 et seq., as may be amended, and the Airline Deregulation Act of 1978, 49 U.S.C. § 41713, as may be amended.

(c) Controllers, processors, and consumer health data controllers that comply with the verifiable parental consent requirements of COPPA shall be deemed compliant with any obligation to obtain parental consent pursuant to this chapter.
§ 2418. CONSUMER RIGHTS; COMPLIANCE BY CONTROLLERS; APPEALS

(a) A consumer shall have the right to:

(1) confirm whether or not a controller is processing the consumer’s personal data and access the personal data, unless the confirmation or access would require the controller to reveal a trade secret;

(2) correct inaccuracies in the consumer’s personal data, taking into account the nature of the personal data and the purposes of the processing of the consumer’s personal data;

(3) delete personal data provided by, or obtained about, the consumer;

(4) obtain a copy of the consumer’s personal data processed by the controller, in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another controller without hindrance, where the processing is carried out by automated means, provided the controller shall not be required to reveal any trade secret; and

(5) opt out of the processing of the personal data for purposes of:

(A) targeted advertising;

(B) the sale of personal data, except as provided in subsection 2420(b) of this title; or

(C) profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer.

(b)(1) A consumer may exercise rights under this section by a secure and reliable means established by the controller and described to the consumer in the controller’s privacy notice.

(2) A consumer may designate an authorized agent in accordance with section 2419 of this title to exercise the rights of the consumer to opt out of the processing of the consumer’s personal data for purposes of subdivision (a)(5) of this section on behalf of the consumer.

(3) In the case of processing personal data of a known child, the parent or legal guardian may exercise the consumer rights on the child’s behalf.

(4) In the case of processing personal data concerning a consumer subject to a guardianship, conservatorship, or other protective arrangement, the guardian or the conservator of the consumer may exercise the rights on the consumer’s behalf.

(c) Except as otherwise provided in this chapter, a controller shall comply with a request by a consumer to exercise the consumer rights authorized pursuant to this chapter as follows:

(1)(A) A controller shall respond to the consumer without undue delay, but not later than 45 days after receipt of the request.

(B) The controller may extend the response period by 45 additional days when reasonably necessary, considering the complexity and number of the consumer’s requests, provided the controller informs the consumer of the extension within the initial 45-day response period and of the reason for the extension.

(2) If a controller declines to take action regarding the consumer’s request, the controller shall inform the consumer without undue delay, but not later than 45 days after receipt of the request, of the justification for declining to take action and instructions for how to appeal the decision.

(3)(A) Information provided in response to a consumer request shall be provided by a controller, free of charge, once per consumer during any 12-month period.

(B) If requests from a consumer are manifestly unfounded, excessive, or repetitive, the controller may charge the consumer a reasonable fee to cover the administrative costs of complying with the request or decline to act on the request.

(C) The controller bears the burden of demonstrating the manifestly unfounded, excessive, or repetitive nature of the request.

(4)(A) If a controller is unable to authenticate a request to exercise any of the rights afforded under subdivisions (a)(1)–(4) of this section using commercially reasonable efforts, the controller shall not be required to comply with a request to initiate an action pursuant to this section and shall provide notice to the consumer that the controller is unable to authenticate the request to exercise the right or rights until the consumer provides additional information reasonably necessary to authenticate the consumer and the consumer’s request to exercise the right or rights.

(B) A controller shall not be required to authenticate an opt-out request, but a controller may deny an opt-out request if the controller has a good faith, reasonable, and documented belief that the request is fraudulent.

(C) If a controller denies an opt-out request because the controller believes the request is fraudulent, the controller shall send a notice to the person who made the request disclosing that the controller believes the request is fraudulent, why the controller believes the request is fraudulent, and that the controller shall not comply with the request.

(5) A controller that has obtained personal data about a consumer from a source other than the consumer shall be deemed in compliance with a consumer’s request to delete the data pursuant to subdivision (a)(3) of this section by:

(A) retaining a record of the deletion request and the minimum data necessary for the purpose of ensuring the consumer’s personal data remains deleted from the controller’s records and not using the retained data for any other purpose pursuant to the provisions of this chapter; or

(B) opting the consumer out of the processing of the personal data for any purpose except for those exempted pursuant to the provisions of this chapter.

(d)(1) A controller shall establish a process for a consumer to appeal the controller’s refusal to take action on a request within a reasonable period of time after the consumer’s receipt of the decision.

(2) The appeal process shall be conspicuously available and similar to the process for submitting requests to initiate action pursuant to this section.

(3) Not later than 60 days after receipt of an appeal, a controller shall inform the consumer in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions.

(4) If the appeal is denied, the controller shall also provide the consumer with an online mechanism, if available, or other method through which the consumer may contact the Attorney General to submit a complaint.
§ 2419. AUTHORIZED AGENTS AND CONSUMER OPT-OUT
(a) A consumer may designate another person to serve as the consumer’s authorized agent, and act on the consumer’s behalf, to opt out of the processing of the consumer’s personal data for one or more of the purposes specified in subdivision 2418(a)(5) of this title.
(b) The consumer may designate an authorized agent by way of, among other things, a technology, including an internet link or a browser setting, browser extension, or global device setting, indicating the consumer’s intent to opt out of the processing.
(c) A controller shall comply with an opt-out request received from an authorized agent if the controller is able to verify, with commercially reasonable effort, the identity of the consumer and the authorized agent’s authority to act on the consumer’s behalf.
§ 2420. CONTROLLERS’ DUTIES; SALE OF PERSONAL DATA TO THIRD PARTIES; NOTICE AND DISCLOSURE TO CONSUMERS; CONSUMER OPT-OUT
(a) A controller:
(1) shall limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which the data is processed, as disclosed to the consumer;
(2) except as otherwise provided in this chapter, shall not process personal data for purposes that are neither reasonably necessary to, nor compatible with, the disclosed purposes for which the personal data is processed, as disclosed to the consumer, unless the controller obtains the consumer’s consent;
(3) shall establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data appropriate to the volume and nature of the personal data at issue;
(4) shall not process sensitive data concerning a consumer without obtaining the consumer’s consent or, in the case of the processing of sensitive data concerning a known child, without processing the data in accordance with COPPA;
(5) shall not process personal data in violation of the laws of this State and federal laws that prohibit unlawful discrimination against consumers;
(6) shall provide an effective mechanism for a consumer to revoke the consumer’s consent under this section that is at least as easy as the mechanism by which the consumer provided the consumer’s consent and, upon revocation of the consent, cease to process the data as soon as practicable, but not later than 15 days after the receipt of the request;
(7) shall not process the personal data of a consumer for purposes of targeted advertising, or sell the consumer’s personal data without the consumer’s consent, under circumstances where a controller has actual knowledge, and willfully disregards, that the consumer is at least 13 years of age but younger than 16 years of age; and
(8) shall not discriminate against a consumer for exercising any of the consumer rights contained in this chapter, including denying goods or services, charging different prices or rates for goods or services, or providing a different level of quality of goods or services to the consumer.
(b) Subsection (a) of this section shall not be construed to require a controller to provide a product or service that requires the personal data of a consumer that the controller does not collect or maintain, or prohibit a controller from offering a different price, rate, level, quality, or selection of goods or services to a consumer, including offering goods or services for no fee if the offering is in connection with a consumer’s voluntary participation in a bona fide loyalty, rewards, premium features, discounts, or club card program.
(c) A controller shall provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes:
(1) the categories of personal data processed by the controller;
(2) the purpose for processing personal data;
(3) how consumers may exercise their consumer rights, including how a consumer may appeal a controller’s decision with regard to the consumer’s request;
(4) the categories of personal data that the controller shares with third parties, if any;
(5) the categories of third parties, if any, with which the controller shares personal data; and
(6) an active email address or other online mechanism that the consumer may use to contact the controller.
(d) If a controller sells personal data to third parties or processes personal data for targeted advertising, the controller shall clearly and conspicuously disclose the processing, as well as the manner in which a consumer may exercise the right to opt out of the processing.
(e)(1) A controller shall establish, and shall describe in a privacy notice, one or more secure and reliable means for consumers to submit a request to exercise their consumer rights pursuant to this chapter.
(2) The means shall take into account the ways in which consumers normally interact with the controller, the need for secure and reliable communication of the requests, and the ability of the controller to verify the identity of the consumer making the request.
(3) A controller shall not require a consumer to create a new account in order to exercise consumer rights but may require a consumer to use an existing account.
(4)(A) The means shall include:
(i) providing a clear and conspicuous link on the controller’s website to a web page that enables a consumer, or an agent of the consumer, to opt out of the targeted advertising or sale of the consumer’s personal data; and
(ii) not later than January 1, 2026, allowing a consumer to opt out of any processing of the consumer’s personal data for the purposes of targeted advertising, or any sale of the personal data, through an opt-out preference signal sent to the controller with the consumer’s consent indicating the consumer’s intent to opt out of any of the processing or sale, by a platform, technology, or other mechanism that shall:
(I) not unfairly disadvantage another controller;
(II) not make use of a default setting, but rather require the consumer to make an affirmative, freely given, and unambiguous choice to opt out of any processing of the consumer’s personal data pursuant to this chapter;
(III) be consumer-friendly and easy to use by the average consumer;
(IV) be as consistent as possible with any other similar platform, technology, or mechanism required by any federal or State law or regulation; and
(V) enable the controller to accurately determine whether the consumer is a resident of this State and whether the consumer has made a legitimate request to opt out of any sale of the consumer’s personal data or targeted advertising.
(B) If a consumer’s decision to opt out of any processing of the consumer’s personal data for the purposes of targeted advertising, or any sale of the personal data, through an opt-out preference signal sent in accordance with the provisions of subdivision (A) of this subdivision (e)(4) conflicts with the consumer’s existing controller-specific privacy setting or voluntary participation in a controller’s bona fide loyalty, rewards, premium features, discounts, or club card program, the controller shall comply with the consumer’s opt-out preference signal but may notify the consumer of the conflict and provide to the consumer the choice to confirm the controller-specific privacy setting or participation in the program.
(5) If a controller responds to consumer opt-out requests received pursuant to subdivision (4)(A) of this subsection by informing the consumer of a charge for the use of any product or service, the controller shall present the terms of any financial incentive offered pursuant to subsection (b) of this section for the retention, use, sale, or sharing of the consumer’s personal data.
§ 2421. PROCESSORS’ DUTIES; CONTRACTS BETWEEN CONTROLLERS AND PROCESSORS
(a) A processor shall adhere to the instructions of a controller and shall assist the controller in meeting the controller’s obligations under this chapter, including:
(1) taking into account the nature of processing and the information available to the processor, by appropriate technical and organizational measures, to the extent reasonably practicable, to fulfill the controller’s obligation to respond to consumer rights requests;
(2) taking into account the nature of processing and the information available to the processor, by assisting the controller in meeting the controller’s obligations in relation to the security of processing the personal data and in relation to the notification of a data broker security breach or security breach, as defined in section 2430 of this title, of the system of the processor, in order to meet the controller’s obligations; and
(3) providing necessary information to enable the controller to conduct and document data protection assessments.
(b)(1) A contract between a controller and a processor shall govern the processor’s data processing procedures with respect to processing performed on behalf of the controller.
(2) The contract shall be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties.
(3) The contract shall require that the processor:
(A) ensure that each person processing personal data is subject to a duty of confidentiality with respect to the data;
(B) at the controller’s direction, delete or return all personal data to the controller as requested at the end of the provision of services, unless retention of the personal data is required by law;
(C) upon the reasonable request of the controller, make available to the controller all information in its possession necessary to demonstrate the processor’s compliance with the obligations in this chapter;
(D) after providing the controller an opportunity to object, engage any subcontractor pursuant to a written contract that requires the subcontractor to meet the obligations of the processor with respect to the personal data; and
(E) make available to the controller upon the reasonable request of the controller, all information in the processor’s possession necessary to demonstrate the processor’s compliance with this chapter.
(4) A processor shall provide a report of an assessment to the controller upon request.
(c) This section shall not be construed to relieve a controller or processor from the liabilities imposed on the controller or processor by virtue of the controller’s or processor’s role in the processing relationship, as described in this chapter.
(d)(1) Determining whether a person is acting as a controller or processor with respect to a specific processing of data is a fact-based determination that depends upon the context in which personal data is to be processed.
(2) A person who is not limited in the person’s processing of personal data pursuant to a controller’s instructions, or who fails to adhere to the instructions, is a controller and not a processor with respect to a specific processing of data.
(3) A processor that continues to adhere to a controller’s instructions with respect to a specific processing of personal data remains a processor.
(4) If a processor begins, alone or jointly with others, determining the purposes and means of the processing of personal data, the processor is a controller with respect to the processing and may be subject to an enforcement action under section 2425 of this title.
§ 2422. CONTROLLERS’ DATA PROTECTION ASSESSMENTS; DISCLOSURE TO ATTORNEY GENERAL
(a) A controller shall conduct and document a data protection assessment for each of the controller’s processing activities that presents a heightened risk of harm to a consumer, which for the purposes of this section includes:
(1) the processing of personal data for the purposes of targeted advertising;
(2) the sale of personal data;
(3) the processing of personal data for the purposes of profiling, where the profiling presents a reasonably foreseeable risk of:
(A) unfair or deceptive treatment of, or unlawful disparate impact on, consumers;
(B) financial, physical, or reputational injury to consumers;
(C) a physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumers, where the intrusion would be offensive to a reasonable person; or
(D) other substantial injury to consumers; and
(4) the processing of sensitive data.
(b)(1) Data protection assessments conducted pursuant to subsection (a) of this section shall identify and weigh the benefits that may flow, directly and indirectly, from the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with the processing, as mitigated by safeguards that can be employed by the controller to reduce the risks.
(2) The controller shall factor into any data protection assessment the use of de-identified data and the reasonable expectations of consumers, as well as the context of the processing and the relationship between the controller and the consumer whose personal data will be processed.
(c)(1) The Attorney General may require that a controller disclose any data protection assessment that is relevant to an investigation conducted by the Attorney General, and the controller shall make the data protection assessment available to the Attorney General.
(2) The Attorney General may evaluate the data protection assessment for compliance with the responsibilities set forth in this chapter.
(3) Data protection assessments shall be confidential and shall be exempt from disclosure and copying under the Public Records Act.
(4) To the extent any information contained in a data protection assessment disclosed to the Attorney General includes information subject to attorney-client privilege or work product protection, the disclosure shall not constitute a waiver of the privilege or protection.
(d) A single data protection assessment may address a comparable set of processing operations that include similar activities.
(e) If a controller conducts a data protection assessment for the purpose of complying with another applicable law or regulation, the data protection assessment shall be deemed to satisfy the requirements established in this section if the data protection assessment is reasonably similar in scope and effect to the data protection assessment that would otherwise be conducted pursuant to this section.
(f) Data protection assessment requirements shall apply to processing activities created or generated after July 1, 2025 and are not retroactive.
§ 2423. DE-IDENTIFIED AND PSEUDONYMOUS DATA; CONTROLLERS’ DUTIES; EXCEPTIONS; APPLICABILITY OF CONSUMERS’ RIGHTS; DISCLOSURE AND OVERSIGHT
(a) A controller in possession of de-identified data shall:
(1) take reasonable measures to ensure that the data cannot be associated with an individual;
(2) publicly commit to maintaining and using de-identified data without attempting to re-identify the data; and
(3) contractually obligate any recipients of the de-identified data to comply with the provisions of this chapter.
(b) This chapter shall not be construed to:
(1) require a controller or processor to re-identify de-identified data or pseudonymous data; or
(2) maintain data in identifiable form, or collect, obtain, retain, or access any data or technology, in order to be capable of associating an authenticated consumer request with personal data.
(c) This chapter shall not be construed to require a controller or processor to comply with an authenticated consumer rights request if the controller:
(1) is not reasonably capable of associating the request with the personal data or it would be unreasonably burdensome for the controller to associate the request with the personal data;
(2) does not use the personal data to recognize or respond to the specific consumer who is the subject of the personal data, or associate the personal data with other personal data about the same specific consumer; and
(3) does not sell the personal data to any third party or otherwise voluntarily disclose the personal data to any third party other than a processor, except as otherwise permitted in this section.
(d) The rights afforded under subdivisions 2418(a)(1)–(4) of this title shall not apply to pseudonymous data in cases where the controller is able to demonstrate that any information necessary to identify the consumer is kept separately and is subject to effective technical and organizational controls that prevent the controller from accessing the information.
(e) A controller that discloses pseudonymous data or de-identified data shall exercise reasonable oversight to monitor compliance with any contractual commitments to which the pseudonymous data or de-identified data is subject and shall take appropriate steps to address any breaches of those contractual commitments.
§ 2424. CONSTRUCTION OF CONTROLLERS’ AND PROCESSORS’ DUTIES
(a) This chapter shall not be construed to restrict a controller’s, processor’s, or consumer health data controller’s ability to:
(1) comply with federal, state, or municipal laws, ordinances, or regulations;
(2) comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, municipal, or other governmental authorities;
(3) cooperate with law enforcement agencies concerning conduct or activity that the controller, processor, or consumer health data controller reasonably and in good faith believes may violate federal, state, or municipal laws, ordinances, or regulations;
(4) investigate, establish, exercise, prepare for, or defend legal claims;
(5) provide a product or service specifically requested by a consumer;
(6) perform under a contract to which a consumer is a party, including fulfilling the terms of a written warranty;
(7) take steps at the request of a consumer prior to entering into a contract;
(8) take immediate steps to protect an interest that is essential for the life or physical safety of the consumer or another individual, and where the processing cannot be manifestly based on another legal basis;
(9) prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious, or deceptive activities or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for the action;
(10) engage in public or peer-reviewed scientific or statistical research in the public interest that adheres to all other applicable ethics and privacy laws and is approved, monitored, and governed by an institutional review board that determines, or similar independent oversight entities that determine:
(A) whether the deletion of the information is likely to provide substantial benefits that do not exclusively accrue to the controller;
(B) the expected benefits of the research outweigh the privacy risks; and
(C) whether the controller or consumer health data controller has implemented reasonable safeguards to mitigate privacy risks associated with research, including any risks associated with re-identification;
(11) assist another controller, processor, consumer health data controller, or third party with any of the obligations under this chapter; or
(12) process personal data for reasons of public interest in the area of public health, community health, or population health, but solely to the extent that the processing is:
(A) subject to suitable and specific measures to safeguard the rights of the consumer whose personal data is being processed; and
(B) under the responsibility of a professional subject to confidentiality obligations under federal, state, or local law.
(b) The obligations imposed on controllers, processors, or consumer health data controllers under this chapter shall not restrict a controller’s, processor’s, or consumer health data controller’s ability to collect, use, or retain data for internal use to:
(1) conduct internal research to develop, improve, or repair products, services, or technology;
(2) effectuate a product recall;
(3) identify and repair technical errors that impair existing or intended functionality; or
(4) perform internal operations that are reasonably aligned with the expectations of the consumer or reasonably anticipated based on the consumer’s existing relationship with the controller or consumer health data controller, or are otherwise compatible with processing data in furtherance of the provision of a product or service specifically requested by a consumer or the performance of a contract to which the consumer is a party.
(c)(1) The obligations imposed on controllers, processors, or consumer health data controllers under this chapter shall not apply where compliance by the controller, processor, or consumer health data controller with this chapter would violate an evidentiary privilege under the laws of this State.
(2) This chapter shall not be construed to prevent a controller, processor, or consumer health data controller from providing personal data concerning a consumer to a person covered by an evidentiary privilege under the laws of the State as part of a privileged communication.
(d)(1) A controller, processor, or consumer health data controller that discloses personal data to a processor or third-party controller pursuant to this chapter shall not be deemed to have violated this chapter if the processor or third-party controller that receives and processes the personal data violates this chapter, provided, at the time the disclosing controller, processor, or consumer health data controller disclosed the personal data, the disclosing controller, processor, or consumer health data controller did not have actual knowledge that the receiving processor or third-party controller would violate this chapter.
(2) A third-party controller or processor receiving personal data from a controller, processor, or consumer health data controller in compliance with this chapter is not in violation of this chapter for the transgressions of the controller, processor, or consumer health data controller from which the third-party controller or processor receives the personal data.
(e) This chapter shall not be construed to:
(1) impose any obligation on a controller or processor that adversely affects the rights or freedoms of any person, including the rights of any person:
(A) to freedom of speech or freedom of the press guaranteed in the First Amendment to the United States Constitution; or
(B) under 12 V.S.A. § 1615;
(2) apply to any person’s processing of personal data in the course of the person’s purely personal or household activities; or
(3) require an independent school as defined in 16 V.S.A. § 11(a)(8) or a private institution of higher education, as defined in 20 U.S.C. § 1001 et seq., to delete personal data or opt out of processing of personal data that would unreasonably interfere with the provision of education services by or the ordinary operation of the school or institution.
(f)(1) Personal data processed by a controller or consumer health data controller pursuant to this section may be processed to the extent that the processing is:
(A) reasonably necessary and proportionate to the purposes listed in this section; and
(B) adequate, relevant, and limited to what is necessary in relation to the specific purposes listed in this section.
(2)(A) Personal data collected, used, or retained pursuant to subsection (b) of this section shall, where applicable, take into account the nature and purpose or purposes of the collection, use, or retention.
(B) The data shall be subject to reasonable administrative, technical, and physical measures to protect the confidentiality, integrity, and accessibility of the personal data and to reduce reasonably foreseeable risks of harm to consumers relating to the collection, use, or retention of personal data.
(g) If a controller or consumer health data controller processes personal data pursuant to an exemption in this section, the controller or consumer health data controller bears the burden of demonstrating that the processing qualifies for the exemption and complies with the requirements in subsection (f) of this section.
(h) Processing personal data for the purposes expressly identified in this section shall not solely make a legal entity a controller or consumer health data controller with respect to the processing.
985985 § 2425. ENFORCEMENT BY ATTORNEY GENERAL; NOTICE OF 4
986986 VIOLATION; CURE PERIOD; REPORT; PENALTY 5
987987 (a) The Attorney General shall have exclusive authority to enforce 6
988988 violations of this chapter. 7
989989 (b)(1) During the period beginning on July 1, 2025 and ending on 8
990990 December 31, 2026, the Attorney General shall, prior to initiating any action 9
991991 for a violation of any provision of this chapter, issue a notice of violation to the 10
992992 controller or consumer health data controller if the Attorney General 11
993993 determines that a cure is possible. 12
994994 (2) If the controller or consumer health data controller fails to cure the 13
995995 violation within 60 days after receipt of the notice of violation, the Attorney 14
996996 General may bring an action pursuant to this section. 15
997997 (3) Annually, on or before February 1, the Attorney General shall 16
998998 submit a report to the General Assembly disclosing: 17
999999 (A) the number of notices of violation the Attorney General has 18
10001000 issued; 19
10011001 (B) the nature of each violation; 20 BILL AS INTRODUCED S.93
10021002 2025 Page 42 of 45
10031003
10041004
10051005 VT LEG #380226 v.1
(C) the number of violations that were cured during the available cure period; and

(D) any other matter the Attorney General deems relevant for the purposes of the report.

(c) Beginning on January 1, 2027, the Attorney General may, in determining whether to grant a controller or processor the opportunity to cure an alleged violation described in subsection (b) of this section, consider:

(1) the number of violations;

(2) the size and complexity of the controller or processor;

(3) the nature and extent of the controller's or processor's processing activities;

(4) the substantial likelihood of injury to the public;

(5) the safety of persons or property;

(6) whether the alleged violation was likely caused by human or technical error; and

(7) the sensitivity of the data.

(d) This chapter shall not be construed as providing the basis for, or be subject to, a private right of action for violations of this chapter or any other law.

(e) Subject to the exception in subsection (f) of this section, a violation of the requirements of this chapter shall constitute an unfair and deceptive act in commerce in violation of section 2453 of this title and shall be enforced solely by the Attorney General, provided that a consumer private right of action under subsection 2461(b) of this title shall not apply to the violation.
(f) The Attorney General shall provide guidance to controllers and processors for compliance with the terms of the Vermont Data Privacy Act. Any processor or controller that, in the opinion of the Attorney General, materially complies with the guidance provided by the Attorney General shall not constitute an unfair and deceptive act in commerce.

§ 2426. CONSUMER HEALTH DATA PRIVACY

(a) Except as provided in subsections (b) and (c) of this section and subsections 2417(b) and (c) of this title, no person shall:

(1) provide any employee or contractor with access to consumer health data unless the employee or contractor is subject to a contractual or statutory duty of confidentiality;

(2) provide any processor with access to consumer health data unless the person and processor comply with section 2421 of this title;

(3) use a geofence to establish a virtual boundary that is within 1,750 feet of any health care facility, including any mental health facility or reproductive or sexual health facility, for the purpose of identifying, tracking, collecting data from, or sending any notification to a consumer regarding the consumer's consumer health data; or
(4) sell, or offer to sell, consumer health data without first obtaining the consumer's consent.

(b) Notwithstanding section 2416 of this title, subsection (a) of this section, and the provisions of sections 2415–2425 of this title, inclusive, concerning consumer health data and consumer health data controllers, apply to persons that conduct business in this state and persons that produce products or services that are targeted to residents of this state.

(c) Subsection (a) of this section shall not apply to any:

(1) body, authority, board, bureau, commission, district or agency of this State or of any political subdivision of this State;

(2) person who has entered into a contract with an entity described in subdivision (1) of this subsection to process consumer health data on behalf of the entity;

(3) institution of higher education;

(4) national securities association that is registered under 15 U.S.C. 78o-3 of the Securities Exchange Act of 1934, as may be amended;

(5) financial institution or data subject to Title V of the Gramm-Leach-Bliley Act, Pub. L. No. 106-102, and regulations adopted to implement that act;

(6) covered entity or business associate, as defined in 45 C.F.R. § 160.103;

(7) tribal nation government organization; or

(8) air carrier, as:

(A) defined in 49 U.S.C. § 40102, as may be amended; and

(B) regulated under the Federal Aviation Act of 1958, 49 U.S.C. § 40101 et seq. and the Airline Deregulation Act of 1978, 49 U.S.C. § 41713, as may be amended.
Sec. 2. EFFECTIVE DATE

This act shall take effect on July 1, 2026.