BILL AS INTRODUCED S.93 2025 Page 1 of 45 VT LEG #380226 v.1

S.93

Introduced by Senators Chittenden, Beck, Cummings, Mattos and Ram Hinsdale
Referred to Committee on
Date:
Subject: Commerce and trade; consumer protection; data privacy
Statement of purpose of bill as introduced: This bill proposes to provide data privacy protections to Vermonters.

An act relating to consumer data privacy

It is hereby enacted by the General Assembly of the State of Vermont:

Sec. 1. 9 V.S.A. chapter 61A is added to read:

CHAPTER 61A. VERMONT DATA PRIVACY ACT

§ 2415. DEFINITIONS

As used in this chapter:

(1) “Abortion” means terminating a pregnancy for any purpose other than producing a live birth.
(2)(A) “Affiliate” means a legal entity that shares common branding with another legal entity or controls, is controlled by, or is under common control with another legal entity.
  (B) As used in subdivision (A) of this subdivision (2), “control” or “controlled” means:
    (i) ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a company;
    (ii) control in any manner over the election of a majority of the directors or of individuals exercising similar functions; or
    (iii) the power to exercise controlling influence over the management of a company.
(3) “Authenticate” means to use reasonable means to determine that a request to exercise any of the rights afforded under subdivisions 2418(a)(1)–(4) of this title is being made by, or on behalf of, the consumer who is entitled to exercise the consumer rights with respect to the personal data at issue.
(4)(A) “Biometric data” means personal data generated by automatic measurements of an individual’s unique biological patterns or characteristics that are used to identify a specific individual.
  (B) “Biometric data” does not include:
    (i) a digital or physical photograph;
    (ii) an audio or video recording; or
    (iii) any data generated from a digital or physical photograph, or an audio or video recording, unless such data is generated to identify a specific individual.
(5) “Business associate” has the same meaning as in HIPAA.
(6) “Child” has the same meaning as in COPPA.
(7)(A) “Consent” means a clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement to allow the processing of personal data relating to the consumer.
  (B) “Consent” may include a written statement, including by electronic means, or any other unambiguous affirmative action.
  (C) “Consent” does not include:
    (i) acceptance of a general or broad terms of use or similar document that contains descriptions of personal data processing along with other, unrelated information;
    (ii) hovering over, muting, pausing, or closing a given piece of content; or
    (iii) agreement obtained through the use of dark patterns.
(8)(A) “Consumer” means an individual who is a resident of the State.
  (B) “Consumer” does not include an individual acting in a commercial or employment context or as an employee, owner, director, officer, or contractor of a company, partnership, sole proprietorship, nonprofit, or government agency whose communications or transactions with the controller occur solely within the context of that individual’s role with the company, partnership, sole proprietorship, nonprofit, or government agency.
(9) “Consumer health data” means any personal data that a controller uses to identify a consumer’s physical or mental health condition or diagnosis, including gender-affirming health data and reproductive or sexual health data.
(10) “Consumer health data controller” means any controller that, alone or jointly with others, determines the purpose and means of processing consumer health data.
(11) “Controller” means a person who, alone or jointly with others, determines the purpose and means of processing personal data.
(12) “COPPA” means the Children’s Online Privacy Protection Act of 1998, 15 U.S.C. § 6501–6506, and any regulations, rules, guidance, and exemptions adopted pursuant to the act, as the act and regulations, rules, guidance, and exemptions may be amended.
(13) “Covered entity” has the same meaning as in HIPAA.
(14) “Dark pattern” means a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision-making, or choice and includes any practice the Federal Trade Commission refers to as a “dark pattern.”
(15) “Decisions that produce legal or similarly significant effects concerning the consumer” means decisions made by the controller that result in the provision or denial by the controller of financial or lending services, housing, insurance, education enrollment or opportunity, criminal justice, employment opportunities, health care services, or access to essential goods or services.
(16) “De-identified data” means data that does not identify and cannot reasonably be used to infer information about, or otherwise be linked to, an identified or identifiable individual, or a device linked to the individual, if the controller that possesses the data:
  (A) takes reasonable measures to ensure that the data cannot be associated with an individual;
  (B) publicly commits to process the data only in a de-identified fashion and not attempt to re-identify the data; and
  (C) contractually obligates any recipients of the data to satisfy the criteria set forth in subdivisions (A) and (B) of this subdivision (16).
(17) “Gender-affirming health care services” has the same meaning as in 1 V.S.A. § 150.
(18) “Gender-affirming health data” means any personal data concerning a past, present, or future effort made by a consumer to seek, or a consumer’s receipt of, gender-affirming health care services.
(19) “Geofence” means any technology that uses global positioning coordinates, cell tower connectivity, cellular data, radio frequency identification, wireless fidelity technology data, or any other form of location detection, or any combination of such coordinates, connectivity, data, identification, or other form of location detection, to establish a virtual boundary.
(20) “HIPAA” means the Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191, as may be amended.
(21) “Identified or identifiable individual” means an individual who can be readily identified, directly or indirectly.
(22) “Institution of higher education” means any individual who, or school, board, association, limited liability company or corporation that, is licensed or accredited to offer one or more programs of higher learning leading to one or more degrees.
(23) “Mental health facility” means any health care facility in which at least 70 percent of the health care services provided in the facility are mental health services.
(24) “Nonprofit organization” means any organization that is qualified for tax exempt status under I.R.C. § 501(c)(3), 501(c)(4), 501(c)(6), or 501(c)(12), or any corresponding internal revenue code of the United States, as may be amended.
(25) “Person” means an individual, association, company, limited liability company, corporation, partnership, sole proprietorship, trust, or other legal entity.
(26)(A) “Personal data” means any information that is linked or reasonably linkable to an identified or identifiable individual.
  (B) “Personal data” does not include de-identified data or publicly available information.
(27)(A) “Precise geolocation data” means information derived from technology, including global positioning system level latitude and longitude coordinates or other mechanisms, that directly identifies the specific location of an individual with precision and accuracy within a radius of 1,750 feet.
  (B) “Precise geolocation data” does not include:
    (i) the content of communications;
    (ii) data generated by or connected to an advanced utility metering infrastructure system; or
    (iii) data generated by equipment used by a utility company.
(28) “Process” or “processing” means any operation or set of operations performed, whether by manual or automated means, on personal data or on sets of personal data, such as the collection, use, storage, disclosure, analysis, deletion, or modification of personal data.
(29) “Processor” means a person who processes personal data on behalf of a controller.
(30) “Profiling” means any form of automated processing performed on personal data to evaluate, analyze, or predict personal aspects related to an identified or identifiable individual’s economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.
(31) “Protected health information” has the same meaning as in HIPAA.
(32) “Pseudonymous data” means personal data that cannot be attributed to a specific individual without the use of additional information, provided the additional information is kept separately and is subject to appropriate technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable individual.
(33) “Publicly available information” means information that:
  (A) is lawfully made available through federal, state, or local government records or widely distributed media; or
  (B) a controller has a reasonable basis to believe that the consumer has lawfully made available to the general public.
(34) “Reproductive or sexual health care” means any health care-related services or products rendered or provided concerning a consumer’s reproductive system or sexual well-being, including any such service or product rendered or provided concerning:
  (A) an individual health condition, status, disease, diagnosis, diagnostic test or treatment;
  (B) a social, psychological, behavioral, or medical intervention;
  (C) a surgery or procedure, including an abortion;
  (D) a use or purchase of a medication, including a medication used or purchased for the purposes of an abortion, a bodily function, vital sign, or symptom;
  (E) a measurement of a bodily function, vital sign, or symptom; or
  (F) an abortion, including medical or nonmedical services, products, diagnostics, counseling, or follow-up services for an abortion.
(35) “Reproductive or sexual health data” means any personal data concerning an effort made by a consumer to seek, or a consumer’s receipt of, reproductive or sexual health care.
(36) “Reproductive or sexual health facility” means any health care facility in which at least 70 percent of the health care-related services or products rendered or provided in the facility are reproductive or sexual health care.
(37)(A) “Sale of personal data” means the exchange of a consumer’s personal data by the controller to a third party for monetary or other valuable consideration.
  (B) “Sale of personal data” does not include:
    (i) the disclosure of personal data to a processor that processes the personal data on behalf of the controller;
    (ii) the disclosure of personal data to a third party for purposes of providing a product or service requested by the consumer;
    (iii) the disclosure or transfer of personal data to an affiliate of the controller;
    (iv) the disclosure of personal data where the consumer directs the controller to disclose the personal data or intentionally uses the controller to interact with a third party;
    (v) the disclosure of personal data that the consumer:
      (I) intentionally made available to the general public via a channel of mass media; and
      (II) did not restrict to a specific audience; or
    (vi) the disclosure or transfer of personal data to a third party as an asset that is part of a merger, acquisition, bankruptcy or other transaction, or a proposed merger, acquisition, bankruptcy, or other transaction, in which the third party assumes control of all or part of the controller’s assets.
(38) “Sensitive data” means personal data that includes:
  (A) data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation, or citizenship or immigration status;
  (B) consumer health data;
  (C) the processing of genetic or biometric data for the purpose of uniquely identifying an individual;
  (D) personal data collected from a known child;
  (E) data concerning an individual’s status as a victim of crime; and
  (F) an individual’s precise geolocation data.
(39)(A) “Targeted advertising” means displaying advertisements to a consumer where the advertisement is selected based on personal data obtained or inferred from that consumer’s activities over time and across nonaffiliated websites or online applications to predict the consumer’s preferences or interests.
  (B) “Targeted advertising” does not include:
    (i) an advertisement based on activities within the controller’s own commonly branded website or online application;
    (ii) an advertisement based on the context of a consumer’s current search query, visit to a website, or use of an online application;
    (iii) an advertisement directed to a consumer in response to the consumer’s request for information or feedback; or
    (iv) processing personal data solely to measure or report advertising frequency, performance, or reach.
(40) “Third party” means a person, public authority, agency, or body, other than the consumer, controller, or processor or an affiliate of the processor or the controller.
(41) “Trade secret” has the same meaning as in section 4601 of this title.

§ 2416. APPLICABILITY

(a) Except as provided in subsection (b) of this section, this chapter applies to a person that conducts business in this State or a person that produces products or services that are targeted to residents of this State and that during the preceding calendar year:
  (1) controlled or processed the personal data of not fewer than 100,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or
  (2) controlled or processed the personal data of not fewer than 25,000 consumers and derived more than 25 percent of the person’s gross revenue from the sale of personal data.
(b) Section 2426 of this title and the provisions of this chapter concerning consumer health data and consumer health data controllers apply to a person that conducts business in this State or a person that produces products or services that are targeted to residents of this State.

§ 2417. EXEMPTIONS

(a) Except as provided in subsection (c) of this section, this chapter shall not apply to any:
  (1) body, authority, board, bureau, commission, district or agency of this State or of any political subdivision of this State;
  (2) person who has entered into a contract with an entity described in subdivision (1) of this subsection to process consumer health data on behalf of the entity;
  (3) nonprofit organization;
  (4) institution of higher education;
  (5) national securities association that is registered under 15 U.S.C. 78o-3 of the Securities Exchange Act of 1934, as may be amended;
  (6) financial institution or data subject to Title V of the Gramm-Leach-Bliley Act, Pub. L. No. 106-102, and regulations adopted to implement that act;
  (7) covered entity or business associate, as defined in 45 C.F.R. § 160.103;
  (8) tribal nation government organization; or
  (9) air carrier, as:
    (A) defined in 49 U.S.C. § 40102, as may be amended; and
    (B) regulated under the Federal Aviation Act of 1958, 49 U.S.C. § 40101 et seq. and the Airline Deregulation Act of 1978, 49 U.S.C. § 41713, as may be amended.
(b) The following information, data, and activities are exempt from this chapter:
  (1) protected health information under HIPAA;
  (2) patient identifying information that is collected and processed in accordance with 42 C.F.R. Part 2 (confidentiality of substance use disorder patient records);
  (3) identifiable private information:
    (A) for purposes of the Federal Policy for the Protection of Human Subjects, codified as 45 C.F.R. Part 46 (HHS protection of human subjects) and in various other federal regulations; and
    (B) that is otherwise information collected as part of human subjects research pursuant to the good clinical practice guidelines issued by the International Council for Harmonisation of Technical Requirements for Pharmaceuticals for Human Use;
  (4) information that identifies a consumer in connection with the protection of human subjects under 21 C.F.R. Parts 6, 50, and 56, or personal data used or shared in research, as defined in 45 C.F.R. § 164.501, that is conducted in accordance with the standards set forth in this subdivision and in subdivision (3) of this subsection, or other research conducted in accordance with applicable law;
  (5) information or documents created for the purposes of the Healthcare Quality Improvement Act of 1986, 42 U.S.C. §§ 11101–11152, and regulations adopted to implement that act;
  (6) patient safety work product that is created for purposes of improving patient safety under 42 C.F.R. Part 3 (patient safety organizations and patient safety work product);
  (7) information or documents created for the purposes of the Healthcare Quality Improvement Act of 1986, 42 U.S.C. §§ 11101–11152, and regulations adopted to implement that act;
  (8) information derived from any of the health care-related information listed in this subsection that is de-identified in accordance with the requirements for de-identification pursuant to HIPAA;
  (9) information originating from and intermingled to be indistinguishable with, or information treated in the same manner as, information exempt under this subsection that is maintained by a covered entity or business associate, program, or qualified service organization, as specified in 42 U.S.C. § 290dd-2, as may be amended;
  (10) information used for public health activities and purposes as authorized by HIPAA, community health activities, and population health activities;
  (11) the collection, maintenance, disclosure, sale, communication, or use of any personal information bearing on a consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living by a consumer reporting agency, furnisher, or user that provides information for use in a consumer report, and by a user of a consumer report, but only to the extent that such activity is regulated by and authorized under the Fair Credit Reporting Act, 15 U.S.C. § 1681 et seq., as may be amended;
  (12) personal data collected, processed, sold, or disclosed under and in compliance with:
    (A) the Driver’s Privacy Protection Act of 1994, 18 U.S.C. § 2721–2725; and
    (B) the Farm Credit Act, Pub. L. No. 92-181, as may be amended;
  (13) personal data regulated by the Family Educational Rights and Privacy Act, 20 U.S.C. § 1232g, as may be amended;
  (14) data processed or maintained:
    (A) in the course of an individual applying to, employed by, or acting as an agent or independent contractor of a controller, processor, consumer health data controller, or third party, to the extent that the data is collected and used within the context of that role;
    (B) as the emergency contact information of a consumer pursuant to this chapter, used for emergency contact purposes; or
    (C) that is necessary to retain to administer benefits for another individual relating to the individual who is the subject of the information pursuant to subdivision (1) of this subsection (b) and used for the purposes of administering such benefits; and
  (15) personal data collected, processed, sold, or disclosed in relation to price, route, or service, as such terms are used in the Federal Aviation Act of 1958, 49 U.S.C. § 40101 et seq., as may be amended, and the Airline Deregulation Act of 1978, 49 U.S.C. § 41713, as may be amended.
(c) Controllers, processors, and consumer health data controllers that comply with the verifiable parental consent requirements of COPPA shall be deemed compliant with any obligation to obtain parental consent pursuant to this chapter.

§ 2418. CONSUMER RIGHTS; COMPLIANCE BY CONTROLLERS; APPEALS

(a) A consumer shall have the right to:
  (1) confirm whether or not a controller is processing the consumer’s personal data and access the personal data, unless the confirmation or access would require the controller to reveal a trade secret;
  (2) correct inaccuracies in the consumer’s personal data, taking into account the nature of the personal data and the purposes of the processing of the consumer’s personal data;
  (3) delete personal data provided by, or obtained about, the consumer;
  (4) obtain a copy of the consumer’s personal data processed by the controller, in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another controller without hindrance, where the processing is carried out by automated means, provided the controller shall not be required to reveal any trade secret; and
  (5) opt out of the processing of the personal data for purposes of:
    (A) targeted advertising;
    (B) the sale of personal data, except as provided in subsection 2420(b) of this title; or
    (C) profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer.
(b)(1) A consumer may exercise rights under this section by a secure and reliable means established by the controller and described to the consumer in the controller’s privacy notice.
  (2) A consumer may designate an authorized agent in accordance with section 2419 of this title to exercise the rights of the consumer to opt out of the processing of the consumer’s personal data for purposes of subdivision (a)(5) of this section on behalf of the consumer.
  (3) In the case of processing personal data of a known child, the parent or legal guardian may exercise the consumer rights on the child’s behalf.
  (4) In the case of processing personal data concerning a consumer subject to a guardianship, conservatorship, or other protective arrangement, the guardian or the conservator of the consumer may exercise the rights on the consumer’s behalf.
(c) Except as otherwise provided in this chapter, a controller shall comply with a request by a consumer to exercise the consumer rights authorized pursuant to this chapter as follows:
  (1)(A) A controller shall respond to the consumer without undue delay, but not later than 45 days after receipt of the request.
    (B) The controller may extend the response period by 45 additional days when reasonably necessary, considering the complexity and number of the consumer’s requests, provided the controller informs the consumer of the extension within the initial 45-day response period and of the reason for the extension.
  (2) If a controller declines to take action regarding the consumer’s request, the controller shall inform the consumer without undue delay, but not later than 45 days after receipt of the request, of the justification for declining to take action and instructions for how to appeal the decision.
  (3)(A) Information provided in response to a consumer request shall be provided by a controller, free of charge, once per consumer during any 12-month period.
    (B) If requests from a consumer are manifestly unfounded, excessive, or repetitive, the controller may charge the consumer a reasonable fee to cover the administrative costs of complying with the request or decline to act on the request.
    (C) The controller bears the burden of demonstrating the manifestly unfounded, excessive, or repetitive nature of the request.
  (4)(A) If a controller is unable to authenticate a request to exercise any of the rights afforded under subdivisions (a)(1)–(4) of this section using commercially reasonable efforts, the controller shall not be required to comply with a request to initiate an action pursuant to this section and shall provide notice to the consumer that the controller is unable to authenticate the request to exercise the right or rights until the consumer provides additional information reasonably necessary to authenticate the consumer and the consumer’s request to exercise the right or rights.
    (B) A controller shall not be required to authenticate an opt-out request, but a controller may deny an opt-out request if the controller has a good faith, reasonable, and documented belief that the request is fraudulent.
    (C) If a controller denies an opt-out request because the controller believes the request is fraudulent, the controller shall send a notice to the person who made the request disclosing that the controller believes the request is fraudulent, why the controller believes the request is fraudulent, and that the controller shall not comply with the request.
  (5) A controller that has obtained personal data about a consumer from a source other than the consumer shall be deemed in compliance with a consumer’s request to delete the data pursuant to subdivision (a)(3) of this section by:
    (A) retaining a record of the deletion request and the minimum data necessary for the purpose of ensuring the consumer’s personal data remains deleted from the controller’s records and not using the retained data for any other purpose pursuant to the provisions of this chapter; or
    (B) opting the consumer out of the processing of the personal data for any purpose except for those exempted pursuant to the provisions of this chapter.
(d)(1) A controller shall establish a process for a consumer to appeal the controller’s refusal to take action on a request within a reasonable period of time after the consumer’s receipt of the decision.
  (2) The appeal process shall be conspicuously available and similar to the process for submitting requests to initiate action pursuant to this section.
  (3) Not later than 60 days after receipt of an appeal, a controller shall inform the consumer in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions.
  (4) If the appeal is denied, the controller shall also provide the consumer with an online mechanism, if available, or other method through which the consumer may contact the Attorney General to submit a complaint.

§ 2419. AUTHORIZED AGENTS AND CONSUMER OPT-OUT

(a) A consumer may designate another person to serve as the consumer’s authorized agent, and act on the consumer’s behalf, to opt out of the processing of the consumer’s personal data for one or more of the purposes specified in subdivision 2418(a)(5) of this title.
(b) The consumer may designate an authorized agent by way of, among other things, a technology, including an internet link or a browser setting, browser extension, or global device setting, indicating the consumer’s intent to opt out of the processing.
(c) A controller shall comply with an opt-out request received from an authorized agent if the controller is able to verify, with commercially reasonable effort, the identity of the consumer and the authorized agent’s authority to act on the consumer’s behalf.

§ 2420. CONTROLLERS’ DUTIES; SALE OF PERSONAL DATA TO THIRD PARTIES; NOTICE AND DISCLOSURE TO CONSUMERS; CONSUMER OPT-OUT

(a) A controller:
  (1) shall limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which the data is processed, as disclosed to the consumer;
  (2) except as otherwise provided in this chapter, shall not process personal data for purposes that are neither reasonably necessary to, nor compatible with, the disclosed purposes for which the personal data is processed, as disclosed to the consumer, unless the controller obtains the consumer’s consent;
  (3) shall establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data appropriate to the volume and nature of the personal data at issue;
  (4) shall not process sensitive data concerning a consumer without obtaining the consumer’s consent or, in the case of the processing of sensitive data concerning a known child, without processing the data in accordance with COPPA;
  (5) shall not process personal data in violation of the laws of this State and federal laws that prohibit unlawful discrimination against consumers;
  (6) shall provide an effective mechanism for a consumer to revoke the consumer’s consent under this section that is at least as easy as the mechanism by which the consumer provided the consumer’s consent and, upon revocation of the consent, cease to process the data as soon as practicable, but not later than 15 days after the receipt of the request;
  (7) shall not process the personal data of a consumer for purposes of targeted advertising, or sell the consumer’s personal data without the consumer’s consent, under circumstances where a controller has actual knowledge, and willfully disregards, that the consumer is at least 13 years of age but younger than 16 years of age; and
  (8) shall not discriminate against a consumer for exercising any of the consumer rights contained in this chapter, including denying goods or services, charging different prices or rates for goods or services, or providing a different level of quality of goods or services to the consumer.
(b) Subsection (a) of this section shall not be construed to require a controller to provide a product or service that requires the personal data of a consumer that the controller does not collect or maintain, or prohibit a controller from offering a different price, rate, level, quality, or selection of goods or services to a consumer, including offering goods or services for no fee if the offering is in connection with a consumer’s voluntary participation in a bona fide loyalty, rewards, premium features, discounts, or club card program.
(c) A controller shall provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes:
  (1) the categories of personal data processed by the controller;
  (2) the purpose for processing personal data;
  (3) how consumers may exercise their consumer rights, including how a consumer may appeal a controller’s decision with regard to the consumer’s request;
  (4) the categories of personal data that the controller shares with third parties, if any;
  (5) the categories of third parties, if any, with which the controller shares personal data; and
  (6) an active email address or other online mechanism that the consumer may use to contact the controller.
(d) If a controller sells personal data to third parties or processes personal data for targeted advertising, the controller shall clearly and conspicuously disclose the processing, as well as the manner in which a consumer may exercise the right to opt out of the processing.
(e)(1) A controller shall establish, and shall describe in a privacy notice, one or more secure and reliable means for consumers to submit a request to exercise their consumer rights pursuant to this chapter.
(2) The means shall take into account the ways in which consumers normally interact with the controller, the need for secure and reliable communication of the requests, and the ability of the controller to verify the identity of the consumer making the request.
(3) A controller shall not require a consumer to create a new account in order to exercise consumer rights but may require a consumer to use an existing account.
(4)(A) The means shall include:
(i) providing a clear and conspicuous link on the controller’s website to a web page that enables a consumer, or an agent of the consumer, to opt out of the targeted advertising or sale of the consumer’s personal data; and
(ii) not later than January 1, 2026, allowing a consumer to opt out of any processing of the consumer’s personal data for the purposes of targeted advertising, or any sale of the personal data, through an opt-out preference signal sent to the controller with the consumer’s consent indicating the consumer’s intent to opt out of any of the processing or sale, by a platform, technology, or other mechanism that shall:
(I) not unfairly disadvantage another controller;
(II) not make use of a default setting, but rather require the consumer to make an affirmative, freely given, and unambiguous choice to opt out of any processing of the consumer’s personal data pursuant to this chapter;
(III) be consumer-friendly and easy to use by the average consumer;
(IV) be as consistent as possible with any other similar platform, technology, or mechanism required by any federal or State law or regulation; and
(V) enable the controller to accurately determine whether the consumer is a resident of this State and whether the consumer has made a legitimate request to opt out of any sale of the consumer’s personal data or targeted advertising.
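The following is an added illustration, not text or code from S.93, of how a controller's request handling might honour the opt-out preference signal required by subdivision (e)(4)(A)(ii), together with the conflict rule in subdivision (e)(4)(B) that follows. The bill does not name a signal; the code assumes the Global Privacy Control request header "Sec-GPC: 1" (the mechanism used under similar state laws), assumes the controller already holds the consumer's state of residence on the account, and uses constructed sample requests and records. The functions, field names and notice text are this example's own.

```python
"""Honouring an opt-out preference signal on the controller side.

Added illustration, not from S.93. Assumptions not stated in the bill:
the signal is the Global Privacy Control header "Sec-GPC: 1"; the
controller already knows the consumer's state of residence from the
account on file; requests and records below are constructed samples.
"""
from dataclasses import dataclass, field


@dataclass
class ConsumerRecord:
    consumer_id: str
    state: str                          # residency the controller has on file
    targeted_ads_opt_out: bool = False  # controller-specific privacy setting
    sale_opt_out: bool = False          # controller-specific privacy setting
    loyalty_member: bool = False        # bona fide loyalty programme participation
    notices: list = field(default_factory=list)


def opt_out_signal_present(headers: dict) -> bool:
    """True only for an explicit "Sec-GPC: 1" (header names are case-insensitive).

    A missing header or any other value is not a signal. The bill requires an
    affirmative choice, so absence of the header is not read as consent either;
    it simply leaves the consumer's existing settings in force.
    """
    for name, value in headers.items():
        if name.lower() == "sec-gpc":
            return value.strip() == "1"
    return False


def apply_opt_out_signal(headers: dict, record: ConsumerRecord) -> dict:
    """Decide for one request whether targeted ads / sale are permitted, update the record.

    Returns {"targeted_ads": bool, "sale": bool, "notice": str | None, "in_scope": bool}.
    """
    # (e)(4)(A)(ii)(V): the controller must be able to tell whether this is a
    # Vermont resident. The signal is honoured regardless (simplest, and avoids
    # misclassifying residents); in_scope only records the determination.
    in_scope = record.state == "VT"

    if not opt_out_signal_present(headers):
        return {
            "targeted_ads": not record.targeted_ads_opt_out,
            "sale": not record.sale_opt_out,
            "notice": None,
            "in_scope": in_scope,
        }

    # (e)(4)(B): the signal prevails over a conflicting controller-specific setting
    # or loyalty-programme participation; the controller may notify the consumer
    # of the conflict and offer the choice to confirm the setting/participation.
    conflict = record.loyalty_member or not (record.targeted_ads_opt_out and record.sale_opt_out)
    record.targeted_ads_opt_out = True
    record.sale_opt_out = True
    notice = None
    if conflict:
        notice = ("Your browser sent an opt-out preference signal that overrides your "
                  "saved advertising/sale settings or loyalty participation. "
                  "You may confirm those settings in your account.")
        record.notices.append(notice)
    return {"targeted_ads": False, "sale": False, "notice": notice, "in_scope": in_scope}


if __name__ == "__main__":
    # Constructed sample: a Vermont resident in a loyalty programme whose browser sends GPC.
    rec = ConsumerRecord("c-1", "VT", loyalty_member=True)
    print(apply_opt_out_signal({"Sec-GPC": "1", "User-Agent": "example"}, rec))
```

The design point is that the signal is a stateful opt-out, not a per-request hint: the record is updated so later requests without the header stay opted out, and the notice is the only thing the controller is allowed to add on top of compliance.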
(B) If a consumer’s decision to opt out of any processing of the consumer’s personal data for the purposes of targeted advertising, or any sale of the personal data, through an opt-out preference signal sent in accordance with the provisions of subdivision (A) of this subdivision (e)(4) conflicts with the consumer’s existing controller-specific privacy setting or voluntary participation in a controller’s bona fide loyalty, rewards, premium features, discounts, or club card program, the controller shall comply with the consumer’s opt-out preference signal but may notify the consumer of the conflict and provide to the consumer the choice to confirm the controller-specific privacy setting or participation in the program.
(5) If a controller responds to consumer opt-out requests received pursuant to subdivision (4)(A) of this subsection by informing the consumer of a charge for the use of any product or service, the controller shall present the terms of any financial incentive offered pursuant to subsection (b) of this section for the retention, use, sale, or sharing of the consumer’s personal data.
§ 2421. PROCESSORS’ DUTIES; CONTRACTS BETWEEN CONTROLLERS AND PROCESSORS
(a) A processor shall adhere to the instructions of a controller and shall assist the controller in meeting the controller’s obligations under this chapter, including:
(1) taking into account the nature of processing and the information available to the processor, by appropriate technical and organizational measures, to the extent reasonably practicable, to fulfill the controller’s obligation to respond to consumer rights requests;
(2) taking into account the nature of processing and the information available to the processor, by assisting the controller in meeting the controller’s obligations in relation to the security of processing the personal data and in relation to the notification of a data broker security breach or security breach, as defined in section 2430 of this title, of the system of the processor, in order to meet the controller’s obligations; and
(3) providing necessary information to enable the controller to conduct and document data protection assessments.
(b)(1) A contract between a controller and a processor shall govern the processor’s data processing procedures with respect to processing performed on behalf of the controller.
(2) The contract shall be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties.
(3) The contract shall require that the processor:
(A) ensure that each person processing personal data is subject to a duty of confidentiality with respect to the data;
(B) at the controller’s direction, delete or return all personal data to the controller as requested at the end of the provision of services, unless retention of the personal data is required by law;
(C) upon the reasonable request of the controller, make available to the controller all information in its possession necessary to demonstrate the processor’s compliance with the obligations in this chapter;
(D) after providing the controller an opportunity to object, engage any subcontractor pursuant to a written contract that requires the subcontractor to meet the obligations of the processor with respect to the personal data; and
(E) make available to the controller upon the reasonable request of the controller, all information in the processor’s possession necessary to demonstrate the processor’s compliance with this chapter.
(4) A processor shall provide a report of an assessment to the controller upon request.
(c) This section shall not be construed to relieve a controller or processor from the liabilities imposed on the controller or processor by virtue of the controller’s or processor’s role in the processing relationship, as described in this chapter.
(d)(1) Determining whether a person is acting as a controller or processor with respect to a specific processing of data is a fact-based determination that depends upon the context in which personal data is to be processed.
(2) A person who is not limited in the person’s processing of personal data pursuant to a controller’s instructions, or who fails to adhere to the instructions, is a controller and not a processor with respect to a specific processing of data.
(3) A processor that continues to adhere to a controller’s instructions with respect to a specific processing of personal data remains a processor.
(4) If a processor begins, alone or jointly with others, determining the purposes and means of the processing of personal data, the processor is a controller with respect to the processing and may be subject to an enforcement action under section 2425 of this title.
§ 2422. CONTROLLERS’ DATA PROTECTION ASSESSMENTS; DISCLOSURE TO ATTORNEY GENERAL
(a) A controller shall conduct and document a data protection assessment for each of the controller’s processing activities that presents a heightened risk of harm to a consumer, which for the purposes of this section includes:
(1) the processing of personal data for the purposes of targeted advertising;
(2) the sale of personal data;
(3) the processing of personal data for the purposes of profiling, where the profiling presents a reasonably foreseeable risk of:
(A) unfair or deceptive treatment of, or unlawful disparate impact on, consumers;
(B) financial, physical, or reputational injury to consumers;
(C) a physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumers, where the intrusion would be offensive to a reasonable person; or
(D) other substantial injury to consumers; and
(4) the processing of sensitive data.
(b)(1) Data protection assessments conducted pursuant to subsection (a) of this section shall identify and weigh the benefits that may flow, directly and indirectly, from the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with the processing, as mitigated by safeguards that can be employed by the controller to reduce the risks.
(2) The controller shall factor into any data protection assessment the use of de-identified data and the reasonable expectations of consumers, as well as the context of the processing and the relationship between the controller and the consumer whose personal data will be processed.
(c)(1) The Attorney General may require that a controller disclose any data protection assessment that is relevant to an investigation conducted by the Attorney General, and the controller shall make the data protection assessment available to the Attorney General.
(2) The Attorney General may evaluate the data protection assessment for compliance with the responsibilities set forth in this chapter.
(3) Data protection assessments shall be confidential and shall be exempt from disclosure and copying under the Public Records Act.
(4) To the extent any information contained in a data protection assessment disclosed to the Attorney General includes information subject to attorney-client privilege or work product protection, the disclosure shall not constitute a waiver of the privilege or protection.
(d) A single data protection assessment may address a comparable set of processing operations that include similar activities.
(e) If a controller conducts a data protection assessment for the purpose of complying with another applicable law or regulation, the data protection assessment shall be deemed to satisfy the requirements established in this section if the data protection assessment is reasonably similar in scope and effect to the data protection assessment that would otherwise be conducted pursuant to this section.
(f) Data protection assessment requirements shall apply to processing activities created or generated after July 1, 2025 and are not retroactive.
§ 2423. DE-IDENTIFIED AND PSEUDONYMOUS DATA; CONTROLLERS’ DUTIES; EXCEPTIONS; APPLICABILITY OF CONSUMERS’ RIGHTS; DISCLOSURE AND OVERSIGHT
(a) A controller in possession of de-identified data shall:
(1) take reasonable measures to ensure that the data cannot be associated with an individual;
(2) publicly commit to maintaining and using de-identified data without attempting to re-identify the data; and
(3) contractually obligate any recipients of the de-identified data to comply with the provisions of this chapter.
(b) This chapter shall not be construed to:
(1) require a controller or processor to re-identify de-identified data or pseudonymous data; or
(2) maintain data in identifiable form, or collect, obtain, retain, or access any data or technology, in order to be capable of associating an authenticated consumer request with personal data.
(c) This chapter shall not be construed to require a controller or processor to comply with an authenticated consumer rights request if the controller:
(1) is not reasonably capable of associating the request with the personal data or it would be unreasonably burdensome for the controller to associate the request with the personal data;
(2) does not use the personal data to recognize or respond to the specific consumer who is the subject of the personal data, or associate the personal data with other personal data about the same specific consumer; and
(3) does not sell the personal data to any third party or otherwise voluntarily disclose the personal data to any third party other than a processor, except as otherwise permitted in this section.
(d) The rights afforded under subdivisions 2418(a)(1)–(4) of this title shall not apply to pseudonymous data in cases where the controller is able to demonstrate that any information necessary to identify the consumer is kept separately and is subject to effective technical and organizational controls that prevent the controller from accessing the information.
(e) A controller that discloses pseudonymous data or de-identified data shall exercise reasonable oversight to monitor compliance with any contractual commitments to which the pseudonymous data or de-identified data is subject and shall take appropriate steps to address any breaches of those contractual commitments.
§ 2424. CONSTRUCTION OF CONTROLLERS’ AND PROCESSORS’ DUTIES
(a) This chapter shall not be construed to restrict a controller’s, processor’s, or consumer health data controller’s ability to:
(1) comply with federal, state, or municipal laws, ordinances, or regulations;
(2) comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, municipal, or other governmental authorities;
(3) cooperate with law enforcement agencies concerning conduct or activity that the controller, processor, or consumer health data controller reasonably and in good faith believes may violate federal, state, or municipal laws, ordinances, or regulations;
(4) investigate, establish, exercise, prepare for, or defend legal claims;
(5) provide a product or service specifically requested by a consumer;
(6) perform under a contract to which a consumer is a party, including fulfilling the terms of a written warranty;
(7) take steps at the request of a consumer prior to entering into a contract;
(8) take immediate steps to protect an interest that is essential for the life or physical safety of the consumer or another individual, and where the processing cannot be manifestly based on another legal basis;
(9) prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious, or deceptive activities or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for the action;
(10) engage in public or peer-reviewed scientific or statistical research in the public interest that adheres to all other applicable ethics and privacy laws and is approved, monitored, and governed by an institutional review board that determines, or similar independent oversight entities that determine:
(A) whether the deletion of the information is likely to provide substantial benefits that do not exclusively accrue to the controller;
(B) the expected benefits of the research outweigh the privacy risks; and
(C) whether the controller or consumer health data controller has implemented reasonable safeguards to mitigate privacy risks associated with research, including any risks associated with re-identification;
(11) assist another controller, processor, consumer health data controller, or third party with any of the obligations under this chapter; or
(12) process personal data for reasons of public interest in the area of public health, community health, or population health, but solely to the extent that the processing is:
(A) subject to suitable and specific measures to safeguard the rights of the consumer whose personal data is being processed; and
(B) under the responsibility of a professional subject to confidentiality obligations under federal, state, or local law.
(b) The obligations imposed on controllers, processors, or consumer health data controllers under this chapter shall not restrict a controller’s, processor’s, or consumer health data controller’s ability to collect, use, or retain data for internal use to:
(1) conduct internal research to develop, improve, or repair products, services, or technology;
(2) effectuate a product recall;
(3) identify and repair technical errors that impair existing or intended functionality; or
(4) perform internal operations that are reasonably aligned with the expectations of the consumer or reasonably anticipated based on the consumer’s existing relationship with the controller or consumer health data controller, or are otherwise compatible with processing data in furtherance of the provision of a product or service specifically requested by a consumer or the performance of a contract to which the consumer is a party.
(c)(1) The obligations imposed on controllers, processors, or consumer health data controllers under this chapter shall not apply where compliance by the controller, processor, or consumer health data controller with this chapter would violate an evidentiary privilege under the laws of this State.
(2) This chapter shall not be construed to prevent a controller, processor, or consumer health data controller from providing personal data concerning a consumer to a person covered by an evidentiary privilege under the laws of the State as part of a privileged communication.
(d)(1) A controller, processor, or consumer health data controller that discloses personal data to a processor or third-party controller pursuant to this chapter shall not be deemed to have violated this chapter if the processor or third-party controller that receives and processes the personal data violates this chapter, provided, at the time the disclosing controller, processor, or consumer health data controller disclosed the personal data, the disclosing controller, processor, or consumer health data controller did not have actual knowledge that the receiving processor or third-party controller would violate this chapter.
(2) A third-party controller or processor receiving personal data from a controller, processor, or consumer health data controller in compliance with this chapter is not in violation of this chapter for the transgressions of the controller, processor, or consumer health data controller from which the third-party controller or processor receives the personal data.
(e) This chapter shall not be construed to:
(1) impose any obligation on a controller or processor that adversely affects the rights or freedoms of any person, including the rights of any person:
(A) to freedom of speech or freedom of the press guaranteed in the First Amendment to the United States Constitution; or
(B) under 12 V.S.A. § 1615;
(2) apply to any person’s processing of personal data in the course of the person’s purely personal or household activities; or
(3) require an independent school as defined in 16 V.S.A. § 11(a)(8) or a private institution of higher education, as defined in 20 U.S.C. § 1001 et seq., to delete personal data or opt out of processing of personal data that would unreasonably interfere with the provision of education services by or the ordinary operation of the school or institution.
(f)(1) Personal data processed by a controller or consumer health data controller pursuant to this section may be processed to the extent that the processing is:
(A) reasonably necessary and proportionate to the purposes listed in this section; and
(B) adequate, relevant, and limited to what is necessary in relation to the specific purposes listed in this section.
(2)(A) Personal data collected, used, or retained pursuant to subsection (b) of this section shall, where applicable, take into account the nature and purpose or purposes of the collection, use, or retention.
(B) The data shall be subject to reasonable administrative, technical, and physical measures to protect the confidentiality, integrity, and accessibility of the personal data and to reduce reasonably foreseeable risks of harm to consumers relating to the collection, use, or retention of personal data.
(g) If a controller or consumer health data controller processes personal data pursuant to an exemption in this section, the controller or consumer health data controller bears the burden of demonstrating that the processing qualifies for the exemption and complies with the requirements in subsection (f) of this section.
(h) Processing personal data for the purposes expressly identified in this section shall not solely make a legal entity a controller or consumer health data controller with respect to the processing.
§ 2425. ENFORCEMENT BY ATTORNEY GENERAL; NOTICE OF VIOLATION; CURE PERIOD; REPORT; PENALTY
(a) The Attorney General shall have exclusive authority to enforce violations of this chapter.
(b)(1) During the period beginning on July 1, 2025 and ending on December 31, 2026, the Attorney General shall, prior to initiating any action for a violation of any provision of this chapter, issue a notice of violation to the controller or consumer health data controller if the Attorney General determines that a cure is possible.
(2) If the controller or consumer health data controller fails to cure the violation within 60 days after receipt of the notice of violation, the Attorney General may bring an action pursuant to this section.
(3) Annually, on or before February 1, the Attorney General shall submit a report to the General Assembly disclosing:
(A) the number of notices of violation the Attorney General has issued;
(B) the nature of each violation;
(C) the number of violations that were cured during the available cure period; and
(D) any other matter the Attorney General deems relevant for the purposes of the report.
(c) Beginning on January 1, 2027, the Attorney General may, in determining whether to grant a controller or processor the opportunity to cure an alleged violation described in subsection (b) of this section, consider:
(1) the number of violations;
(2) the size and complexity of the controller or processor;
(3) the nature and extent of the controller’s or processor’s processing activities;
(4) the substantial likelihood of injury to the public;
(5) the safety of persons or property;
(6) whether the alleged violation was likely caused by human or technical error; and
(7) the sensitivity of the data.
(d) This chapter shall not be construed as providing the basis for, or be subject to, a private right of action for violations of this chapter or any other law.
(e) Subject to the exception in subsection (f) of this section, a violation of the requirements of this chapter shall constitute an unfair and deceptive act in commerce in violation of section 2453 of this title and shall be enforced solely by the Attorney General, provided that a consumer private right of action under subsection 2461(b) of this title shall not apply to the violation.
(f) The Attorney General shall provide guidance to controllers and processors for compliance with the terms of the Vermont Data Privacy Act. Any processor or controller that, in the opinion of the Attorney General, materially complies with the guidance provided by the Attorney General shall not constitute an unfair and deceptive act in commerce.
§ 2426. CONSUMER HEALTH DATA PRIVACY
(a) Except as provided in subsections (b) and (c) of this section and subsections 2417(b) and (c) of this title, no person shall:
(1) provide any employee or contractor with access to consumer health data unless the employee or contractor is subject to a contractual or statutory duty of confidentiality;
(2) provide any processor with access to consumer health data unless the person and processor comply with section 2421 of this title;
(3) use a geofence to establish a virtual boundary that is within 1,750 feet of any health care facility, including any mental health facility or reproductive or sexual health facility, for the purpose of identifying, tracking, collecting data from, or sending any notification to a consumer regarding the consumer’s consumer health data; or
(4) sell, or offer to sell, consumer health data without first obtaining the consumer’s consent.
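The 1,750-foot geofence rule in § 2426(a)(3) is the one provision of subsection (a) that reduces to a computation a location-based advertising or analytics team can check before a geofence goes live. The code below is an added illustration, not from S.93: the bill fixes only the distance, so the geometry is assumed (geofences modelled as a centre point plus radius, facilities as points, great-circle distance on a spherical Earth), the coordinates are constructed sample data, and the purpose element of the prohibition still has to be assessed separately. The point it makes is that the statute measures from the virtual boundary, so a centre-to-facility check alone under-reports.

```python
"""Pre-deployment check of a geofence against the 1,750-foot rule in § 2426(a)(3).

Added illustration, not from S.93. The bill fixes the distance; the rest is
assumed: circular geofences (centre + radius), facilities as points,
haversine distance on a spherical Earth, constructed sample coordinates.
"""
import math

EARTH_RADIUS_M = 6_371_000.0
FEET_PER_M = 3.280839895
MIN_DISTANCE_FT = 1_750.0  # § 2426(a)(3)


def haversine_ft(lat1, lon1, lat2, lon2):
    """Great-circle distance between two lat/lon points (degrees), in feet."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a)) * FEET_PER_M


def geofence_conflicts(center, radius_ft, facilities):
    """Return (name, boundary_distance_ft) for each facility within 1,750 ft of the fence.

    The statute measures from the virtual boundary, not the centre, so the
    nearest point of a circular fence is (centre distance - radius). A facility
    inside the fence has a negative boundary distance and is always a conflict.
    """
    lat, lon = center
    hits = []
    for name, flat, flon in facilities:
        boundary_distance = haversine_ft(lat, lon, flat, flon) - radius_ft
        if boundary_distance < MIN_DISTANCE_FT:
            hits.append((name, round(boundary_distance, 1)))
    return hits


# Constructed sample data: one health care facility (a Burlington, VT area point).
FACILITIES = [("clinic-A", 44.4759, -73.2121)]

if __name__ == "__main__":
    # Centre about 1,824 ft north of the clinic with a 200 ft radius: the centre
    # clears 1,750 ft but the boundary comes within ~1,624 ft, so it is flagged.
    print(geofence_conflicts((44.4809, -73.2121), 200, FACILITIES))
    # Centre about 3,648 ft north with a 500 ft radius: boundary ~3,148 ft away, clear.
    print(geofence_conflicts((44.4859, -73.2121), 500, FACILITIES))
```

For polygonal geofences the same rule applies with the point-to-polygon distance in place of (centre distance - radius); the threshold and the boundary-not-centre reasoning are unchanged.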
(b) Notwithstanding section 2416 of this title, subsection (a) of this section, and the provisions of sections 2415–2425 of this title, inclusive, concerning consumer health data and consumer health data controllers, apply to persons that conduct business in this state and persons that produce products or services that are targeted to residents of this state.
(c) Subsection (a) of this section shall not apply to any:
(1) body, authority, board, bureau, commission, district or agency of this State or of any political subdivision of this State;
(2) person who has entered into a contract with an entity described in subdivision (1) of this subsection to process consumer health data on behalf of the entity;
(3) institution of higher education;
(4) national securities association that is registered under 15 U.S.C. 78o-3 of the Securities Exchange Act of 1934, as may be amended;
(5) financial institution or data subject to Title V of the Gramm-Leach-Bliley Act, Pub. L. No. 106-102, and regulations adopted to implement that act;
(6) covered entity or business associate, as defined in 45 C.F.R. § 160.103;
(7) tribal nation government organization; or
(8) air carrier, as:
(A) defined in 49 U.S.C. § 40102, as may be amended; and
(B) regulated under the Federal Aviation Act of 1958, 49 U.S.C. § 40101 et seq. and the Airline Deregulation Act of 1978, 49 U.S.C. § 41713, as may be amended.
Sec. 2. EFFECTIVE DATE
This act shall take effect on July 1, 2026.