According to the 2020 census, Vermont’s population of just under 650,000 residents makes it the second to last in population in the nation and the sixth smallest state by area. Yet, Vermont has introduced a privacy bill that rivals California in scope. This broad scope is also punctuated by two key provisions. First, Vermont’s applicability threshold, which is met if a business “processes or controls” the personal data of at least 6,500 Vermont residents. That’s just 1% of the state’s total residency, making it imperative to keep track of this bill if you do business in Vermont. Second, (and the other reason to keep an eye on this proposal), is the inclusion of a private right of action that allows both punitive damages and attorneys fees.
Similar to other state privacy laws, Vermont’s proposal would grant individuals the right to access their data, the right to correct their information, the right to delete, the right to opt-out of certain uses of their data, the right to opt out of targeted advertising and data sales, as well as, the right to a transparent disclosure about the collection and use of their data, among other things.
While there are similarities to California, there is one important distinction. The definition of “consumer” specifically excludes an individual acting in a commercial or employment context. This means that Vermont’s proposed law would apply almost exclusively to individuals in a traditional “consumer” context.
Vermont’s proposal also requires businesses to process personal data “only as reasonably necessary and proportionate to provide the services for which the personal data was collected, consistent with the reasonable expectations of the consumer” or with consent. The proposal would also require a way for the consumer to revoke consent (similar to GDPR), if the legitimate basis for processing the data is based on consent alone. Vermont’s proposal also places restrictions on the processing of sensitive personal data and requires consent to process same.
One of the most interesting parts of the proposed Vermont Data Privacy Act is that it includes a private right of action for any consumer harm that arises from any violation of the proposed law. The private right of action also allows for both punitive damages for willful violations and attorneys fees. The Electronic Privacy Information Center (EPIC), who regularly grades state privacy laws, gives the Vermont Data Privacy Act a B+. This rating would make Vermont’s proposed law the second-strongest privacy law in the country, behind only California.
Focused On Privacy 
Leave a comment