Privacy Daily is a service of Warren Communications News.
Kids, Delete Bills Also Introduced

2025 Vt. Privacy Bill Edits Private Right of Action, Gets Bipartisan Support

Long-anticipated bills by Vermont state Rep. Monique Priestley (D) on comprehensive data privacy (H-208), an age-appropriate design code (H-210) and data broker deletion requirements (H-211) formally entered the legislature on Wednesday. The 2025 privacy bill “contains a number of adjustments that address concerns from stakeholders, including members of the business community, while maintaining the core consumer protections expected by Vermonters,” said an H-208 summary.

As of Friday, the comprehensive privacy bill had 50 co-sponsors, including three Republicans and four independents; the rest were Democrats. The kids code and data broker bills each had 52 co-sponsors from both parties, including four Republicans and four independents. The state House has 150 members.

Priestley aims to pass the three measures individually after Gov. Phil Scott (R) vetoed legislation combining them last year (see 2412300043). While Scott had raised concerns about Vermont being an outlier, Priestley’s 2025 privacy bill revives a private right of action (PRA) not seen in other states, as well as data minimization rules that are stricter than those seen in most state privacy laws. Vermont Attorney General Charity Clark (D) supported including a PRA last month (see 2501270025).

“Vermonters may vindicate their rights via a limited private right of action if they are harmed by certain violations by a data broker or large data holders,” defined as businesses that collect data of at least 100,000 Vermonters yearly, said the summary: Small businesses that earn less than $25 million in annual revenue would be exempt from the PRA. Unlike the 2024 bill, consumers “must first engage in intermediary steps with the Attorney General before pursuing a private right of action to address violations,” it said.

H-208 is based on Connecticut’s privacy law, as amended in 2023, according to the summary. In addition to the adjusted PRA, one change from Priestley’s 2024 bill is clearer “distinctions between first- and third-party marketing, as well as contextual and targeted advertising,” the document said. “Businesses can continue to use data they gather from their customers and website visitors to communicate and send ads.” Also, the bill now allows controllers and processors to use data for “product recalls, performing research projects, carrying out necessary internal operations, and identifying and repairing technical errors.” Last, businesses that already conducted a data protection assessment or privacy policy to comply with another state’s requirements wouldn’t have to repeat them for Vermont.

The Vermont bill would apply to businesses that meet any of these requirements: (1) hold data of more than 25,000 consumers, excluding data used only to process payments, (2) sell consumer data or (3) derive 25% of gross revenue from selling data of at least 12,500 consumers, said a separate explainer on business obligations.

On data minimization, the bill says entities must "limit the collection and processing of personal data to what is reasonably necessary and proportionate to provide or maintain: (A) a specific product or service requested by the consumer to whom the data pertains; and (B) a communication, that is not an advertisement, by the controller to the consumer that is reasonably anticipated within the context of the relationship between the controller and the consumer."

Like similar kids code laws in other states, H-210 requires online services likely to have minors access them to prioritize children’s safety in their design and offer default privacy settings. The AG would enforce the proposed law and make rules on age-assurance methods for determining whether a user is a minor. “The Act is careful to focus on regulating platforms’ harmful data management and design practices, not on harmful content,” said a summary.

Covered businesses may “only collect personal data of a user that is strictly necessary for age assurance,” and should immediately delete information used to determine age, says H-210. Businesses may “not use any personal data of a user collected for age assurance for any other purpose” or “combine personal data of a user collected for age assurance with any other personal data of the user, except whether the user is or is not determined to be a covered minor.” Finally, companies must provide a process for users to appeal age determinations.

Last, H-211 proposes a law like California’s Delete Act. It would require the Vermont secretary of state to create an online mechanism to handle user requests to delete data from the files of data brokers required to register with the state. “The Act also requires data brokers to provide notice of security breaches, to certify that the personal information they disclose will be used for legitimate purposes, and to report as part of the registration process what sensitive information they collect on consumers, including reproductive healthcare data,” said a summary. The AG and secretary of state would enforce the bill.