Tech Industry Doubts AG Rulemaking Can Fix Vermont Kids Code Law
A tech industry group on Friday ruled out the possibility that a rulemaking would alleviate its concerns with Vermont’s new age-appropriate design code law. Gov. Phil Scott (R) signed S-69 on Thursday (see 2506120094) despite vetoing a similar proposal last year. Businesses of all sizes will have to comply with the Vermont AADC or potentially face AG enforcement or lawsuits from individuals via a private right of action in the state's existing consumer protection law.
Sign up for a free preview to unlock the rest of this article
Vermont’s law, which will require that businesses provide the highest level of privacy by default, will take effect Jan. 1, 2027. The Vermont attorney general's office is required to complete a rulemaking in the 18-month period before the law's effective date.
The governor’s statement on signing the bill recognized the likelihood of a legal challenge. NetChoice and the Computer & Communications Industry Association (CCIA) have previously sued multiple states that made similar laws. Scott said he hoped, “with the enactment of this law delayed until January 1, 2027, it will allow enough time to provide clarity and change the law if necessary.”
However, CCIA threw water on the idea that the rulemaking could resolve its concerns. “This law raises significant compliance, privacy, and constitutional concerns,” State Director Megan Stokes said in a emailed statement to Privacy Daily. “We appreciate the effective date being in 2027 as detailed rules and regulations will have to be drafted to help provide a roadmap for all businesses impacted by this law. However, we believe that the constitutional concerns will not be able to be alleviated during the rulemaking process.” CCIA has joined NetChoice in litigating against similar laws in other states.
Unlike comprehensive privacy bills that typically include applicability thresholds, S-69 does not exempt small businesses from complying with it. However, it contains other exemptions, including for governments, researchers, journalists, financial institutions covered by the Gramm-Leach-Bliley Act and health information covered by the Health Insurance Portability and Accountability Act.
The law included a private right of action by way of the state’s consumer protection statute. S-69 says under an enforcement header that a "covered business or processor that violates this subchapter or rules adopted pursuant to this subchapter commits an unfair and deceptive act in commerce in violation of section 2453 of this title.” That’s a reference to “Vermont’s Consumer Protection Act, which includes a private right of action,” Electronic Privacy Information Center (EPIC) Deputy Director Caitriona Fitzgerald said in an email.
The Vermont AADC Act says that a “covered business that processes a covered minor’s data in any capacity owes a minimum duty of care to the covered minor.” This minimum duty "means the use of the personal data of a covered minor and the design of an online service, product, or feature will not result in: (1) “reasonably foreseeable emotional distress … to a covered minor,” (2) “reasonably foreseeable compulsive use of the online service, product, or feature by a covered minor,” or (3) “discrimination against a covered minor based upon race, ethnicity, sex, disability, sexual orientation, gender identity, gender expression, religion, or national origin.”"
Also, the state law requires covered businesses to “prominently and clearly provide” their “privacy information, terms of service, policies, and community standards” and the purpose of and inputs used for algorithms. Moreover, it must provide “descriptions, for every feature of the service that uses the personal data of covered minors,” of the feature’s purpose, what personal data is collected by or used by the feature, how the personal data is used and how long it’s retained, and “any personal data transferred to or shared with a processor or third party by the service feature, the identity of the processor or third party, and the purpose of the transfer or sharing.”
Covered businesses may not “collect, sell, share, or retain any personal data of a covered minor that is not necessary to provide an online service, product, or feature with which the covered minor is actively and knowingly engaged,” says S-69: Nor may they “use previously collected personal data of a covered minor for any purpose other than a purpose for which the personal data was collected, unless necessary to comply with any obligation under this chapter.”
Additionally, companies may not “permit any individual, including a parent or guardian of a covered minor, to monitor the online activity of a covered minor or to track the location of the covered minor without providing a conspicuous signal to the covered minor when the covered minor is being monitored or tracked.” And they can’t “use the personal data of a covered minor to select, recommend, or prioritize media for the covered minor,” unless the minor gave “express and unambiguous” consent or if the data in question comprises “user-selected privacy or accessibility settings” or a search query. Last, companies may not send push notifications to covered minors between midnight and 6 a.m.
State Rep ‘Floored’ by Governor’s Signature
Scott’s signature on S-69 surprised the bill’s author, Rep. Monique Priestley (D). When it passed the legislature on a bipartisan basis last month, Priestley predicted that the Vermont AADC Act would likely become law without the governor’s signature (see 2505290036). In 2024, Scott vetoed a similar kids code proposal that was included in a larger privacy omnibus bill.
“I wasn’t expecting it, and I’m still floored,” Priestley said in a Thursday post on LinkedIn. “There’s a much longer story I’ll tell another day. One that includes the late nights, the day-long cram sessions, the hundreds of Zoom calls, and the intense behind-the-scenes battles that come with taking on Big Tech. … This bill took thousands of hours.”
Signing the Vermont AADC law was “especially meaningful” to Design It For Us “because just last year, this very bill was vetoed by the Governor,” said the advocacy group’s co-chair, Zamaan Qureshi, in a statement Thursday.
Design It For Us was created in 2022 to support California’s AADC law, which has been blocked by litigation (see 2504140058). “Today’s signature reflects the growing momentum and undeniable power of young people and families demanding safer, healthier online spaces,” said Qureshi.
The Transparency Coalition agreed Scott's signing was "a surprise move and a positive step for kids online safety."
Megan Iorio, Electronic Privacy Information Center (EPIC) senior counsel, said in a statement that the Vermont law responds to Big Tech “ignoring the privacy and safety risks their design choices cause kids.” S-69 “mitigates these privacy and safety risks and does so in a way that Big Tech’s lawyers won’t be able to easily overturn in court.”