Vermont’s legislature has passed the Vermont Data Privacy Act, which is now pending the governor’s final approval. Once approved, it is expected to take effect on July 2025 (together with Tennessee‘s new privacy law). The new act appears to provide wider rights and requirements comparing to previous privacy laws in US states, featuring a privacy right of action, low applicability thresholds, and provisions governing health data.

The new act joins 17 additional US states that have enacted comprehensive data protection laws in recent years, with the latest ones being those of Nebraska, Maryland and Kentucky.

Scope of Application

The new act applies to any person that conducts business in Vermont or produces products or services that are targeted to Vermont residents, and who either:

• Controls or processes personal data of at least 25,000 consumers; or
• Derived more than 50% of their gross revenue from selling personal data.

It should be noted that the act includes provisions to gradually lower these thresholds, such that until July 2027, the legislation will apply to businesses that:

• Control or process personal data of at least 6,250 consumers, or
• Control or process personal data of at least 3,125 consumers and derive more than 20% of their gross revenue from selling personal data.

Notwithstanding the foregoing, the act includes specific provisions regarding the processing of health data, which is defined as any personal data used to identify an individual’s physical or mental health condition or diagnosis. These health data provisions apply to any person who conducts business in Vermont or produces products or services that are targeted to residents of Vermont, regardless of the above thresholds.

The act includes several exemptions, such as for entities and data subject to Gramm-Leach-Bliley Act or the Health Insurance Portability and Accountability Act (HIPAA), for certain financial and health institutions as well as non-profit organizations.

Importantly, excluded from the act’s scope are information of business-to-business contacts, employees’ data and publicly available information. Publicly available information is defined as information that: (A) is lawfully made available through the records of governmental entities or through widely distributed media; or (B) the controller reasonably believes a consumer has lawfully made available to the general public.

Controllers Obligations

Similar to other US state privacy laws, the act required data controllers to provide a detailed privacy notice and clearly and conspicuously disclose if they sell personal data or process personal data for targeted advertising or for the purpose of profiling the consumer in furtherance of decisions that produce legal or similarly significant effects.

Additionally, the controller’s obligations pursuant to the new act include, inter alia:

• Ensuring that data processing is limited to the purpose for which it was collected;
• Not discriminating against consumers who exercise their rights;
• Establishing administrative, technical and physical data security practices;
• Processing sensitive personal data only after obtaining the consumer’s consent;
• Providing a clear and conspicuous link for the consumer to opt out of the processing of personal data for targeted advertising, profiling and selling of personal data; and
• Allowing consumers to opt out of targeted advertising or the selling of personal data through a signal to the controller.

In addition, all processing of personal data by third-party processors must be governed by a binding agreement. The act provides details regarding the clauses that must be included in the agreement which shall govern the processor’s obligations towards the controller.

Consumers Rights

The new act empowers consumers with wide range of rights over their personal data, including the right to access, correct, delete, data portability, opt-out of certain uses of their personal data, including targeted advertising, the sale of personal data and certain automated profiling.

Consumers have the right to exercise their rights once a year, and the controller must provide the relevant information free of charge, unless the request is manifestly unfounded, excessive, or repetitive, in which case the controller may charge the consumer a reasonable fee. The controller must reply to a consumer without undue delay, and in any case no later than 60 days from receiving the request.

Additionally, the act provides consumers with a right to appeal the controller’s decision to reject their request.

Confidentiality of Health Data

The act prohibits anyone (regardless of whether they meet the act’s applicability thresholds) from the following actions concerning consumer health data:

• Providing access to consumer health data to an employee or contractor who does not have a contractual or statutory duty of confidentiality.
• Providing consumer health data to any processor unless the processor complies with the obligations outlined in the act.
• Using a geofence to create a virtual boundary within 1,850 feet of any health care facility for processing or otherwise using consumer health data.
• Selling consumer health data without obtaining the consumer’s consent.

Enforcement

Except as provided below, Vermont’s attorney general has exclusive enforcement power per the new act. A violation of the act constitutes an unfair and deceptive act in commerce in violation of Vermont consumer protection legislation , and may result in a civil penalty of up to $10,000. The attorney general may issue a prior notice of violation, allowing a 60-day period to cure the alleged violation.

The act also provides a private right of action for consumers harmed by a data broker or large data holder’s (as defined below) violation of the following provisions:

• Processing sensitive data without the prior consent of the consumer.
• Processing personal data in a discriminatory manner.
• Infringing provisions concerning the processing of health data.

A large data holder is defined as a person that processes the personal data of at least 100,000 consumers. A data broker is defined as a business that collects and sells or licenses to third parties the brokered personal information of a consumer with whom the business does not have a direct relationship.

Companies providing services to consumers in the United States should evaluate their exposure to this additional data protection regulatory regime in Vermont. Feel free to contact us if you have any questions regarding the new act and its practical implications.