Vermont Data Privacy Act: What Does the Bill Have for Businesses?

The Vermont Data Privacy Act aims to provide extensive privacy safeguards for consumers' personal information. Passed by the Vermont legislature on May 12, 2024, the bill is pending the Governor's approval and is set to take effect on July 1, 2025. The provision allowing individuals to sue for violations, however, will not be in effect until 2027.

Like Maryland's privacy legislation, the VDPA imposes strict rules on handling personal and sensitive data. However, the VDPA covers a broader range of situations due to its lower applicability threshold.

Does the VDPA apply to my business?

The Vermont Data Privacy Act (VDPA) applies to individuals and businesses that operate in Vermont or offer products or services targeted to Vermont residents and that, in the preceding calendar year:

  • Managed or handled the personal data of at least 25,000 consumers, excluding data used only for payment transactions.
  • Managed or handled the personal data of at least 12,500 consumers and earned over 25% of their gross revenue from selling personal data.

The consumer health data provisions apply to all businesses and individuals operating in Vermont or targeting Vermont residents, regardless of the volume of consumer data they control or process.

What are the sensitive personal data requirements under VDPA?

Personal data means any information that is linked or reasonably linkable to an identified or identifiable individual, whether directly or indirectly.

The VDPA provides a specific definition for sensitive data, which matters because the law imposes special rules (consent before processing, and a ban on sale) on this category of information.

The VDPA defines "sensitive data" as personal data that includes:

  • Government-issued identifiers such as Social Security numbers, passport numbers, state ID cards, or driver's licenses that are not meant to be publicly displayed.
  • Details about racial or ethnic origin, national origin, citizenship or immigration status, religious or philosophical beliefs, or union membership.
  • Information on sexual orientation, sex life, sexuality, or status as transgender or non-binary.
  • Status as a crime victim.
  • Financial information, including tax returns, financial account numbers and logins, and debit or credit card numbers in combination with any access code, password, or credential that would permit access to the account.
  • Consumer health data and personal data analyzed from it.
  • Personal data revealing past, present, or future mental or physical health status, treatment, disability, or diagnosis, including pregnancy.
  • Biometric or genetic data.
  • Personal data collected from a known child.
  • Precise geolocation data.

What are the privacy notice requirements under VDPA?

Transparency is fundamental to data privacy, and the VDPA mandates that businesses disclose the following information to consumers:

  • Types of personal data, including sensitive data, that the business handles.
  • Reasons for processing personal data.
  • Procedures for exercising consumer rights and filing appeals.
  • Types of personal data, including sensitive data, shared with third parties.
  • Categories of third parties that receive personal data, described in enough detail that consumers can understand what kind of entity each is and how it processes the data.
  • Email address or other online contact methods for consumers to reach the business.
  • Identification of the business, including its registered or assumed business name.
  • Description of how personal data is processed for targeted advertising, sold, or used for profiling, along with opt-out procedures.
  • Description of the process for submitting consumer requests.

What are the duties of businesses under VDPA?

Businesses handling personal data of Vermont consumers must adhere to these obligations under the VDPA:

Data Minimization: Collect only the personal data that is reasonably necessary to provide the specific product or service the consumer requested. This is stricter than the purpose-limitation rule in most other state laws, which only requires that processing stay within a disclosed purpose.

Security Safeguards: Implement appropriate security measures at physical, administrative, and technical levels based on the nature and volume of personal data stored.

Consent:

  • Obtain consumer consent before processing personal data for any purpose that was not disclosed to the consumer.
  • Do not process sensitive data without prior consumer consent.
  • For data from children under 13, acquire verifiable parental consent in line with COPPA regulations.
  • Ensure consent is freely given, specific, unambiguous, and informed, and not obtained through deceptive means.
  • Allow consumers to revoke consent easily, ceasing data processing within 15 days of revocation.

Response to Consumer Requests:

  • Respond to consumer requests within 45 days, with a possible extension of another 45 days after notifying the consumer.
  • Fulfill consumer requests free of charge once per year per individual.
  • Establish a process for consumers to appeal decisions, responding within 45 days.

Sensitive Data:

  • Do not sell sensitive data.
  • Obtain consent before processing sensitive data.

Non-Discrimination:

  • Do not discriminate against consumers for exercising their rights, such as by denying products, increasing prices, or lowering quality.
  • Avoid processing personal data in a discriminatory manner based on race, origin, color, gender identity, etc.

Global Opt-Out:

  • Honor universal opt-out signals. Consumers may exercise their opt-out rights through an authorized agent, including by technical means such as a browser setting, browser extension, or global device setting, and the business must treat such a signal as a valid opt-out request.
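The following is an added example, not code from the original page or from Ardent, showing how a web backend can honor a browser-level opt-out signal. The page does not name a specific signal; this example assumes the Global Privacy Control (GPC) convention, in which a request carrying the header `Sec-GPC: 1` expresses an opt-out. The purposes the signal is mapped to, the function names, and the sample requests are all assumptions made for illustration; which purposes a signal legally covers is a policy decision, not something code can settle.

```python
"""Honoring a browser- or device-level opt-out preference signal.

Hypothetical example. Header name and semantics follow the Global Privacy
Control (GPC) proposal: a request with ``Sec-GPC: 1`` signals an opt-out.
"""
from typing import FrozenSet, Iterable, Mapping

# Processing purposes the signal is treated as opting the consumer out of.
# Assumption for this example: the signal is mapped to targeted advertising
# and sale; profiling opt-outs still come through the site's own controls.
SIGNAL_OPT_OUTS: FrozenSet[str] = frozenset({"targeted_advertising", "sale"})


def gpc_signal_present(headers: Mapping[str, str]) -> bool:
    """Return True only when the request carries ``Sec-GPC: 1``.

    Header names are compared case-insensitively (HTTP header names are
    case-insensitive). Any value other than the literal ``1`` is ignored, so
    ``Sec-GPC: 0`` or a malformed value is never mistaken for an opt-out,
    and a missing header means "no signal", not "consent".
    """
    for name, value in headers.items():
        if name.lower() == "sec-gpc":
            return value.strip() == "1"
    return False


def effective_opt_outs(headers: Mapping[str, str],
                       stored: Iterable[str]) -> FrozenSet[str]:
    """Combine the consumer's recorded opt-outs with a signal-derived one.

    The union is taken deliberately: a signal never removes an opt-out the
    consumer already recorded through the site's own controls, and a recorded
    opt-out stands even when the browser sends no signal.
    """
    result = set(stored)
    if gpc_signal_present(headers):
        result |= SIGNAL_OPT_OUTS
    return frozenset(result)


def may_process(purpose: str, headers: Mapping[str, str],
                stored: Iterable[str]) -> bool:
    """Gate a processing purpose on the effective opt-outs for this request."""
    return purpose not in effective_opt_outs(headers, stored)


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    signalled = {"Host": "example.test", "Sec-GPC": "1"}
    plain = {"Host": "example.test"}
    recorded = {"profiling"}  # opt-out the consumer set in their account
    print("targeted ads allowed (signal):", may_process("targeted_advertising", signalled, set()))
    print("targeted ads allowed (no signal):", may_process("targeted_advertising", plain, set()))
    print("effective opt-outs:", sorted(effective_opt_outs(signalled, recorded)))
```

Record the outcome of each decision alongside the request (whether a signal was seen and which opt-outs applied) so the processing can be shown to have honored the signal if a consumer or the Attorney General asks later.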

Transparency:

  • Provide a clear and meaningful privacy notice, as previously detailed, and ensure it meets accessibility guidelines under the ADA and Section 508 of the Rehabilitation Act.

Duties of Controllers to Minors:

  • Take reasonable care to avoid a heightened risk of harm to minors when offering online services, products, or features to a known child.
  • Retain minors' personal data only for as long as needed to provide the specific product, service, or feature.
  • Restrict the collection of minors' precise geolocation data.

Contractual Relationship:

  • Maintain a valid contract with processors and third parties who have access to the personal data, outlining the rights and obligations, data nature, processing duration, and other relevant terms.

Data Protection Impact Assessment:

  • Regularly conduct and document data protection impact assessments for processing activities involving high-risk data, including sensitive data, data used for profiling, targeted advertising, and the sale of personal data.

What are the duties of controllers and processors?

Controllers (the entities that determine the purpose and means of processing personal data) have these general duties:

  • Limit data processing to the purpose for which the data was collected.
  • Process only the minimum amount of data needed for the intended purposes.
  • Do not sell sensitive data.
  • Do not engage in discriminatory practices.
  • Implement technical and organizational measures to ensure data security.
  • Honor consumer requests.
  • Maintain written contracts with data processors.
  • Conduct data protection assessments when required.

Processors (entities that process personal data on behalf of a controller) have these duties:

  • Follow the controller's instructions regarding data processing.
  • Enable the controller to respond to consumer requests.
  • Ensure data security.
  • Assist the controller in conducting data protection assessments.

What are the rights of consumers under VDPA?

Vermont privacy law provides consumers with the following rights:

  • Right to Confirm and Access: Consumers can confirm if a business is processing their personal data and access that data if it is being processed.
  • Right to Obtain Information: Consumers can find out which third parties the controller shares their personal data with. If the controller doesn’t have this data in an accessible format, consumers can get a list of third parties that generally receive personal data.
  • Right to Correct: Consumers can correct any inaccuracies in their personal data held by businesses.
  • Right to Delete: Consumers can request businesses to delete their personal data, unless it is required to be kept by law.
  • Right to Data Portability: If personal data is processed by automated means, consumers can receive a copy of their data in a portable, usable, and transmittable format.
  • Right to Opt-Out: Consumers can opt out of targeted advertising, profiling, and the sale of their personal data, similar to other US state privacy laws.

What are the enforcement and penalties for violating VDPA?

The Vermont privacy law is enforced by the Attorney General, with fines reaching up to $10,000 per violation, which is higher than the typical $7,500 fines in other states.

However, no fines will be imposed if the violation is corrected within a 60-day cure period.

The VDPA also allows for a private right of action in certain situations. Specifically, this right is available to consumers harmed by violations committed by data brokers or large data holders, as specified in the law.

About Ardent Privacy

Ardent’s mission is to help enterprises implement meaningful security and privacy programs aligned to their business mission, building trust and protecting data assets. Ardent’s technology “TurtleShield” is a holistic software platform that empowers enterprise security, legal, and data teams to implement and manage data privacy within their organizations, with rapid data asset visibility and actions to enable privacy compliance, govern AI risk, provide meaningful data protection, and reduce the cost of compliance and data breaches. Our unique and patented ML/AI-powered technology helps organizations comply with evolving privacy and AI regulations and accelerates adoption of AI technologies. Ardent offers a low-code platform to automate privacy and AI governance, rapid discovery of data assets, and consent management, with a regional focus for global regulations.