The Vermont Public Interest Research Group hailed the passage of a comprehensive consumer data privacy bill Saturday.
The bill, H.121, passed after a series of back-and-forth amendments between the House and Senate in the final days of the legislative session.
VPIRG called the legislation a win for consumers, while recognizing that the final bill includes several concessions that reflect the intense lobbying of the tech and data industry.
“This is not a perfect bill, by any means,” said Zach Tomanelli, consumer protection advocate for VPIRG. “But make no mistake, this represents a significant and meaningful step forward in our effort to better protect Vermonters’ personal information.”
“Right now, Vermonters’ web searches, online purchases and location check-ins are being harvested, bought, and sold by companies totally legally,” Tomanelli said. “The unchecked spread of our personal information exposes consumers to all sorts of threats like scams, identity theft, harassment, and discrimination. Vermonters deserve common sense protections that limit companies from harvesting whatever data they want and doing whatever they want with it.”
If enacted, the Vermont Data Privacy Act would, among other things, require businesses to limit the information they collect on consumers to only that which is necessary to deliver the good or service a consumer has requested.
It would give consumers the ability to opt-out of having their data sold, used for targeted advertising, or profiling.
It would prohibit businesses from processing Vermonters’ sensitive data (e.g. financial data, health data, biometric data, data related to race, ethnic identity or sexual orientation, data of a minor, precise geolocation data, etc.) without a consumer’s consent. And the bill would prohibit the sale of such data outright.
The bill notably includes a private right of action that will allow consumers to hold companies that violate their privacy rights accountable in court.
The private right of action that was included in the final bill was significantly narrowed from that which initially passed the House earlier this year. Its implementation was delayed until 2027, it only applies to large data collectors and data brokers, and it’s only available for violations of the sensitive data and health data portions of the bill.
Nevertheless, this represents a significant win over Big Tech and Big Data who had successfully lobbied to completely remove a private right of action from almost every state-level comprehensive data privacy bill enacted to date.
For its part, VPIRG committed to work to strengthen the legislation in the years ahead.
“This is just the start for reining in companies out-of-control data practices and making our online lives safer,” Tomanelli said. “It’s a great start, but there’s more work to be done.”