Protections for Personal Information (Act 138) - Overview & Analysis

Protections for Personal Information (Act 138) - Overview & Analysis

Act 138 (which began life as H.211) overhauls Vermont's data broker and personal information protection laws, strengthening consumer privacy protections, data broker registration and enforcement, security breach notification requirements, cybersecurity governance, and educational technology oversight, covering topics such as data privacy, consumer protection, cybersecurity infrastructure, government transparency, and student data protection.

The Details:

  • Redefines key terms in the data privacy statute, including "brokered personal information," "data broker," "publicly available information," and "sale," broadening the scope of data covered (e.g., adding "precise geolocation," "genetic information," and "GenAI system" definitions) and narrowing the "direct relationship" exception so that businesses cannot avoid data broker status simply by having incidental contact with consumers.

  • Prohibits any person from acquiring brokered personal information through fraud or using it to stalk, harass, defraud, or unlawfully discriminate against another person.

  • Expands data broker registration requirements administered by the Secretary of State, increasing the annual registration fee from $100 to $900, requiring registration within 30 days of meeting the data broker definition, and mandating disclosure of additional details such as whether the broker collects sensitive categories of data (e.g., reproductive health, biometric, immigration status, sexual orientation, union membership) and whether it has shared or sold data to foreign actors, government entities, law enforcement, or GenAI developers.

  • Increases penalties for noncompliance with registration requirements, raising the daily fine for failure to register from $50 (capped at $10,000/year) to $200 per day (uncapped), and adding new penalties for omitted or materially incorrect registration information (up to $25,000 plus $1,000/day for uncorrected errors).

  • Directs the Secretary of State to create a public consumer rights webpage listing registered data brokers and consumer information about their rights.

  • Establishes a separate Data Broker Security Breach Notice Act requiring data brokers to notify affected consumers within 45 days of discovering a breach and to notify the Attorney General within 14 business days, with provisions for law-enforcement-requested delays and an exception when misuse is determined not reasonably possible.

  • Directs the Secretary of State to study the feasibility of a centralized "accessible deletion mechanism" allowing consumers to request deletion of their brokered personal information from all registered data brokers through a single request, with interim and final reports due by December 1, 2027, and December 1, 2028, respectively.

  • Expands the Cybersecurity Advisory Council's membership to include legislative committee chairs and a judiciary representative, and extends the statutory repeal date for the state's cybersecurity chapter from June 30, 2028, to June 30, 2033.

  • Creates a new educational technology registration requirement (Subchapter 3B) requiring providers of ed-tech products used in Vermont schools to register with the Secretary of State, disclose privacy policies, list schools and products in use, and attest to compliance with student privacy laws and federal children's privacy laws (COPPA).

  • Sets effective dates: the personal information and educational technology provisions take effect January 1, 2027; the study, registration fee changes, and cybersecurity provisions take effect July 1, 2026.

The Good:

  • The expanded and clarified definitions of "data broker" and "brokered personal information" close loopholes that previously allowed some data-collecting businesses to avoid registration and oversight, improving transparency about who holds Vermonters' personal data.

  • Higher registration fees and steeper penalties for noncompliance create stronger financial incentives for data brokers to register accurately and promptly, potentially improving the reliability of the public data broker registry.

  • The new public consumer rights webpage and detailed disclosure requirements (including disclosures about sharing data with foreign actors, government agencies, or AI developers) give Vermonters more visibility into how their information is used and by whom.

  • The educational technology registration requirement extends privacy accountability into schools, helping parents and school districts verify that products used with students meet state and federal child privacy standards.

  • Extending the Cybersecurity Advisory Council's sunset date and broadening its membership supports continuity in the state's cybersecurity planning and brings more legislative and judicial perspectives into infrastructure protection discussions.

The Bad:

  • The near tenfold increase in registration fees ($100 to $900) and steep new penalties could create compliance burdens for smaller data brokers, potentially disadvantaging smaller Vermont-based businesses relative to larger national firms with more compliance resources.

  • The accessible deletion mechanism—arguably the provision most directly beneficial to ordinary consumers wanting control over their data—is only being studied, with a final report not due until December 2028; Vermonters seeking a "delete all my data" option will not see one for several years, if at all.

  • The bill relies heavily on Attorney General enforcement through the state's unfair-and-deceptive-practices statute, and it is unclear whether current staffing and resources are sufficient to investigate the expanded registration and disclosure requirements effectively.
  • The educational technology registration provisions require attestations of compliance but do not appear to include independent verification mechanisms, so schools and families may need to trust provider self-certification rather than an audited compliance process.

Analysis:

Act 138 represents a substantial expansion of Vermont's data privacy framework, reflecting national trends toward more granular oversight of data brokers as sensitive categories of information (geolocation, biometric data, reproductive health data, and immigration status) become more commercially valuable and more susceptible to misuse. By tightening the definition of "data broker" and closing the "direct relationship" loophole, the bill should bring more entities under regulatory scrutiny, which cuts in favor of transparency but may also increase compliance costs that some businesses could pass on to consumers or absorb as a cost of doing business in Vermont.

A central trade-off in the bill is between immediate transparency and longer-term consumer empowerment. The registration and disclosure requirements take effect relatively quickly and give the public and the Attorney General more information about data broker practices right away. However, the more consumer-empowering "accessible deletion mechanism" (which would let a Vermonter request deletion of their information from all registered brokers at once) remains only a feasibility study, with recommendations not expected until 2028. Vermonters concerned about their personal data circulating among brokers will need to wait for a comprehensive deletion tool, even as the state collects more information about broker practices in the interim.

The educational technology provisions raise separate but related questions about educational quality and access. Requiring ed-tech providers to register and attest to compliance with student privacy and COPPA standards is a meaningful step toward accountability in a sector that increasingly shapes classroom instruction, but the reliance on self-attestation rather than independent audits leaves open the question of how rigorously these commitments will be verified. Parents, school districts, and the Agency of Education may reasonably differ on whether attestation alone is sufficient or whether additional enforcement mechanisms are needed to ensure student data is truly protected.

From an economic and security standpoint, the bill's increased fees and penalties, along with expanded disclosure obligations, add regulatory weight that larger, well-resourced data brokers may absorb more easily than smaller firms. Vermonters may benefit from stronger breach notification timelines and more visibility into who holds their data, but reasonable people may disagree about whether the compliance burden is proportionate to the privacy gains, particularly for smaller Vermont businesses that only incidentally handle brokered personal information. The extended cybersecurity council sunset and expanded membership suggest a long-term institutional commitment to infrastructure protection, which supports economic security broadly, even as the bill's core consumer-facing tools (like the deletion mechanism) remain on the table for future legislative sessions.

 

Current Status:

The bill passed both chambers of the Vermont General Assembly and was signed into law by Governor Phil Scott on June 16, 2026, with most provisions taking effect July 1, 2026, and the personal information and educational technology sections taking effect January 1, 2027.

 

Last updated: 7/8/2026

DISCLAIMER: Generative AI used to assist in the production of this report.

News coverage on H.211

Read the Bill

More bill summaries

 

Recent responses