This legislation aims to address issues surrounding the protection of consumer data and the regulation of online surveillance practices. The effort reflects growing concerns about digital privacy rights.
Summary:
S.71, introduced by a group of Vermont Senators, aims to strengthen data privacy and online surveillance protections for residents by establishing the "Vermont Data Privacy and Online Surveillance Act." This new chapter introduces key definitions such as "consumer," "personal data," and "biometric data," which form the foundation for consumer rights regarding their data. The bill emphasizes the necessity of obtaining clear and informed consent from consumers before processing their personal data, particularly for sensitive categories like health and biometric data. It also addresses the manipulation of consumer choices through "dark patterns" in user interfaces, aiming to create a comprehensive legal framework that enhances consumer control over personal information.
The legislation outlines specific rights for consumers, including the ability to access, correct, and delete their personal data, as well as opt out of certain processing activities. It mandates that data controllers respond to consumer requests within designated timeframes and emphasizes responsible data collection practices, particularly concerning minors. Additionally, the bill introduces requirements for data protection assessments for high-risk processing activities and clarifies the responsibilities of both data controllers and processors. Notably, it reduces the thresholds for applicability under the Act, lowering the number of consumers whose data processing triggers compliance requirements. The Attorney General is granted enforcement powers, including the ability to issue notices of violation and oversee public education initiatives about consumer rights and obligations under the Act.
The Details:
- Applicability: The bill's data privacy provisions apply to any business that operates in or has customers in the state and meets one of the following criteria:
  - Controls or processes data on at least 100,000 consumers.
  - Controls or processes data on at least 25,000 consumers AND over 25% of the business's gross revenue is from the sale of personal data.
  - The company handles consumer health data (no threshold).
- Consumer Rights: consumers would have the right to...
  - Confirm whether or not a business is processing the consumer's personal data.
  - Access and make corrections to their personal data.
  - Have the company delete their personal data.
  - Receive a transportable copy of their personal data that would allow a customer to take it to a different business.
  - Opt out of the processing of their personal data for the purposes of:
    - Targeted advertising
    - The sale of personal data
    - Profiling the consumer
  - Designate an authorized agent to opt them out of the processing of their personal data. An agent can be technology, including a "browser setting" indicating the consumer's intent to opt out of processing.
- Restrictions: businesses may not...
  - Process sensitive data without the consumer's consent.
  - Process data for minors unless it is in accordance with COPPA.
  - Process personal data of minors for the purposes of targeted advertising.
  - Sell personal data of minors without consent.
  - Sell personal data or process personal data for targeted advertising without clear disclosure and an online opt-out process.
  - Sell consumer health data without express consent.
  - Retain any personal data processed on behalf of another business after the expiration of services.
  - Delete data for the purposes of avoiding or obstructing a subpoena.
  - Provide any employee or contractor access to consumer health data unless they are contractually subject to confidentiality.
- Process:
  - Businesses must respond to a consumer request within 45 days.
  - If a business declines to take action, it must provide a justification for doing so along with instructions on how to appeal.
  - If requests from a consumer are unfounded, excessive, or repetitive, the business may decline to act on the request or charge a fee to cover administrative costs.
  - A business may deny an opt-out request if it believes the request is fraudulent, but must provide justification for doing so.
  - Businesses must establish a process for a consumer to appeal any decision. If an appeal is denied, the business must provide the consumer with an "online mechanism" to submit a complaint to the Attorney General.
  - Businesses are required to conduct a data protection assessment for any activities that present a "heightened risk" of harm to a consumer. The Attorney General may request these assessments if they are relevant to an investigation.
- Exemptions:
  - All government agencies or boards (including tribal nations).
  - Any government contractor.
  - Nonprofit organizations (including schools and colleges).
  - National securities associations or financial institutions.
  - Airlines.
  - Information protected under HIPAA or substance use disorder records.
  - Any activity regulated under the Fair Credit Reporting Act.
  - Businesses may still collect personal data for internal use to support or refine products or services.
- Enforcement:
  - The Attorney General (AG) will enforce the provisions in this bill.
  - The AG will issue a notice of violation if they believe one has occurred. The business will have 60 days to "cure" the violation.
  - Until December 2026, the AG may bring legal action against a business that has not cured a violation after 60 days.
  - Starting in January 2027, the AG has more discretion in enforcement and can take into consideration things like the size and complexity of the business and the likelihood of injury to the public.
  - The bill does NOT create a private right of action for anyone to bring a suit. Only the AG may enforce the provisions of the bill.
Analysis:
The parameters of the bill seem mostly intended to give the Attorney General tools to litigate against large software companies like Google, Meta, and TikTok. The applicability thresholds of 100k consumers or 25% of revenue stemming from the sale of personal data seem to target these kinds of companies.
The legislation seems to model the California Consumer Privacy Act (CCPA), which went into effect in January of 2020. Since the CCPA's inception, hundreds of lawsuits have been filed that invoke or relate to its provisions. By early 2023, estimates suggest nearly 300 cases had been filed alleging violations of the CCPA. The pace of filings has varied, with around 100 new complaints in 2021 alone, though the number reportedly declined in 2022 as plaintiffs shifted toward negligence and tort-based privacy claims.
This spate of legal actions prompted California lawmakers to reform the CCPA by replacing it with the California Privacy Rights Act (CPRA), which went into effect in January 2023. Most of the lawsuits related to provisions allowing consumers to sue businesses for damages related to data breaches. Legal filings against companies like Zoom and Ring around opt-out notices were largely dismissed.
S.71 does not permit a private right of action the way CCPA did, which limits the risk for businesses operating in Vermont when it comes to frivolous lawsuits they may need to defend against. However, the applicability may be broader than it might initially look. For example, there is no size threshold for businesses dealing with consumer health data. The definition of what encompasses consumer health data is quite broad (any personal data that may be used to "identify a consumer's physical or mental health condition or diagnosis"). This could apply to a yoga studio, weight lifting gym, ski rental shop, massage therapist, etc. Each of them would likely need to comply with the provisions of the bill, which encompasses 45 pages of legal requirements. If you are the sole proprietor of a small business, it could be quite challenging to understand the requirements and incorporate them into your operations.
Additionally, while 100,000 consumers seems like a high threshold, we would likely be surprised how many Vermont businesses would be subject to the full requirements of the bill. There are a handful of recognizable businesses that handle data for millions of customers - think Dealer.com, MyWebGrocer, Keurig, Orvis, Burton, etc. There are likely dozens, if not hundreds, of Vermont-based companies that you have never heard of that would hit the 100,000 consumer threshold. Remember, they don't need to have that many customers themselves; they could be processing data on behalf of another business.
Case law has also developed around data privacy laws, and you might be surprised how some of these things are considered from a legal perspective. For example, having third-party cookies on your website is considered "selling data." Installing Google Tag Manager (a very common tool for small businesses) on your website to monitor traffic, or a tracking pixel to see how well your Instagram ad is performing, would qualify as having "sold" data. If a business or individual happens to get 100,000 visitors to their website, they would become subject to all the provisions of this bill. Jen Ellis, the woman whose mittens went viral after Bernie Sanders wore them to President Biden's inauguration, would likely have become subject to this bill overnight.
There is also a concern that as states implement their own data-privacy laws, it becomes increasingly difficult for companies to navigate the patchwork landscape of different requirements. This could lead to certain companies pulling out of specific markets where compliance is difficult. This could also impact small Vermont businesses as technology they rely on to market and track their business operations becomes unavailable. Europe chose to implement its data privacy law, GDPR, at the EU level. Canada chose to do the same with its privacy laws. It might be prudent for the US to follow suit.
There is no question that protecting consumers' data is important, and making them aware of how and when their private data is being used should be everyone's right. There is a point, however, when these things get in the way of user experience. All those annoying cookie banners we see and have to acknowledge on many of the websites we visit? They are the result of data privacy laws. Soon, you may even need to confirm your age to access many websites so they don't accidentally market to minors.
There is a way to balance all of these things where we can protect people's personal data without damaging their user experience and without placing onerous burdens on local businesses just trying to keep up. This bill strikes this balance better than CCPA originally did, but perhaps this task is still better left up to the federal government to ensure a uniform approach the way Europe and Canada have done.
It is also worth noting here that companies large enough to operate at a national scale are already required to comply with CCPA, and those who operate internationally are likely required to comply with GDPR and other countries' data privacy laws. This bill does not add much to those protections aside from giving the Vermont Attorney General tools to bring suit against such businesses. However, due to the definitions in the bill, some Vermont businesses are likely to be caught in the crossfire.
Current Status:
The bill was passed by the Senate on 3/27/2025 and was referred to the House Commerce and Economic Development Committee.
Last updated: 5/20/2025
DISCLAIMER: Generative AI used to assist in the production of this report.