On June 12, 2025, Governor Phil Scott signed into law S.69, the Vermont Age-Appropriate Design Code Act (the “AADC” or “Vermont Kids Code”). Vermont’s AADC focuses on protecting children and ensuring that online products and services are designed to protect children’s privacy and safety. The AADC will go into effect on January 1, 2027.
Key Provisions
Definition of Covered Businesses. Subject to certain data- and entity-level exclusions noted below, the AADC applies to “covered businesses,” which include any business or other legal entity: (1) that conducts business in Vermont; (2) that generates a majority of its annual revenue from online services; (3) whose online products, services, or features are reasonably likely to be accessed by a minor; (4) that collects Vermont consumers’ data (or for whom Vermont consumers’ data is collected); and (5) that determines the purposes and means of processing that data. Products, services, or features are reasonably likely to be accessed by a minor if they are directed to children or if their audience is or is likely composed of at least 2% minors aged 2-17 years old.
Minimum Duty of Care. Covered businesses that process covered minors’ data owe a minimum duty of care to those minors such that the design of the online service, product, or feature will not result in reasonably foreseeable emotional distress, compulsive use, or discrimination.
Privacy by Design and Default. Covered businesses must configure default privacy settings for minors at the highest level of privacy. For example, online interactions between a covered minor and an adult and the visibility of a covered minor to an adult must be limited to situations where the covered minor has expressly and unambiguously allowed permissions with a specific known adult user. Default privacy settings must also be such that push notifications cannot be sent to covered minors and search engine indexing of covered minors’ account profiles is disabled. In addition, covered minors have the right to request that their accounts on social media platforms be unpublished or deleted.
Transparency. The AADC requires covered businesses to publicly disclose their privacy, data use, and design practices. This must include a description of the purpose of and inputs used by any algorithmic recommendation systems and how and when personal data of covered minors is used.
Data Minimization & Restrictions on Sharing. The AADC requires data minimization by (1) limiting the collection, selling, sharing, or retention of covered minors’ data to purposes necessary to provide the online service, product, or feature, and (2) restricting the use of such data to only those purposes (except as otherwise provided under the AADC). Covered businesses are also prohibited from permitting any individual, including parents or guardians, to monitor online activities or track the location of a covered minor without providing a signal to the minor that he or she is being monitored or tracked. Finally, covered businesses may not send push notifications to covered minors between midnight and 6:00 a.m.
Age Assurance. The AADC mandates that data collected for determining the age of a user only be used for that purpose and that it promptly be deleted after determining the user’s age range.
Exclusions
The following are excluded from the AADC:
- Government entities;
- Protected health information processed in accordance with HIPAA;
- Information used for public health activities;
- Information that identifies a consumer in connection with activities under the Federal Policy for the Protection of Human Subjects or that are subject to protections provided for clinical investigations regulated by the FDA and Institutional Review Boards;
- Information identifying a consumer in connection with research on human subjects in accordance with clinical practice guidelines, or other research conducted in accordance with state or federal laws;
- Entities whose primary purpose is journalism; and
- Financial institutions subject to the Gramm-Leach-Bliley Act.
The AADC does not impose liability in a manner that is inconsistent with the Communications Decency Act (47 U.S.C. § 230), nor does it prevent or preclude covered minors from deliberately or independently searching for, or specifically requesting, any media.
Enforcement
The Vermont Attorney General may enforce the AADC under its general consumer protection authority. In addition, violations of the AADC are deemed unfair and deceptive practices under the Vermont Consumer Protection Act (9 V.S.A. §§ 2451 et seq.), which permits either the Attorney General or affected consumers to bring claims.
Further Rules
Effective July 1, 2025, the AADC directs the Vermont Attorney General to adopt rules describing practices that would violate the AADC – including providing further explanation of data processing or practices that would result in reasonably foreseeable compulsive use or would subvert or impair user autonomy, decision making, or choice – and rules identifying appropriate methods for determining whether a user is a covered minor. Any rules adopted must be reviewed and updated periodically to keep pace with emerging technology.
