Since 2020, in the wake of the General Data Protection Regulation (GDPR) established in the EU, there has been a growing wave of U.S. states enacting omnibus laws governing the privacy of personal information (i.e., information that identifies particular individuals).
To date, five states in the U.S. – California, Virginia, Colorado, Utah, and Connecticut – have enacted such laws, and legislation is pending in at least 14 other states. One of those other states is Vermont, which introduced a new privacy bill earlier this year.
On January 26, 2023, members of the Vermont House introduced H.121, titled “An act relating to enhancing consumer privacy.” The rather lengthy bill proposes a number of amendments to Title 9, Chapter 62 of the Vermont Statutes, which generally covers the protection of personal information. Specifically, the bill does six things, each of which is summarized further below:
- Adds definitions for several terms used throughout the bill;
- Adds a new section outlining general requirements for data collection and use;
- Modifies the scope of requirements for safe document destruction;
- Modifies and adds to requirements pertaining to data brokers;
- Adds a new section addressing protection of biometric information; and
- Directs a study to be performed on the issue of public information.
As of the date of this article, H.121 is presently with the House Committee on Commerce and Economic Development, where it has been discussed at meetings on February 9 and 23, 2023. The Committee has also received various public comments regarding the bill – some for and some against.
A. Definitions
The Vermont bill makes three proposed changes to the definitions governing Chapter 62. First, the bill adds a definition for “biometric identifier,” specifically as “unique biometric data generated from measurements or technical analysis of human body characteristics used by the owner or licensee of the data to identify or authenticate the consumer, including a fingerprint, retina or iris image, or other unique physical representation or digital representation of biometric data.” 9 V.S.A. § 2430(1) (proposed). This same language currently appears in the definitions of “personally identifiable information” and “brokered personal information,” and is removed from those definitions in the bill and replaced with “biometric identifier.” The purpose of these changes appears to be to streamline the definitions and also dovetail with the new proposed section on protection of biometric information.
The bill also adds a definition for “personal information,” which includes other terms already defined in the statute. Under the bill, personal information is defined as “any information that identifies, relates to, describes, or is capable of being associated with a particular consumer, and includes personally identifiable information, brokered personal information, login credentials, and covered information.” 9 V.S.A. § 2430(12) (proposed). This definition is consistent with the broad definition of personal information or similar terms in GDPR and the various U.S. state privacy laws. And, in fact, the definition in the bill expressly states that the term “shall be interpreted broadly.” Id. On the other hand, the definition does not expressly include commonly seen carve-outs such as publicly available information (see Section F, below), aggregated information, de-identified information, and pseudonymized information.
Finally, the bill adds a definition for the terms “sell,” “selling,” “sale,” and “sold” as meaning “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means personal information by the business to another business or a third party for monetary or other valuable consideration.” 9 V.S.A. § 2430(16) (proposed). As is obvious from the language, the definition goes far beyond actual “selling” as that term is typically understood, and the bill again proposes that the definition “shall be interpreted broadly.” Id. The proposed definition is similar to the definitions that are included in other U.S. state laws. Notably, Vermont is proposing to follow the model set by California, Colorado, and Connecticut by including the language “or other valuable consideration,” which significantly broadens the reach of the definition to cover situations where personal information is shared with third parties in return for anything of value (not just money, as in the Virginia and Utah laws).
B. Data Collection and Use
The Vermont bill proposes to add a new section (§ 2432) to Chapter 62 entitled “General Requirements for Collection and Use of Data,” which would be applicable to all data collectors who own, license, maintain, or possess personal information. 9 V.S.A. § 2432(a) (proposed). First, the bill codifies data minimization as an express requirement. The principle of data minimization is well-known and underlies virtually every legal and regulatory privacy framework in the world – and for good reason: unneeded personal information is nothing but a liability, and nothing good can come from it. The bill would specifically require that collection, use, retention, and sharing of personal information be limited only to that “reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed or for another disclosed purpose that is compatible with the context in which the personal information was collected and not further processed in a manner that is incompatible with those purposes.” 9 V.S.A. § 2432(b) (proposed). This makes sense.
Next, the bill would add restrictions on what data collectors are permitted to do with personal information they obtain from sources other than the consumer. 9 V.S.A. § 2432(c) (proposed). This requirement appears to be driven by the concepts of notice, consent, and control. If consumers are not aware that their data has been collected (i.e., because it did not come directly from them), then they are unable to provide any consent or exercise any control that might be required under the circumstances.
A major component of GDPR and the existing U.S. state privacy laws is the provision of various rights to consumers with respect to personal information collected about them, such as the right to know what information has been collected, sold, or shared; the right to access or receive a copy of the information; the right to correct or delete the information; and the right to opt out of certain actions with respect to the information. The Vermont bill follows this lead and adds a section on consumer rights, but rather than delineating these rights, the bill simply provides that the Vermont Attorney General may specify these rights via rulemaking. 9 V.S.A. § 2432(d) (proposed). In the event the Vermont bill ultimately is passed, it is reasonable to expect that the consumer rights specified by the Attorney General will largely mirror those from other existing laws.
Finally, the proposed new section 2432 includes a section that would allow consumers to opt out of any sale of their personal information or use of that information for targeted advertising, predictive analytics, or tracking. 9 V.S.A. § 2432(e) (proposed). Similar opt-out rights exist under GDPR and the existing U.S. state privacy laws. The opt-out would be exercised using “a user-selected universal opt-out mechanism that meets the technical specifications established by the Attorney General.” Id. One issue of note is that, while the bill defines “sale” (see above), it does not define “targeted advertising,” “predictive analytics,” or “tracking,” which could lead to confusion given the various nuances in these types of activities.
C. Safe Destruction of Documents
Section 2445 of Chapter 62 presently addresses the safe destruction of documents containing what is currently defined as “personal information” (e.g., signature, Social Security number, government-issued ID number, credit card number, etc.). The Vermont bill would amend this section to replace the reference to “personal information” with a reference to “personally identifiable information.” This change is fairly insignificant given the overlap between the definitions of these two terms. However, the change would mean that four types of information – signature, physical characteristics or description, insurance policy number (non-health), and certain financial information – would no longer be covered under the safe destruction requirements.
D. Data Broker Requirements
In 2018, Vermont became the first state to enact legislation regulating “data brokers,” which are businesses (or units of a business) that knowingly collect, and then sell or license to third parties, the “brokered personal information” of consumers with whom they do not have a direct relationship. 9 V.S.A. § 2430(4)(A). The law requires data brokers to register annually with the Vermont Secretary of State, describe their data collection/sale/licensing practices, and develop comprehensive, written information security programs containing a variety of required policies, procedures, and safeguards. 9 V.S.A. §§ 2446-2447.
The Vermont bill proposes to add a number of new provisions applicable to data brokers. First, the bill creates a new section (§ 2436) that sets forth notification requirements for data broker security breaches, which are breaches that involve brokered personal information maintained by a data broker. These requirements largely track the existing requirements in 9 V.S.A. § 2435 for all other types of data breaches, including breaches involving data brokers. One notable departure from those requirements is that data brokers would not have the option of providing “substitute notice” of a breach, which, for data collectors that are not data brokers, can be done by “conspicuously posting the notice on the data collector’s website if the data collector maintains one” and “notifying major statewide and regional media.” 9 V.S.A. § 2435(b)(6)(B)(ii).
Second, it amends the annual registration disclosures for data brokers under section 2446 in various respects. Most of these proposed changes appear designed to dovetail with the requirements that would be added by proposed new section 2448 (see below). In addition, several changes are proposed regarding civil penalties that can be assessed against data brokers for various categories of non-compliance:
- Increases the civil penalty where a data broker fails to register from $50 per day of non-compliance to $100 per day, and removes the $10,000 annual cap on civil penalties for failure to register;
- Imposes a civil penalty of $1,000 per day of non-compliance where a data broker omits required information from its registration and fails to file an amendment including the omitted information within five business days of being notified of the omission; and
- Imposes a civil penalty of $25,000 where a data broker files “materially incorrect” information in its registration, as well as an additional penalty of $1,000 per day of non-compliance where the data broker fails to correct the “false” information within five business days of discovering or being notified of the incorrect information.
9 V.S.A. § 2446(b)-(d) (proposed). Regarding the last item above, the bill does not define the phrase “materially incorrect,” and in the same breath it uses the term “false.” As these two concepts are not necessarily equal, it seems that further clarity will be needed.
Vermont’s current data broker statute contains a number of provisions governing data brokers’ duty to protect personally identifiable information and the particulars of information security programs that data brokers must have in place. 9 V.S.A. § 2447. The Vermont bill adds a new section (§ 2448) that outlines consumer opt-out requests as well as additional duties for data brokers:
- “Individual opt-out” – A consumer would be able to request that a data broker stop collecting his or her data, delete all data in its possession regarding him or her, and/or stop selling his or her data. Data brokers would be required to establish a simple procedure for consumer opt-out requests (including compliance with the requests within 10 days of receipt) and describe that procedure in their annual registrations and on their websites.
- “General opt-out” – A consumer would be able to file an online opt-out request with the Vermont Secretary of State that all data brokers registered in Vermont must honor. The Secretary of State would create and maintain a “Data Broker Opt-Out List,” which must contain information necessary for data brokers to identify consumers who have opted out, and which data brokers would need to review at least once every 31 days to determine newly-added opt-out requests.
- “Credentialing” – Data brokers would be required to maintain reasonable procedures for ensuring that third parties to whom they disclose brokered personal information only use that data for legitimate and legal purposes. These procedures would require data brokers to have third parties identify themselves, certify the purposes for receiving the information, and certify that it will be used only for those purposes. If the data broker has reasonable grounds to believe that a third party will not use the brokered personal information for a legitimate and legal purpose, the broker may not disclose the information to that third party.
9 V.S.A. § 2448(a)-(c) (proposed).
E. Protection of Biometric Information
Three U.S. states – Illinois, Texas, and Washington – have enacted laws that specifically address privacy issues related to biometric information. In addition, the five omnibus state privacy laws that have been enacted each define personal information and/or sensitive personal information to include biometric data. Proposed legislation addressing biometric data is pending in at least ten other states.
The Vermont bill follows the trend set by Illinois, Texas, and Washington by proposing comprehensive requirements for “biometric identifiers,” defined above in Section A. The requirements are fairly onerous and would certainly require businesses and others collecting and using biometric identifiers to do so carefully. First, and subject to certain enumerated exceptions, biometric identifiers may not be collected or retained from consumers without first providing clear and conspicuous notice, obtaining consent, and providing a mechanism to prevent subsequent use of biometric identifiers. 9 V.S.A. §§ 2449(a)(1) and 2449(a)(8)(A)-(C) (proposed). The required notice must include a description of the biometric identifiers collected or retained; the specific purpose for collecting or retaining them; the length of time they will be retained or used; third parties to whom they may be sold, leased, or otherwise disclosed; the purpose of such disclosure; and the means by which consumers may prevent subsequent use. 9 V.S.A. § 2449(a)(3)(A)-(D) (proposed). Consumer consent must be obtained through an opt-in process, whether in writing through an electronic form, through a verbal recording, or in another confirmable manner. 9 V.S.A. § 2449(a)(5) (proposed).
Second, any person who collects or retains biometric identifiers must set up a retention schedule and guidelines for the permanent destruction of biometric identifiers and information after the purpose for collection or retention has been satisfied or within one year of the person’s last interaction with the applicable consumer, whichever is sooner. 9 V.S.A. § 2449(a)(2)(A) (proposed).
Third, biometric identifiers that have been collected or retained may not be sold, leased, or otherwise disclosed to third parties for a specific purpose except where
(a) the consumer provides consent in the manner noted above;
(b) the sale, lease, or other disclosure is necessary to provide a product or service requested by the consumer and the consumer is notified of the third-party recipients and the purpose of the disclosure;
(c) the sale, lease, or other disclosure is necessary to complete, administer, or enforce a financial transaction requested or initiated by the consumer, the consumer is notified of the third-party recipients, and these recipients maintain the confidentiality of the biometric identifiers; or
(d) the sale, lease, or other disclosure is authorized by a statute or court order. 9 V.S.A. § 2449(a)(4)(A)-(D) (proposed).
Fourth, persons collecting or retaining biometric identifiers must guard against unauthorized access or acquisition of them and must follow the data security standards applicable to data brokers. 9 V.S.A. § 2449(a)(6)(A)-(B) (proposed). Also, biometric identifiers may be retained for no longer than is reasonably necessary to provide the services for which they were collected or stored, to comply with legal obligations, or to protect against fraud or other illegal activity. 9 V.S.A. § 2449(a)(6)(C) (proposed).
Fifth, a person who collects, receives, or stores biometric identifiers either directly from consumers or indirectly from third parties may not use those identifiers in a manner that is materially inconsistent with the terms under which the identifiers were originally provided unless consent from consumers is obtained first. 9 V.S.A. § 2449(a)(7) (proposed).
Sixth, the bill includes several provisions regarding enforcement of the proposed requirements and remedies for violations. The Vermont Attorney General and the various state’s attorneys are given authority to enforce the requirements and bring actions in the Vermont Superior Court for any remedies (e.g., civil penalties) provided in Vermont’s consumer protection statutes (Title 9, Chapter 63 of the Vermont Statutes). 9 V.S.A. § 2449(b)(1)(A) (proposed). Any civil penalties imposed must take into consideration the number of violations, the seriousness of the violations, the size and sophistication of the business that committed the violations, and the business’s “history of respecting or failing to respect the privacy of consumers.” 9 V.S.A. § 2449(b)(1)(B) (proposed). These factors are broad and somewhat undefined, which could lead to challenges down the road. The bill also provides a 180-day grace period for persons who possess biometric identifiers that were not acquired in accordance with the requirements outlined above. In that instance, the person must either obtain consent or delete the identifiers within 180 days of enactment of the bill, after which a penalty of $10,000 per day of non-compliance applies. 9 V.S.A. § 2449(b)(1)(C) (proposed).
Finally, like the Illinois law, the Vermont bill would provide a private right of action for any consumers aggrieved by violations, with potential remedies to include damages, injunctive relief, punitive damages, and reasonable costs and attorneys’ fees. 9 V.S.A. § 2449(b)(2) (proposed). Recoverable damages would amount to the greater of (a) the consumer’s actual damages or (b) $1,000 for a negligent violation or $5,000 for a willful or reckless violation.
F. Public Information
The five omnibus state privacy laws currently in effect each exclude “publicly available information” from the scope of regulated (i.e., personal) information. These laws generally define publicly available information to include
(1) lawfully available information from federal, state, or local government records; or
(2) information that a business has a reasonable basis to believe is lawfully made available to the general public through widely distributed media, by the consumer, or by a person to whom the consumer has disclosed the information if the consumer has not restricted the information to a specific audience.
As noted above, Vermont bill H.121 includes a new definition for “personal information” but does not explicitly exclude publicly available information from that definition. The exclusion of at least some public information is implied, however, given that “personal information” is defined to include “personally identifiable information,” “brokered personal information,” and “covered information,” each of which excludes certain publicly available information from its respective definition. But these particular carve-outs do not cover all public information that might qualify as “personal information” under the bill. Perhaps in recognition of this fact, the bill includes a directive requiring the Attorney General to report to the Vermont Legislature by December 1, 2023 regarding how the term “public” has been interpreted in the personal information context and whether public information should be excluded from the scope of personal information.