State Law Practice Note

Vermont Consumer Privacy Law

Vermont regulates privacy today through breach-notice, data-broker, and consumer-protection statutes; a comprehensive act (S.71) awaits the Governor and an age-appropriate design code takes effect January 1, 2027.

More details about this document
Editor
, OpenAgreements editor
License
CC BY 4.0
Authorities relied on

Which privacy laws apply to your business in Vermont?

No comprehensive consumer-privacy statute is in force in Vermont today. The operative state framework is sectoral: the Security Breach Notice Act governs breach response, a data-broker law requires registration and an information security program from businesses that knowingly collect and sell or license consumer data they did not get from the consumer directly, a student-data subchapter governs operators of online services used primarily for PreK-12 school purposes, and the Consumer Protection Act's ban on unfair or deceptive acts in commerce is the enforcement backbone for all of it.

Two queued changes make Vermont unusual right now. First, a comprehensive bill — S.71, the Vermont Data Privacy and Online Surveillance Act — has passed both chambers and, as of June 12, 2026, sits on the Governor's desk awaiting signature, veto, or inaction; it is covered in detail in the next section because none of its duties are law yet. Second, the Vermont Age-Appropriate Design Code Act (Act 63 of 2025) is already enacted and codified at 9 V.S.A. §§ 2449a–2449i, but by its own terms the act does not take effect until January 1, 2027, so its duties for minors' online services belong on a compliance roadmap rather than in a current-obligations checklist.

Until either of those layers arrives, Vermont residents have no general state-law rights to access, delete, correct, or port their personal data, no right to opt out of sale or targeted advertising, and businesses face no state notice-at-collection, consent, data-protection-assessment, or processor-contract duties. The rest of a Vermont-facing privacy program rides the federal overlay: Section 5 of the FTC Act reaches deceptive or unfair privacy practices nationwide, the Gramm-Leach-Bliley Act governs financial institutions, HIPAA governs covered health entities and their business associates, and COPPA governs services directed to children under 13. A program built to that overlay plus the Vermont statutes described below upgrades rather than restarts if S.71 becomes law.

Sources for this answer

Primary law

A.1 9 V.S.A. § 2435

Vermont's breach-notification statute is formally named the Security Breach Notice Act.

This section shall be known as the Security Breach Notice Act.

See 9 V.S.A. § 2435(a).

Primary law

A.2 9 V.S.A. § 2430

A data broker is a business that knowingly collects and sells or licenses to third parties the brokered personal information of consumers with whom it has no direct relationship.

“Data broker” means a business, or unit or units of a business, separately or together, that knowingly collects and sells or licenses to third parties the brokered personal information of a consumer with whom the business does not have a direct relationship.

See 9 V.S.A. § 2430(4)(A).

Primary law

A.3 9 V.S.A. § 2443

Vermont's student-data subchapter applies to operators of websites, online services, and applications used primarily for PreK-12 school purposes and designed and marketed for those purposes.

“Operator” means, to the extent that an entity is operating in this capacity, the operator of an Internet website, online service, online application, or mobile application with actual knowledge that the site, service, or application is used primarily for PreK-12 school purposes and was designed and marketed for PreK-12 school purposes.

See 9 V.S.A. § 2443(2).

Primary law

A.4 9 V.S.A. § 2453

The Vermont Consumer Protection Act declares unfair methods of competition and unfair or deceptive acts or practices in commerce unlawful — the enforcement hook into which the privacy statutes route violations.

Unfair methods of competition in commerce and unfair or deceptive acts or practices in commerce are hereby declared unlawful.

See 9 V.S.A. § 2453(a).

Primary law

A.5 Act 63 (2025) — Vermont Age-Appropriate Design Code Act

The Age-Appropriate Design Code Act takes effect on January 1, 2027, except its effective-date section and the Attorney General rulemaking authority, which took effect July 1, 2025.

This act shall take effect on January 1, 2027, except that this section (effective dates) and, in Sec. 1, 9 V.S.A. § 2449f(b) and 9 V.S.A. § 2449g(b) (rulemaking authority) shall take effect on July 1, 2025.

See 2025, No. 63 (Act 63), Sec. 2.

Primary law

A.6 FTC Act § 5

Section 5 of the FTC Act declares unfair or deceptive acts or practices in or affecting commerce unlawful, reaching deceptive privacy practices nationwide.

Unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful.

See 15 U.S.C. § 45(a)(1).

Is Vermont about to get a comprehensive consumer privacy law?

Possibly within days — but nothing has changed yet. S.71, the Vermont Data Privacy and Online Surveillance Act, has passed both chambers and would add a new chapter 61A to Title 9 of the Vermont Statutes. If enacted, it would apply to businesses that conduct business in Vermont or target products or services to Vermont residents and that, in the preceding calendar year, controlled or processed the personal data of at least 25,000 consumers, or at least 12,500 consumers while deriving more than 25 percent of gross revenue from selling personal data. As of June 12, 2026, the bill is not law: the official legislative record shows it delivered to the Governor on June 10, 2026, which puts the constitutional deadline to act — five days, Sundays excepted — on or about June 16, 2026. Signature, veto, and inaction are all live outcomes.

The docket context matters because Vermont has been here before: the Governor vetoed the predecessor comprehensive bill, H.121, in June 2024, and this bill reaches the same desk two years later. Some secondary reports describing an early-June 2026 veto of S.71 are inconsistent with the official legislative record, which shows the bill delivered to the Governor on June 10, 2026 with no action recorded as of this writing — so treat any veto claim dated before the delivery date as unreliable and check the official bill-status page before acting on it.

What the bill would do, stated in the subjunctive because none of it is in force: consumers would gain rights to confirm and access their personal data and to know whether their personal data is or will be used in any artificial intelligence system and for what purpose, plus rights to correct, delete, and port data and to opt out of targeted advertising, the sale of personal data, and significant-decision profiling. The bill would also ban using a geofence within 1,850 feet of any health care facility — including mental health and reproductive or sexual health facilities — to identify, track, collect data from, or send notifications to consumers about their health data, a prohibition that would apply without regard to the processing thresholds. Violations would be unfair and deceptive acts under the Consumer Protection Act, with the Attorney General holding exclusive enforcement authority outside one narrow carve-out for suits against data brokers and large data holders. The applicability thresholds would step down on a schedule: the operative provisions would take effect July 1, 2026, a middle threshold (12,500 consumers, or 6,250 plus 20 percent data-sale revenue) on July 1, 2027, and a low threshold (6,250, or 3,125 plus 20 percent) on July 1, 2028.

Practice caution

Do not build compliance obligations around S.71 unless and until it becomes law — but do scope the work now, because the runway would be extraordinarily short. If the bill is signed or becomes law without signature, its operative section would take effect July 1, 2026, roughly two weeks after the Governor's decision deadline. A business near the 25,000-consumer threshold should already know which systems hold Vermont personal data and how it would honor access, deletion, and opt-out requests.

Sources for this answer

Primary law

B.1 S.71 (2026) — Vermont Data Privacy and Online Surveillance Act (as passed both chambers; not law)

S.71 would apply to businesses operating in or targeting Vermont that processed personal data of at least 25,000 consumers, or at least 12,500 consumers with more than 25 percent of gross revenue from data sales, in the preceding calendar year.

Except as provided in subsection (b) of this section, this chapter applies to a person who conducts business in this State or a person who produces products or services that are targeted to residents of this State and that during the preceding calendar year: (1) controlled or processed the personal data of not fewer than 25,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or (2) controlled or processed the personal data of not fewer than 12,500 consumers and derived more than 25 percent of the person’s gross revenue from the sale of personal data.

See S.71 (Vt. 2026), proposed 9 V.S.A. § 2416(a) (passed both chambers; not enacted).

Primary law

B.2 S.71 (2026) — Vermont Data Privacy and Online Surveillance Act (as passed both chambers; not law)

S.71 would give consumers rights to confirm and access their personal data and to know whether their personal data is or will be used in any artificial intelligence system and for what purpose.

A consumer shall have the right to: (1) confirm whether a controller is processing the consumer’s personal data and, if a controller is processing the consumer’s personal data, access the personal data; (2) know whether a consumer’s personal data is or will be used in any artificial intelligence system and for what purpose;

See S.71 (Vt. 2026), proposed 9 V.S.A. § 2418(a)(1)–(2) (passed both chambers; not enacted).

Primary law

B.3 S.71 (2026) — Vermont Data Privacy and Online Surveillance Act (as passed both chambers; not law)

S.71 would give consumers the right to opt out of processing for targeted advertising, the sale of personal data, and profiling in furtherance of automated decisions with legal or similarly significant effects.

opt out of the processing of personal data for purposes of: (A) targeted advertising; (B) the sale of personal data; or (C) profiling in furtherance of automated decisions that produce legal or similarly significant effects concerning the consumer.

See S.71 (Vt. 2026), proposed 9 V.S.A. § 2418(a)(7) (passed both chambers; not enacted).

Primary law

B.4 S.71 (2026) — Vermont Data Privacy and Online Surveillance Act (as passed both chambers; not law)

S.71 would prohibit using a geofence within 1,850 feet of any health care facility to identify, track, collect data from, or send notifications to a consumer regarding the consumer's health data.

use a geofence to establish a virtual boundary that is within 1,850 feet of any health care facility, including any mental health facility or reproductive or sexual health facility, for the purpose of identifying, tracking, collecting data from, or sending any notification to a consumer regarding the consumer’s consumer health data.

See S.71 (Vt. 2026), proposed 9 V.S.A. § 2425(3) (passed both chambers; not enacted).

Primary law

B.5 S.71 (2026) — Vermont Data Privacy and Online Surveillance Act (as passed both chambers; not law)

Under S.71, violations would be unfair and deceptive acts under the Consumer Protection Act, with the Attorney General holding exclusive enforcement authority outside the bill's narrow private-action carve-out.

A person who violates this chapter or rules adopted pursuant to this chapter commits an unfair and deceptive act in commerce in violation of section 2453 of this title, and the Attorney General shall have exclusive authority to enforce such violations except as provided in subsection (d) of this section.

See S.71 (Vt. 2026), proposed 9 V.S.A. § 2424(a) (passed both chambers; not enacted).

Primary law

B.6 S.71 (2026) — Vermont Data Privacy and Online Surveillance Act (as passed both chambers; not law)

If enacted, S.71's operative provisions would take effect July 1, 2026, with applicability-threshold step-downs taking effect July 1, 2027 and July 1, 2028.

(b) Sec. 1 (Vermont Data Privacy and Online Surveillance Act) shall take effect on July 1, 2026. (c) Sec. 3 (Vermont Data Privacy Online Surveillance Act middle applicability threshold) shall take effect on July 1, 2027. (d) Sec. 4 (Vermont Data Privacy Online Surveillance Act low applicability threshold) shall take effect on July 1, 2028.

See S.71 (Vt. 2026), Sec. 5 (passed both chambers; not enacted).

What new rules for kids' online privacy take effect in Vermont on January 1, 2027?

The Vermont Age-Appropriate Design Code Act — Act 63 of 2025, codified at 9 V.S.A. §§ 2449a–2449i — is enacted law, but its duties do not apply until January 1, 2027. From that date, a covered business — an entity that conducts business in Vermont, earns a majority of its annual revenue from online services, offers products reasonably likely to be accessed by a minor, and controls the processing of consumers' personal data — will owe every covered minor a statutory minimum duty of care: its data use and design choices must not result in reasonably foreseeable emotional distress, reasonably foreseeable compulsive use, or discrimination.

The act's operational core is defaults and prohibitions rather than consent flows. A covered business shall configure all default privacy settings provided to a covered minor through the online service, product, or feature to the highest level of privacy — including not displaying a minor's social-media account, posts, or connections to known adult users, disabling search-engine indexing of the minor's profile, and not sending push notifications by default. On the prohibition side, a covered business may not collect, sell, share, or retain a covered minor's personal data beyond what is necessary for the service the minor is actively and knowingly using, and it may not send push notifications to a covered minor between midnight and 6:00 a.m. The act also requires age-assurance processes to be privacy-protective — collecting only the data strictly necessary for the age determination, deleting it once the user's status is known, and using it for no other purpose — and gives minors a 15-day account-deletion right on social platforms. A separate transparency section requires prominent disclosure of algorithmic recommendation systems and their inputs, a duty discussed with the privacy-policy material below.

Two structural points matter for planning. First, the Attorney General must adopt implementing rules — including rules prohibiting design practices that lead to compulsive use and rules establishing age-assurance methods — on or before January 1, 2027, the same day the act takes effect, so the precise contours of covered minor status will firm up only as that rulemaking concludes. Second, enforcement rides the same Consumer Protection Act hook as the rest of Vermont privacy law: a violation of the subchapter or its rules is an unfair and deceptive act in commerce. COPPA continues to apply on its own terms to operators collecting personal information from children under 13; the Vermont code layers under-18 design duties on top of that federal floor.

Practice caution

The codified design-code sections already appear in chapter 62 of Title 9 with bracketed effective-date annotations, so statutory research can make the duties look current. They are not: the act takes effect January 1, 2027, and only the Attorney General's rulemaking authority is operative today. Treat 2026 as the build year — audit whether your service is reasonably likely to be accessed by Vermont minors and what your default settings would need to become — rather than the compliance year.

Sources for this answer

Primary law

C.1 Act 63 (2025) — Vermont Age-Appropriate Design Code Act

The Age-Appropriate Design Code Act takes effect January 1, 2027; only the effective-date section and the Attorney General's rulemaking authority took effect July 1, 2025.

This act shall take effect on January 1, 2027, except that this section (effective dates) and, in Sec. 1, 9 V.S.A. § 2449f(b) and 9 V.S.A. § 2449g(b) (rulemaking authority) shall take effect on July 1, 2025.

See 2025, No. 63 (Act 63), Sec. 2.

Primary law

C.2 9 V.S.A. § 2449a

A covered business is an entity that conducts business in Vermont, generates a majority of its annual revenue from online services, offers products reasonably likely to be accessed by a minor, and determines the purposes and means of processing consumers' personal data.

“Covered business” means a sole proprietorship, partnership, limited liability company, corporation, association, other legal entity, or an affiliate thereof: (A) that conducts business in this State; (B) that generates a majority of its annual revenue from online services; (C) whose online products, services, or features are reasonably likely to be accessed by a minor; (D) that collects consumers’ personal data or has consumers’ personal data collected on its behalf by a processor; and (E) that alone or jointly with others determines the purposes and means of the processing of consumers’ personal data.

See 9 V.S.A. § 2449a(10) (effective Jan. 1, 2027).

Primary law

C.3 9 V.S.A. § 2449c

A covered business that processes a covered minor's data owes a minimum duty of care: its data use and design must not result in reasonably foreseeable emotional distress, reasonably foreseeable compulsive use, or discrimination.

A covered business that processes a covered minor’s data in any capacity owes a minimum duty of care to the covered minor. (b) As used in this subchapter, “a minimum duty of care” means the use of the personal data of a covered minor and the design of an online service, product, or feature will not result in: (1) reasonably foreseeable emotional distress as defined in 13 V.S.A. § 1061(2) to a covered minor; (2) reasonably foreseeable compulsive use of the online service, product, or feature by a covered minor; or (3) discrimination against a covered minor based upon race, ethnicity, sex, disability, sexual orientation, gender identity, gender expression, religion, or national origin.

See 9 V.S.A. § 2449c(a)–(b) (effective Jan. 1, 2027).

Primary law

C.4 9 V.S.A. § 2449d

A covered business must configure all default privacy settings provided to a covered minor to the highest level of privacy.

A covered business shall configure all default privacy settings provided to a covered minor through the online service, product, or feature to the highest level of privacy, including the following default settings:

See 9 V.S.A. § 2449d(a)(1) (effective Jan. 1, 2027).

Primary law

C.5 9 V.S.A. § 2449f

A covered business may not collect, sell, share, or retain a covered minor's personal data beyond what is necessary to provide the service the minor is actively and knowingly engaged with.

A covered business shall not: (1) collect, sell, share, or retain any personal data of a covered minor that is not necessary to provide an online service, product, or feature with which the covered minor is actively and knowingly engaged;

See 9 V.S.A. § 2449f(a)(1) (effective Jan. 1, 2027).

Primary law

C.6 9 V.S.A. § 2449f

A covered business may not send push notifications to a covered minor between midnight and 6:00 a.m.

send push notifications to a covered minor between 12:00 midnight and 6:00 a.m.

See 9 V.S.A. § 2449f(a)(5) (effective Jan. 1, 2027).

Primary law

C.7 9 V.S.A. § 2449g

During age assurance, a covered business may collect only the personal data strictly necessary for the age determination, must delete it (except the age range) once a user's status is determined, and may not use it for any other purpose.

During the process of conducting age assurance, covered businesses and processors shall: (1) only collect personal data of a user that is strictly necessary for age assurance; (2) immediately upon determining whether a user is a covered minor, delete any personal data collected of that user for age assurance, except the determination of the user’s age range; (3) not use any personal data of a user collected for age assurance for any other purpose;

See 9 V.S.A. § 2449g(a)(1)–(3) (effective Jan. 1, 2027).

Primary law

C.8 9 V.S.A. § 2449d

A covered business must provide a prominent, accessible, and responsive tool for a covered minor to request that a social-media account be unpublished or deleted, and must honor the request within 15 days.

A covered business shall: (1) provide a prominent, accessible, and responsive tool to allow a covered minor to request the covered minor’s account on a social media platform be unpublished or deleted; and (2) honor that request not later than 15 days after a covered business receives the request.

See 9 V.S.A. § 2449d(b) (effective Jan. 1, 2027).

Primary law

C.9 9 V.S.A. § 2449f

The Attorney General must adopt rules on or before January 1, 2027 prohibiting data processing or design practices that lead to compulsive use or subvert user autonomy, and must review them at least every two years.

The Attorney General shall, on or before January 1, 2027, adopt rules pursuant to this subchapter that prohibit data processing or design practices of a covered business that, in the opinion of the Attorney General, lead to compulsive use or subvert or impair user autonomy, decision making, or choice during the use of an online service, product, or feature of the covered business.

See 9 V.S.A. § 2449f(b).

Primary law

C.10 9 V.S.A. § 2449h

A violation of the design-code subchapter or its rules is an unfair and deceptive act in commerce under the Consumer Protection Act.

A covered business or processor that violates this subchapter or rules adopted pursuant to this subchapter commits an unfair and deceptive act in commerce in violation of section 2453 of this title.

See 9 V.S.A. § 2449h(a) (effective Jan. 1, 2027).

Primary law

C.11 COPPA

COPPA makes it unlawful for an operator of a child-directed website or online service, or one with actual knowledge it is collecting children's personal information, to collect that information in violation of the FTC's implementing regulations.

It is unlawful for an operator of a website or online service directed to children, or any operator that has actual knowledge that it is collecting personal information from a child, to collect personal information from a child in a manner that violates the regulations prescribed under subsection (b).

See 15 U.S.C. § 6502(a)(1).

Does Vermont require your business to post a privacy policy?

No. Vermont has no general privacy-policy mandate — no statute requires an ordinary consumer-facing business to post a privacy policy or fixes what one must say. The duties that exist are scoped: whatever you do publish must be true, because Vermont's Consumer Protection Act tracks FTC Act § 5 deception doctrine by legislative design, and a policy that misstates how you collect, use, share, or secure data is the classic deceptive practice under the federal rule.

Notice obligations in Vermont arise setting by setting rather than from a general mandate. A registered data broker must disclose its opt-out practices and data-collection activities in its annual registry filing, covered in the next section. A breach triggers a prescribed consumer notice, covered below. From January 1, 2027, a covered business under the design code must prominently and clearly provide its privacy information, terms of service, policies, and community standards on its website or application, along with the purpose of each algorithmic recommendation system it uses. And the sectoral federal regimes supply their own notice content where they apply: a financial institution may not share nonpublic personal information with nonaffiliated third parties unless it has given the consumer a GLBA-compliant privacy notice, and a HIPAA covered entity must give individuals adequate notice of the uses and disclosures of their protected health information and of their rights and the entity's duties.

If S.71 becomes law, this picture would change fundamentally: the bill would require every covered controller to provide a reasonably accessible, clear, and meaningful privacy notice listing the categories of personal data processed — including sensitive-data categories — with a clear description of what each category includes, along with processing purposes, third-party sharing, and retention periods and a description of any targeted-advertising, sale, or profiling processing together with the procedure for opting out of it. For now, the practical drafting rule in Vermont is the federal one: build the policy from the regimes that actually apply to you, describe your real practices, and honor what you publish, because consistency between statement and conduct is the enforceable obligation.

Sources for this answer

Primary law

D.1 9 V.S.A. § 2453

Vermont courts construing the Consumer Protection Act are directed by the legislature to follow the construction of FTC Act § 5(a)(1) by the FTC and the federal courts.

It is the intent of the Legislature that in construing subsection (a) of this section, the courts of this State will be guided by the construction of similar terms contained in Section 5(a)(1) of the Federal Trade Commission Act as from time to time amended by the Federal Trade Commission and the courts of the United States.

See 9 V.S.A. § 2453(b).

Primary law

D.2 FTC Act § 5

Section 5 of the FTC Act declares unfair or deceptive acts or practices unlawful, which reaches a privacy policy that misstates a business's actual data practices.

Unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful.

See 15 U.S.C. § 45(a)(1).

Primary law

D.3 9 V.S.A. § 2449e

From January 1, 2027, a covered business must prominently and clearly post its privacy information, terms, policies, and community standards, plus the purpose of each algorithmic recommendation system it uses.

A covered business shall prominently and clearly provide on their website or mobile application: (1) the covered business’s privacy information, terms of service, policies, and community standards; (2) the purpose of each algorithmic recommendation system in use by the covered business;

See 9 V.S.A. § 2449e(1)–(2) (effective Jan. 1, 2027).

Primary law

D.4 GLBA § 502

A financial institution may not disclose nonpublic personal information to a nonaffiliated third party unless it has provided the consumer a notice complying with the GLBA's privacy-notice requirements.

Except as otherwise provided in this subchapter, a financial institution may not, directly or through any affiliate, disclose to a nonaffiliated third party any nonpublic personal information, unless such financial institution provides or has provided to the consumer a notice that complies with section 6803 of this title.

See 15 U.S.C. § 6802(a).

Primary law

D.5 HIPAA Notice of Privacy Practices

A HIPAA covered entity must give individuals adequate notice of the uses and disclosures of their protected health information and of their rights and the entity's legal duties.

an individual has a right to adequate notice of the uses and disclosures of protected health information that may be made by the covered entity, and of the individual's rights and the covered entity's legal duties with respect to protected health information

See 45 C.F.R. § 164.520(a)(1).

Primary law

D.6 S.71 (2026) — Vermont Data Privacy and Online Surveillance Act (as passed both chambers; not law)

S.71 would require controllers to provide a reasonably accessible, clear, and meaningful privacy notice listing the categories of personal data — including sensitive data — that the controller processes.

A controller shall provide to consumers a reasonably accessible, clear, and meaningful privacy notice that: (A) lists the categories of personal data, including the categories of sensitive data, that the controller processes with a clear description of what data each category includes;

See S.71 (Vt. 2026), proposed 9 V.S.A. § 2419(f)(1)(A) (passed both chambers; not enacted).

Primary law

D.7 S.71 (2026) — Vermont Data Privacy and Online Surveillance Act (as passed both chambers; not law)

S.71's privacy notice would also have to describe processing purposes, rights-exercise and appeal methods, the categories of personal data sold or shared with third parties, the categories of those third parties, and retention periods.

(B) describes the controller’s purposes for processing each category of personal data the controller processes in a way that gives consumers a meaningful understanding of how each category of their personal data will be used; (C) describes how a consumer may exercise the consumer’s rights under this chapter, including how a consumer may appeal a controller’s denial of a consumer’s request under section 2418 of this title; (D) lists all categories of personal data, including the categories of sensitive data, that the controller sells or shares with third parties; (E) describes all categories of third parties with which the controller sells or shares personal data at a level of detail that enables the consumer to understand what type of entity each third party is and, to the extent possible, how each third party may process personal data; (F) describes the length of time the controller intends to retain each category of personal data or, if it is not possible to identify the length of time, the criteria used to determine the length of time the controller intends to retain categories of personal data;

See S.71 (Vt. 2026), proposed 9 V.S.A. § 2419(f)(1)(B)–(F) (passed both chambers; not enacted).

Primary law

D.8 S.71 (2026) — Vermont Data Privacy and Online Surveillance Act (as passed both chambers; not law)

S.71's privacy notice would have to clearly and conspicuously describe any processing for targeted advertising, sale to third parties, or significant-decision profiling, plus a procedure for opting out of that processing.

provides a clear and conspicuous description of any processing of personal data in which the controller engages for the purposes of targeted advertising, sale of personal data to third parties, or profiling the consumer in furtherance of decisions that produce legal or similarly significant effects concerning the consumer, and a procedure by which the consumer may opt out of this type of processing;

See S.71 (Vt. 2026), proposed 9 V.S.A. § 2419(f)(1)(J) (passed both chambers; not enacted).

Do you have to register as a data broker in Vermont?

Yes, if you meet the definition: a data broker is a business, or unit of a business, that knowingly collects and sells or licenses to third parties the brokered personal information of consumers with whom the business has no direct relationship. A business that qualifies must register with the Vermont Secretary of State annually, on or before January 31 following any year in which it met the definition, pay a $100 registration fee, and file disclosures about its practices. Failing to register carries a civil penalty of $50 per day, capped at $10,000 per year, plus the unpaid fees.

Vermont enacted this regime in 2018, and it remains the state's most distinctive privacy obligation. The registry disclosures cover the broker's contact addresses, its opt-out practices (method, scope, and whether third-party agents may opt out on a consumer's behalf), whether it credentials purchasers, the number of data-broker security breaches it experienced in the prior year, and its practices regarding minors' data. The direct relationship concept does the main scoping work: a business collecting and selling data about its own customers, users, employees, or investors is generally not a data broker as to those people, and the statute carves out activities like operating third-party e-commerce platforms and providing publicly available professional information.

Registration is only half the regime. Every data broker must also develop, implement, and maintain a comprehensive written information security program with administrative, technical, and physical safeguards appropriate to its size, resources, data volume, and the sensitivity of the information, with statutorily enumerated minimum features running from employee training and access controls to encryption of personally identifiable information transmitted over public networks or stored on portable devices. Separately, the law bans everyone (not just brokers) from acquiring brokered personal information through fraudulent means or acquiring or using it to stalk or harass, commit fraud, or engage in unlawful employment or housing discrimination. Violations of the security-program duty and the misuse bans are per se unfair and deceptive acts under the Consumer Protection Act, which puts the Attorney General's full enforcement toolkit behind them.

Sources for this answer

Primary law

E.1 9 V.S.A. § 2430

A data broker is a business that knowingly collects and sells or licenses to third parties the brokered personal information of consumers with whom it has no direct relationship.

“Data broker” means a business, or unit or units of a business, separately or together, that knowingly collects and sells or licenses to third parties the brokered personal information of a consumer with whom the business does not have a direct relationship.

See 9 V.S.A. § 2430(4)(A).

Primary law

E.2 9 V.S.A. § 2446

A data broker must register with the Secretary of State annually by January 31, pay a $100 fee, and disclose its addresses, opt-out practices, and other prescribed information.

Annually, on or before January 31 following a year in which a person meets the definition of data broker as provided in section 2430 of this title, a data broker shall: (1) register with the Secretary of State; (2) pay a registration fee of $100.00; and (3) provide the following information: (A) the name and primary physical, e-mail, and Internet addresses of the data broker;

See 9 V.S.A. § 2446(a).

Primary law

E.3 9 V.S.A. § 2446

A data broker that fails to register is liable for a civil penalty of $50 per day capped at $10,000 per year, plus the registration fees it should have paid.

A data broker that fails to register pursuant to subsection (a) of this section is liable to the State for: (1) a civil penalty of $50.00 for each day, not to exceed a total of $10,000.00 for each year, it fails to register pursuant to this section; (2) an amount equal to the fees due under this section during the period it failed to register pursuant to this section; and (3) other penalties imposed by law.

See 9 V.S.A. § 2446(b).

Primary law

E.4 9 V.S.A. § 2447

A data broker must develop, implement, and maintain a comprehensive written information security program with administrative, technical, and physical safeguards appropriate to its size, resources, data volume, and confidentiality needs.

A data broker shall develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to: (A) the size, scope, and type of business of the data broker obligated to safeguard the personally identifiable information under such comprehensive information security program; (B) the amount of resources available to the data broker; (C) the amount of stored data; and (D) the need for security and confidentiality of personally identifiable information.

See 9 V.S.A. § 2447(a)(1).

Primary law

E.5 9 V.S.A. § 2431

No person may acquire brokered personal information through fraudulent means or acquire or use it to stalk or harass, commit fraud, or engage in unlawful discrimination.

A person shall not acquire brokered personal information through fraudulent means. (2) A person shall not acquire or use brokered personal information for the purpose of: (A) stalking or harassing another person; (B) committing a fraud, including identity theft, financial fraud, or e-mail fraud; or (C) engaging in unlawful discrimination, including employment discrimination and housing discrimination.

See 9 V.S.A. § 2431(a).

Primary law

E.6 9 V.S.A. § 2447

A violation of the data-broker security-program duty is a per se unfair and deceptive act in commerce under the Consumer Protection Act.

A person who violates a provision of this section commits an unfair and deceptive act in commerce in violation of section 2453 of this title.

See 9 V.S.A. § 2447(d)(1).

What must your contracts with vendors say?

Vermont has no omnibus data-processing-agreement requirement: no statute in force prescribes controller-to-processor contract terms, audit rights, deletion clauses, or subprocessor flow-downs for ordinary businesses. The one Vermont statute that mandates vendor contract terms is the data-broker security law: a data broker's information security program must include supervising service providers by taking reasonable steps to select providers capable of maintaining appropriate security and requiring them by contract to implement and maintain security measures for personally identifiable information.

Outside the data-broker context, the binding vendor rules come from the breach statute and the federal overlay. A data collector that maintains or possesses personally identifiable information or login credentials it does not own or license (a vendor or service provider holding your data) must notify the owner or licensee of any security breach immediately following discovery, so a Vermont-aware services agreement should pin that statutory duty down with a contractual notice window, cooperation duties, and cost allocation. Where a sectoral regime applies, it supplies the contract terms: the GLBA Safeguards Rule requires financial institutions to oversee service providers by contract and to require them to maintain appropriate safeguards, and HIPAA requires a written business-associate agreement with mandatory data-protection, breach-reporting, and subcontractor terms before protected health information changes hands.

If S.71 becomes law, the bill would mandate a full data-processing agreement: processing by a processor would have to be governed by a binding contract setting clear processing instructions, the nature and purpose of processing, data types, limitations, and duration, plus confidentiality duties, deletion-or-return obligations, audit cooperation, and subcontractor flow-downs. Carrying those terms in vendor templates now is low-cost insurance: it satisfies the sectoral regimes that already apply, and nothing would need renegotiating if the comprehensive bill takes effect.

Sources for this answer

Primary law

F.1 9 V.S.A. § 2447

A data broker's information security program must include supervising service providers by selecting capable providers and requiring them by contract to implement and maintain appropriate security measures.

supervision of service providers, by: (A) taking reasonable steps to select and retain third-party service providers that are capable of maintaining appropriate security measures to protect personally identifiable information consistent with applicable law; and (B) requiring third-party service providers by contract to implement and maintain appropriate security measures for personally identifiable information;

See 9 V.S.A. § 2447(b)(6).

Primary law

F.2 9 V.S.A. § 2435

A data collector that maintains personal information it does not own or license must notify the owner or licensee of any security breach immediately following discovery.

Any data collector that maintains or possesses computerized data containing personally identifiable information or login credentials that the data collector does not own or license or any data collector that acts or conducts business in Vermont that maintains or possesses records or data containing personally identifiable information or login credentials that the data collector does not own or license shall notify the owner or licensee of the information of any security breach immediately following discovery of the breach, consistent with the legitimate needs of law enforcement as provided in subdivisions (3) and (4) of this subsection.

See 9 V.S.A. § 2435(b)(2).

Primary law

F.3 GLBA Safeguards Rule

The GLBA Safeguards Rule requires a financial institution to oversee service providers, including by requiring them by contract to implement and maintain appropriate safeguards for customer information.

Requiring your service providers by contract to implement and maintain such safeguards

See 16 C.F.R. § 314.4(f)(2).

Primary law

F.4 HIPAA Business Associate Contracts

HIPAA requires the business-associate contract to establish the permitted uses and disclosures of protected health information and to bind the business associate to use appropriate safeguards, report unauthorized uses and disclosures including breaches, and flow the same restrictions down to subcontractors.

A contract between the covered entity and a business associate must: (i) Establish the permitted and required uses and disclosures of protected health information by the business associate. The contract may not authorize the business associate to use or further disclose the information in a manner that would violate the requirements of this subpart, if done by the covered entity, except that: (A) The contract may permit the business associate to use and disclose protected health information for the proper management and administration of the business associate, as provided in paragraph (e)(4) of this section; and (B) The contract may permit the business associate to provide data aggregation services relating to the health care operations of the covered entity. (ii) Provide that the business associate will: (A) Not use or further disclose the information other than as permitted or required by the contract or as required by law; (B) Use appropriate safeguards and comply, where applicable, with subpart C of this part with respect to electronic protected health information, to prevent use or disclosure of the information other than as provided for by its contract; (C) Report to the covered entity any use or disclosure of the information not provided for by its contract of which it becomes aware, including breaches of unsecured protected health information as required by § 164.410; (D) In accordance with § 164.502(e)(1)(ii), ensure that any subcontractors that create, receive, maintain, or transmit protected health information on behalf of the business associate agree to the same restrictions and conditions that apply to the business associate with respect to such information;

See 45 C.F.R. § 164.504(e)(2).

Primary law

F.5 S.71 (2026) — Vermont Data Privacy and Online Surveillance Act (as passed both chambers; not law)

S.71 would require processing by a processor to be governed by a binding contract setting clear processing instructions, the nature and purpose of processing, data types, limitations, and duration, plus confidentiality, deletion-or-return, compliance-information, subcontractor flow-down, and audit-cooperation terms.

Processing by a processor must be governed by a contract between the controller and the processor. The contract must: (1) be valid and binding on both parties; (2) set forth clear instructions for processing data, the nature and purpose of the processing, the type of data that is subject to processing, limitations, and the duration of the processing; (3) specify the rights and obligations of both parties with respect to the subject matter of the contract; (4) ensure that each person that processes personal data is subject to a duty of confidentiality with respect to the personal data; (5) require the processor to delete the personal data or return the personal data to the controller at the controller’s direction or at the end of the provision of services, unless a law requires the processor to retain the personal data; (6) require the processor to make available to the controller, at the controller’s request, all information the controller needs to verify that the processor has complied with all obligations the processor has under this chapter; (7) require the processor to enter into a subcontract with a person the processor engages to assist with processing personal data on the controller’s behalf and in the subcontract require the subcontractor to meet the processor’s obligations concerning personal data; (8)(A) allow the controller, the controller’s designee, or a qualified and independent person the processor engages, in accordance with an appropriate and accepted control standard, framework, or procedure, to assess the processor’s policies and technical and organizational measures for complying with the processor’s obligations under this chapter; (B) require the processor to cooperate with the assessment; and (C) at the controller’s request, report the results of the assessment to the controller;

See S.71 (Vt. 2026), proposed 9 V.S.A. § 2420(b)(1)–(8) (passed both chambers; not enacted).

What rights do Vermont consumers have over their personal data?

Under current law, Vermont consumers have no general rights to access, delete, correct, or port their personal data, no right to opt out of its sale or use in targeted advertising, and no statute requires businesses to honor universal opt-out preference signals. What Vermonters have instead is a set of scoped protections: no one may acquire brokered personal information through fraudulent means or use it for stalking, fraud, or unlawful discrimination; businesses must safely destroy customer records containing personal information they no longer retain; and the data-broker registry gives consumers visibility, since each registered broker must disclose whether and how it permits consumers to opt out of its collection, databases, or sales.

The registry disclosure is worth reading precisely: the statute requires a broker to describe its opt-out method, scope, and third-party-agent policy if it offers one, and to state which activities a consumer may not opt out of — it does not force every broker to offer an opt-out. That transparency-over-rights design is the clearest marker of where Vermont law stands today: the statute compels disclosure about opt-outs, not the opt-out itself.

S.71 would close the gap if it becomes law. The bill would create the standard suite (confirmation, access, correction, deletion including derived data, and portability), plus a right to know whether personal data is or will be used in any artificial intelligence system and for what purpose, and opt-out rights covering targeted advertising, data sales, and significant-decision profiling. It would also require controllers to let consumers exercise the advertising and sale opt-outs through an opt-out preference signal sent by a platform, technology, or mechanism, the universal-opt-out architecture that current Vermont law lacks. Until the bill's fate is resolved, businesses fielding data-rights requests from Vermont residents are doing so voluntarily or under another state's law, not under a Vermont mandate.

Sources for this answer

Primary law

G.1 9 V.S.A. § 2431

No person may acquire or use brokered personal information for stalking or harassment, fraud, or unlawful employment or housing discrimination.

A person shall not acquire or use brokered personal information for the purpose of: (A) stalking or harassing another person; (B) committing a fraud, including identity theft, financial fraud, or e-mail fraud; or (C) engaging in unlawful discrimination, including employment discrimination and housing discrimination.

See 9 V.S.A. § 2431(a)(2).

Primary law

G.2 9 V.S.A. § 2445

A business must take all reasonable steps to destroy customer records containing personal information that it no longer retains, by shredding, erasing, or otherwise making the information unreadable.

A business shall take all reasonable steps to destroy or arrange for the destruction of a customer’s records within its custody or control containing personal information that is no longer to be retained by the business by shredding, erasing, or otherwise modifying the personal information in those records to make it unreadable or indecipherable through any means for the purpose of: (1) ensuring the security and confidentiality of customer personal information;

See 9 V.S.A. § 2445(b).

Primary law

G.3 9 V.S.A. § 2446

A data broker's annual registration must disclose whether it permits consumer opt-outs, the method for requesting one, the activities it covers, and whether a third-party agent may exercise it.

if the data broker permits a consumer to opt out of the data broker’s collection of brokered personal information, opt out of its databases, or opt out of certain sales of data: (i) the method for requesting an opt-out; (ii) if the opt-out applies to only certain activities or sales, which ones; and (iii) whether the data broker permits a consumer to authorize a third party to perform the opt-out on the consumer’s behalf;

See 9 V.S.A. § 2446(a)(3)(B).

Primary law

G.4 S.71 (2026) — Vermont Data Privacy and Online Surveillance Act (as passed both chambers; not law)

S.71 would give consumers rights to confirm and access their personal data and to know whether it is or will be used in any artificial intelligence system and for what purpose.

A consumer shall have the right to: (1) confirm whether a controller is processing the consumer’s personal data and, if a controller is processing the consumer’s personal data, access the personal data; (2) know whether a consumer’s personal data is or will be used in any artificial intelligence system and for what purpose;

See S.71 (Vt. 2026), proposed 9 V.S.A. § 2418(a)(1)–(2) (passed both chambers; not enacted).

Primary law

G.5 S.71 (2026) — Vermont Data Privacy and Online Surveillance Act (as passed both chambers; not law)

S.71 would give consumers the right to opt out of processing for targeted advertising, the sale of personal data, and profiling in furtherance of significant automated decisions.

opt out of the processing of personal data for purposes of: (A) targeted advertising; (B) the sale of personal data; or (C) profiling in furtherance of automated decisions that produce legal or similarly significant effects concerning the consumer.

See S.71 (Vt. 2026), proposed 9 V.S.A. § 2418(a)(7) (passed both chambers; not enacted).

Primary law

G.6 S.71 (2026) — Vermont Data Privacy and Online Surveillance Act (as passed both chambers; not law)

S.71 would require controllers to let consumers or authorized agents exercise the sale and targeted-advertising opt-outs through a preference signal sent by a platform, technology, or mechanism.

allow a consumer or authorized agent to send a signal to the controller that indicates the consumer’s preference to opt out of the sale of personal data or targeted advertising pursuant to subdivision 2418(a)(7) of this title by means of a platform, technology, or mechanism that:

See S.71 (Vt. 2026), proposed 9 V.S.A. § 2419(g)(3) (passed both chambers; not enacted).

When must you notify people of a data breach in Vermont?

A data collector that owns or licenses computerized personally identifiable information or login credentials must notify affected consumers after discovering or being notified of a security breach. The statutory standard is that notice "shall be made in the most expedient time possible and without unreasonable delay, but not later than 45 days after the discovery or notification," subject to the legitimate needs of law enforcement and to any measures necessary to determine the scope of the breach and restore the reasonable integrity, security, and confidentiality of the data system. A separate, faster clock runs to the regulator: a preliminary description of the breach, together with the breach and discovery dates, must reach the Attorney General (or the Department of Financial Regulation for its licensees) within 14 business days of discovery or of consumer notice, whichever is sooner.

A security breach is the unauthorized acquisition, or reasonable belief of unauthorized acquisition, of electronic data that compromises the security, confidentiality, or integrity of personally identifiable information or login credentials. Personally identifiable information means a consumer's first name or initial and last name combined with unencrypted, unredacted data elements such as a Social Security number, a government identification number, or a financial account number usable without further information; the definition also reaches biometric data, genetic information, and health records. Vermont treats login credentials (a username or email address plus a password or security-question answer that together permit access to an online account) as a standalone trigger, with a channel rule to match: when a breach is limited to login credentials for an email account, the notice must not be delivered through that email account.

The notice itself has fixed contents: a clear and conspicuous description of the incident in general terms, the type of information involved, the protective steps taken, a phone number for questions, vigilance advice, and the approximate date of the breach. Direct written, electronic, or telephonic notice is the default; substitute notice (website posting plus statewide and regional media) is available only when the lowest-cost direct method would exceed $10,000 or contact information is lacking. Notice to more than 1,000 consumers at one time also requires notifying the nationwide consumer reporting agencies.

Three escape valves and one hard stop. A breach need not be reported to consumers if the collector establishes that misuse of the information is not reasonably possible, but only if it files that determination, with a detailed explanation, with the Attorney General or the Department of Financial Regulation, and the duty revives if facts later indicate misuse. A HIPAA-regulated collector is deemed compliant for a breach limited to health records if it notifies under the federal breach-notification rule. Certain federally regulated financial institutions follow their interagency guidance instead. The hard stop: any waiver of the breach statute is void and unenforceable as against public policy, so the duty cannot be contracted around.
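The two clocks and the delivery rules above are the part of this section an incident-response team actually has to operationalize, so here is an added worked example (an editor's illustration, not code from the source page or from any Vermont authority) that computes both deadlines from a discovery date and flags the substitute-notice, credit-bureau, and email-channel rules. The 45-day, 14-business-day, $10,000 and 1,000-consumer figures are the ones quoted in this answer's sources; everything else is an assumption: the business-day calendar (weekends excluded, with any holidays supplied by the caller, since the statute does not define the term), the function and field names, and the sample dates.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import FrozenSet, Iterable, Optional

# Statutory figures as quoted in this page's sources (9 V.S.A. § 2435).
CONSUMER_NOTICE_MAX_DAYS = 45               # § 2435(b)(1): calendar days after discovery/notification
REGULATOR_NOTICE_BUSINESS_DAYS = 14         # § 2435(b)(3)(B)(i): business days
SUBSTITUTE_NOTICE_COST_THRESHOLD = 10_000   # § 2435(b)(6)(B)(i): lowest direct-notice cost exceeds this
CRA_NOTICE_THRESHOLD = 1_000                # § 2435(c): notice to more than this many consumers at one time


def add_business_days(start: date, n: int, holidays: FrozenSet[date] = frozenset()) -> date:
    """Advance `start` by `n` business days.

    Assumption (not from the statute): a business day is Monday to Friday and
    not in `holidays`; the caller supplies the holiday set it relies on.
    """
    current, remaining = start, n
    while remaining > 0:
        current += timedelta(days=1)
        if current.weekday() < 5 and current not in holidays:
            remaining -= 1
    return current


@dataclass(frozen=True)
class BreachClock:
    consumer_deadline: date     # last day for consumer notice
    regulator_trigger: date     # day the 14-business-day clock starts
    regulator_deadline: date    # last day for the AG / DFR preliminary description


def vermont_breach_clock(
    discovery: date,
    consumer_notice_date: Optional[date] = None,
    holidays: FrozenSet[date] = frozenset(),
) -> BreachClock:
    """Compute the consumer and regulator deadlines for a Vermont breach.

    The consumer clock runs from discovery (or from notification of the breach,
    which the caller passes as `discovery`). The regulator clock runs from
    discovery or from the day consumer notice went out, whichever is sooner;
    since consumer notice normally follows discovery, discovery governs unless
    consumers were notified before the breach was formally discovered.
    """
    trigger = discovery
    if consumer_notice_date is not None and consumer_notice_date < discovery:
        trigger = consumer_notice_date
    return BreachClock(
        consumer_deadline=discovery + timedelta(days=CONSUMER_NOTICE_MAX_DAYS),
        regulator_trigger=trigger,
        regulator_deadline=add_business_days(trigger, REGULATOR_NOTICE_BUSINESS_DAYS, holidays),
    )


def vermont_breach_clock_iso(
    discovery: str, consumer_notice_date: Optional[str] = None, holidays: Iterable[str] = ()
) -> dict:
    """Same computation with ISO-8601 date strings in and out, for scripting."""
    clock = vermont_breach_clock(
        date.fromisoformat(discovery),
        date.fromisoformat(consumer_notice_date) if consumer_notice_date else None,
        frozenset(date.fromisoformat(h) for h in holidays),
    )
    return {
        "consumer_deadline": clock.consumer_deadline.isoformat(),
        "regulator_trigger": clock.regulator_trigger.isoformat(),
        "regulator_deadline": clock.regulator_deadline.isoformat(),
    }


def notice_gating(
    affected_consumers: int,
    lowest_direct_notice_cost_usd: float,
    has_contact_info: bool,
    limited_to_email_login_credentials: bool,
) -> dict:
    """Flag the delivery rules that turn on breach facts rather than dates."""
    return {
        # Substitute notice (web posting plus media) only when direct notice is
        # too costly or there is no contact information.
        "substitute_notice_allowed": (
            lowest_direct_notice_cost_usd > SUBSTITUTE_NOTICE_COST_THRESHOLD or not has_contact_info
        ),
        # Notice to more than 1,000 consumers at one time: also tell nationwide CRAs.
        "notify_nationwide_cras": affected_consumers > CRA_NOTICE_THRESHOLD,
        # Breach limited to login credentials for an e-mail account: do not
        # deliver the notice through that account.
        "avoid_breached_email_channel": limited_to_email_login_credentials,
    }


if __name__ == "__main__":
    # Constructed scenario: breach discovered Monday 2 March 2026, no holidays.
    print(vermont_breach_clock_iso("2026-03-02"))
    print(notice_gating(1_500, 12_500.0, True, False))
```

Run as a script it prints the two deadlines for the constructed scenario and the gating flags. The regulator clock is the one teams most often miss: it is counted in business days, it starts at discovery rather than at consumer notice, and a holiday calendar you did not load silently moves the date.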

Sources for this answer

Primary law

H.1 9 V.S.A. § 2435

Consumer breach notice must be made in the most expedient time possible and without unreasonable delay, and no later than 45 days after discovery or notification of the breach.

Notice of the security breach shall be made in the most expedient time possible and without unreasonable delay, but not later than 45 days after the discovery or notification, consistent with the legitimate needs of the law enforcement agency, as provided in subdivisions (3) and (4) of this subsection, or with any measures necessary to determine the scope of the security breach and restore the reasonable integrity, security, and confidentiality of the data system.

See 9 V.S.A. § 2435(b)(1).

Primary law

H.2 9 V.S.A. § 2435

The data collector must give the Attorney General or the Department of Financial Regulation the breach and discovery dates and a preliminary description within 14 business days of discovery or consumer notice, whichever is sooner.

The data collector shall notify the Attorney General or the Department, as applicable, of the date of the security breach and the date of discovery of the breach and shall provide a preliminary description of the breach within 14 business days, consistent with the legitimate needs of the law enforcement agency as provided in this subdivision (3) and subdivision (4) of this subsection (b), of the data collector’s discovery of the security breach or when the data collector provides notice to consumers pursuant to this section, whichever is sooner.

See 9 V.S.A. § 2435(b)(3)(B)(i).

Primary law

H.3 9 V.S.A. § 2430

A security breach is the unauthorized acquisition, or reasonable belief of unauthorized acquisition, of electronic data compromising the security, confidentiality, or integrity of personally identifiable information or login credentials.

“Security breach” means unauthorized acquisition of electronic data, or a reasonable belief of an unauthorized acquisition of electronic data, that compromises the security, confidentiality, or integrity of a consumer’s personally identifiable information or login credentials maintained by a data collector.

See 9 V.S.A. § 2430(13)(A).

Primary law

H.4 9 V.S.A. § 2430

Personally identifiable information means a consumer's first name or initial and last name combined with unencrypted, unredacted data elements such as a Social Security number.

“Personally identifiable information” means a consumer’s first name or first initial and last name in combination with one or more of the following digital data elements, when the data elements are not encrypted, redacted, or protected by another method that renders them unreadable or unusable by unauthorized persons: (i) a Social Security number;

See 9 V.S.A. § 2430(10)(A).

Primary law

H.5 9 V.S.A. § 2430

Login credentials means a consumer's username or email address combined with a password or security-question answer that together permit access to an online account.

“Login credentials” means a consumer’s user name or e-mail address, in combination with a password or an answer to a security question, that together permit access to an online account.

See 9 V.S.A. § 2430(9).

Primary law

H.6 9 V.S.A. § 2435

When a breach is limited to login credentials for an email account, the data collector must not deliver the breach notice through that email account.

If a security breach is limited to an unauthorized acquisition of login credentials for an email account: (A) the data collector shall not provide notice of the security breach through the email account;

See 9 V.S.A. § 2435(d)(4).

Primary law

H.7 9 V.S.A. § 2435

The consumer notice must be clear and conspicuous and describe the incident, the information involved, the protective steps taken, a contact number, vigilance advice, and the approximate breach date.

The notice to a consumer required in subdivision (1) of this subsection shall be clear and conspicuous. A notice to a consumer of a security breach involving personally identifiable information shall include a description of each of the following, if known to the data collector: (A) the incident in general terms; (B) the type of personally identifiable information that was subject to the security breach; (C) the general acts of the data collector to protect the personally identifiable information from further security breach; (D) a telephone number, toll-free if available, that the consumer may call for further information and assistance; (E) advice that directs the consumer to remain vigilant by reviewing account statements and monitoring free credit reports; and (F) the approximate date of the security breach.

See 9 V.S.A. § 2435(b)(5).

Primary law

H.8 9 V.S.A. § 2435

Substitute notice is available only when the lowest-cost direct method would exceed $10,000 or the data collector lacks sufficient contact information.

Substitute notice, if: (I) the data collector demonstrates that the lowest cost of providing notice to affected consumers pursuant to subdivision (6)(A) of this subsection among written, e-mail, or telephonic notice would exceed $10,000.00; or (II) the data collector does not have sufficient contact information.

See 9 V.S.A. § 2435(b)(6)(B)(i).

Primary law

H.9 9 V.S.A. § 2435

Notice to more than 1,000 consumers at one time also requires notifying the nationwide consumer reporting agencies of the timing, distribution, and content of the notice.

In the event a data collector provides notice to more than 1,000 consumers at one time pursuant to this section, the data collector shall notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined in 15 U.S.C. § 1681a(p), of the timing, distribution, and content of the notice.

See 9 V.S.A. § 2435(c).

Primary law

H.10 9 V.S.A. § 2435

Consumer notice is excused only if the data collector establishes that misuse is not reasonably possible and files that determination with the Attorney General or the Department of Financial Regulation.

Notice of a security breach pursuant to subsection (b) of this section is not required if the data collector establishes that misuse of personally identifiable information or login credentials is not reasonably possible and the data collector provides notice of the determination that the misuse of the personally identifiable information or login credentials is not reasonably possible pursuant to the requirements of this subsection.

See 9 V.S.A. § 2435(d)(1).

Primary law

H.11 9 V.S.A. § 2435

A data collector invoking the no-reasonable-misuse exception must file its determination, with a detailed explanation, with the Vermont Attorney General or the Department of Financial Regulation.

If the data collector establishes that misuse of the personally identifiable information or login credentials is not reasonably possible, the data collector shall provide notice of its determination that misuse of the personally identifiable information or login credentials is not reasonably possible and a detailed explanation for said determination to the Vermont Attorney General or to the Department of Financial Regulation in the event that the data collector is a person or entity licensed or registered with the Department under Title 8 or this title.

See 9 V.S.A. § 2435(d)(1).

Primary law

H.12 9 V.S.A. § 2435

If a data collector that withheld notice under the no-reasonable-misuse exception later obtains facts indicating misuse has occurred or is occurring, it must provide the breach notice.

If a data collector established that misuse of personally identifiable information or login credentials was not reasonably possible under subdivision (1) of this subsection, and subsequently obtains facts indicating that misuse of the personally identifiable information or login credentials has occurred or is occurring, the data collector shall provide notice of the security breach pursuant to subsection (b) of this section.

See 9 V.S.A. § 2435(d)(2).

Primary law

H.13 9 V.S.A. § 2435

A HIPAA-regulated data collector is deemed compliant with the Vermont breach statute for a health-record-only breach if it notifies affected consumers under the federal breach-notification rule.

A data collector that is subject to the privacy, security, and breach notification rules adopted in 45 C.F.R. Part 164 pursuant to the federal Health Insurance Portability and Accountability Act, P.L. 104-191 (1996) is deemed to be in compliance with this subchapter if: (1) the data collector experiences a security breach that is limited to personally identifiable information specified in 2430(10)(A)(vii); and (2) the data collector provides notice to affected consumers pursuant to the requirements of the breach notification rule in 45 C.F.R. Part 164, Subpart D.

See 9 V.S.A. § 2435(e).

Primary law

H.14 9 V.S.A. § 2435

Any waiver of the Security Breach Notice Act is contrary to public policy and void, so the notification duty cannot be contracted around.

Any waiver of the provisions of this subchapter is contrary to public policy and is void and unenforceable.

See 9 V.S.A. § 2435(f).

Can a consumer sue your business in Vermont over privacy?

Not under the privacy statutes directly — but Vermont's Consumer Protection Act keeps a real private door open. The breach statute routes enforcement to public authorities: the Attorney General and State's Attorneys hold sole and full authority to investigate and prosecute breach-statute violations, with the Department of Financial Regulation playing that role for its licensees. The data-broker statutes likewise rely on public enforcement, declaring violations to be unfair and deceptive acts under the Consumer Protection Act. But the Act's general private remedy is consumer-facing: any consumer who contracts for goods or services in reliance on a practice prohibited by § 2453, or who sustains damages or injury from one, may sue for equitable relief, damages or the consideration paid, reasonable attorney's fees, and exemplary damages up to three times the consideration.

How those two design choices interact is the open question. Because the privacy statutes make violations per se unfair and deceptive acts, a consumer plaintiff will argue that a data broker's security failure or a deceptive privacy practice slots into the § 2461(b) action; the textual hurdles are the provision's framing around consumers who contract in reliance on a prohibited practice or sustain damages from one — a fit that is natural for a deceptive privacy policy a customer relied on, and harder for a registry violation by a data broker the consumer never dealt with. No Vermont appellate decision appears to have resolved how far § 2461(b) reaches into the privacy statutes, so the practical planning assumption is Attorney General enforcement as the primary exposure with § 2461(b) suits as live secondary risk wherever a consumer transaction and a misrepresentation can be pleaded. The Act also gives the State teeth beyond injunctions: violating the terms of a Consumer Protection Act injunction costs up to $10,000 per violation, and the Attorney General's toolkit includes civil investigations, assurances of discontinuance, and civil actions.

S.71 would make the private-action question explicit rather than interpretive: it would channel all private enforcement into a single narrow lane, letting a consumer harmed by a data broker's or large data holder's violation of specified duties sue in Superior Court for the greater of $5,000 or actual damages — after pre-suit notice to the Attorney General and a frivolousness screen — while barring private actions for everything else in the chapter. The broad private right of action in the 2024 predecessor bill was a stated reason for that bill's veto; the narrowed design is one of the changes this bill made on its way to the Governor's desk.

Sources for this answer

Primary law

I.1 9 V.S.A. § 2435

The Attorney General and State's Attorneys have sole and full authority to investigate and enforce breach-statute violations against entities not regulated by the Department of Financial Regulation.

With respect to all data collectors and other entities subject to this subchapter, other than a person or entity licensed or registered with the Department of Financial Regulation under Title 8 or this title, the Attorney General and State’s Attorney shall have sole and full authority to investigate potential violations of this subchapter and to enforce, prosecute, obtain, and impose remedies for a violation of this subchapter or any rules or regulations made pursuant to this chapter as the Attorney General and State’s Attorney have under chapter 63 of this title.

See 9 V.S.A. § 2435(h)(1).

Primary law

I.2 9 V.S.A. § 2435

For data collectors licensed or registered with the Department of Financial Regulation, the Department — not the Attorney General — investigates and enforces breach-statute violations.

With respect to a data collector that is a person or entity licensed or registered with the Department of Financial Regulation under Title 8 or this title, the Department of Financial Regulation shall have the full authority to investigate potential violations of this subchapter and to prosecute, obtain, and impose remedies for a violation of this subchapter or any rules or regulations adopted pursuant to this subchapter, as the Department has under Title 8 or this title or any other applicable law or regulation.

See 9 V.S.A. § 2435(h)(2).

Primary law

I.3 9 V.S.A. § 2447

A violation of the data-broker security statute is a per se unfair and deceptive act in commerce under § 2453, routing enforcement through the Consumer Protection Act.

A person who violates a provision of this section commits an unfair and deceptive act in commerce in violation of section 2453 of this title. (2) The Attorney General has the same authority to adopt rules to implement the provisions of this chapter and to conduct civil investigations, enter into assurances of discontinuance, and bring civil actions as provided under chapter 63, subchapter 1 of this title.

See 9 V.S.A. § 2447(d).

Primary law

I.4 9 V.S.A. § 2461

A consumer who contracts in reliance on, or sustains damages from, a practice prohibited by § 2453 may sue for equitable relief, damages or the consideration given, attorney's fees, and exemplary damages up to three times the consideration.

Any consumer who contracts for goods or services in reliance upon false or fraudulent representations or practices prohibited by section 2453 of this title, or who sustains damages or injury as a result of any false or fraudulent representations or practices prohibited by section 2453 of this title, or prohibited by any rule or regulation made pursuant to section 2453 of this title, may sue for appropriate equitable relief and may sue and recover from the seller, solicitor, or other violator the amount of his or her damages, or the consideration or the value of the consideration given by the consumer, reasonable attorney’s fees, and exemplary damages not exceeding three times the value of the consideration given by the consumer.

See 9 V.S.A. § 2461(b).

Primary law

I.5 9 V.S.A. § 2461

Violating the terms of a Consumer Protection Act injunction carries a civil penalty of up to $10,000 per violation, payable to the State.

Any person who violates the terms of an injunction issued under section 2458 of this title shall forfeit and pay to the State a civil penalty of not more than $10,000.00 for each violation.

See 9 V.S.A. § 2461(a).

Primary law

I.7 S.71 (2026) — Vermont Data Privacy and Online Surveillance Act (as passed both chambers; not law)

S.71 would allow a consumer harmed by a data broker's or large data holder's violation of specified duties to sue in Superior Court for the greater of $5,000 or actual damages.

Subject to the requirements of subdivisions (3) and (4) of this subsection (d), a consumer who is harmed by a data broker’s or large data holder’s violation of subsection 2419(c) of this title or section 2425 of this title may bring an action under subsection 2461(b) of this title in Superior Court for: (i) the greater of $5,000.00 or actual damages;

See S.71 (Vt. 2026), proposed 9 V.S.A. § 2424(d)(2)(A) (passed both chambers; not enacted).

Primary law

I.6 S.71 (2026) — Vermont Data Privacy and Online Surveillance Act (as passed both chambers; not law)

Under S.71, the private right of action for violations of the chapter would be exclusively as provided in the enforcement section's private-action subsection.

The private right of action available to a consumer for violations of this chapter or rules adopted pursuant to this chapter shall be exclusively as provided under this subsection.

See S.71 (Vt. 2026), proposed 9 V.S.A. § 2424(d)(1) (passed both chambers; not enacted).

Primary law

I.8 S.71 (2026) — Vermont Data Privacy and Online Surveillance Act (as passed both chambers; not law)

S.71 would require pre-suit notice to the Attorney General and a demand letter at least 65 days before filing, and would let the Attorney General screen out frivolous claims, barring the consumer's suit on a frivolousness determination.

At least 65 days prior to the filing of any action pursuant to subdivision (2)(A) of this subsection, the consumer shall: (A) only once notify the Attorney General of the alleged harm in a form and manner prescribed by the Attorney General, which, at minimum, shall require the name of the consumer and a reasonable description of the alleged violation and the harm suffered; and (B) mail to the alleged violator a written demand letter that identifies the consumer and reasonably describes the alleged violation and the harm suffered, unless the alleged violator does not maintain a place of business in Vermont or does not keep assets in Vermont. (4) Within 65 days after receiving the notice required by subdivision (3)(A) of this subsection, the Attorney General shall review the alleged harm to determine whether the claim is frivolous or nonfrivolous. (A) If the Attorney General determines that the claim is frivolous, the Attorney General shall notify the consumer in writing, and the consumer is prohibited from proceeding with an action under subsection 2461(b) of this title for the alleged harm.

See S.71 (Vt. 2026), proposed 9 V.S.A. § 2424(d)(3)–(4) (passed both chambers; not enacted).

Primary law

I.9 S.71 (2026) — Vermont Data Privacy and Online Surveillance Act (as passed both chambers; not law)

S.71 would bar private actions for any violation of the chapter other than the specifically permitted data-broker and large-data-holder claims, and against registered controllers earning under $25 million in the prior year.

No action may be taken under subsection 2461(b) of this title: (i) for a violation of any provision of this chapter or rules adopted pursuant to this chapter other than what is specifically permitted in subdivision (A) of this subdivision (2); or (ii) against a controller that is registered in the State and that earned less than $25 million in revenue in the previous calendar year.

See S.71 (Vt. 2026), proposed 9 V.S.A. § 2424(d)(2)(B) (passed both chambers; not enacted).
