Vermont is likely to become the 15^th state with comprehensive privacy legislation after passage by the House. The Vermont Data Privacy Act (VDPA) aims to enhance consumer privacy rights, regulate the collection and use of personal data, and establish robust data protection standards for businesses operating in the state.

Understanding the Vermont Data Privacy Act will be critical if you conduct a lot of business in Vermont or selectively provide consumer rights. If enacted, this extends the streak of state-led privacy legislation and builds on the momentum we’ve seen over the last few years. Most importantly, the Act is likely to be the basis around which Vermont legislators craft AI legislation.

Let’s delve into the key requirements outlined in the VDPA:

Scope of Application:

• The Vermont Data Privacy Act applies to any business that collects, processes, or controls the personal data of Vermont residents, regardless of the business’s physical location.
• It covers a wide range of personal data, including but not limited to names, addresses, social security numbers, biometric data, and online identifiers.

Consumer Rights:

• The VDPA grants consumers various rights over their data, including the right to access, correct, delete, and restrict the processing of their information.
• Consumers have the right to opt out of the sale or sharing of their personal data to third parties.

Data Protection Obligations for Businesses:

• Businesses subject to the VDPA must implement reasonable security measures to safeguard personal data from unauthorized access, disclosure, or alteration.
• They are required to conduct data protection assessments and regularly review and update their privacy policies to ensure compliance with the law.
• Businesses must also provide clear and transparent disclosures about their data collection and processing practices, including the purposes for which data is used and any third parties with whom it is shared.

Data Breach Notification Requirements:

• In the event of a data breach involving personal data, businesses must notify affected consumers and the Vermont Attorney General within a specified timeframe.
• The notification must include detailed information about the breach, the types of data compromised, and any steps taken to mitigate the impact on affected individuals.

Enforcement and Penalties:

• The VDPA empowers the Vermont Attorney General to enforce compliance with the law and investigate violations.
• Non-compliance with the VDPA may result in significant fines and penalties imposed on businesses found to be in breach of its provisions.

Exemptions and Exceptions:

• Certain exemptions may apply to small businesses or entities already subject to federal data privacy laws, such as the Health Insurance Portability and Accountability Act (HIPAA) or the Gramm-Leach-Bliley Act (GLBA).
• The VDPA includes exceptions for data collected or processed for specific purposes, such as employment-related activities or national security.

The Vermont Data Privacy Act represents a significant step forward in protecting consumer privacy rights and promoting transparency and accountability in data handling practices. Businesses operating in Vermont must familiarize themselves with the requirements outlined in the VDPA and take proactive measures to ensure compliance with its provisions. By prioritizing data privacy and security, businesses can not only comply with legal obligations of the Vermont Data Privacy Act, but also build trust and confidence among their customers.