In a significant move, Vermont Governor Phil Scott has vetoed a comprehensive data privacy bill that aimed to impose strict regulations on companies’ use of online personal data. The proposed Vermont Data Privacy Act would have allowed consumers to file civil lawsuits against companies that violated certain privacy rules, making it one of the strongest privacy laws in the country. 

Click here to register for the final part in our Mastering AI Governance Webinar Series featuring Jon Leibowitz, Former Chairman of the FTC on state and federal AI legislation and the intersection with privacy law

Truyo President Dan Clarke says, “The inclusion of a private right of action in the Vermont privacy bill was the tipping point for its veto. When you push too far in granting consumers the power to sue, lobbyists push back even harder.” This isn’t the first time we’ve seen a pushback on PRA when it comes to privacy bills. States like California ended up limiting the PRA to obtain passage, Texas has seen similar hurdles, and Florida hit gridlock over a PRA.  

Let’s look at the journey of Vermont’s data privacy bill’s veto.  

 Governor Phil Scott Halts Privacy Bill with Veto 
  • Veto Decision: Republican Governor Phil Scott vetoed the bill, expressing concerns that it would make Vermont a national outlier and hostile to businesses and non-profits. 
  • Impact on Businesses: Scott emphasized that, although the provision allowing private lawsuits was narrow, it could negatively impact mid-sized employers and generate significant fear among small businesses. 
 Bill’s Provisions 
  • Sensitive Data Protection: The bill would have prohibited the sale of sensitive data, such as social security and driver’s license numbers, financial information, and health data. 
  • Data Minimization: It aimed to set limits on the amount of personal data companies could collect and use. 
  • Private Right of Action: Notably, it included a private right of action, allowing consumers to sue companies for privacy violations, which faced strong opposition from business groups. 
 Legislative Response 
  • Override Attempt: The Democrat-controlled Legislature plans to override the governor’s veto in a special session. The bill initially passed with overwhelming support (139-3 in the House). 
  • EPIC’s Support: The Electronic Privacy Information Center (EPIC) has urged the Legislature to override the veto, stating the bill would provide meaningful privacy rights lacking in other state laws. 
 Critique of the Veto 
  • Consumer Protection: House Speaker Jill Krowinski criticized the veto, highlighting that the bill was designed to protect consumers from scams and identity theft, and to restrict Big Tech’s access to personal information. 
  • Business Interests: Critics argue that the veto supports business interests over consumer protection, suggesting that companies prefer to operate without facing legal consequences for privacy violations. 
 Context of Data Exploitation 
  • Data Usage: Companies have extensively exploited personal data for business purposes, often leading to significant data breaches and exploitation without substantial penalties. 
  • Need for Regulation: There is a growing consensus that the “notice and choice” framework for data privacy has failed, necessitating stronger regulatory control over the human information economy. 
 Merits of Vermont’s Bill 
  • Data Minimization and Protection: The bill aimed for meaningful change by enforcing data minimization and protecting against manipulative designs, especially those targeting children. 
  • Private Right of Action: The provision for a private right of action, although limited, would have provided consumers with a mechanism to enforce their privacy rights. 

The veto of Vermont’s data privacy bill prevents the state from setting a new precedent in privacy protection, reflecting a preference for industry-friendly policies. There is a concern that future privacy laws may be diluted, failing to provide real consumer protection and giving lawmakers undeserved credit for addressing privacy issues. This situation highlights the ongoing conflict between minimal, ineffective privacy laws and the necessity for robust protections.  

Meaningful privacy legislation is essential and requires state lawmakers to resist industry pressures and enact strong, enforceable laws. The debate over the Vermont Data Privacy Act underscores the urgent need for effective privacy regulation in the digital age. As states continue to grapple with balancing consumer protection and business innovation, Vermont’s legislative efforts will be closely watched as a potential model for future data privacy laws. 

To stay abreast of the latest developments in state and federal privacy law, subscribe to the Truyo Privacy Newsletter at Truyo.com/blog.

About Ale Johnson

Ale Johnson is the Marketing Manager at Truyo.