Written by: Haim Ravia, Dotan Hammer
Vermont has enacted Act 145 (S.71), known as the Vermont Data Privacy and Online Surveillance Act. The law establishes a broad set of obligations for businesses that handle the personal data of Vermont residents.
Scope. The Act applies to a person that conducts business in Vermont, or that produces products or services targeted to Vermont residents, and that during the preceding calendar year controlled or processed the personal data of at least 35,000 consumers; controlled or processed the sensitive data of at least 3,000 consumers; or offered for sale the personal data of at least 3,000 consumers, in each case excluding data processed solely to complete a payment transaction. Consumer health data provisions apply without regard to these thresholds.
Broad definitions. “Personal data” is defined expansively to include derived data and unique identifiers that are reasonably linkable to an identified or identifiable individual or to a device. “Sensitive data” sweeps in consumer health data; genetic and biometric data; precise geolocation; neural data; data revealing race or ethnicity, religious beliefs, sex life, sexual orientation, status as nonbinary or transgender, or citizenship or immigration status; data about an individual the controller knows is a child; financial account credentials; and government-issued identification numbers.
Minors and health data. A “minor” is any consumer younger than 18 years of age, and the Act gives specific protection to reproductive or sexual health data and to gender-affirming health data. Valid “consent” must be a clear affirmative act that is freely given, specific, informed, and unambiguous; it cannot be obtained through acceptance of broad terms of use or through dark patterns, which the Act defines by reference to practices the Federal Trade Commission treats as such.
Obligations. Organizations covered by the Act must provide consumer rights with respect to consumers’ personal data. Organizations must follow the data minimization and purpose limitation principle and establish proper processor agreements. Heightened-risk processing must be accompanied by a data protection impact assessment, disclosable to the Vermont attorney general.
Click here to read the Vermont Data Privacy and Online Surveillance Act (Act 145).
