Vermont Passes Landmark Data Privacy Bill

May 11, 2024

The Vermont Legislature has passed the Vermont Data Privacy Act, which EPIC supported and which represents a significant step forward for state privacy laws.

The bill goes further than many existing state privacy laws by including:

  • data minimization requirements that set meaningful limits on the amount of personal data companies can collect and use;
  • a prohibition on the sale of sensitive data;
  • strong civil rights protections to prohibit digital discrimination;
  • a limited private right of action that will allow consumers to hold businesses accountable for violations of the sensitive data rules.

In a speech last night on the floor of the House of Representatives, sponsor Representative Monique Priestley said:

“At a time when everything we do and everything we are is monetized in a surveillance economy, the urgency of this moment cannot be overstated. Without incredibly thoughtful and comprehensive measures, we leave gaps that can be exploited, undermining the very protections we seek to establish.”

Vermont Representative Monique Priestley

The passage of Vermont’s bill comes the same week as the Maryland Governor signed the Maryland Online Data Privacy Act, which contains similarly strong provisions.  

“State lawmakers are sick of companies collecting massive amounts of data about us and using it whatever way they please, and they are doing something about it. The Vermont Data Privacy Act will force meaningful changes to harmful business practices such as the sale of geolocation data. We commend Representative Priestley and her colleagues for their incredible work on this legislation.”

Caitriona Fitzgerald, Deputy Director, Electronic Privacy Information Center (EPIC)

Last year, EPIC crafted the State Data Privacy and Protection Act, modeled on American Data Privacy and Protection Act (“ADPPA”), to give state legislators the opportunity to use the bipartisan consensus language from ADPPA to strengthen state bills. The Vermont Data Privacy Act pulls many of its strong provisions from that model. The Act’s data minimization requirements include limiting the collection of personal data to what is reasonably necessary for the product or service requested by a consumer and prohibits the processing of personal data in ways that discriminate.  

EPIC recently released The State of Privacy: How State “Privacy” Laws Fail to Protect Privacy and What They Can Do Better, which found that nearly half of the 14 states that have passed so-called comprehensive privacy laws at the time received a failing grade, and none received an A. State lawmakers from across the country recently testified to Vermont’s House Committee on Commerce and Economic Development about how industry lobbying affected their experiences championing privacy bills in their states. 

The bill heads to Governor Phil Scott’s desk for signature.

Support Our Work

EPIC's work is funded by the support of individuals like you, who allow us to continue to protect privacy, open government, and democratic values in the information age.