Update: As of June 13, 2024, the VDPA was vetoed by Governor Scott and returned to the legislature without a signature. The legislature then failed to overturn the veto. The future of the VDPA remains uncertain. Read Governor Scott’s explanation of the veto here and the IAPP’s reporting of the story here.

On May 12, Vermont’s House and Senate passed HB 121, better known as the Vermont Data Privacy Act (VDPA). The law awaits Governor Phil Scott’s signature. Once signed, the majority of the law will go into effect on July 1, 2025.

An AP report quotes Caitriona Fitzgerald, deputy director of the Electronic Privacy Information Center (EPIC), describing the VDPA as “among the strongest, if not the strongest” state privacy laws passed to date. Let’s take a closer look at what this robust new law entails.

Key Provisions of the Vermont Data Privacy Act

The VDPA sets forth robust requirements for businesses that control or process the personal data of over 25,000 consumers or derive more than half of their revenue from selling personal data. Among its provisions are:

• AI usage and development: the bill establishes the Artificial Intelligence and Data Privacy Advisory Council to monitor and provide guidance on the usage of AI in the Vermont government. This provision takes effect on July 1, 2024, a year before the rest of the law’s provisions.
• Age-Appropriate Design Code: the law requires businesses to consider the needs and preferences of minor users in separate developmental stages and edit their services accordingly. All data collected on minors is subject to COPPA-like guidelines that, under the VDPA, appear to extend to the age of 18 rather than 13. Critically, covered businesses also cannot track a minor’s healthcare center visits or treatments.
• Consumer rights: the VDPA enshrines the rights of consumers to access, correct, transfer, or delete their data, as well as opt out of processing. Rights requests must be fulfilled within 60 days and the company must provide the information free of charge once per consumer, per year.
• Data Broker requirements: the law establishes specific credentials an appointed data broker must have.
• Privacy notice requirements: covered businesses must provide a privacy notice that is easily available, substantial, and clearly worded.
• Data security: common-sense data security measures at every level are mandated.
• Data minimization: collected data must be processed for its original intended purpose, and not to an excessive degree.
• Dark patterns prohibition: “dark patterns” are defined as subtle tricks that trick consumers into making a purchase or giving up private data, or that discourage consumers from making decisions the company might not like. (For instance, a brightly colored marketing email might hide the unsubscribe button in tiny, barely visible font at the very bottom while the purchase button is huge and impossible to miss.) The VDPA prohibits these practices.

Enforcement of the VDPA will be under the jurisdiction of the Vermont Attorney General.

Impact on Marketers

Marketing teams with Vermont contacts will need to examine their existing strategies closely. The VDPA’s emphasis on data minimization and the prohibition against “dark patterns” in email marketing could require changing existing practices. Additionally, the robust protections for minors’ data will require marketers to design and implement more age-sensitive approaches in digital advertising.

If you’re not sure how to adapt to what could be the strongest state privacy law to date, don’t worry—our team is here to help. Get in touch with our privacy experts today to bring your marketing strategy into full compliance and keep it that way.