Earlier today, on June 13, 2024, Governor Phil Scott vetoed the Vermont Data Privacy Act (VDPA). Governor Scott cited the “unnecessary and avoidable level of risk” that the VDPA's enactment would have created, and noted that the bill would make “Vermont a national outlier, and more hostile than any other state to many businesses.” The Vermont legislative session has concluded for the year, so any further efforts to pass another bill must wait until 2025.
The veto of the VDPA is significant because the VDPA would have been the 20th comprehensive privacy law in the U.S. and one of the first to include a private right of action. The VDPA’s private right of action applied to data brokers and large data holders (a business processing the personal data of 100,000 Vermont residents annually) that handle sensitive data. Washington’s My Health My Data – effective March 31, 2024 – and the CCPA gave consumers a right to sue for certain violations related to consumer health data and personal information security breaches, respectively, but neither bill’s private right of action would have had the reach of the VDPA.
While the VDPA will not take effect, there are still 19 other comprehensive privacy laws enacted in the U.S., and more under consideration. Additionally, the VDPA's provisions on data minimization and age-appropriate design are indicative of trends in privacy legislation. Companies should expect further comprehensive state privacy laws, and potentially some state laws that include a private right of action.
Pursuant to Chapter II, Section 11 of the Vermont Constitution, I’m returning H.121, An act relating to enhancing consumer privacy and the age-appropriate design code, without my signature because of my objections herein. This bill creates an unnecessary and avoidable level of risk.