Vermont Passes Extra Strong Privacy Bill

Six years ago there were no second generation privacy laws. No we are dealing with stronger and stronger laws. And more challenges for businesses.

The rub is that the legislature is controlled by the democrats, the governor is a republican and the legislative session has ended, so the bill could get vetoed.

The bill outlaws the sale of sensitive data, which includes social security and drivers’ license numbers, and financial and health information. It also limits the amount of personal data companies can collect and use. My guess is that the gov is okay with the first and has concerns with the second.

The bill also allows consumers to sue – like California does. The lawsuit route does have some speed bumps. If a person wants to sue the company has 60 days to fix the problem. That might work for technical violations, but it does not work with breaches.

The governor is concerned about what that might mean for small businesses and if we are talking about a minor technical violation and the company can get sued for that, well, that probably not great. The purists will say just follow the law, but, especially for small businesses, that is hard and the law is often gray.

Apparently the legislators heard the governor’s concern and limited the ability to sue to data brokers who make most of their money from selling your data and companies that process data for more than 100,000 Vermonters (is that a word?) in a year.

The bill also includes bits and pieces of a previous bill aimed at protecting kids. What they included in this bill is the parts of the previous bill that covers minimizing addictive features.

This comes just two weeks after Maryland’s governor signed two bills that are designed to protect kids from Big Tech. Those bills limit the data that big tech can collect from kinds as well as new consumer protections and rights and new disclosure obligations.

Here is an interesting piece of the Vermont bill. Most of the features go into effect in 2025. The right to sue doesn’t go into effect until 2026 and sunsets in 2028 – requiring a study to examine that part of the law’s effectiveness.

Here is another twist. Congress has reintroduced the concept of a federal privacy law. It would nullify all state privacy laws, which will make businesses happy and likely be relatively watered down to allow it to pass. The states are none too happy with this and with more and more states having passed some form of privacy law, their folks in the Capitol might be concerned about losing their job if the federal law passes.

The challenge here is that at least some people would prefer to pass a fig leaf of a law that pretends to protect your privacy but, in reality, allows campaign donations (and bad privacy practices) to continue unabated.

Stay tuned.

Credit: Security Week and The Record

by