Vermont legislators recently disregarded national trends by passing the strictest state law protecting online data privacy — and they did so by using an unusual approach designed to avoid industrial pressure.
The Vermont Data Privacy Law: An Overview
Right to Sue: Under the law, Vermont residents can directly sue companies that collect or share their sensitive data without their consent. This provision is a departure from the usual regulatory approach, which relies on government agencies to enforce privacy rules.
Sensitive Data Definition: The law defines sensitive data broadly, encompassing not only personally identifiable information (PII) but also health-related data, biometric information, and geolocation data.
Transparency Requirements: Companies must be transparent about their data practices. They are required to disclose what data they collect, how it is used, and whether it is shared with third parties.
Opt-In Consent: Companies must obtain explicit consent from users before collecting or sharing their sensitive data. This opt-in approach puts control back in the hands of consumers.
Lawmakers collaborated with counterparts from other states
The Vermont scenario is a rare but dramatic exception to a growing national trend: with little action from Congress, the responsibility of regulating technology has shifted to the states. This sets state lawmakers, who frequently have limited staff and part-time occupations, against big national lobbies with corporate and political influence.
It's unclear whether Vermont's new strategy will work: Republican Gov. Phil Scott has yet to sign the bill, and lawmakers and industry are still arguing about it.
However, national consumer advocacy groups are already turning to Vermont as a possible model for lawmakers hoping to impose severe state tech restrictions throughout the country – a struggle that states have mostly lost up to this point.
The State Lawmaker Alliance
Vermont’s data privacy law has galvanized state lawmakers across the country. Here’s why:
Grassroots Playbook: Lawmakers collaborated with counterparts from other states to create a “grassroots playbook.” This playbook outlines strategies for passing similar legislation elsewhere. By sharing insights and tactics, they hope to create a united front against tech industry lobbying.
Pushback Against Industry Pressure: Tech lobbyists have historically opposed stringent privacy regulations. Vermont’s law represents a bold move, and lawmakers anticipate pushback from industry giants. However, the alliance aims to stand firm and protect consumers’ rights.
Potential Model for Other States: If Vermont successfully implements its data privacy law, other states may follow suit. The alliance hopes to create a domino effect, encouraging more states to prioritize consumer privacy.
Lobbying at its best
The fight for privacy legislation has been fought in states since 2018 when California became the first to implement a comprehensive data privacy law.
In March 2024, Vermont's House of Representatives began debating a state privacy law that would allow residents the right to sue firms for privacy infractions and limit the amount of data that businesses may collect on their customers. Local businesses and national groups warned that the plan would destroy the industry, but the House passed it overwhelmingly.
The bill was then sent to the state Senate, where it was met with further support from local businesses.
The CFO of Vermont outdoor outfitter Orvis wrote to state legislators saying limiting data collecting would "put Vermont businesses at a significant if not crippling disadvantage."
A spokesman for Orvis stated that the corporation did not collaborate with tech sector groups opposing Vermont's privacy measure.
On April 12, the Vermont Chamber of Commerce informed its members that it had met with state senators and that they had "improved the bill to ensure strong consumer protections that do not put an undue burden on Vermont businesses."
Priestley expressed concern about the pressure in an interview. It reminded her of L.L. Bean's significant resistance to Maine's privacy legislation. She discovered similar industry attacks against state privacy rules in Maryland, Montana, Oklahoma, and Kentucky. She invited politicians from all five states to discuss their experiences to demonstrate this trend to her colleagues.
Industry Response
Predictably, tech companies and industry associations have expressed concerns. They argue that a patchwork of state laws could hinder innovation and create compliance challenges. Some argue for a federal approach to data privacy, emphasizing consistency across all states.