HOUSE PROPOSAL OF AMENDMENT H.121
TO SENATE PROPOSAL OF AMENDMENT Page 1 of 98
2024
1 H.121
2 An act relating to enhancing consumer privacy
3 The House concurs in the Senate proposal of amendment with further
4 proposal of amendment thereto by striking out all after the enacting clause and
5 inserting in lieu thereof the following:
6 Sec. 1. 9 V.S.A. chapter 61A is added to read:
7 CHAPTER 61A. VERMONT DATA PRIVACY ACT
8 § 2415. DEFINITIONS
9 As used in this chapter:
10 (1)(A) “Affiliate” means a legal entity that shares common branding
11 with another legal entity or controls, is controlled by, or is under common
12 control with another legal entity.
13 (B) As used in subdivision (A) of this subdivision (1), “control” or
14 “controlled” means:
15 (i) ownership of, or the power to vote, more than 50 percent of the
16 outstanding shares of any class of voting security of a company;
17 (ii) control in any manner over the election of a majority of the
18 directors or of individuals exercising similar functions; or
19 (iii) the power to exercise controlling influence over the
20 management of a company.
VT LEG #377334 v.1
1 (2) “Age estimation” means a process that estimates that a consumer is
2 likely to be of a certain age, fall within an age range, or is over or under a
3 certain age.
4 (A) Age estimation methods include:
5 (i) analysis of behavioral and environmental data the controller
6 already collects about its consumers;
7 (ii) comparing the way a consumer interacts with a device or with
8 consumers of the same age;
9 (iii) metrics derived from motion analysis; and
10 (iv) testing a consumer’s capacity or knowledge.
11 (B) Age estimation does not require certainty, and if a controller
12 estimates a consumer’s age for the purpose of advertising or marketing, that
13 estimation may also be used to comply with this chapter.
14 (3) “Age verification” means a system that relies on hard identifiers or
15 verified sources of identification to confirm a consumer has reached a certain
16 age, including government-issued identification or a credit card.
17 (4) “Authenticate” means to use reasonable means to determine that a
18 request to exercise any of the rights afforded under subdivisions 2418(a)(1)–
19 (5) of this title is being made by, or on behalf of, the consumer who is entitled
20 to exercise the consumer rights with respect to the personal data at issue.
1 (5)(A) “Biometric data” means data generated from the technological
2 processing of an individual’s unique biological, physical, or physiological
3 characteristics that is linked or reasonably linkable to an individual, including:
4 (i) iris or retina scans;
5 (ii) fingerprints;
6 (iii) facial or hand mapping, geometry, or templates;
7 (iv) vein patterns;
8 (v) voice prints; and
9 (vi) gait or personally identifying physical movement or patterns.
10 (B) “Biometric data” does not include:
11 (i) a digital or physical photograph;
12 (ii) an audio or video recording; or
13 (iii) any data generated from a digital or physical photograph, or
14 an audio or video recording, unless such data is generated to identify a specific
15 individual.
16 (6) “Broker-dealer” has the same meaning as in 9 V.S.A. § 5102.
17 (7) “Business associate” has the same meaning as in HIPAA.
18 (8) “Child” has the same meaning as in COPPA.
1 (9)(A) “Consent” means a clear affirmative act signifying a consumer’s
2 freely given, specific, informed, and unambiguous agreement to allow the
3 processing of personal data relating to the consumer.
4 (B) “Consent” may include a written statement, including by
5 electronic means, or any other unambiguous affirmative action.
6 (C) “Consent” does not include:
7 (i) acceptance of a general or broad terms of use or similar
8 document that contains descriptions of personal data processing along with
9 other, unrelated information;
10 (ii) hovering over, muting, pausing, or closing a given piece of
11 content; or
12 (iii) agreement obtained through the use of dark patterns.
13 (10)(A) “Consumer” means an individual who is a resident of the State.
14 (B) “Consumer” does not include an individual acting in a
15 commercial or employment context or as an employee, owner, director, officer,
16 or contractor of a company, partnership, sole proprietorship, nonprofit, or
17 government agency whose communications or transactions with the controller
18 occur solely within the context of that individual’s role with the company,
19 partnership, sole proprietorship, nonprofit, or government agency.
1 (11) “Consumer health data” means any personal data that a controller
2 uses to identify a consumer’s physical or mental health condition or diagnosis,
3 including gender-affirming health data and reproductive or sexual health data.
4 (12) “Consumer health data controller” means any controller that, alone
5 or jointly with others, determines the purpose and means of processing
6 consumer health data.
7 (13) “Consumer reporting agency” has the same meaning as in the Fair
8 Credit Reporting Act, 15 U.S.C. § 1681a(f);
9 (14) “Controller” means a person who, alone or jointly with others,
10 determines the purpose and means of processing personal data.
11 (15) “COPPA” means the Children’s Online Privacy Protection Act of
12 1998, 15 U.S.C. § 6501–6506, and any regulations, rules, guidance, and
13 exemptions promulgated pursuant to the act, as the act and regulations, rules,
14 guidance, and exemptions may be amended.
15 (16) “Covered entity” has the same meaning as in HIPAA.
16 (17) “Credit union” has the same meaning as in 8 V.S.A. § 30101.
17 (18) “Dark pattern” means a user interface designed or manipulated with
18 the substantial effect of subverting or impairing user autonomy, decision-
19 making, or choice and includes any practice the Federal Trade Commission
20 refers to as a “dark pattern.”
1 (19) “Data broker” has the same meaning as in section 2430 of this title.
2 (20) “Decisions that produce legal or similarly significant effects
3 concerning the consumer” means decisions made by the controller that result in
4 the provision or denial by the controller of financial or lending services,
5 housing, insurance, education enrollment or opportunity, criminal justice,
6 employment opportunities, health care services, or access to essential goods or
7 services.
8 (21) “De-identified data” means data that does not identify and cannot
9 reasonably be used to infer information about, or otherwise be linked to, an
10 identified or identifiable individual, or a device linked to the individual, if the
11 controller that possesses the data:
12 (A)(i) takes reasonable measures to ensure that the data cannot be
13 used to re-identify an identified or identifiable individual or be associated with
14 an individual or device that identifies or is linked or reasonably linkable to an
15 individual or household;
16 (ii) for purposes of this subdivision (A), “reasonable measures”
17 shall include the de-identification requirements set forth under 45 C.F.R.
18 § 164.514 (other requirements relating to uses and disclosures of protected
19 health information);
1 (B) publicly commits to process the data only in a de-identified
2 fashion and not attempt to re-identify the data; and
3 (C) contractually obligates any recipients of the data to satisfy the
4 criteria set forth in subdivisions (A) and (B) of this subdivision (21).
5 (22) “Financial institution”:
6 (A) as used in subdivision 2417(a)(12) of this title, has the same
7 meaning as in 15 U.S.C. § 6809; and
8 (B) as used in subdivision 2417(a)(14) of this title, has the same
9 meaning as in 8 V.S.A. § 11101.
10 (23) “Gender-affirming health care services” has the same meaning as in
11 1 V.S.A. § 150.
12 (24) “Gender-affirming health data” means any personal data
13 concerning a past, present, or future effort made by a consumer to seek, or a
14 consumer’s receipt of, gender-affirming health care services, including:
15 (A) precise geolocation data that is used for determining a
16 consumer’s attempt to acquire or receive gender-affirming health care services;
17 (B) efforts to research or obtain gender-affirming health care
18 services; and
19 (C) any gender-affirming health data that is derived from nonhealth
20 information.
1 (25) “Genetic data” means any data, regardless of its format, that results
2 from the analysis of a biological sample of an individual, or from another
3 source enabling equivalent information to be obtained, and concerns genetic
4 material, including deoxyribonucleic acids (DNA), ribonucleic acids (RNA),
5 genes, chromosomes, alleles, genomes, alterations or modifications to DNA or
6 RNA, single nucleotide polymorphisms (SNPs), epigenetic markers,
7 uninterpreted data that results from analysis of the biological sample or other
8 source, and any information extrapolated, derived, or inferred therefrom.
9 (26) “Geofence” means any technology that uses global positioning
10 coordinates, cell tower connectivity, cellular data, radio frequency
11 identification, wireless fidelity technology data, or any other form of location
12 detection, or any combination of such coordinates, connectivity, data,
13 identification, or other form of location detection, to establish a virtual
14 boundary.
15 (27) “Health care facility” has the same meaning as in 18 V.S.A. § 9432.
16 (28) “Heightened risk of harm to a minor” means processing the
17 personal data of a minor in a manner that presents a reasonably foreseeable risk
18 of:
19 (A) unfair or deceptive treatment of, or unlawful disparate impact on,
20 a minor;
1 (B) financial, physical, or reputational injury to a minor;
2 (C) unintended disclosure of the personal data of a minor; or
3 (D) any physical or other intrusion upon the solitude or seclusion, or
4 the private affairs or concerns, of a minor if the intrusion would be offensive to
5 a reasonable person.
6 (29) “HIPAA” means the Health Insurance Portability and
7 Accountability Act of 1996, Pub. L. No. 104-191, and any regulations
8 promulgated pursuant to the act, as may be amended.
9 (30) “Identified or identifiable individual” means an individual who can
10 be readily identified, directly or indirectly, including by reference to an
11 identifier such as a name, an identification number, specific geolocation data,
12 or an online identifier.
13 (31) “Independent trust company” has the same meaning as in 8 V.S.A.
14 § 2401.
15 (32) “Investment adviser” has the same meaning as in 9 V.S.A. § 5102.
16 (33) “Large data holder” means a person that during the preceding
17 calendar year processed the personal data of not fewer than 100,000
18 consumers.
1 (34) “Mental health facility” means any health care facility in which at
2 least 70 percent of the health care services provided in the facility are mental
3 health services.
4 (35) “Nonpublic personal information” has the same meaning as in
5 15 U.S.C. § 6809.
6 (36)(A) “Online service, product, or feature” means any service,
7 product, or feature that is provided online, except as provided in subdivision
8 (B) of this subdivision (36).
9 (B) “Online service, product, or feature” does not include:
10 (i) telecommunications service, as that term is defined in the
11 Communications Act of 1934, 47 U.S.C. § 153;
12 (ii) broadband internet access service, as that term is defined in
13 47 C.F.R. § 54.400 (universal service support); or
14 (iii) the delivery or use of a physical product.
15 (37) “Patient identifying information” has the same meaning as in
16 42 C.F.R. § 2.11 (confidentiality of substance use disorder patient records).
17 (38) “Patient safety work product” has the same meaning as in 42 C.F.R.
18 § 3.20 (patient safety organizations and patient safety work product).
19 (39)(A) “Personal data” means any information, including derived data
20 and unique identifiers, that is linked or reasonably linkable to an identified or
1 identifiable individual or to a device that identifies, is linked to, or is
2 reasonably linkable to one or more identified or identifiable individuals in a
3 household.
4 (B) “Personal data” does not include de-identified data or publicly
5 available information.
6 (40)(A) “Precise geolocation data” means information derived from
7 technology that can precisely and accurately identify the specific location of a
8 consumer within a radius of 1,850 feet.
9 (B) “Precise geolocation data” does not include:
10 (i) the content of communications;
11 (ii) data generated by or connected to an advanced utility metering
12 infrastructure system; or
13 (iii) data generated by equipment used by a utility company.
14 (41) “Process” or “processing” means any operation or set of operations
15 performed, whether by manual or automated means, on personal data or on sets
16 of personal data, such as the collection, use, storage, disclosure, analysis,
17 deletion, or modification of personal data.
18 (42) “Processor” means a person who processes personal data on behalf
19 of a controller.
1 (43) “Profiling” means any form of automated processing performed on
2 personal data to evaluate, analyze, or predict personal aspects related to an
3 identified or identifiable individual’s economic situation, health, personal
4 preferences, interests, reliability, behavior, location, or movements.
5 (44) “Protected health information” has the same meaning as in HIPAA.
6 (45) “Pseudonymous data” means personal data that cannot be attributed
7 to a specific individual without the use of additional information, provided the
8 additional information is kept separately and is subject to appropriate technical
9 and organizational measures to ensure that the personal data is not attributed to
10 an identified or identifiable individual.
11 (46)(A) “Publicly available information” means information that:
12 (i) is l