BILL AS INTRODUCED H.712
2024 Page 1 of 22
1 H.712
2 Introduced by Representatives Priestley of Bradford, Anthony of Barre City,
3 Arsenault of Williston, Austin of Colchester, Berbeco of
4 Winooski, Buss of Woodstock, Carpenter of Hyde Park, Casey
5 of Montpelier, Chase of Chester, Christie of Hartford, Cole of
6 Hartford, Dodge of Essex, Elder of Starksboro, Farlice-Rubio of
7 Barnet, Graning of Jericho, Hango of Berkshire, Headrick of
8 Burlington, Howard of Rutland City, Hyman of South
9 Burlington, Jerome of Brandon, Mrowicki of Putney,
10 Mulvaney-Stanak of Burlington, Nugent of South Burlington,
11 Ode of Burlington, Sibilia of Dover, Sims of Craftsbury,
12 Stebbins of Burlington, and Templeman of Brownington
13 Referred to Committee on
14 Date:
15 Subject: Commerce and trade; protection of personal information; data privacy
16 Statement of purpose of bill as introduced: This bill proposes to require that
17 any covered entity that develops and provides online services, products, or
18 features that children are reasonably likely to access must consider the best
19 interests of children when designing, developing, and providing that online
20 service, product, or feature.
VT LEG #373035 v.1
 BILL AS INTRODUCED H.712
2024 Page 2 of 22
1 An act relating to age-appropriate design code
2 It is hereby enacted by the General Assembly of the State of Vermont:
3 Sec. 1. 9 V.S.A. chapter 62, subchapter 6 is added to read:
4 Subchapter 6. Age-Appropriate Design Code
5 § 2449a. DEFINITIONS
6 As used in this subchapter:
7 (1) “Affiliate” means any person that, directly or indirectly, controls, is
8 controlled by, or is under common control with another person. As used in this
9 subdivision, “Control” means ownership of, or the power to vote, more than 50
10 percent of the outstanding shares of any class of voting security of a covered
11 entity; control in any manner over the election of a majority of the directors or
12 of individuals exercising similar functions; or the power to exercise a
13 controlling influence over the management of a covered entity.
14 (2) “Age-appropriate” means a recognition of the distinct needs and
15 diversities of children at different age ranges. In order to help support the
16 design of online services, products, and features, covered entities should take
17 into account the unique needs and diversities of different age ranges, including
18 the following developmental stages: 0 to 5 years of age or “preliterate and
19 early literacy”; 6 to 9 years of age or “core primary school years”; 10 to 12
20 years of age or “transition years”; 13 to 15 years of age or “early teens”; and
21 16 to 17 years or age or “approaching adulthood.”
VT LEG #373035 v.1
 BILL AS INTRODUCED H.712
2024 Page 3 of 22
1 (3) “Child” means an individual who is under 18 years of age.
2 (4) “Collect” means buying, renting, gathering, obtaining, receiving, or
3 accessing any personal data pertaining to a consumer by any means. This
4 includes receiving data from the consumer, either actively or passively, or by
5 observing the consumer’s behavior.
6 (5) “Consumer” means a natural person who is a Vermont resident,
7 however identified, including by any unique identifier.
8 (6) “Covered entity” means:
9 (A) A sole proprietorship, partnership, limited liability company,
10 corporation, association, or other legal entity that is organized or operated for
11 the profit or financial benefit of its shareholders or other owners.
12 (B) An affiliate of a covered entity that shares common branding
13 with the covered entity. As used in this subdivision (6)(B), “common
14 branding” means a shared name, servicemark, or trademark that the average
15 consumer would understand that two or more entities are commonly owned.
16 For purposes of this subchapter, for a joint venture or partnership composed of
17 covered entities in which each covered entity has at least a 40 percent interest,
18 the joint venture or partnership and each covered entity that composes the joint
19 venture or partnership shall separately be considered a single covered entity,
20 except that personal data in the possession of each covered entity and disclosed VT LEG #373035 v.1
 BILL AS INTRODUCED H.712
2024 Page 4 of 22
1 to the joint venture or partnership must not be shared with the other covered
2 entity.
3 (7) “Dark pattern” means a user interface designed or manipulated with
4 the purpose of subverting or impairing user autonomy, decision making, or
5 choice.
6 (8) “Default” means a preselected option adopted by the covered entity
7 for the online service, product, or feature.
8 (9) “Deidentified” means data that cannot reasonably be used to infer
9 information about, or otherwise be linked to, an identified or identifiable
10 consumer, or a device linked to such consumer, provided that the covered
11 entity that possesses the data:
12 (A) takes reasonable measures to ensure that the data cannot be
13 associated with a consumer;
14 (B) publicly commits to maintain and use the data only in a
15 deidentified fashion and not attempt to re-identify the data; and
16 (C) contractually obligates any recipients of the data to comply with
17 all provisions of this subchapter.
18 (10) “Derived data” means data that is created by the derivation of
19 information, data, assumptions, correlations, inferences, predictions, or
20 conclusions from facts, evidence, or another source of information or data
21 about a child or a child’s device.
VT LEG #373035 v.1
 BILL AS INTRODUCED H.712
2024 Page 5 of 22
1 (11) “Online service, product, or feature” does not mean any of the
2 following:
3 (A) telecommunications service, as defined in 47 U.S.C. § 153;
4 (B) a broadband internet access service as defined in 3 V.S.A.
5 § 348(d); or
6 (C) the sale, delivery, or use of a physical product.
7 (12) “Personal data” means any information, including derived data, that
8 is linked or reasonably linkable, alone or in combination with other
9 information, to an identified or identifiable consumer. Personal data does not
10 include deidentified data or publicly available information. As used in this
11 subdivision, “publicly available information” means information that:
12 (A) is lawfully made available from federal, state, or local
13 government records or widely distributed media; and
14 (B) a covered entity has a reasonable basis to believe a consumer has
15 lawfully made available to the public.
16 (13) “Precise geolocation” means any data that is derived from a device
17 and that is used or intended to be used to locate a consumer within a
18 geographic area that is equal to or less than the area of a circle with a radius of
19 1,850 feet.
20 (14) “Process” or “processing” means to conduct or direct any operation
21 or set of operations performed, whether by manual or automated means, on VT LEG #373035 v.1
 BILL AS INTRODUCED H.712
2024 Page 6 of 22
1 personal data or on sets of personal data, such as the collection, use, storage,
2 disclosure, analysis, deletion, modification, or otherwise handling of personal
3 data.
4 (15) “Product experimentation results” means the data that companies
5 collect to understand the experimental impact of their products.
6 (16) “Profile” or “profiling” means any form of automated processing of
7 personal data to evaluate, analyze, or predict personal aspects concerning an
8 identified or identifiable consumer’s economic situation, health, personal
9 preferences, interests, reliability, behavior, location, or movements.
10 “Profiling” does not include the processing of information that does not result
11 in an assessment or judgment about a consumer.
12 (17) “Reasonably likely to be accessed” means an online service,
13 product, or feature that is likely to be accessed by children based on any of the
14 following indicators:
15 (A) the online service, product, or feature is directed to children, as
16 defined by the Children’s Online Privacy Protection Act, 15 U.S.C., §§ 6501–
17 6506 and the Federal Trade Commission rules implementing that Act;
18 (B) the online service, product, or feature is determined, based on
19 competent and reliable evidence regarding audience composition, to be
20 routinely accessed by a significant number of children;
VT LEG #373035 v.1
 BILL AS INTRODUCED H.712
2024 Page 7 of 22
1 (C) the online service, product, or feature contains advertisements
2 marketed to children;
3 (D) the online service, product, or feature is substantially similar or
4 the same as an online service, product, or feature subject to subdivision (B) of
5 this subdivision (17);
6 (E) a significant number of the audience of the online service,
7 product, or feature is determined, based on internal company research, to be
8 children; or
9 (F) the covered entity knew or should have known that a significant
10 number of users are children, provided that, in making this assessment, the
11 covered entity shall not collect or process any personal data that is not
12 reasonably necessary to provide an online service, product, or feature with
13 which a child is actively and knowingly engaged.
14 (18) “Sale,” “sell,” or “sold” means the exchange of personal data for
15 monetary or other valuable consideration by a covered entity to a third party.
16 It does not include the following:
17 (A) the disclosure of personal data to a third party who processes the
18 personal data on behalf of the covered entity;
19 (B) the disclosure of personal data to a third party with whom the
20 consumer has a direct relationship for purposes of providing a product or
21 service requested by the consumer;
VT LEG #373035 v.1
 BILL AS INTRODUCED H.712
2024 Page 8 of 22
1 (C) the disclosure or transfer of personal data to an affiliate of the
2 covered entity;
3 (D) the disclosure of data that the consumer intentionally made
4 available to the general public via a channel of mass media and did not restrict
5 to a specific audience; or
6 (E) the disclosure or transfer of personal data to a third party as an
7 asset that is part of a completed or proposed merger, acquisition, bankruptcy,
8 or other transaction in which the third party assumes control of all or part of
9 the covered entity’s assets.
10 (19) “Share” means sharing, renting, releasing, disclosing,
11 disseminating, making available, transferring, or otherwise communicating
12 orally, in writing, or by electronic or other means a consumer’s personal data
13 by the covered entity to a third party for cross-context behavioral advertising,
14 whether or not for monetary or other valuable consideration, including
15 transactions between a covered entity and a third party for cross-context
16 behavioral advertising for the benefit of a covered entity in which no money is
17 exchanged.
18 (20) “Third party” means a natural or legal person, public authority,
19 agency, or body other than the consumer or the covered entity.
VT LEG #373035 v.1
 BILL AS INTRODUCED H.712
2024 Page 9 of 22
1 § 2449b. SCOPE; EXCLUSIONS
2 (a) A person is considered a covered entity for the purposes of this
3 subchapter if it:
4 (1) collects consumers’ personal data or has individuals’ personal data
5 collected on its behalf by a third party;
6 (2) alone or jointly with others, determines the purposes and means of
7 the processing of individuals’ personal data;
8 (3) operates in Vermont; and
9 (4) satisfies one or more of the following thresholds:
10 (A) has annual gross revenues in excess of $25,000,000.00, as
11 adjusted every odd-numbered year to reflect the Consumer Price Index;
12 (B) alone or in combination, annually buys, receives for the covered
13 entity’s commercial purposes, sells, or shares for commercial purposes, alone
14 or in combination, the personal data of 50,000 or more individuals, households,
15 or devices; or
16 (C) derives 50 percent or more of its annual revenues from selling
17 individuals’ personal data.
18 (b) This subchapter does not apply to:
19 (1) protected health information that is collected by a covered entity or
20 covered entity associate governed by the privacy, security, and breach VT LEG #373035 v.1
 BILL AS INTRODUCED H.712
2024 Page 10 of 22
1 notification rules issued by the U.S. Department of Health and Human
2 Services, 45 C.F.R. Parts 160 and 164;
3 (2) a covered entity governed by the privacy, security, and breach
4 notification rules issued by the U.S. Department of Health and Human
5 Services, 45 C.F.R. Parts 160 and 164, to the extent the provider or covered
6 entity maintains patient information in the same manner as medical
7 information or protected health information as described in subdivision (1) of
8 this subsection; and
9 (3) information collected as part of a clinical trial subject to the Federal
10 Policy for the Protection of Human Subjects, also known as the Common Rule,
11 pursuant to good clinical practice guidelines issued by the International
12 Council for Harmonisation of Technical Requirements for Pharmaceuticals for
13 Human Use or pursuant to human subject protection requirements of the U.S.
14 Food and Drug Administration.
15 § 2449c. BEST INTERESTS OF CHILDREN
16 (a) All covered entities that process children’s data in any capacity shall do
17 so in a manner consistent with the best interests of children.
18 (b) As used in this section, “a manner consistent with the best interests of
19 children” means the use of the personal data of a child or the design of an
20 online service, product, or feature that:
21 (1) will not benefit the covered entity to the detriment of the child; and VT LEG #373035 v.1
 BILL AS INTRODUCED H.712
2024 Page 11 of 22
1 (2) will not result in:
2 (A) reasonably foreseeable and material physical or financial harm to
3 the child;
4 (B) reasonably foreseeable and severe psychological or emotional
5 harm to the child;
6 (C) a highly offensive intrusion on the reasonable privacy
7 expectations of the child; or
8 (D) discrimination against the child based upon race, color, religion,
9 national origin, disability, sex, or sexual orientation.
10 § 2449d. COVERED ENTITY OBLIGATIONS
11 (a) A covered entity subject to this subchapter must:
12 (1) Complete a data protection impact assessment for an online service,
13 product, or feature that is reasonably likely to be to accessed by children and
14 maintain documentation of the data protection impact assessment for as long as
15 the online service, product, or feature is reasonably likely to be accessed by
16 children. A data protection impact assessment is a systematic survey to assess
17 compliance with the duty to act in the best interests of children and shall
18 include a plan to ensure that all online products, services, or features provided
19 by the covered entity are designed and offered in a manner consistent with the
20 best interests of children reasonably likely to access the online product,
21 service, or feature. Such a plan shall include a description of steps the covered VT LEG #373035 v.1
 BILL AS INTRODUCED H.712
2024 Page 12 of 22
1 entity has taken and will take to comply with the duty to act in the best
2 interests of children.
3 (2) Review and modify all data protection impact assessments as
4 necess