AS PASSED BY SENATE S.289
2024 Page 1 of 15
1 S.289
2 An act relating to age-appropriate design code
3 It is hereby enacted by the General Assembly of the State of Vermont:
4 Sec. 1. 9 V.S.A. chapter 62, subchapter 6 is added to read:
5 Subchapter 6. Age-Appropriate Design Code
6 § 2449a. DEFINITIONS
7 As used in this subchapter:
8 (1) “Affiliate” means any person that, directly or indirectly, controls, is
9 controlled by, or is under common control with another person. As used in this
10 subdivision, “control” means ownership of, or the power to vote, more than
11 50 percent of the outstanding shares of any class of voting security of a
12 covered entity; control in any manner over the election of a majority of the
13 directors or of individuals exercising similar functions; or the power to
14 exercise a controlling influence over the management of a covered entity.
15 (2) “Age-appropriate” means a recognition of the distinct needs and
16 diversities of children at different age ranges. In order to help support the
17 design of online services, products, and features, covered entities should take
18 into account the unique needs and diversities of different age ranges, including
19 the following developmental stages: zero to five years of age or “preliterate
20 and early literacy”; six to nine years of age or “core primary school years”; 10
21 to 12 years of age or “transition years”; 13 to 15 years of age or “early teens”;
VT LEG #375598 v.1
1 and 16 to 17 years of age or “approaching adulthood.”
2 (3) “Collect” means buying, renting, gathering, obtaining, receiving, or
3 accessing any personal data pertaining to a consumer by any means. This
4 includes receiving data from the consumer, either actively or passively, or by
5 observing the consumer’s behavior.
6 (4) “Consumer” means an individual who is a Vermont resident, and who
7 provides consideration for goods or services either for sale or not for sale.
8 (5) “Covered entity” means:
9 (A) A sole proprietorship, partnership, limited liability company,
10 corporation, association, or other legal entity that is organized or operated for
11 the profit or financial benefit of its shareholders or other owners.
12 (B) An affiliate of a covered entity that shares common branding
13 with the covered entity. As used in this subdivision (5)(B), “common
14 branding” means a shared name, servicemark, or trademark that the average
15 consumer would understand that two or more entities are commonly owned.
16 For purposes of this subchapter, for a joint venture or partnership composed of
17 covered entities in which each covered entity has at least a 40 percent interest,
18 the joint venture or partnership and each covered entity that composes the joint
19 venture or partnership shall separately be considered a single covered entity,
20 except that personal data in the possession of each covered entity and disclosed
21 to the joint venture or partnership shall not be shared with the other covered
1 entity.
2 (6) “Dark pattern” means a user interface designed or manipulated with
3 the effect of subverting or impairing user autonomy, decision making, or
4 choice, and includes any practice the Federal Trade Commission categorizes as
5 a “dark pattern.”
6 (7) “Default” means a preselected option adopted by the covered entity
7 for the online service, product, or feature.
8 (8) “Deidentified” means data that cannot reasonably be used to infer
9 information about, or otherwise be linked to, an identified or identifiable
10 consumer, or a device linked to such consumer, provided that the covered
11 entity that possesses the data:
12 (A) takes reasonable measures to ensure that the data cannot be
13 associated with a consumer;
14 (B) publicly commits to maintain and use the data only in a
15 deidentified fashion and not attempt to re-identify the data; and
16 (C) contractually obligates any recipients of the data to comply with
17 all provisions of this subchapter.
18 (9) “Derived data” means data that is created by the derivation of
19 information, data, assumptions, correlations, inferences, predictions, or
20 conclusions from facts, evidence, or another source of information or data
21 about a minor consumer or a minor consumer’s device.
1 (10)(A) “Low-friction variable reward” means a design feature or
2 virtual item that intermittently rewards consumers for scrolling, tapping,
3 opening, or continuing to engage in an online service, product, or feature.
4 (B) Examples of low-friction variable reward designs include
5 endless scroll, auto play, and nudges meant to encourage reengagement.
6 (11) “Minor consumer” means a natural person under 18 years of age,
7 who is a Vermont resident and who provides consideration for goods or
8 services either for sale or not for sale.
9 (12) “Online service, product, or feature” does not mean any of the
10 following:
11 (A) telecommunications service, as defined in 47 U.S.C. § 153;
12 (B) a broadband internet access service as defined in 3 V.S.A.
13 § 348(d); or
14 (C) the sale, delivery, or use of a physical product.
15 (13) “Personal data” means any information, including derived data, that
16 is linked or reasonably linkable, alone or in combination with other
17 information, to an identified or identifiable consumer. Personal data does not
18 include deidentified data or publicly available information. As used in this
19 subdivision, “publicly available information” means information that:
20 (A) is lawfully made available from federal, State, or local
21 government records or widely distributed media; and
1 (B) a covered entity has a reasonable basis to believe a consumer has
2 lawfully made available to the public.
3 (14) “Precise geolocation” means any data that is derived from a device
4 and that is used or intended to be used to locate a consumer within a
5 geographic area that is equal to or less than the area of a circle with a radius of
6 1,850 feet.
7 (15) “Process” or “processing” means to conduct or direct any operation
8 or set of operations performed, whether by manual or automated means, on
9 personal data or on sets of personal data, such as the collection, use, storage,
10 disclosure, analysis, deletion, modification, or otherwise handling of personal
11 data.
12 (16) “Profile” or “profiling” means any form of automated processing of
13 personal data to evaluate, analyze, or predict personal aspects concerning an
14 identified or identifiable consumer’s economic situation, health, personal
15 preferences, interests, reliability, behavior, location, or movements.
16 “Profiling” does not include the processing of information that does not result
17 in an assessment or judgment about a consumer.
18 (17) “Reasonably likely to be accessed” means an online service,
19 product, or feature that is likely to be accessed by minor consumers based on
20 any of the following indicators:
21 (A) the online service, product, or feature is directed to children, as
1 defined by the Children’s Online Privacy Protection Act, 15 U.S.C. §§ 6501–
2 6506 and the Federal Trade Commission rules implementing that Act;
3 (B) the online service, product, or feature is determined, based on
4 competent and reliable evidence regarding audience composition, to be
5 routinely accessed by an audience that is composed of at least two percent of
6 minor consumers two through under 18 years of age;
7 (C) the online service, product, or feature contains advertisements
8 marketed to minor consumers;
9 (D) the online service, product, or feature is substantially similar or
10 the same as an online service, product, or feature subject to subdivision (B) of
11 this subdivision (17);
12 (E) the audience of the online service, product, or feature is
13 determined, based on internal company research, to be composed of at least
14 two percent of minor consumers two through under 18 years of age; or
15 (F) the covered entity knew or should have known that at least two
16 percent of the audience of the online service, product, or feature includes
17 minor consumers two through under 18 years of age, provided that, in making
18 this assessment, the covered entity shall not collect or process any personal
19 data that is not reasonably necessary to provide an online service, product, or
20 feature with which a minor consumer is actively and knowingly engaged.
21 (18) “Sale,” “sell,” or “sold” means the exchange of personal data for
1 monetary or other valuable consideration by a covered entity to a third party.
2 It does not include the following:
3 (A) the disclosure of personal data to a third party who processes the
4 personal data on behalf of the covered entity;
5 (B) the disclosure of personal data to a third party with whom the
6 consumer has a direct relationship for purposes of providing a product or
7 service requested by the consumer;
8 (C) the disclosure or transfer of personal data to an affiliate of the
9 covered entity;
10 (D) the disclosure of data that the consumer intentionally made
11 available to the general public via a channel of mass media and did not restrict
12 to a specific audience; or
13 (E) the disclosure or transfer of personal data to a third party as an
14 asset that is part of a completed or proposed merger, acquisition, bankruptcy,
15 or other transaction in which the third party assumes control of all or part of
16 the covered entity’s assets.
17 (19)(A) “Social media platform” means a public or semi-public internet-
18 based service or application that is primarily intended to connect and allow a
19 user to socially interact within such service or application and enables a user
20 to:
21 (i) construct a public or semi-public profile for the purposes of
1 signing into and using such service or application;
2 (ii) populate a public list of other users with whom the user shares
3 a social connection within such service or application; and
4 (iii) create or post content that is viewable by other users,
5 including content on message boards and in chat rooms, and that presents the
6 user with content generated by other users.
7 (B) “Social media platform” does not mean a public or semi-public
8 internet-based service or application that:
9 (i) exclusively provides electronic mail or direct messaging
10 services;
11 (ii) primarily consists of news, sports, entertainment, interactive
12 video games, electronic commerce, or content that is preselected by the
13 provider for which any interactive functionality is incidental to, directly related
14 to, or dependent on the provision of such content; or
15 (iii) is used by and under the direction of an educational entity,
16 including a learning management system or a student engagement program.
17 (20) “Third party” means a natural or legal person, public authority,
18 agency, or body other than the consumer or the covered entity.
19 § 2449b. SCOPE; EXCLUSIONS
20 (a) A person is considered a covered entity for the purposes of this
21 subchapter if it:
1 (1) collects consumers’ personal data or has consumers’ personal data
2 collected on its behalf by a third party;
3 (2) alone or jointly with others, determines the purposes and means of
4 the processing of consumers’ personal data;
5 (3) operates in Vermont; and
6 (4) alone or in combination, annually buys, receives for the covered
7 entity’s commercial purposes, sells, or shares for commercial purposes, alone
8 or in combination, the personal data of at least 50 percent of its consumers.
9 (b) This subchapter does not apply to:
10 (1) protected health information that is collected by a covered entity or
11 covered entity associate governed by the privacy, security, and breach
12 notification rules issued by the U.S. Department of Health and Human
13 Services, 45 C.F.R. Parts 160 and 164;
14 (2) a covered entity governed by the privacy, security, and breach
15 notification rules issued by the U.S. Department of Health and Human
16 Services, 45 C.F.R. Parts 160 and 164, to the extent the provider or covered
17 entity maintains patient information in the same manner as medical
18 information or protected health information as described in subdivision (1) of
19 this subsection;
20 (3) information collected as part of a clinical trial subject to the Federal
21 Policy for the Protection of Human Subjects, also known as the Common Rule,
1 pursuant to good clinical practice guidelines issued by the International
2 Council for Harmonisation of Technical Requirements for Pharmaceuticals for
3 Human Use or pursuant to human subject protection requirements of the U.S.
4 Food and Drug Administration; and
5 (4) a business whose primary purpose is journalism as defined in
6 12 V.S.A. § 1615(a)(2) and that has a majority of its workforce consisting of
7 individuals engaging in journalism.
8 § 2449c. MINIMUM DUTY OF CARE
9 (a) A covered entity that processes a minor consumer’s data in any capacity
10 owes a minimum duty of care to the minor consumer.
11 (b) As used in this subchapter, “a minimum duty of care” means the use of
12 the personal data of a minor consumer and the design of an online service,
13 product, or feature will not benefit the covered entity to the detriment of a
14 minor consumer and will not result in:
15 (1) reasonably foreseeable and material physical or financial injury to a
16 minor consumer;
17 (2) reasonably foreseeable emotional distress as defined in 13 V.S.A. §
18 1061(2) to a minor consumer;
19 (3) a highly offensive intrusion on the reasonable privacy expectations
20 of a minor consumer;
21 (4) the encouragement of excessive or compulsive use of the online
1 service, product, or feature by a minor consumer; or
2 (5) discrimination against the minor consumer based upon race,
3 ethnicity, sex, disability, sexual orientation, gender identity, gender expression,
4 or national origin.
5 § 2449d. COVERED ENTITY OBLIGATIONS
6 (a) A covered entity subject to this subchapter shall:
7 (1) configure all default privacy settings provided to a minor consumer
8 through the online service, product, or feature to a high level of privacy;
9 (2) provide privacy information, terms of service, policies, and
10 community standards concisely, prominently, and in language suited to the age
11 of a minor consumer reasonably likely to access that online service, product, or
12 feature;
13 (3) provide prominent, accessible, and responsive tools to help a minor
14 consumer or, if applicable, their parents or guardians to exercise their privacy
15 rights and report concerns to the covered entity;
16 (4) honor the request of a minor consumer to unpublish the minor
17 consumer’s social media platform account not later than 15 business days after
18 a covered entity receives such a request from a minor consumer; and
19 (5) provide easily accessible and age-appropriate tools for a minor
20 consumer to limit the ability of users or covere