BILL AS INTRODUCED S.269
2024 Page 1 of 62
S.269
Introduced by Senators Clarkson, Harrison, Perchlik, Ram Hinsdale, Watson and Wrenner
Referred to Committee on
Date:
Subject: Commerce and trade; consumer protection
Statement of purpose of bill as introduced: This bill proposes to afford data privacy protections to Vermonters.
An act relating to enhancing consumer privacy
It is hereby enacted by the General Assembly of the State of Vermont:
Sec. 1. 9 V.S.A. chapter 61A is added to read:
CHAPTER 61A. VERMONT DATA PRIVACY ACT
§ 2415. DEFINITIONS
As used in this chapter:
(1)(A) “Affiliate” means a legal entity that shares common branding with another legal entity or controls, is controlled by, or is under common control with another legal entity.
(B) As used in subdivision (A) of this subdivision (1), “control” or “controlled” means:
VT LEG #372878 v.1
(i) ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a company;
(ii) control in any manner over the election of a majority of the directors or of individuals exercising similar functions; or
(iii) the power to exercise controlling influence over the management of a company.
(2) “Authenticate” means to use reasonable means to determine that a request to exercise any of the rights afforded under subdivisions 2418(a)(1) through (4) of this title is being made by, or on behalf of, the consumer who is entitled to exercise the consumer rights with respect to the personal data at issue.
(3)(A) “Biometric data” means data generated by automatic measurements of an individual’s biological characteristics, such as a fingerprint, a voiceprint, eye retinas, irises, or other unique biological patterns or characteristics that are used to identify a specific individual.
(B) “Biometric data” does not include:
(i) a digital or physical photograph;
(ii) an audio or video recording; or
(iii) any data generated from a digital or physical photograph, or an audio or video recording, unless the data is generated to identify a specific individual.
(4) “Business associate” has the same meaning as provided in HIPAA.
(5) “Child” has the same meaning as provided in COPPA.
(6)(A) “Consent” means a clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement to allow the processing of personal data relating to the consumer.
(B) “Consent” may include a written statement, including by electronic means, or any other unambiguous affirmative action.
(C) “Consent” does not include:
(i) acceptance of a general or broad terms of use or similar document that contains descriptions of personal data processing along with other, unrelated information;
(ii) hovering over, muting, pausing, or closing a given piece of content; or
(iii) agreement obtained through the use of dark patterns.
(7)(A) “Consumer” means an individual who is a resident of this State.
(B) “Consumer” does not include an individual acting in a commercial or employment context or as an employee, owner, director, officer, or contractor of a company, partnership, sole proprietorship, nonprofit, or government agency whose communications or transactions with the controller occur solely within the context of that individual’s role with the company, partnership, sole proprietorship, nonprofit, or government agency.
(8) “Controller” means an individual who, or legal entity that, alone or jointly with others, determines the purpose and means of processing personal data.
(9) “COPPA” means the Children’s Online Privacy Protection Act of 1998, 15 U.S.C. § 6501 et seq., and the regulations, rules, guidance, and exemptions adopted pursuant to the act, as the act and regulations, rules, guidance, and exemptions may be amended from time to time.
(10) “Covered entity” has the same meaning as provided in HIPAA.
(11) “Dark pattern”:
(A) means a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision-making, or choice; and
(B) includes any practice the Federal Trade Commission refers to as a “dark pattern.”
(12) “Decisions that produce legal or similarly significant effects concerning the consumer” means decisions made by the controller that result in the provision or denial by the controller of financial or lending services, housing, insurance, education enrollment or opportunity, criminal justice, employment opportunities, health care services, or access to essential goods or services.
(13) “De-identified data” means data that cannot reasonably be used to infer information about, or otherwise be linked to, an identified or identifiable individual, or a device linked to the individual, if the controller that possesses the data:
(A) takes reasonable measures to ensure that the data cannot be associated with an individual;
(B) publicly commits to process the data only in a de-identified fashion and not attempt to re-identify the data; and
(C) contractually obligates any recipients of the data to satisfy the criteria set forth in subdivisions (A) and (B) of this subdivision (13).
(14) “HIPAA” means the Health Insurance Portability and Accountability Act of 1996, 42 U.S.C. § 1320d et seq., as amended from time to time.
(15) “Identified or identifiable individual” means an individual who can be readily identified, directly or indirectly.
(16) “Institution of higher education” means any individual who, or school, board, association, limited liability company or corporation that, is licensed or accredited to offer one or more programs of higher learning leading to one or more degrees.
(17) “Nonprofit organization” means any organization that is exempt from taxation under Section 501(c)(3), 501(c)(4), 501(c)(6), or 501(c)(12) of the Internal Revenue Code of 1986, or any subsequent corresponding internal revenue code of the United States, as amended from time to time.
(18)(A) “Personal data” means any information that is linked or reasonably linkable to an identified or identifiable individual.
(B) “Personal data” does not include de-identified data or publicly available information.
(19)(A) “Precise geolocation data” means information derived from technology, including global positioning system level latitude and longitude coordinates or other mechanisms, that directly identifies the specific location of an individual with precision and accuracy within a radius of 1,750 feet.
(B) “Precise geolocation data” does not include the content of communications or any data generated by or connected to advanced utility metering infrastructure systems or equipment for use by a utility.
(20) “Process” or “processing” means any operation or set of operations performed, whether by manual or automated means, on personal data or on sets of personal data, such as the collection, use, storage, disclosure, analysis, deletion, or modification of personal data.
(21) “Processor” means an individual who, or legal entity that, processes personal data on behalf of a controller.
(22) “Profiling” means any form of automated processing performed on personal data to evaluate, analyze, or predict personal aspects related to an identified or identifiable individual’s economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.
(23) “Protected health information” has the same meaning as provided in HIPAA.
(24) “Pseudonymous data” means personal data that cannot be attributed to a specific individual without the use of additional information, provided the additional information is kept separately and is subject to appropriate technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable individual.
(25) “Publicly available information” means information that:
(A) is lawfully made available through federal, state, or municipal government records or widely distributed media; and
(B) a controller has a reasonable basis to believe a consumer has lawfully made available to the general public.
(26)(A) “Sale of personal data” means the exchange of personal data for monetary or other valuable consideration by the controller to a third party.
(B) “Sale of personal data” does not include:
(i) the disclosure of personal data to a processor that processes the personal data on behalf of the controller;
(ii) the disclosure of personal data to a third party for purposes of providing a product or service requested by the consumer;
(iii) the disclosure or transfer of personal data to an affiliate of the controller;
(iv) the disclosure of personal data where the consumer directs the controller to disclose the personal data or intentionally uses the controller to interact with a third party;
(v) the disclosure of personal data that the consumer:
(I) intentionally made available to the general public via a channel of mass media; and
(II) did not restrict to a specific audience; or
(vi) the disclosure or transfer of personal data to a third party as an asset that is part of a merger, acquisition, bankruptcy, or other transaction, or a proposed merger, acquisition, bankruptcy, or other transaction, in which the third party assumes control of all or part of the controller’s assets.
(27) “Sensitive data” means personal data that includes:
(A) data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation, or citizenship or immigration status;
(B) the processing of genetic or biometric data for the purpose of uniquely identifying an individual;
(C) personal data collected from a known child; or
(D) precise geolocation data.
(28)(A) “Targeted advertising” means displaying advertisements to a consumer where the advertisement is selected based on personal data obtained or inferred from that consumer’s activities over time and across nonaffiliated websites or online applications to predict the consumer’s preferences or interests.
(B) “Targeted advertising” does not include:
(i) advertisements based on activities within a controller’s own websites or online applications;
(ii) advertisements based on the context of a consumer’s current search query, visit to a website, or online application;
(iii) advertisements directed to a consumer in response to the consumer’s request for information or feedback; or
(iv) processing personal data solely to measure or report advertising frequency, performance, or reach.
(29) “Third party” means an individual or legal entity, such as a public authority, agency, or body, other than the consumer, controller, or processor or an affiliate of the processor or the controller.
(30) “Trade secret” has the same meaning as provided in section 4601 of this title.
§ 2416. APPLICABILITY
This chapter applies to a person that conducts business in this State or a person that produces products or services that are targeted to residents of this State and that during the preceding calendar year:
(1) controlled or processed the personal data of not less than 100,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or
(2) controlled or processed the personal data of not less than 25,000 consumers and derived more than 25 percent of the person’s gross revenue from the sale of personal data.
§ 2417. EXEMPTIONS
(a) This chapter shall not apply to:
(1) a national securities association that is registered under 15 U.S.C. § 78o-3 of the Securities Exchange Act of 1934, as amended from time to time;
(2) a financial institution or data subject to Title V of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6801 et seq.; or
(3) a covered entity or business associate, as defined in 45 C.F.R. § 160.103.
(b) The following information and data are exempt from the provisions of this chapter:
(1) protected health information under HIPAA;
(2) patient-identifying information for purposes of 42 U.S.C. § 290dd-2;
(3) identifiable private information for purposes of the federal policy for the protection of human subjects under 45 C.F.R. § 46;
(4) identifiable private information that is otherwise information collected as part of human subjects research pursuant to the good clinical practice guidelines issued by the International Council for Harmonization of Technical Requirements for Pharmaceuticals for Human Use;
(5) the protection of human subjects under 21 C.F.R. Parts 50 and 56, or personal data used or shared in research, as defined in 45 C.F.R. § 164.501, that is conducted in accordance with the standards set forth in this subdivision and subdivisions (3) and (4) of this subsection, or other research conducted in accordance with applicable law;
(6) information and documents created for purposes of the Health Care Quality Improvement Act of 1986, 42 U.S.C. § 11101 et seq.;
(7) patient safety work product for purposes of the Patient Safety and Quality Improvement Act, 42 U.S.C. § 299b-21 et seq., as amended from time to time;
(8) information derived from any of the health care-related information listed in this subsection that is de-identified in accordance with the requirements for de-identification pursuant to HIPAA;
(9) information originating from and intermingled to be indistinguishable with, or information treated in the same manner as, information exempt under this subsection that is maintained by a covered entity or business associate, program, or qualified service organization, as specified in 42 U.S.C. § 290dd-2, as amended fro