Bill H.208, introduced by Vermont representatives, seeks to strengthen data privacy and online surveillance protections for residents. It establishes the "Vermont Data Privacy and Online Surveillance Act," which includes comprehensive definitions related to data privacy, such as "consumer," "personal data," and "biometric data." The legislation emphasizes the necessity of obtaining clear and informed consent from consumers before processing their personal data, detailing specific requirements for how this consent must be obtained and documented. Additionally, the bill introduces definitions for "consumer health data" and outlines the responsibilities of data controllers in processing such data, aiming to enhance consumer control over personal information and transparency regarding data usage.

The bill also introduces new provisions regarding consumer rights related to personal data, including the right to access, correct, and delete their data, as well as opt-out of certain processing activities. It mandates that data controllers limit data collection to what is necessary, implement security practices, and handle minors' data with extra care. Furthermore, the bill outlines the responsibilities of data processors, requiring adherence to controllers' instructions and the establishment of contracts governing data processing. It introduces requirements for data protection assessments for high-risk processing activities and grants the Attorney General enforcement powers, including the ability to issue notices of violation. The bill modifies applicability thresholds for businesses handling personal data, reducing the number of consumers from 25,000 to 12,500 for certain provisions, and from 12,500 to 6,250 for others, while also mandating public education initiatives to inform stakeholders about their rights and obligations under the Act.

Statutes affected:
As Introduced: 9-2416(a), 9-2416