Bill H.211 aims to strengthen the protection of personal information for Vermont residents by implementing new regulations for data brokers. Key provisions require data brokers to notify consumers of security breaches, certify that personal information will be used legitimately, and provide a mechanism for consumers to request the deletion of their personal information. The bill introduces new definitions, such as "authorized agent," "biometric data," and "data broker," while also amending existing definitions to clarify the responsibilities of data brokers. Significant changes include the removal of certain definitions related to biometric data and the introduction of terms like "consumer health data controller" and "processor." The Attorney General is granted enhanced authority to investigate and enforce compliance, with a specific timeline established for notifying consumers and the Attorney General in the event of a data breach.

Additionally, the bill mandates that data brokers register annually with the Secretary of State and pay a registration fee, which should not exceed the reasonable costs of maintaining an informational website and deletion mechanism. The registration must include detailed practices, opt-out options, and information on security breaches. The bill establishes penalties for non-compliance, including administrative fines, and creates a publicly accessible webpage listing registration information of data brokers. A Data Brokers Registry Fund is established to support the costs of maintaining the website and enforcing the act, which is set to take effect on July 1, 2025. The Secretary of State is required to implement a consumer-friendly deletion mechanism by January 1, 2028, ensuring that data brokers process deletion requests regularly and comply with consumer rights and data protection standards.

Statutes affected:
As Introduced: 9-62