Bill S.70 seeks to strengthen the protection of personal information for Vermont residents by implementing new regulations for data brokers. Key provisions require data brokers to notify consumers of security breaches, certify that disclosed personal information will be used legitimately, and provide a mechanism for consumers to request the deletion of their personal information. The bill introduces new definitions, such as "authorized agent," "biometric data," and "data broker," while also amending existing definitions to clarify the scope of personal information and the responsibilities of data brokers. Significant changes include the deletion of certain definitions related to biometric data and the introduction of terms like "consumer health data controller" and "processor."

The bill mandates that data brokers notify the Attorney General of any security breaches involving brokered personal information, including details about the number of affected consumers and a copy of the consumer notice. It also establishes a requirement for annual registration with the Secretary of State, replacing the fixed registration fee with a variable fee based on the costs of maintaining a public registry. Additionally, the bill requires the Secretary of State to create a public web page for registration information and an accessible deletion mechanism for consumers by January 1, 2028. The act will take effect on July 1, 2025, and aims to enhance consumer privacy and control over personal information held by data brokers, with penalties for non-compliance and audits every three years to ensure adherence to the new regulations.

Statutes affected:
As Introduced: 9-62