Bill S.70 aims to enhance the protection of personal information for Vermont residents by implementing new regulations for data brokers. Key provisions require data brokers to notify consumers of security breaches within 45 days, certify that disclosed personal information will be used for legitimate purposes, and establish an accessible mechanism for consumers to request the deletion of their personal information. The bill introduces new terms such as "authorized agent," "biometric data," and "consumer health data controller," clarifying the roles of entities handling personal data. Additionally, it modifies enforcement mechanisms, granting the Attorney General authority to investigate compliance and requiring data brokers to inform the Attorney General of breach details within 14 business days.

The bill mandates annual registration for data brokers with the Secretary of State, including detailed operational information and payment of a registration fee. It establishes penalties for non-compliance, including administrative fines, and creates a publicly accessible webpage listing registration information to enhance transparency. A deletion mechanism will be implemented by January 1, 2028, allowing consumers to request the deletion of their brokered personal information with a single verifiable request. The bill also establishes the Data Brokers Registry Fund to cover associated costs and is set to take effect on July 1, 2025.

Statutes affected:
As Introduced: 9-62