AS PASSED BY HOUSE H.121
2024 Page 1 of 80
VT LEG #375731 v.1

H.121
An act relating to enhancing consumer privacy
It is hereby enacted by the General Assembly of the State of Vermont:
Sec. 1. 9 V.S.A. chapter 61A is added to read:
CHAPTER 61A. VERMONT DATA PRIVACY ACT
§ 2415. DEFINITIONS
As used in this chapter:
(1) “Abortion” has the same meaning as in section 2492 of this title.
(2)(A) “Affiliate” means a legal entity that shares common branding with another legal entity or controls, is controlled by, or is under common control with another legal entity.
  (B) As used in subdivision (A) of this subdivision (2), “control” or “controlled” means:
    (i) ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a company;
    (ii) control in any manner over the election of a majority of the directors or of individuals exercising similar functions; or
    (iii) the power to exercise controlling influence over the management of a company.
(3) “Authenticate” means to use reasonable means to determine that a request to exercise any of the rights afforded under subdivisions 2418(a)(1)–(5) of this title is being made by, or on behalf of, the consumer who is entitled to exercise the consumer rights with respect to the personal data at issue.
(4) “Biometric data” means personal data generated from the technological processing of an individual’s unique biological, physical, or physiological characteristics that is linked or reasonably linkable to an individual, including:
  (A) iris or retina scans;
  (B) fingerprints;
  (C) facial or hand mapping, geometry, or templates;
  (D) vein patterns;
  (E) voice prints;
  (F) gait or personally identifying physical movement or patterns;
  (G) depictions, images, descriptions, or recordings; and
  (H) data derived from any data in subdivision (G) of this subdivision (4), to the extent that it would be reasonably possible to identify the specific individual from whose biometric data the data has been derived.
(5) “Broker-dealer” has the same meaning as in 9 V.S.A. § 5102.
(6) “Business associate” has the same meaning as in HIPAA.
(7) “Child” has the same meaning as in COPPA.
(8)(A) “Consent” means a clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement to allow the processing of personal data relating to the consumer.
  (B) “Consent” may include a written statement, including by electronic means, or any other unambiguous affirmative action.
  (C) “Consent” does not include:
    (i) acceptance of a general or broad terms of use or similar document that contains descriptions of personal data processing along with other, unrelated information;
    (ii) hovering over, muting, pausing, or closing a given piece of content; or
    (iii) agreement obtained through the use of dark patterns.
(9)(A) “Consumer” means an individual who is a resident of the State.
  (B) “Consumer” does not include an individual acting in a commercial or employment context or as an employee, owner, director, officer, or contractor of a company, partnership, sole proprietorship, nonprofit, or government agency whose communications or transactions with the controller occur solely within the context of that individual’s role with the company, partnership, sole proprietorship, nonprofit, or government agency.
(10) “Consumer health data” means any personal data that a controller uses to identify a consumer’s physical or mental health condition or diagnosis, including gender-affirming health data and reproductive or sexual health data.
(11) “Consumer health data controller” means any controller that, alone or jointly with others, determines the purpose and means of processing consumer health data.
(12) “Consumer reporting agency” has the same meaning as in the Fair Credit Reporting Act, 15 U.S.C. § 1681a(f).
(13) “Controller” means a person who, alone or jointly with others, determines the purpose and means of processing personal data.
(14) “COPPA” means the Children’s Online Privacy Protection Act of 1998, 15 U.S.C. § 6501–6506, and any regulations, rules, guidance, and exemptions promulgated pursuant to the act, as the act and regulations, rules, guidance, and exemptions may be amended.
(15) “Covered entity” has the same meaning as in HIPAA.
(16) “Credit union” has the same meaning as in 8 V.S.A. § 30101.
(17) “Dark pattern” means a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision-making, or choice and includes any practice the Federal Trade Commission refers to as a “dark pattern.”
(18) “Decisions that produce legal or similarly significant effects concerning the consumer” means decisions made by the controller that result in the provision or denial by the controller of financial or lending services, housing, insurance, education enrollment or opportunity, criminal justice, employment opportunities, health care services, or access to essential goods or services.
(19) “De-identified data” means data that does not identify and cannot reasonably be used to infer information about, or otherwise be linked to, an identified or identifiable individual, or a device linked to the individual, if the controller that possesses the data:
  (A)(i) takes reasonable measures to ensure that the data cannot be used to re-identify an identified or identifiable individual or be associated with an individual or device that identifies or is linked or reasonably linkable to an individual or household;
    (ii) for purposes of this subdivision (A), “reasonable measures” shall include the de-identification requirements set forth under 45 C.F.R. § 164.514 (other requirements relating to uses and disclosures of protected health information);
  (B) publicly commits to process the data only in a de-identified fashion and not attempt to re-identify the data; and
  (C) contractually obligates any recipients of the data to satisfy the criteria set forth in subdivisions (A) and (B) of this subdivision (19).
(20) “Financial institution”:
  (A) as used in subdivision 2417(a)(12) of this title, has the same meaning as in 15 U.S.C. § 6809; and
  (B) as used in subdivision 2417(a)(14) of this title, has the same meaning as in 8 V.S.A. § 11101.
(21) “Gender-affirming health care services” has the same meaning as in 1 V.S.A. § 150.
(22) “Gender-affirming health data” means any personal data concerning a past, present, or future effort made by a consumer to seek, or a consumer’s receipt of, gender-affirming health care services, including:
  (A) precise geolocation data that is used for determining a consumer’s attempt to acquire or receive gender-affirming health care services;
  (B) efforts to research or obtain gender-affirming health care services; and
  (C) any gender-affirming health data that is derived from nonhealth information.
(23) “Genetic data” means any data, regardless of its format, that results from the analysis of a biological sample of an individual, or from another source enabling equivalent information to be obtained, and concerns genetic material, including deoxyribonucleic acids (DNA), ribonucleic acids (RNA), genes, chromosomes, alleles, genomes, alterations or modifications to DNA or RNA, single nucleotide polymorphisms (SNPs), epigenetic markers, uninterpreted data that results from analysis of the biological sample or other source, and any information extrapolated, derived, or inferred therefrom.
(24) “Geofence” means any technology that uses global positioning coordinates, cell tower connectivity, cellular data, radio frequency identification, wireless fidelity technology data, or any other form of location detection, or any combination of such coordinates, connectivity, data, identification, or other form of location detection, to establish a virtual boundary.
(25) “Health care facility” has the same meaning as in 18 V.S.A. § 9432.
(26) “Heightened risk of harm to a minor” means processing the personal data of a minor in a manner that presents a reasonably foreseeable risk of:
  (A) unfair or deceptive treatment of, or unlawful disparate impact on, a minor;
  (B) financial, physical, mental, emotional, or reputational injury to a minor;
  (C) unintended disclosure of the personal data of a minor; or
  (D) any physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of a minor if the intrusion would be offensive to a reasonable person.
(27) “HIPAA” means the Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191, and any regulations promulgated pursuant to the act, as may be amended.
(28) “Identified or identifiable individual” means an individual who can be readily identified, directly or indirectly, including by reference to an identifier such as a name, an identification number, specific geolocation data, or an online identifier.
(29) “Independent trust company” has the same meaning as in 8 V.S.A. § 2401.
(30) “Investment adviser” has the same meaning as in 9 V.S.A. § 5102.
(31) “Mental health facility” means any health care facility in which at least 70 percent of the health care services provided in the facility are mental health services.
(32) “Nonpublic personal information” has the same meaning as in 15 U.S.C. § 6809.
(33)(A) “Online service, product, or feature” means any service, product, or feature that is provided online, except as provided in subdivision (B) of this subdivision (33).
  (B) “Online service, product, or feature” does not include:
    (i) telecommunications service, as that term is defined in the Communications Act of 1934, 47 U.S.C. § 153;
    (ii) broadband internet access service, as that term is defined in 47 C.F.R. § 54.400 (universal service support); or
    (iii) the delivery or use of a physical product.
(34) “Patient identifying information” has the same meaning as in 42 C.F.R. § 2.11 (confidentiality of substance use disorder patient records).
(35) “Patient safety work product” has the same meaning as in 42 C.F.R. § 3.20 (patient safety organizations and patient safety work product).
(36)(A) “Personal data” means any information, including derived data and unique identifiers, that is linked or reasonably linkable to an identified or identifiable individual or to a device that identifies, is linked to, or is reasonably linkable to one or more identified or identifiable individuals in a household.
  (B) “Personal data” does not include de-identified data or publicly available information.
(37)(A) “Precise geolocation data” means personal data that accurately identifies within a radius of 1,850 feet a consumer’s present or past location or the present or past location of a device that links or is linkable to a consumer or any data that is derived from a device that is used or intended to be used to locate a consumer within a radius of 1,850 feet by means of technology that includes a global positioning system that provides latitude and longitude coordinates.
  (B) “Precise geolocation data” does not include the content of communications or any data generated by or connected to advanced utility metering infrastructure systems or equipment for use by a utility.
(38) “Process” or “processing” means any operation or set of operations performed, whether by manual or automated means, on personal data or on sets of personal data, such as the collection, use, storage, disclosure, analysis, deletion, or modification of personal data.
(39) “Processor” means a person who processes personal data on behalf of a controller.
(40) “Profiling” means any form of automated processing performed on personal data to evaluate, analyze, or predict personal aspects related to an identified or identifiable individual’s economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.
(41) “Protected health information” has the same meaning as in HIPAA.
(42) “Pseudonymous data” means personal data that cannot be attributed to a specific individual without the use of additional information, provided the additional information is kept separately and is subject to appropriate technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable individual.
(43) “Publicly available information” means information that:
  (A) is lawfully made available through federal, state, or local government records; or
  (B) a controller has a reasonable basis to believe that the consumer has lawfully made available to the general public through widely distributed media.
(44) “Qualified service organization” has the same meaning as in 42 C.F.R. § 2.11 (confidentiality of substance use disorder patient records).
(45) “Reproductive or sexual health care” has the same meaning as “reproductive health care services” in 1 V.S.A. § 150(c)(1).
(46) “Reproductive or sexual health data” means any personal data concerning a past, present, or future effort made by a consumer to seek, or a consumer’s receipt of, reproductive or sexual health care.
(47) “Reproductive or sexual health facility” means any health care facility in which at least 70 percent of the health care-related services or products rendered or provided in the facility are reproductive or sexual health care.
(48)(A) “Sale of personal data” means the sale, rent, release, disclosure, dissemination, provision, transfer, or other communication, whether oral, in writing, or by electronic or other means, of a consumer’s personal data by the controller to a third party for monetary or other valuable consideration or otherwise for a commercial purpose.
  (B) For purposes of this subdivision (48), “commercial purpose” means to advance a person’s commercial or economic interests, such as by inducing another person to buy, rent, lease, join, subscribe to, provide, or exchange products, goods, property, inf