Consumer Privacy Bill Fails in Vermont

The Vermont General Assembly this week failed to override Gov. Phil Scott's veto of H.121, a bill that would have given the state one of the strongest data privacy protection laws in the US. While the Vermont House voted 128-17 to override, the state Senate voted 14 yeas to 15 nays, leaving the governor's veto standing and killing the bill.

The bill, officially named "An act relating to enhancing consumer privacy and the age-appropriate design code," notably contained a right-of-action provision that would allow consumers to sue companies that misused their sensitive data. The other half of the bill, dubbed "Kids Code," would have required online services targeted at people under 18 years old to account for privacy and to ensure that all content kids could access was appropriate for children.

In his June 13 letter to the General Assembly, Gov. Scott said he was vetoing the bill because the data privacy component would create a hostile business environment in the Green Mountain State. Scott also noted that the Kids Code part of the bills brought up First Amendment issues that California was already dealing with in courts. He recommended that Vermont adopt Connecticut's less litigious data privacy law to address the first half and wait for California to straighten out legal challenges to the second.

Companies might breathe a sigh of relief to avoid having to meet yet another set of data privacy requirements. If an organization conducts business in the European Union, for example, it has to comply with the General Data Protection Regulation (GDPR). As many as 19 US states have passed data privacy laws of their own, according to an industry interest group. And while federal data privacy legislation is still under development, US President Joe Biden issued an executive order at the end of February to firm up policies about how user data is handled nationally and internationally.