Data Privacy
Securing Privacy, Enabling Business Growth, and Creating an Internet that Vermonters Want to Use
In a digitally driven marketplace, Vermont businesses and nonprofits rely on basic consumer data to engage with and retain customers in an efficient and cost-effective way. Any new privacy legislation should ensure Vermont businesses can continue to responsibly utilize data-driven approaches, such as email marketing, targeted advertising, and customer retention efforts, without imposing undue restrictions that hinder their ability to thrive in the 21st-century economy.
While the Legislature considered well-intentioned privacy legislation during the 2024 legislative session, it missed the mark. In 2025, the Legislature will again take up the issue. Of utmost concern, there is an appetite to consider implementing the first comprehensive private right of action in the U.S. to enforce its general privacy law. This approach could expose Vermont businesses to a surge of shakedown lawsuits and litigation, significantly impacting how consumers and businesses interact online in the state.
There is a path forward that creates significant opportunities for consumers to protect their data as they see fit and allows businesses the opportunity to comply with a regionally compatible, clear law. Lawmakers must consider this balanced approach to a data privacy law to best serve all of their constituents.
Privacy legislation mirroring what was considered in 2024 would make Vermont an outlier in data privacy and include an extreme and unclear regulatory framework. This would significantly limit how businesses, particularly small and medium-sized businesses and nonprofits across the state, engage with current and prospective Vermont customers, undermining the ability of businesses and nonprofits to compete effectively in the digital marketplace.
Vermont businesses will need to invest substantial resources to comply with Vermont-specific regulations, which could ultimately disengage consumers and place additional burdens on businesses trying to compete effectively in a global marketplace. As costs for Vermont businesses continue to rise due to new taxes and fees, adding a complex regulatory compliance burden could push many local businesses to the breaking point, potentially leading to a decline in Vermont’s business landscape as some may no longer be able to sustain operations.
As we head toward 2025, it is important to consider what provisions are important to give consumers choice over their data without unintentionally impacting Vermont businesses and nonprofits. Policymakers should find a balanced approach that protects the interests of both Vermont businesses and consumers. A clear map forward exists following the example of other New England states that have passed strong privacy legislation in recent years.
Private Right of Action (PRA)
Concern: With the first-of-its-kind private right of action, Vermont will be the test case for the plaintiffs' bar. Laws with a private right of action often result in class action lawsuits that primarily benefit the plaintiffs' attorneys. Inclusion of a PRA will only hurt Vermont businesses and consumers, changing products and services for Vermont and introducing the threat of a lawsuit. National plaintiff attorney groups are lobbying hard in Montpelier for this provision, and Vermont businesses need to stand up to them.
Proposed Solution: Empower enforcement authority solely with the attorney general, ensuring penalties are targeted and proportionate.
Data Minimization & Regional Conformity
Concern: By limiting interaction to only those services specifically requested by a user, the bill would prevent Vermont businesses from communicating with consumers at the point of sale and measuring website traffic and ad performance, leading to wasted investments in marketing, creation of paywalls for select websites, and new pop-ups and consent screens that frustrate the user experience, among other complications in communicating with consumers.
Proposed Solution: Follow data minimization language found in 18 US states (including NH, CT, and CA) and across Europe, ensuring regional conformity, and remove the proposed requirement that every use of personal data be first “requested” by consumers. This would allow companies to use basic customer data to develop new products, lower their costs, create consumer online experiences that Vermonters enjoy, and grow their business.