Vermont governor rejects state’s tough data privacy bill
Vermont Gov. Phil Scott has vetoed comprehensive consumer privacy legislation that would allow individuals an unprecedented right to sue companies which violate their data privacy rights.
The state’s General Assembly can override the veto with a two-thirds vote in each chamber. Those hearings are scheduled for Monday. The bill passed in the state House 139-3 but its support in the Senate was less broad.
If the legislature overrides the Republican governor’s veto, the law would make Vermont one of a few states offering strong comprehensive data privacy rights to its residents. Eighteen states have enacted comprehensive privacy laws to date, but the patchwork of legislation includes many with weak protections.
In his veto message Thursday, Scott cited the bill’s potentially first-in-the-nation, sweeping provision allowing individual lawsuits — also known as a private right of action — as a key reason. He called the measure a “risk” that would make Vermont “more hostile than any other state to many businesses and nonprofits.”
Illinois law currently gives state residents a private right of action, but the provision only applies to biometric data.
The Vermont law’s private right of action would cover companies processing sensitive data without consent, selling sensitive data and violating the law’s confidentiality of consumers’ health data provision. The right to sue also would go away after being in effect for only two years, in January 2029.
Scott also said the bill’s complexity and “unique expansive definitions and provisions create big and expensive new burdens and competitive disadvantages for the small and mid-sized businesses Vermont communities rely on,” in a letter to the Clerk of the House.
The Vermont bill additionally contains a so-called Kids Code that would require online services likely to be used by children under age 18 to incorporate privacy in their design and ensure only age appropriate content is accessible to children.
Scott’s letter called that provision an “important goal we can all support,” but said he believes the state should wait for legal challenges to similar legislation elsewhere to play out first since such a provision could “trigger high risk and expensive lawsuits.”
On Friday, Vermont Attorney General Charity Clark issued a public statement saying she is “extremely disappointed” by the veto.
“The process to arrive at this bill took years of public forums, research, broad and various testimony and collaboration among the legislature, my office, industry groups, nonprofits, small and mid-sized businesses, and consumers,” the statement said.
“The Governor’s Office and Administration were almost entirely absent from this process and may lack the relevant and important knowledge that would have been gained had they participated,” it added.
Meanwhile, Scott urged the state legislature to start over and create a bill modeled after Connecticut’s state data privacy legislation, citing the fact that New Hampshire did so and arguing that “regional consistency is good for both consumers and the economy.”
Privacy advocates have criticized the Connecticut bill, which has become a model for legislatures around the country, calling its privacy language weak.
While the Connecticut legislation allows consumers to automatically opt-out of websites gathering data, it does not give the state’s Attorney General or any other regulator the right to weigh in on how the opt out would be designed.
It also allows data collection for any purpose so long as the practice is disclosed in privacy policies, a provision which the advocacy groups Electronic Privacy Information Center (EPIC) and the U.S. PIRG Education Fund have said maintains the “failed” status quo.
Bill sponsor fights back
In April, Democratic state legislator and bill sponsor Monique Priestley drew headlines for holding a hearing at which Montana, Maryland, Vermont, Oklahoma, Kentucky and Maine lawmakers who sponsored their own privacy legislation testified about the intense lobbying they faced from a tech industry determined to eviscerate their bills.
Late Thursday, Priestley took to LinkedIn, posting a tweet from the tech industry coalition the Chamber of Progress thanking Scott for the veto. Chamber of Progress members include Google, Meta, Apple and Amazon along with a raft of other tech companies.
“Well, that’s just straight up embarrassing - Big Tech thanking the Governor for doing their bidding,” Priestley wrote. “Major props to the Big Tech lobbyists who pulled out all the stops for this one. You win this round for sure.”
“Our Governor and trade associations played right into your hands every step of the way,” Priestley added. “Vermonters deserve better, but instead, we’re handing them and their loved ones over to you on a silver platter to pick apart and sell the pieces.”
Priestley told Recorded Future News on Friday that she is working furiously to secure enough Senate votes to override the veto.
Adam Kovacevich, the founder and CEO of the Chamber of Progress, said via email that the Vermont bill “interferes with online platforms' constitutional rights to moderate the content they host, and forcing age verification for users creates an unconstitutional barrier to accessing online speech.”
“Similar legislation in Ohio, California, Texas, and Florida has been put on hold by the courts, and there are lots of better ways to address online privacy and safety within the bounds of the Constitution," he added.
Kovacevich declined to comment on Priestley’s LinkedIn post.
Suzanne Smalley
is a reporter covering privacy, disinformation and cybersecurity policy for The Record. She was previously a cybersecurity reporter at CyberScoop and Reuters. Earlier in her career Suzanne covered the Boston Police Department for the Boston Globe and two presidential campaign cycles for Newsweek. She lives in Washington with her husband and three children.