Vermont passes data privacy law allowing consumers to sue companies
Vermont’s legislature on Friday passed one of the country’s strongest comprehensive data privacy laws, with language allowing individuals to sue companies for violating their privacy rights — an unprecedented provision among similar existing state laws.
The bill includes data minimization requirements, which significantly constrain what personal data companies can gather and use, and bans companies from selling consumers’ sensitive data, allowing individuals to sue if they believe businesses have done so.
The private right of action allows individuals to hold accountable companies they believe have violated their rights, without relying on state authorities to bring action. A similar provision included in Illinois’ biometric privacy law has led to a wave of class action lawsuits alleging corporate malfeasance.
The Vermont bill’s private right of action will need to be reauthorized after two years and applies to any business or person that processes more than 100,000 consumer records. The legislation also establishes tough civil rights safeguards to prevent discrimination.
California’s strong comprehensive data privacy law also allows individuals to sue businesses they believe have violated their rights, but the provision only applies to data breaches and not digital privacy.
“At a time when everything we do and everything we are is monetized in a surveillance economy, the urgency of this moment cannot be overstated,” bill sponsor Rep. Monique Priestley said Friday on the Vermont House floor.
Earlier last week, strong digital privacy legislation was signed by Maryland governor Wes Moore, giving advocates two major wins following the passage of a string of weak state-level bills. In all, 17 states have passed data privacy laws to date.
“The inclusion of a private right of action in this law, while limited, is enormously significant,” said Matt Schwartz, a policy analyst at Consumer Reports. “It means that consumers who have been harmed by big tech’s data abuses will actually be granted the ability to defend their rights.”
The Vermont bill also limits how companies can use geolocation data, according to a second privacy advocate, Caitriona Fitzgerald of the Electronic Privacy Information Center.
Vermont’s legislation coincides with efforts by Congressional leaders to enact a federal comprehensive data privacy bill after years of failing to do so.
Sen. Maria Cantwell (D-WA) and Rep. Cathy McMorris Rodgers (R-WA) introduced the American Privacy Rights Act (APRA) last month, a sweeping bill which would make privacy a consumer right and give Americans the ability to block the transfer and sale of their data, according to the legislators.
The new bill follows McMorris Rodgers’ prior attempt at comprehensive data privacy legislation in the form of a bill known as the American Data and Privacy Protection Act (ADPPA), which has been languishing in committee.
As with its predecessor, APRA includes controversial language which would allow the federal law to preempt state laws.
California Attorney General Rob Bonta and a coalition of 14 other state attorneys general wrote congressional leaders a letter Thursday, imploring them not to allow federal legislation to preempt state rules.
“A federal legal framework for privacy protections must allow flexibility to keep pace with technology; this is best accomplished by federal legislation that respects — and does not preempt — more rigorous and protective state laws,” they wrote.
Suzanne Smalley is a reporter covering privacy, disinformation and cybersecurity policy for The Record. She was previously a cybersecurity reporter at CyberScoop and Reuters. Earlier in her career Suzanne covered the Boston Police Department for the Boston Globe and two presidential campaign cycles for Newsweek. She lives in Washington with her husband and three children.