
Committee reviews H.208 data privacy bill, outlining consumer rights, controller duties and limited private suits

3175662 · May 2, 2025

AI-Generated Content: All content on this page was generated by AI to highlight key points from the meeting. For complete details and context, we recommend watching the full video.

Summary

The Vermont House Committee on Commerce & Economic Development on May 1, 2025 continued a line‑by‑line review of H.208, a proposed consumer data privacy law that would give Vermonters new rights to access, correct, delete and opt out of uses of their personal data and establish duties for entities that collect and process that data.

The bill matters because it would create defined consumer rights and compliance obligations for businesses that meet specified Vermont thresholds, set a framework for oversight by the attorney general and — in narrow circumstances — allow individual consumers to sue certain categories of data companies.

Rick Segal, legislative counsel in the Office of Legislative Counsel, led the committee through sections 24.18–24.25, summarizing the consumer rights H.208 would grant and the corresponding duties it would impose on controllers and processors. Segal told the committee that "a consumer shall have the right to confirm whether a controller is processing the consumer's personal data and, if they are, access that data," and he read the bill's enumerated rights, which include the ability to: know whether a consumer's data is used in an artificial intelligence system; obtain a list of third parties that have received the data; correct inaccuracies; delete personal data (including derived data), subject to legal retention requirements; and obtain a portable copy of personal data to transmit to another controller.

The bill would also allow consumers to opt out of targeted advertising, the sale of personal data, and profiling that produces legal or similarly significant effects. Segal emphasized procedural protections in the draft: controllers would generally have 45 days to respond to consumer requests, with a single 45‑day extension allowed for complex or numerous requests. The draft permits a controller to charge a reasonable fee only when requests are "manifestly unfounded, excessive, or repetitive," and places the burden on the controller to demonstrate that characterization.

H.208 assigns duties to controllers to limit collection to what is reasonably necessary, to maintain reasonable administrative, technical and physical security measures, to provide clear and accessible privacy notices and opt‑out mechanisms, and to delete personal data according to retention schedules when it is no longer necessary or required to be kept by law. Segal read the bill's privacy‑notice requirements and said the notice must describe any processing for targeted advertising, sales of personal data, or profiling and provide a method for consumers to opt out.

Processors would be required to follow controller instructions and assist controllers in complying with consumer requests; the draft mandates written contracts between controllers and processors that describe the nature and duration of processing, confidentiality duties, deletion or return of data at the end of processing, and requirements for any subcontractors. Segal said those provisions are designed to close a potential loophole where a processor hires another processor and responsibility becomes unclear.

The bill would require controllers to conduct and document data protection assessments for processes that present a heightened risk of harm, specifically listing targeted advertising, sale of personal data, profiling that could cause unfair or deceptive treatment or substantial injury, and processing of sensitive data. Assessments must identify categories of data processed, purposes of processing, whether data is transferred to third parties, weigh benefits against risks, consider deidentified data and consumer expectations, and be retained for at least three years. Segal said the attorney general may require production of assessments relevant to an investigation, and that assessments would be confidential and exempt from public records disclosure to the extent allowed by law.

On enforcement, the draft designates violations of the chapter as unfair and deceptive acts in commerce under the Vermont Consumer Protection Act and gives the attorney general primary enforcement authority, including rulemaking. The attorney general may issue a notice of violation and a 60‑day cure period before initiating enforcement action. Segal also summarized a limited private right of action: an individual consumer harmed by a data broker or by a "large data holder" (defined in the draft as a person processing data for 100,000 consumers in the last year) may bring suit, but only after providing notice to the attorney general and a written demand to the alleged violator and subject to a 65‑day review by the attorney general to determine whether the claim is frivolous. Damages in a successful private suit would be the greater of $5,000 or actual damages, plus injunctive relief, and potential punitive damages for intentional violations.

The committee discussed thresholds and applicability at length. H.208 applies to a person who conducts business in Vermont or offers products targeted to Vermont residents and who, during the preceding calendar year, either controlled or processed the personal data of not fewer than 25,000 Vermont consumers (with alternative thresholds for smaller entities that derive a significant share of revenue from data). Segal explained phased thresholds and staggered effective dates: the public education and outreach obligation would begin July 1, 2025; the main data privacy provisions would take effect July 1, 2026; and two scheduled reductions in the applicability thresholds would occur on July 1, 2027 and July 1, 2028.

The draft also includes special protections for children: controllers that offer online services reasonably expected to be used by minors would be held to a "knows or should have known" standard for identifying minors, must avoid processing that poses high risk of harm to minors, must give conspicuous signals when precise geolocation data is collected, and may not process minors' data for targeted advertising or sell minors' data.

Segal described limits and exemptions in the draft: the chapter would not prohibit controllers from complying with federal, state or municipal laws, responding to subpoenas or law‑enforcement requests, or processing data for public health, product recalls, or internal research in the public interest — subject to safeguards. The bill would not require use of age‑verification systems in schools or employers, and it carves out several other ordinary‑business exceptions.

On next steps, Segal said the attorney general must implement public education and assistance programs, provide guidance and templates for privacy notices and opt‑out mechanisms, and report back to the legislature on implementation by December 2027. Committee members asked technical and drafting questions but took no formal vote during the session.

If enacted, H.208 would create a state framework for consumer data rights, impose contract and assessment obligations on controllers and processors, and give the attorney general primary enforcement authority with a narrowly defined private right of action for certain types of large data companies.