House committee reviews S.71 data-privacy bill, highlights differences from H.208 and enforcement questions

Rick Segal, legislative counsel, told the House Committee on Commerce & Economic Development on May 1 that S.71 (the Senate-passed version of a consumer data privacy bill) is broadly similar to H.208 but contains key differences committee members should note.

Segal said S.71 and H.208 are about “90% the same,” but “that 10 percent’s important,” pointing to differences in definitions (for example, inclusion of biometric data, gender-affirming health data, and a definition for abortion in S.71), applicability thresholds, and exemptions. He summarized several consumer rights included in the bill, including the right to confirm whether a controller processes a consumer’s personal data, correct inaccuracies, obtain deletion, receive a portable copy of data, and opt out of targeted advertising, sales of personal data and certain profiling.

Why it matters: the committee was asked to note where S.71 narrows or widens coverage compared with H.208. Segal highlighted enforcement and implementation differences that could materially affect businesses, nonprofits and consumers — notably the bill’s enforcement structure and the exemptions that remove some entities from coverage.

Key technical and scope points discussed

- Applicability thresholds: S.71 applies to persons that do business in the state or target residents and that either process personal data of at least 100,000 consumers in the prior year or process personal data of at least 25,000 consumers and derive more than 25% of gross revenue from sale of personal data. Segal contrasted that with H.208’s lower threshold discussion (12,500 in some versions). He cautioned members to compare exemptions and thresholds side-by-side.

- Consumer rights and response deadlines: Segal summarized the controller duties and consumer remedies in S.71. Controllers must generally respond to consumer requests “without undue delay, but not later than 45 days” and may extend that period by an additional 45 days. He explained that controllers may charge a reasonable fee only if requests are “manifestly unfounded, excessive, or repetitive,” but the controller bears the burden of proving that characterization.

- Opt-out mechanisms and platform signals: S.71 requires controllers to provide consumer-friendly opt-out mechanisms and to honor an opt-out preference signal by a platform technology beginning no later than Jan. 1, 2026 (Segal noted the bill’s effective date language must be reconciled with other dates in the text). He said the statute would require an opt-out mechanism that is “consumer friendly and easy to use by the average consumer.”

- Consumer health data and geofencing: S.71 contains a separate consumer-health-data section with distinct exemptions and narrower applicability language. The bill forbids use of geofences within a short distance of covered health facilities for the purpose of identifying, tracking, collecting data from, or sending notifications about consumer health data; Segal read a distance that the transcript records as “70 hundred 50 feet” and noted committee staff will check and correct numeric drafting errors.

- Exemptions: S.71 lists entity- and data-level exemptions including state and local governmental entities and many federally regulated sectors (for example, data covered by HIPAA, the Gramm-Leach-Bliley Act, FERPA, the Fair Credit Reporting Act, the Driver’s Privacy Protection Act, and certain aviation data). Segal pointed out that, unlike H.208, S.71 explicitly exempts nonprofits that meet the bill’s definition.

- Data protection assessments and timing: S.71 requires controllers to conduct and document data protection assessments for processing that presents a heightened risk of harm (for example, targeted advertising, sale of personal data, profiling that creates significant effects, processing of sensitive data). Segal noted the bill ties assessments to processing activities created on or after July ’25 (he suggested the committee might want to confirm whether the intended start date should instead be 2026).

Enforcement and the Attorney General

Segal explained that S.71 gives the Attorney General (AG) exclusive authority to enforce the statute and removes a consumer private right of action for violations of the chapter. During an initial transition period the AG must, where a cure is possible, issue a notice of violation and provide a cure period before initiating enforcement; if the violation isn’t cured within 60 days the AG may bring action. Segal emphasized that S.71 also directs the AG to issue guidance to controllers and processors and provides that compliance in good faith with AG guidance may shield an entity from being treated as having committed an unfair or deceptive act under the Vermont Consumer Protection Act.

Committee concerns and remaining questions

Committee members asked for clarification about (1) the AG’s exclusive enforcement role and whether guidance would create a safe harbor that could leave consumers without an individual remedy; (2) ambiguous drafting and numeric errors (dates and a drafting artifact Segal acknowledged were likely editing mistakes); (3) how federal law references (for example COPPA/COPPA’s age thresholds and HIPAA) interact with the state bill where entities are not subject to the federal law; and (4) the practical effect of the exemptions and the standards for when an entity is treated as a controller versus a processor.

No vote or formal action was taken; Segal recommended a later hearing with more witnesses — including the AG’s office — to resolve drafting questions and to demonstrate the practical implications of S.71 versus H.208.

Ending note: committee staff flagged multiple drafting fixes and recommended additional testimony; Segal said he would schedule a follow-up hearing so members could compare versions and hear outside testimony before any formal committee vote.