Vermont committee reviews bill to tighten data-broker rules with new breach notices, deletion tool and audits
Summary
The Vermont House Commerce & Economic Development Committee heard a legislative-counsel walkthrough of a bill that expands definitions of brokered data, creates a data-broker–specific breach-notice regime (45 days to consumers; 14 business days to the attorney general), requires an accessible statewide deletion mechanism and independent audits, and increases registration penalties.
Unidentified Speaker 2, legislative counsel, told the Vermont House Committee on Commerce & Economic Development on Jan. 8 that the bill would amend Title 9, Chapter 62 (protection of personal information) to expand definitions, strengthen breach reporting and create a single deletion mechanism for consumers. “Vermont, as I said last year, was the first state to regulate data brokers,” Unidentified Speaker 2 said, citing California’s Delete Act as a point of comparison.
The bill would add or clarify definitions — including an expanded biometric-data definition that lists iris and retina scans, fingerprints, facial mapping, gait and other templates — and add phone numbers to the list of brokered personal information. It also proposes a five‑year lookback to determine when a business has a direct relationship with a consumer and therefore is excluded from the data-broker definition.
A new Data Broker Security Breach Notice Act (identified in the bill as a separate section) would require a data broker, after discovery or notification of a breach affecting a Vermont consumer, to notify the consumer "in the most expedient time possible and without delay, but not later than 45 days," subject to limited law‑enforcement delay. The same section would require a preliminary notice to the attorney general, including dates and a description, within 14 business days of discovery.
Consumer notice must describe the incident in general terms, list categories of brokered personal information affected, state actions the broker has taken to secure data, give a telephone contact for more information, advise consumers to monitor accounts and provide the approximate breach date. Methods permitted include written mail, direct electronic notice or telephone calls (not prerecorded messages); publication in a statewide newspaper is listed as an option when other methods are not possible.
To make deletion feasible, the bill directs the Secretary of State to build an accessible deletion mechanism by Jan. 1, 2028. Through a single verifiable request, a consumer or an authorized agent could ask that every registered data broker delete brokered personal information. Data brokers would be required to check the mechanism at least every 45 days starting Aug. 1, 2028, process verifiable deletion requests received during the prior 45 days, delete the data, and treat the request as an opt‑out of sale or sharing. The mechanism must be free, accessible to people with disabilities and permit authorized agents to act for consumers.
The measure would also require independent third‑party audits to determine compliance at least once every three years, with the first audit completed on or before Dec. 2030; audit reports and related materials must be retained for six years and produced to the Secretary of State on request. The registration system would be expanded to collect data about whether brokers hold precise geolocation, reproductive health data, Social Security numbers, driver’s license numbers, biometric data, immigration status, sexual orientation or union membership, and to report deletion‑request and processing metrics beginning Jan. 1, 2029, and audit status beginning Jan. 1, 2031.
Penalties would rise: the draft raises the administrative fine for failing to register to $200 per day (from $50), establishes $1,000‑per‑day penalties for late amendments or uncorrected materially incorrect registration information (and a $25,000 penalty for materially incorrect registration) and authorizes recovery of reasonable investigative costs; collected fees and fines would flow into a new Data Brokerage Registry Fund to be administered by the Secretary of State.
The bill adds credentialing requirements for prospective purchasers of brokered data — requiring identity verification, purpose certification and reasonable efforts to verify end‑users — and empowers brokers to refuse to furnish data when there are reasonable grounds to suspect illicit use.
Committee members pressed for clarity on exceptions for data already regulated by federal law or by financial/insurance regulators, the scope and content of third‑party audits, what constitutes "misuse not reasonably possible" (the bill allows an exception to consumer notice if misuse is judged unlikely and documented), and whether deletion would conflict with public‑record obligations (for example, criminal or offender records). Unidentified Speaker 2 suggested structural amendments to make carve‑outs explicit and recommended inviting technical witnesses for detailed questions about how deletion and audits would operate.
The committee did not take a vote in this session; members signaled interest in amendments to tighten audit specifications, clarify exceptions for regulated sectors and ensure the Data Brokerage Registry Fund can support both the Secretary of State’s and the attorney general’s enforcement costs. The committee scheduled a short break and said it would return to consider amendments and possibly summon witnesses for technical testimony.