Citizen Portal
Sign In

Get AI Briefings, Transcripts & Alerts on Local & National Government Meetings — Forever.

Claim Your Spot

House committee reviews S.71, a proposed Vermont data privacy and online surveillance act

Vermont House Committee on Commerce & Economic Development · April 24, 2026

Loading...

AI-Generated Content: All content on this page was generated by AI to highlight key points from the meeting. For complete details and context, we recommend watching the full video. so we can fix them.

Summary

The Vermont House Committee on Commerce & Economic Development began a line‑by‑line review of S.71. Legislative counsel Rick Segal walked members through draft 2.3, explaining applicability thresholds (35,000 consumers and sensitive‑data triggers), consumer rights, controller/processor duties, data‑protection assessments, and a proposed Attorney General enforcement unit funded at $650,000.

The Vermont House Committee on Commerce & Economic Development opened a session on April 24 to begin detailed consideration of S.71, a proposed statewide data privacy law that the draft calls the Vermont Data Privacy and Online Surveillance Act. Legislative counsel Rick Segal walked members through amendment draft 2.3 and highlighted where the document derives from language the senate passed last year and where it differs from House proposals.

Segal told the committee the draft would create a new data‑privacy subchapter and said, "This chapter shall be known as the Vermont data privacy and online surveillance act." He described the measure as a foundational state law that would set consumer rights and controller obligations while noting several areas are policy choices for the committee.

The bill in the current draft would apply to any business that during the preceding calendar year controlled or processed personal data for at least 35,000 consumers; Segal said the numeric threshold is subject to negotiation. He added that certain categories of data—Social Security numbers, genetic information, and specific health data—would trigger coverage regardless of the numeric threshold. "So if it's under that, then you would not be subject to the bill; however, if you control or process consumer sensitive data, even one person would be subject to the bill unless you meet an exception," Segal explained.

The draft lists common exemptions: federal, state, tribal and local governments and instrumentalities; data subject to HIPAA and related protected‑health‑information rules; and other federal statutes referenced in the text such as the Fair Credit Reporting Act, the Driver's Privacy Protection Act, and FERPA. Segal said the committee should expect witness testimony from specialty experts on health‑data and federal‑law interactions.

On consumer rights, the draft grants consumers a set of rights including confirming whether a controller processes their personal data, correcting inaccuracies, deleting data (subject to legal exceptions), obtaining a portable copy in a machine‑readable format, receiving a list of third parties to whom their data was sold, and opting out of targeted advertising, sales, and profiling that produces legal or similarly significant effects. The draft sets an initial controller response period of 45 days and allows a single extension of an additional 45 days when reasonably necessary.

Committee members pressed Segal about profiling and automated decisions. One member asked for a concrete example of profiling and whether the bill requires consumers to be notified when automated decisions occur. Segal said the consumer would be able to request whether profiling or automated decision‑making affected them but that the draft does not yet mandate an automatic notice at decision time; he suggested the committee could consider language to make notice more explicit.

The draft places several operational duties on controllers: limit collection and processing to what is reasonably necessary and proportionate, implement administrative and technical safeguards scaled to the sensitivity and volume of data, not sell sensitive data, avoid discrimination against consumers who exercise rights (for example by denying goods or services or charging different prices), and provide clear, easily accessible privacy notices and mechanisms to opt out. Segal also described companion processor obligations and recommended contracts that bind processors to controllers' instructions and require assistance with breach notification and data‑protection assessments.

For high‑risk processing—targeted advertising, sale of personal data, profiling with foreseeable risk of harm, and processing sensitive categories—the draft requires controllers to conduct and document data protection assessments. Segal said the Attorney General may require disclosure of assessments relevant to investigations and that the draft treats assessments provided to the AG as confidential and not subject to public records disclosure to the extent already protected by privilege.

On enforcement, the draft would fold violations into Vermont's Consumer Protection Act, make violations enforceable by the Attorney General, and remove a private right of action for consumers under that framework. It would also create a data privacy unit in the AG's office (at least two attorneys and one investigator) and proposes a $650,000 general fund appropriation to establish and staff the unit. The draft sets an assessment applicability date of July 1, 2026, though Segal noted effective dates can be changed.

Members asked for a side‑by‑side comparison with prior senate language and related House bills (including H.208 and H.211) to ensure the measures align and do not conflict. The chair recessed for lunch and scheduled a continuation of the textual review in the afternoon, when members planned to examine definitions and outstanding differences.

The committee did not vote on S.71 during the session; the meeting was an informational and drafting review to help members decide policy choices in the coming weeks.