Citizen Portal
Sign In

Get AI Briefings, Transcripts & Alerts on Local & National Government Meetings — Forever.

Claim Your Spot

Vermont committee reviews data-minimization choices in S.71, weighs Connecticut, Maryland and California models

Vermont House Committee on Commerce & Economic Development · May 5, 2026
AI-Generated Content: All content on this page was generated by AI to highlight key points from the meeting. For complete details and context, we recommend watching the full video. so we can fix them.

Summary

The House Commerce & Economic Development Committee continued review of S.71 (draft 2.3) on May 5, 2026. Legislative counsel Rick Segal presented a side-by-side comparison of the bill's data-minimization provisions with Connecticut (2025), Maryland and California; members debated consent, minors and treatment of sensitive data.

BURLINGTON, Vt. — The Vermont House Committee on Commerce & Economic Development on May 5 continued its review of S.71, draft 2.3, the state's proposed consumer data privacy bill, with legislative counsel Rick Segal walking members through a side-by-side comparison of data-minimization language in Vermont's draft and comparable provisions in Connecticut (2025 amendments), Maryland and California.

Segal told the committee the document focuses narrowly on data minimization — not on thresholds, exemptions or broad definitions — and read the draft's controlling language: "A controller shall limit the collection and processing of personal data to what is reasonably necessary and proportionate to provide or maintain a specific product or service requested by the consumer," language he said is similar in Connecticut and Maryland but structured differently in California. "A controller shall limit the collection and processing of personal data to what is reasonably necessary and proportionate to provide or maintain a specific product or service requested by the consumer," Segal said while reading the draft aloud for the committee.

Why it matters: the committee must decide whether to keep draft 2.3's current structure, align the bill more closely with the Senate-passed S.71, or adopt elements of other states' approaches. Those choices affect what data Vermont businesses may collect and how consumers may control later uses of their information.

Connecticut's 2025 amendments add a five-factor compatibility test — consumer expectation at time of collection, relationship between purposes, the impact of the new purpose on the consumer, the context of collection and the presence of safeguards such as pseudonymization — that Segal said would limit "material new purposes" unless the controller obtains consent. Segal told the panel Connecticut's new language, which takes effect July 1, 2026, attempts to import pieces of California's regulatory approach into statute and therefore includes explicit guidance on when a new use is compatible with original disclosures.

On minors and targeted advertising, draft 2.3 specifies that controllers may not process personal data for targeted advertising or sell personal data if the controller "knew or willfully disregarded" the consumer is a minor. Maryland and Connecticut use similar prohibitions with different age thresholds; California's framework relies more heavily on regulatory rulemaking and an opt-out model for targeted advertising and some sensitive-data uses.

Segal also warned committee members to consider Vermont's recently enacted age-appropriate design law (the "kids code") and federal rules such as COPPA when drafting S.71 to avoid statutory conflicts and overlapping regulatory obligations. He said Vermont's kids-code regime gives the Attorney General rulemaking authority to help businesses determine whether they are a covered business and how to verify age online.

Committee members were split on how protective Vermont should be. One member said, "I don't think we should be leading on this," arguing for a middle path between the Senate-passed S.71 and Connecticut's more expansive 2025 language, citing potential burdens on businesses in a small state. Another member said the committee should prioritize consumer protections for sensitive categories and give consumers clear affirmative choices; "If people want to sell their data to get a deal ... I don't think it's our right to tell them they shouldn't," a member said, urging strong disclosures and tiered consent for routine versus sensitive data.

On sensitive data, Segal said draft 2.3 and Maryland generally restrict processing to what is "strictly necessary" to provide a requested product or service and include a ban on the sale of sensitive data; Connecticut's approach permits opt-in for certain sensitive-data sales. Segal emphasized California's model is rule-driven, with lengthy CPPA regulations that expand definitions and enforcement expectations beyond the statute's baseline.

The committee did not vote on any changes. Chair closed the session by asking members to consider policy priorities overnight and said the committee will continue with additional testimony and targeted discussion in its next meeting, giving Segal direction for the next draft if the committee chooses a specific path.

The committee's next scheduled continuation of S.71 discussion is on the committee calendar; members also expected testimony from the Department of Labor the following morning on an unrelated agenda item.