WeVote

Bill

Bill

S 93

An act relating to consumer data privacy

2025-2026 Regular Session Introduced by Scott Beck and 4 co-sponsors

S.93 creates a Vermont consumer data privacy framework requiring entities to protect Vermonters’ personal data, grant user rights, and enforce with penalties.

Read 1st time & referred to Committee on Economic Development, Housing and General Affairs
0
WeVote Research Nonpartisan
Bill Summary · S 93

Overview

S.93 (2025-2026) is a Vermont bill titled An act relating to consumer data privacy. The measure was introduced in the Senate and referred to the Committee on Economic Development, Housing and General Affairs after its first reading on February 27, 2025. The bill has several cosponsors, led by primary and additional sponsors including Kesha Ram Hinsdale, Chris Mattos, Ann Cummings, Thomas Chittenden, and Scott Beck.

Purpose and Intent

  • Establish a framework to protect consumer privacy by regulating the collection, use, and disclosure of Vermonters’ personal data by entities operating in Vermont or handling Vermonters’ data.
  • Provide Vermont residents with certain rights over their personal data and create responsibilities for data controllers and processors to safeguard data and be transparent about practices.

Key Provisions and Changes (as typically found in consumer data privacy legislation)

While the specific text of S.93 is not provided here, Vermont consumer data privacy bills generally include several common elements. A comprehensive summary of likely provisions you would expect to see in S.93 includes:

  • Definitions:

    • Personal data, sensitive data, consumer, business, data processor/controller, and other key terms.
    • Criteria for when a business is subject to the law (e.g., targeting Vermont residents, collecting data from Vermonters, or processing data of Vermont residents).
  • Consumer Rights:

    • Right to access personal data held by a controller.
    • Right to delete (delete request) certain personal data.
    • Right to data portability (receive data in a structured, commonly used format).
    • Right to correct inaccurate data.
    • Right to opt out of certain processing (e.g., sale or targeted advertising) if applicable.
    • Right to object to processing under certain circumstances.
    • Right to be notified about data breaches affecting their data.
  • Obligations on Controllers and Processors:

    • Prohibition or restrictions on data collection, use, sharing, and retention beyond what is necessary.
    • Requirements to implement reasonable data security practices, including administrative, technical, and physical safeguards.
    • Requirements for data minimization and purpose limitation.
    • Obligation to conduct data impact assessments for certain high-risk processing activities.
    • Requirements to maintain a documented data privacy program and designate a data protection officer or point of contact (depending on scope).
  • Third-Party Data Handling:

    • Obligations for contracts with service providers and processors.
    • Requirements for data breach notification to affected individuals and possibly to the state authorities within a specified timeframe.
  • Enforcement and Penalties:

    • Establishment of a state agency or authority to enforce the act (likely the Vermont Attorney General’s Office or a designated privacy regulator).
    • Civil penalties for violations, with potential tiered penalties depending on severity and repeated offenses.
    • Procedures for consumer complaints and agency investigations.
    • Possible private right of action or limitations on such actions (some states restrict or allow limited private enforcement).
  • Exemptions:

    • Common exemptions for data governed by other federal laws (e.g., HIPAA, GLBA), entertainment or employee records, or aggregated/anonymized data.
    • Small businesses or de minimis data thresholds may be established to limit applicability.
  • Effective Date and Phase-In:

    • Effective date after enactment with potential grace periods for compliance.
    • Possible phased compliance timelines for different obligations.

Who Would Be Affected

  • Data controllers: Businesses and organizations that determine the purposes and means of processing Vermonters’ personal data.
  • Data processors: Service providers handling data on behalf of controllers.
  • Vermonters: Residents whose personal data is collected or processed by covered entities.
  • Covered entities could include a wide range of sectors: tech companies, retailers, financial services, healthcare entities, and any entity handling personal data of Vermont residents.

Procedural and Timeline Considerations

  • Initial action: 1st reading in the Vermont Senate on February 27, 2025, followed by referral to the Committee on Economic Development, Housing and General Affairs.
  • Next steps likely include committee hearings, potential amendments, floor votes in the Senate, and eventual consideration by the House, with potential conference committee if differences arise.
  • Depending on amendments, the act would specify an effective date and any required compliance deadlines.

Practical Impact

  • Consumers would gain clearer rights to access, control, and protect their personal data.
  • Businesses would face new compliance requirements, including data security standards, privacy notices, data retention controls, and breach notification protocols.
  • The bill could influence data handling practices, vendor management, and consumer-facing transparency standards across Vermont.

If you’d like, I can adjust this summary once the full text or committee summary is available, to include exact definitions, specific rights, deadlines, and enforcement mechanisms as enacted in S.93.

Compiled from official sources — confirm details with the bill’s official record.

Sign in to ask a question.