WeVote

Bill

Bill

S 302

An act relating to limiting the collection of personally identifying information

2025-2026 Regular Session Introduced by Martine Gulick and 2 co-sponsors

The bill tightens how Vermont state agencies collect, use, share, and retain personal data to protect residents’ privacy.

Read 1st time & referred to Committee on Judiciary
0
WeVote Research Nonpartisan
Bill Summary · S 302

Summary of Bill S. 302 (2025-2026, Vermont)

Purpose and intent

  • S. 302 is an act focused on limiting the collection of personally identifying information (PII). The bill aims to restrict how state agencies, and potentially other entities, can collect, store, use, or disseminate PII, with the goal of enhancing privacy protections for Vermont residents.

Key provisions and changes (highlights)

  • Scope of PII: The bill defines what constitutes personally identifying information (e.g., data that can identify an individual directly or indirectly). It directs agencies to minimize collection of such data and to avoid gathering unnecessary PII.
  • Collection limits: Agencies would be required to justify the collection of PII, demonstrate necessity for a specified purpose, and limit collection to the minimum amount needed to achieve that purpose.
  • Use and retention: Provisions are expected to address permissible use of collected PII, restrictions on secondary uses, and time-bound retention schedules. Data beyond what is needed for a stated purpose would be restricted or prohibited.
  • Disclosure and sharing: The bill would likely impose tighter controls on sharing PII with third parties, contractors, or other government entities, including requirements for safeguards and possibly consent or data-sharing agreements.
  • Safeguards and security: Requirements for data security measures (e.g., access controls, encryption, breach notification, and regular risk assessments) to protect PII from unauthorized access or disclosure.
  • Regulatory framework: Establishment or reinforcement of privacy standards for state agencies, including accountability mechanisms, audits, and potential penalties for noncompliance.
  • Compliance and exemptions: The act may outline how agencies demonstrate compliance, including timelines, exemptions for specific operations, or carve-outs for certain types of information (e.g., data already in public records, or certain critical infrastructure contexts).
  • Enforcement: Provisions for enforcement, including who enforces the rules (e.g., a privacy officer or department), and remedies for violations (administrative penalties, corrective action plans).

Affected entities and stakeholders

  • Primary: Vermont state agencies and departments that collect or maintain resident data.
  • Secondary: Contractors, vendors, and grantees who process state-held PII on behalf of agencies.
  • Residents: Vermont residents whose PII may be collected, stored, or shared by state entities.
  • Privacy advocates and civil rights groups may have an interest in stronger data protection and transparency.

Procedural and timeline aspects

  • Action history indicates: Read 1st time and referred to the Committee on Judiciary on January 23, 2026.
  • The bill is in the early stage of the legislative process; it will undergo committee consideration, potential amendments, and then votes by the full Senate and House, plus possible executive approval.
  • If amended and passed, it would move through additional readings, a conference (if needed) between chambers, and final approval before becoming law or being vetoed by the governor.

Potential impact

  • Strengthened privacy: By narrowing collection and tightening controls over use and disclosure of PII, the bill could reduce unnecessary data exposure and enhance resident privacy.
  • Compliance burden: Agencies and contractors may face new compliance requirements, documentation, and ongoing data governance practices.
  • Public confidence: Clear standards and accountability may increase public trust in how state entities handle personal data.

Note: The summary reflects the bill’s stated objectives and typical provisions for data-privacy bills. Specific statutory language, exact definitions, exemptions, and procedural details will be clarified in the bill text and any adopted amendments during committee and floor deliberations.

Compiled from official sources — confirm details with the bill’s official record.

Sign in to ask a question.