Who’s afraid of Vermont’s privacy law? Why this powerful privacy bill got vetoed
Posted: July 1, 2024
For the first time, a comprehensive US privacy law has been passed by a state’s legislature only to be vetoed by its governor.
Vermont’s H.121 was an ambitious attempt to create strong privacy protections in the “Green Mountain State.” Vermont eschewed the cookie-cutter legislation present across many other states to draft a bold – if risky – privacy law.
But with businesses lobbying against its strict obligations, H.121 was arguably doomed to fail. Here’s a look at why Governor Phil Scott and Vermont’s senate were so worried about this bill.
Outline of Vermont’s H.121
H.121 was a particularly serious attempt at a comprehensive privacy law.
Like many state privacy bills, H.121 was built on the framework provided by the Virginia Consumer Data Protection Act (VCDPA). But like certain other states, Vermont went further than Virginia by including the following provisions:
- Data protection assessments: Controllers would have been required to balance the potential harms and benefits before engaging in certain risky data-processing activities.
- Universal opt-out mechanisms: Controllers would have been obliged to recognize users’ requests to opt out of targeted ads and the sale of their personal data via protocols such as the Global Privacy Control (GPC).
- Data minimization: Similar to Maryland’s Online Data Privacy Act (MODPA), H.121 would have generally prohibited the processing of personal data except where it aligned with consumers’ reasonable expectations or for one of several other predetermined purposes.
However, the most contentious aspect of Vermont’s privacy law was its private right of action.
H.121’s private right of action
Since the California Consumer Privacy Act (CCPA) passed in 2018, no other state has adopted a comprehensive privacy law with a private right of action, a provision that enables consumers to sue businesses for certain violations of the law.
Even California’s private right of action is relatively weak, requiring litigants to show that a business has experienced a specific type of data breach involving specific types of personal information.
Since its early drafts, Vermont’s H.121 has included a private right of action that went beyond California’s. But it was re-written several times following pressure from industry groups.
In its final iteration, H.121 would have required Vermont’s governor to design “legislative language for implementing a private right of action” while having regard to the risk of time-wasting lawsuits and the interests of smaller businesses.
As such, Vermont’s private right of action might have been relatively narrow by the time it impacted businesses. Nonetheless, this provision was what primarily prompted Governor Scott to veto the law.
Governor Scott’s objections to H.121
In a letter to Vermont’s General Assembly dated 13 June, Governor Scott explained that he was “returning H.121… without (his) signature” for the following reasons:
- The private right of action
- The “Kids’ Code” provision (a design code intended to protect privacy in child-directed online services)
- The bill’s “complexity and unique expansive definitions”.
On the first point, Scott said that H.121’s private right of action, although “narrow in its impact,” was causing “significant fear and concern among many small businesses.”
“…the bill’s ‘private right of action’… would make Vermont a national outlier, and more hostile than any other state to many businesses and non-profits,” Scott wrote.
Scott compared the bill’s “Kids’ Code” with California’s Age Appropriate Design Code Act (AADCA), the implementation of which has been delayed following a successful court challenge alleging that it violated the First Amendment of the US Constitution.
Scott did not provide detail on H.121’s alleged complexity and expansiveness, except to say that it would “create big and expensive new burdens and competitive disadvantages for the small and mid-sized businesses Vermont communities rely on.”
“The bottom line is, we have simply accumulated too much risk,” Scott wrote, urging lawmakers to pass a bill similar to the Connecticut Data Privacy Act (CTDPA) to ensure “regional consistency.”
What happened next?
The Vermont Legislature had an opportunity to reverse Scott’s decision and pass the bill again. While the House enthusiastically voted to overturn the veto, the Senate narrowly voted to maintain it (by one vote), meaning that H.121 is officially dead.
So what happens now?
Vermont lawmakers could draft a less radical law that assuages Scott’s and others’ concerns. Or they could double down, producing another strong privacy bill and trying once more to get the state’s approval.
Either way, the case of Vermont’s H.121 illustrates how unpredictable the US privacy landscape has become. Unless Congress passes a federal law, privacy professionals will need to continue watching state lawmaking activity very carefully.