Last week, the Vermont legislature passed H. 121, the Vermont Data Privacy Act. This law will make Vermont the 18th state to grant consumers privacy rights similar to those under the California Consumer Privacy Act (CCPA). It is scheduled to go into effect on July 1, 2025.

While the Vermont Data Privacy Act includes provisions similar to those granted under the CCPA (e.g., consumer rights to delete, access, correct, and opt-out), the Act also includes some provisions that are more protective than the CCPA:

  • The Act includes data minimization requirements that prohibit businesses from collecting personal information for ANY purpose outside of providing the product or service.
  • The Act grants consumers a private right of action against businesses not only when the entity causes a breach of personal information (as is the case under the CCPA) but also if the business misuses data about their race, religion, sexual orientation, health, or other categories of sensitive information. 

Note, however, that the law’s private right of action must be reauthorized after two years and only applies to large data brokers. The Vermont legislature pushed this law along amidst the push by the federal government to pass a comprehensive privacy law, which has yet to come to fruition over the last decade. We will continue to monitor new consumer privacy rights laws and how these laws may affect your business and its data collection and use practices.

Kathryn Rattigan

Kathryn Rattigan is a member of the Business Litigation Group and the Data Privacy+ Cybersecurity Team. She concentrates her practice on privacy and security compliance under both state and federal regulations and advising clients on website and mobile app privacy and security compliance. Kathryn helps clients review, revise and implement necessary policies and procedures under the Health Insurance Portability and Accountability Act (HIPAA). She also provides clients with the information needed to effectively and efficiently handle potential and confirmed data breaches while providing insight into federal regulations and requirements for notification and an assessment under state breach notification laws. Prior to joining the firm, Kathryn was an associate at Nixon Peabody. She earned her J.D., cum laude, from Roger Williams University School of Law and her B.A., magna cum laude, from Stonehill College. She is admitted to practice law in Massachusetts and Rhode Island.