Vermont Enacts Additional Data Privacy and Consumer Protection Provisions

Vermont recently signed into law legislation (Senate Bill 110) to address a number of issues related to data privacy and consumer protection – such as expanding the definition of personally identifiable information (PII) for purposes of data breach notification requirements for data collectors – effective July 1, 2020.

Under the Vermont Security Breach Notice Act, data collectors are required, in certain instances, to report data breaches of PII.  The recent legislation expands the definition of PII, including elements such as additional identification numbers (e.g., individual taxpayer identification number, passport number, etc.), certain unique biometric data used for identification or authentication purposes, genetic information, and certain health information.  Moreover, the recent legislation expands the definition of, and notices required in connection with, a security breach to address login credentials (i.e., a consumer’s user name or e-mail address, in combination with a password or an answer to a security question, that together permit access to an online account) in addition to PII.  Additional changes, including those related to options for substitute notice and the addition of login credentials to these provisions, were made to various other sections of the Vermont Security Breach Notice Act as well.

The recent legislation also generally adds state statutes that require the state to conduct a data privacy audit in which it analyzes consumer information it collects and uses, protect student online privacy, and impose communication requirements on sellers or lessors of certain types of consumer contracts.