Via Community News Service, a University of Vermont journalism internship
Two of a group of three data privacy-centric bills in the Legislature advanced past the crossover date, with the third remaining grounded in committee until next year.
Each bill in the triplet focuses on a different aspect of online privacy protections for Vermonters: age-appropriate design, more guards on consumer data and stricter regulations for data brokers operating in Vermont.
All three bills are remnants of H.121, a bill that was initially vetoed by Gov. Phil Scott in 2024. House lawmakers overrode the veto, but their colleagues in the Senate didn’t.
“These bills are really just trying to put guardrails on our internet experience,” said Rep. Monique Priestley, D-Bradford, who wrote the House versions of the two passed bills and was the lead sponsor on the third.
“(They) make sure that people’s personal data is protected and used in a way they’re expecting and consenting to.”
The first bill to pass into the opposite chamber this year was S.69, better known as the “Kids Code,” which would require companies with online products to make certain existing settings factory standard, such as turning off endless scroll or restricting the type of content kids can see.
Doing so would ensure platforms are not targeting younger audiences for engagement or to sell products, supporters say.
“They have the ability to restrict whether or not kids are being seen by unwanted adult attention,” Priestley said. “We’re really talking about trying to make the ‘for kids’ setting they already have the default.”
Vermont Attorney General Charity Clark said children are especially susceptible to those types of practices, given they spend more time on their phones, have more free time and have still-developing brains more vulnerable to addiction than adults.
“Targeting children is useful because once you have a loyal consumer, you have them for life,” Clark said. “That’s a good investment to make for a company.”
Clark offered a troubling example: If someone has an eating disorder, they might be more prone to look at social media content that promotes fitness or skinny body types.
In that situation, an algorithm designed to show users more of what they frequently view may perpetuate unhealthy practices.
“The algorithm doesn’t judge,” Clark said. “The algorithm is not there to be helpful for anyone. It’s just there to make money.”
Adam Locklin, executive director of the Vermont Technology Alliance, said his organization, which advocates for the state’s tech sector, wants to find a balance between protecting Vermonters and allowing growth.
But Locklin argues that S.69 fails to do so. The Kids Code bill would kick in when at least 2% of a company’s audience is under 18 years old. Locklin sees this as too broad a threshold that could spell unintended consequences for small businesses in Vermont.
“A reservation app for a restaurant built in Vermont, or ones that operate in Vermont, do they hit 2% of under 18? Probably,” he said. “They would be susceptible to this, even though making a reservation has nothing to do with the point of this bill.”
Locklin also took issue with some of the bills’ language, which he said was too ambiguous and would be difficult for companies to understand.
“Why would we put the onus on businesses?” he said. “The legislatures and the people implementing these should have strong, strict definitions and guardrails.”
Five senators voted against S.69, citing similar concerns to Locklin’s.
“I do not believe that this bill will accurately identify minors,” said Sen. Samuel Douglass, R-Orleans, in a floor speech. “We were told multiple times that age verification methods are very difficult, if not impossible, to implement.”
The second of the three bills to survive the crossover deadline was S.71, a companion bill of Priestley’s original, H.208, that aims to increase online consumer data privacy protections for Vermonters.
There’s a lot of data collection happening all the time, Priestley said. Companies use that data to market to users or sell it to data brokers — companies that literally broker data sales — which in turn sell the data to other companies looking to target people with ads or spam.
“If you are on the web at any given time and you have different pixel trackers, cookies — they are tracking your behavior everywhere and scraping what you’re doing and looking at and who,” Priestley said.
A common but untrue assumption is that only big tech companies take part in this kind of activity, Priestley said.
“Many of our activities are done online, and online is fueled by our data,” she said. “Every one operates, to some extent, on data collection and processing.”
Priestley said she did not want to interfere with businesses’ marketing plans, which are often informed by user data. But she wants to ensure consumers are not unwittingly giving up sensitive data.
Clark said her office’s Consumer Assistance Program receives thousands of scam reports per year.
“We have been asking for a comprehensive data privacy law for a while now, and to me every year it becomes more urgent,” she said.
H.211, the third bill, was not so fortunate.
It would add stipulations to Vermont’s data broker laws, including requiring brokers to notify the state of security breaches and guarantee that the data they sell will be used for “legitimate” purposes.
The bill would also require data brokers to set up a system to delete the personal information of any consumer who makes a request.
Vermont is the first state to have a data broker registry — a compendium of companies that make their money selling people’s data.
“There’s a lot of data collection happening all the time, and that is happening without most people realizing it is happening,” Priestley said. “That information and activity is sold amongst different companies.”
Clark said her top priority is regulating the collection of users’ biometric data — face, eyes, fingerprints, for example, often recorded through pictures or fingerprint scans.
“Taking ownership of who owns our own data, especially data about us that is exclusive to us, is critical,” she said. “I really feel like we need to enter an era where it is very clear that our data belongs to us.”
H.211 incorporates pieces of California’s Delete Act, which became law in the Golden State in 2023.
Though H.21 remains in the House Committee on Commerce and Economic Development , Priestly is optimistic about her legislative triad, even if the bills don’t all cross the finish line during this session.
“I think that they all have good chances of making it through the biennium,” she said. “People are really starting to realize and think about the fact that everything they are, and everything they do, is in records online and can be used against them.”