Vermont Slated to Grant a Private Right of Action to Consumers in New Data Privacy Bill


As Vermont joins the growing number of states with comprehensive consumer data privacy laws, it stands out from the crowd with the ability of Vermonters to bring a private right of action (PRA) against large data holders. In its proposed legislation, House Bill 121 (H.121), Vermont takes a stand against Big Tech’s use of consumer information. The PRA gives individual consumers the ability to pursue damages against large-scale data businesses that misuse their sensitive data.

“Vermonters value their privacy. It is embodied in our state motto: freedom and unity,” said Charity Clark, Vermont Attorney General. Clark has been an outspoken proponent of H.121, noting the potential consumer privacy concerns that arise in an age of artificial intelligence, biometric information, and commodified consumer data. Clark supports the idea that Vermonters have a right to control the use of their own data, as well as take personal action when that right is violated.  

The PRA in H.121 would give consumers the ability to seek damages against data holders that process the data of more than 100,000 Vermonters. Policy Analyst Matt Schwartz, who testified in front of the House Committee on Commerce and Economic Development, said that under H.121, “consumers who have been harmed by Big Tech’s data abuses will actually be granted the ability to defend their rights.” He went on to say that he “hope[fully] this marks a turning point in state privacy law, where lawmakers will become more comfortable with the idea of providing strong enforcement remedies for consumers, instead of punting the issue to under-resources (attorney general offices).”

H.121 is expected to be published and delivered to Governor Phil Scott of Vermont any day now. The latest status of the house bill came on 10 May. From the Senate floor, the House delivered the message that it “concurred in Senate proposal of amendment to House proposal of amendment.” After ample deliberation and bipartisan compromise over the past four months, Scott still has reservations about the power of the PRA. Indeed, the latest iteration of the bill nods at Vermont’s skepticism about the PRA being leveled against good-faith actors or small businesses.

The 10 May iteration of H.121 reduced the power of the PRA in response to concerns from small and mid-size businesses. Section 8 of H.121 states that the Attorney General will be tasked with supplying implementation reports on the PRA’s effects. Among the points of consideration are applicability thresholds ensuring that the PRA is not harming Vermont’s small businesses, whether damages are adequately balancing consumers’ interests in enforcing personal data rights against incentives for frivolous claims, and other mechanisms to ensure the PRA is targeting actors who actually engage in unfair or deceptive practices.

The Attorney General’s reports on these criteria, among others, will assist with the development of legislative language for the implementation of the PRA within 9 V.S.A. chapter 61A. Should H.121 be signed into law by the Governor, businesses will have some additional time before the PRA takes effect. It is slated for enactment on July 1, 2025, and the private right of action will become effective on January 1, 2027. There is a two-year sunset provision with an option for renewal. After the two-year trial period, the Attorney General’s aforementioned reports will direct the future expansion or reduction of the PRA.  

H. 121 is positioned to join New Jersey, New Hampshire, Kentucky, Nebraska, and Maryland in passing comprehensive privacy laws in 2024. 

*This article was drafted with assistance from Olivia Lane, student at Wake Forest School of Law and summer law clerk at Burr & Forman.

Jump to Page

Contact Us

About Burr & Forman Cybersecurity & Data Privacy Law

Burr & Forman's experienced team helps clients navigate the complex cybersecurity and data privacy landscape with strategies designed to assess current risks, develop a corrective action plan, implement best practices, and provide immediate and appropriate responses to a cybersecurity breach.

We use cookies to improve your website experience, provide additional security, and remember you when you return to the website. This website does not respond to "Do Not Track" signals. By clicking "Accept," you agree to our use of cookies. To learn more about how we use cookies, please see our Privacy Policy.

Necessary Cookies

Necessary cookies enable core functionality such as security, network management, and accessibility. These cookies may only be disabled by changing your browser settings, but this may affect how the website functions.

Analytical Cookies

Analytical cookies help us improve our website by collecting and reporting information on its usage. We access and process information from these cookies at an aggregate level.