InfoBytes Blog

Financial Services Law Insights and Observations

Vermont enacts data privacy and consumer protections

State Issues State Legislation Privacy/Cyber Risk & Data Security Consumer Protection

On March 5, the Vermont governor signed SB 110 to expand data privacy and consumer protection measures in the state. Among other things, SB 110 (i) expands the definition of personally identifiable information (PII) subject to the Security Breach Notice Act to also include taxpayer identification numbers, passport numbers, military identification card numbers, other government-originated identification numbers “commonly used to verify identity for a commercial transaction,” unique biometric data, and health records; (ii) provides that if a data breach is limited to the unauthorized acquisition of login credentials, data collectors are only required to provide notice to the state attorney general or the Department of Financial Regulation “if the login credentials were acquired directly from the data collector or its agent”; (iii) establishes requirements to ensure consumers are provided notice of a data breach; (iv) adopts online privacy protections for students, including prohibitions on the use of targeted advertising and the sale or rent of student information, as well as responsibilities for operators of online services or mobile applications; and (v) requires that consumer contracts clearly disclose any automatic renewal provisions and allow consumers to easily terminate contracts. SB 110 takes effect July 1.