News Stories

Sponsored by Earth Etch. Regulatory insight and compliance solutions for today’s energy markets.

Massive Consumers’ Personal Data Protection Act Awaits Vermont Governor’s Signature

By: MAGNIFYI Staff

Published May 10, 2024

Category: Uncategorized

A massive customers’ personal data protection bill awaits the Governor’s signature.  The effective date if signed is July 1, 2025.

Controlled or processed personal data of over 6,500 consumers; or controlled or processed personal data of over 3,250 consumers and more than 20% of the gross revenue derived from the sale of personal data.

Consumers will be afforded the following rights free of charge once every 12 months:

  • Right to Know and Access
  • Right to Obtain a List of Third Parties personal data has been transferred to
  • Right to Correct
  • Right to Delete
  • Right to Data Portability
  • Right to Opt Out of
  • Targeted Advertising
  • Sale of Personal Data
  • Automated Decisioning

Businesses will have up to 45 days to respond and may obtain an additional 45 days if it is reasonably necessary based on the complexity and the consumer is informed of the extension within the first 45 days of the initial request. If a consumer request is declined, the business shall inform the consumer without delay and within 45 days with the justification for declining the request and provide instruction on how to appeal the decision and allow reasonable time. If an appeal is made a consumer should be informed within 45 days in writing of the decision and the reasons. If the appeal is denied the consumer must be provided information on how to contact the Attorney General to submit a complaint.

Business must:

  • Only process personal data that is reasonably necessary and proportionate to provide the service which the data was collected for and then consumer reasonably expects;
  • Establish and maintain data security practices;
  • Provide an effective mechanism for consumers to revoke consent as easy as it was to provide consent;
  • Once consumer revokes consent the personal data must cease processing no later than 15 days;
  • Provide a clear and conspicuous link to a website where a consumer may opt out of processing, if a business does not have the capacity to provide a link another method must be provided;
  • Allow opt out signals on consumer’s behalf that does not discriminate and require an affirmative choice to opt out;
  • Conduct a data protection assessment for each processing activity that presents a heightened risk of harm and must be retained for 5 year;

Business may not:

  • Process personal data beyond what is reasonably necessary and proportionate to the purpose;
  • Process sensitive personal data without obtaining consumer consent;
  • Process personal data in a way that would discriminate against a consumer;
  • Discriminate against a consumer who exercises their rights;

Notice requirements:

  • The Privacy Policy must provide the consumer with a reasonably accessible, clear, and meaningful notice that includes:
  • Express the purposes for collecting and processing personal data
  • List of categories of personal and sensitive data this is processed
  • List of categories of personal and sensitive data that is shared with third parties
  • The purpose for processing personal data
  • How a consumer can exercise their rights
  • Categories of third parties they share personal data, with levels of details so consumers understand the type of business and if possible how they process personal data
  • Provide an email or other online option for a consumer to contact the business
  • Identifies the business name, the name registered with the Secretary of State, and any assumed business names used in the state
  • Clear description of any processing of personal data for targeted advertising, sales to third parties, or profiling of personal data and how a consumer may opt out
  • How a consumer may submit a request to exercise their rights

If a consumer is harmed and notifies the business and then fails to cure a violation within 60 days of notice, the consumer may bring an action in Superior Court

  • the greater of $1,000.00 or actual damages;
  • injunctive relief;
  • punitive damages in the case of an intentional violation; or
  • reasonable costs and attorney’s fees.

The AG’s office may issue a notice to cure prior to initiating actions, however, that will be determined by set criteria.

Official House Text as Amended
H.121 –  Passes both chambers and awaiting Governor’s signature.

Copyright 2026 MAGNIFYI.com. Unauthorized copying, retransmission, or republication prohibited. You are not permitted to copy any work or text of MAGNIFYI.com without the separate and express written consent of MAGNIFYI.com.

Editor’s Picks

Illinois ICC Approves ComEd’s New Large Load Proposed Tariff Changes
Ohio Reminder:  House Bill 15 Rules Continue to be Implemented
Legislation Energy Storage and Virtual Power Plant Bills to Watch
Ohio Petition for a Constitutional Amendment on the ‘Prohibition of Construction of a Data Center’ is filed by the Ohio Attorney General
Texas PUCT Staff Seeks Comments On Proposed Rules Re: Certification and Obligations of Retail Electric Providers

Trending

Marketing The Real Reason Retail Energy Marketing Falls Short
Michigan Expansion of Retail C&I Power Markets Considered in Michigan
Legislation Energy Storage and Virtual Power Plant Bills to Watch
Pennsylvania PECO Files Electric and Gas Rate Cases at PA PUC
Artificial Intelligence AI Regulations Must be Pro-innovation, Pro-consumer and Pro-safety