Some businesses are pushing for a veto of Vermont’s privacy bill, Wiley attorney Joan Stewart said on a webinar Wednesday. The Vermont legislature passed H-121 earlier this month but Gov. Phil Scott (R) hasn’t signed it yet (see 2405130050). “Outlier provisions” in Vermont’s bill have raised grave concerns in the business community “and there are some strong efforts going on right now to try and persuade the governor to veto that [proposed] law,” said Stewart. One key difference with other state laws is the Vermont bill’s broad private right of action (see 2403220040). Most existing privacy laws allow enforcement by only the state attorney general, though California gives individuals a more limited right to sue, she said. Vermont could be the 20th state to enact a privacy law. Minnesota became the 19th on Friday (see 2405280038).
The House Innovation Subcommittee on Thursday passed a federal privacy bill and a kids’ privacy bill despite objections to the latter from House Commerce Committee ranking member Frank Pallone, D-N.J.
The Vermont legislature passed bills on privacy and kids’ online safety Friday. After back-and-forth on amendments, the House and Senate agreed to a comprehensive data privacy bill (H-121). While final text wasn’t available Monday, “reports indicate that it has a narrow private right of action focused on data brokers and larger data holders and limited to the bill’s sensitive data and consumer health data provisions,” Husch Blackwell attorney David Stauss blogged. That might be a first among states (see 2403220040). The legislature also agreed to an age-appropriate design code bill (S-289) like the California law. Pouncing immediately, tech industry group NetChoice urged Vermont Gov. Phil Scott (R) to veto S-289. The bill “would chill lawful speech online and negatively impact Vermont’s vibrant small business community,” wrote NetChoice General Counsel Carl Szabo: “Similar requirements … have already been challenged and are currently enjoined.” Design It For Us, a youth advocacy group that originally campaigned to pass California’s kids code law, applauds the legislature “for working to protect young people from online harms and passing much needed Kids Code legislation despite industry efforts to defeat it,” said co-Chair Zamaan Qureshi in a statement. Accountable Tech, another supporter of such laws, also lauded passage of S-289. “It’s clear that momentum is on the side of young people fighting for safer online spaces as Vermont becomes the third state to pass age-appropriate design code legislation with the Vermont Kids Code,” said Executive Director Nicole Gill.
The Consumer Technology Association looks forward to working with congressional committees to pass a federal privacy law, CEO Gary Shapiro said in a statement Monday. CTA “appreciates” the American Privacy Rights Act, a “bipartisan, bicameral effort to pass a federal data privacy law to protect consumers’ personal information,” he said. The organization supports a “national privacy standard that preempts state laws, providing legal clarity for companies to operate and consistent protections across state borders for consumers.” CTA didn’t address the bill’s private right of action provision. Senate Commerce Committee ranking member Ted Cruz, R-Texas, has said he won’t “support any data privacy bill that empowers trial lawyers” and that the APRA has “no chance” of passing (see 2404080062 and 2404150059). Senate Commerce Committee Chair Maria Cantwell, D-Wash., and House Commerce Committee Chair Cathy McMorris Rodgers, R-Wash., are moving forward with committee deliberation. A House Commerce Committee legislative hearing is scheduled for Wednesday. It’s “possible” Senate Commerce will hold a legislative hearing, but there will definitely be a markup “at some point,” Cantwell’s senior counsel on the committee, Shannon Smith, said Monday. Cantwell and Rodgers began negotiating in late December, said Smith. The senator didn’t support the House Commerce Committee’s previous privacy bill, the American Data Privacy Protection Act, largely because its private right of action provision allowed companies to address claims through arbitration, said Smith. It was important for Cantwell to prohibit forced arbitration in the APRA, she said.
Privacy legislation proposed by Senate Commerce Committee Chair Maria Cantwell, D-Wash., has "no chance of passing," ranking member Ted Cruz, R-Texas, told us last week. Cantwell said she supports the bill as written and is encouraged to see the House Commerce Committee moving toward a markup on the American Privacy Rights Act (APRA).
The Nebraska Legislature approved a comprehensive privacy bill as part of a larger package last week. The unicameral legislature voted 47-0 Thursday to approve a legislative omnibus (LB-1074) including the proposal from LB-1294 by Sen. Eliot Bostar (D). The privacy measure goes too easy on businesses, Consumer Reports (CR) said Friday. However, the Computer & Communications Industry Association (CCIA) said differences with other state laws will increase businesses’ burden.
An Alabama bill aiming to protect kids’ online neared the finish line after it passed the state Senate unanimously on Tuesday. HB-164 would require a reasonable age-verification method to restrict those younger than 18 from accessing pornographic websites (see 2403210064). The House approved the bill Feb. 29 but must vote again to align it with a short Senate amendment, including a clarification about the appropriate venue for the bill’s private right of action. A day earlier, Arizona Gov. Katie Hobbs (D) vetoed a similar bill requiring age verification for adult websites (HB-2586). “The legislation goes against settled case law,” wrote Hobbs. “Children’s online safety is a pressing issue for parents and the state,” but the answer “should be bipartisan and work within the bounds of the First Amendment, which this bill does not.” In addition, the Democratic governor vetoed the Republican-controlled legislature’s HB-2793, which would have required school policies restricting social media access and limiting cellphone usage. “This legislation establishes an unnecessary mandate for an issue schools are already addressing,” said Hobbs.
The House Commerce Committee plans to mark up a bipartisan, bicameral privacy bill this month, Chair Cathy McMorris Rodgers, R-Wash., announced Sunday in a draft bill agreement with Senate Commerce Committee Chair Maria Cantwell, D-Wash.
A Maine privacy bill with strict data minimization standards is moving to the final stages. The joint Judiciary Committee voted 7-1 Tuesday evening to say that the Democratic caucus’ LD-1977 “ought to pass,” while rejecting a Republican alternative (LD-1973). A nuanced exemption for broadband providers, currently in LD-1977, could mean that the proposed law would still apply to mobile services provided by a company that’s covered by the state’s 2019 ISP privacy law, two consumer privacy advocates said Wednesday.
Vermont could be the first state to include a private right of action in a comprehensive privacy bill. The Vermont House voted 139-0 Friday to approve H-121, which would allow individuals to sue in privacy cases and give the state's attorney general an enforcement role. The bill will go next to the Senate. Initially, the House Commerce Committee decided not to advance H-121 in 2023 after members determined it needed work (see 2304060060). But on Thursday, lawmakers amended the bill, teeing up H-121 for a Friday vote. The Commerce Committee considered privacy testimony for four years to draft a “protective but largely technology-and industry-neutral proposal,” Rep. Monique Priestley (D) said. The amended bill would align with privacy laws in Connecticut and many other states, taking some features from each, Priestley added. Some would be “unique to Vermont,” including the private right of action and restrictions on “how businesses may use data to what is consistent with the reasonable expectations of consumers,” she said. For the Computer & Communications Industry Association, the “private right of action is our main point of concern with the bill's current language,” said CCIA State Policy Director Khara Boender: “The bill otherwise is largely harmonized with existing privacy frameworks” like Connecticut’s. Private rights of action in state laws such as the Illinois Biometric Information Privacy Act “have resulted in plaintiffs advancing frivolous claims with little evidence of actual injury,” Boender said. No other comprehensive privacy bill has a broad private right of action, though the California Consumer Privacy Act has a narrower one, said Husch Blackwell privacy attorney David Stauss. Whether it survives the Vermont Senate is an open question, he said. "I certainly expect that there will be significant pushback."