Vermont's legislature on Friday passed one of the country's strongest comprehensive data privacy laws, with language allowing individuals to sue companies for violating their privacy rights - an unprecedented provision among similar existing state laws.
The bill includes data minimization requirements, which significantly constrain what personal data companies can gather and use and bans companies from selling consumers' sensitive data, allowing individuals to sue if they believe businesses have done so.
The private right of action allows individuals to hold companies which they believe have violated their rights accountable without relying on state authorities to bring action.
A similar provision included in Illinois' biometric privacy law has led to a wave of class action lawsuits alleging corporate malfeasance.
The Vermont bill's private right of action will need to be reauthorized after two years and applies to any business or person that processes more than 100,000 consumer records.
The legislation also establishes tough civil rights safeguards to prevent discrimination.
California's strong comprehensive data privacy law also allows individuals to sue businesses they believe have violated their rights n, but the provision only applies to data breaches and not digital privacy.
Earlier last week, strong digital privacy legislation was signed by Maryland governor Wes Moore, giving advocates two major wins following the passage of a string of weak state-level bills.
In all, 17 states have passed data privacy laws to date.
The Vermont bill also limits how companies can use geolocation data, according to a second privacy advocate, Caitriona Fitzgerald of the Electronic Privacy Information Center.
Vermont's legislation coincides with efforts by Congressional leaders to enact a federal comprehensive data privacy bill after years of failing to do so.
Sen. Maria Cantwell and Rep. Cathy McMorris Rodgers introduced the American Privacy Rights Act last month, a sweeping bill which would make privacy a consumer right and allow Americans the ability to block the transfer and sale of their data, according to the legislators.
The new bill follows McMorris Rodgers' prior attempt at comprehensive data privacy legislation in the form of a bill known as the American Data and Privacy Protection Act, which has been languishing in committee.
As with its predecessor, APRA includes controversial language which would allow the federal law to preempt state laws.
California Attorney General Rob Bonta and a coalition of 14 other state attorneys general wrote congressional leaders a letter Thursday, imploring them not to allow federal legislation to preempt state rules.
Is a reporter covering privacy, disinformation and cybersecurity policy for The Record.
She was previously a cybersecurity reporter at CyberScoop and Reuters.
Earlier in her career Suzanne covered the Boston Police Department for the Boston Globe and two presidential campaign cycles for Newsweek.
She lives in Washington with her husband and three children.
This Cyber News was published on therecord.media. Publication date: Tue, 14 May 2024 18:13:05 +0000