Vermont Governor Philip Scott has chosen not to sign H.121, a proposed data protection law that would have introduced extensive consumer privacy measures and age-appropriate design standards, returning the bill unsigned. The legislation, titled “An act relating to enhancing consumer privacy and the age-appropriate design code,” includes provisions that Governor Scott believes pose significant risks to the state.
Chief among Governor Scott’s concerns is the inclusion of a private right of action, which would enable individuals to file civil lawsuits against businesses for violating the law. Currently, only California and Illinois allow for limited private rights of action through their Consumer Privacy Act and Biometric Information Privacy Act (BIPA), respectively.
In a letter explaining his decision, Governor Scott stated, “The provision would make Vermont an outlier nationally and create a more hostile environment for many businesses and nonprofits.” He emphasized Vermont’s existing reputation for being less business-friendly, asserting that the state cannot afford to exacerbate this perception.
Governor Scott also pointed out potential legal pitfalls in the “Kids Code” provision, cautioning that similar legislation in California has faced court challenges for potentially violating First Amendment rights. He suggested waiting for the outcome of those cases before moving forward with legislation that could lead to costly and risky legal battles.
Ultimately, Governor Scott argued that Vermont already bears substantial legal risks, notably in ongoing efforts to hold major corporations accountable for environmental damage related to climate change. While he allowed legislation on climate accountability to pass without his signature, he expressed concerns about accumulating additional risks.
However, Governor Scott remains open to alternative approaches for consumer data privacy and child protection. “Vermont should consider adopting a data privacy law similar to Connecticut’s, which has been embraced by neighboring New Hampshire,” he suggested, advocating for regional consistency that benefits both consumers and the economy.
The landscape of state-level privacy laws complicates the path toward a federal standard, such as the proposed American Privacy Rights Act (APRA). Vermont’s Attorney General is among a coalition urging Congress to revise APRA’s preemptive clause, citing challenges posed by diverse state regulations.
Meanwhile, ongoing debates over U.S. data privacy laws underscore their varying effectiveness and the need for cohesive national standards. Privacy advocate Rob Shavell, CEO of DeleteMe, criticized many state laws for lacking stringent protections comparable to Europe’s GDPR and highlighted deficiencies such as limited private rights of action and enforcement capabilities.
Despite these critiques, support for a federal data privacy law continues to grow, albeit with reservations about current proposals. TechNet’s United for Privacy coalition urged Congress to establish a unified national privacy standard under APRA, emphasizing the necessity of preempting inconsistent state laws.
In a separate development, Texas Attorney General Ken Paxton announced the formation of a dedicated team focused on enforcing data privacy laws. Paxton’s office aims to uphold Texas’ Data Privacy and Security Act (TDPSA) and other relevant state and federal statutes, signaling robust enforcement efforts in the privacy arena.
For those interested in further exploration of biometric privacy issues, The Sedona Conference released its U.S. Biometric Systems Privacy Primer, designed to assist policymakers, judges, and legal professionals in navigating the complexities of biometric technologies and related privacy concerns.
The evolving landscape of data privacy laws in the U.S. reflects ongoing challenges and opportunities in balancing innovation, consumer protection, and regulatory clarity across state and federal levels.