Vermont governor rejects privacy law that would be among strongest in US

The governor of Vermont says the state’s proposed data protection law is too risky, and has returned H.121, “An act relating to enhancing consumer privacy and the age-appropriate design code,” unsigned.

Governor Philip Scott’s main objection is the inclusion of a private right of action, allowing individuals to file civil suits against businesses that violate the law. At present, only California’s Consumer Privacy Act and Illinois’ Biometric Information Privacy Act (BIPA) offer a limited private right of action.

The provision, Scott says in a letter, “would make Vermont a national outlier, and more hostile than any other state to many businesses and nonprofits.” That is not something the state can afford, says Scott, given that Vermont already has a reputation for being not particularly business-friendly.

Scott also calls out the “Kids Code” provision for potential rights violations. “While this is an important goal we can all support, similar legislation in California has already been stopped by the courts for likely First Amendment violations,” he says. “We should await the decision in that case to craft a bill that addresses known legal pitfalls before charging ahead with policy likely to trigger high risk and expensive lawsuits.”

In the end, Scott’s essential argument is that Vermont is already shouldering a burden of risk that makes adding more impractical. He points to legal costs the state will incur as its Attorney General attempts to make the world’s large oil and gas companies pay financial reparations for damage caused by climate change – a law he allowed to pass without his signature. “The bottom line is, we have simply accumulated too much risk.”

However, Scott is not opposed to finding another path to consumer data privacy and child protection. “Vermont should adopt Connecticut’s data privacy law, which New Hampshire has largely done with its new law,” says Scott. “Such regional consistency is for both consumers and the economy.”

The diversity of individual state privacy laws presents a potential hurdle for the passage of the  American Privacy Rights Act (APRA), the proposed federal data privacy law. Vermont’s Attorney General is among a group of AGs petitioning congress to remove APRA’s preemptive clause.

March to APRA keeps getting tougher as state laws create boggy ground

The internal policy war over data protection legislation continues to expand and intensify across the U.S. An article in Forbes breaks down the complicated mosaic of U.S. data privacy laws – and argues that many are ineffective.

“Many laws that states have passed over the past few years fall below the standard set by Europe’s Global Data Protection Regulation,” writes Rob Shavell, a privacy advocate and CEO of DeleteMe. “They’re generally watered-down versions of previous laws, adopting the least strict aspects of those laws.”

He notes that nearly half of current state data privacy laws have received a grade of “F” from the Electronic Privacy Information Center (EPIC) and the U.S. PIRG Education Fund. “Unfortunately, most of the current data privacy laws are full of loopholes and exceptions. Plus, states rarely allow for a private right of action (the ability for consumers to sue) or have a well-funded enforcement agency with oversight authority.”

The current draft of APRA, Shavell notes, allows for a private right of action. But he argues that “the baseline set by APRA would still be far below what most privacy advocates would consider adequate.”

Nonetheless, the idea of U.S. federal data privacy law continues to gain supporters – even if they find the current version lacking in substance. A release from TechNet, “the national, bipartisan network of innovation economy CEOs and senior executives” says its United for Privacy trade coalition is calling on the House Energy and Commerce Committee to urge Congress to include a “single, uniform national privacy standard in the American Privacy Rights Act (APRA) that ends the growing patchwork of state privacy laws.”

A letter from United for Privacy says “although our organizations have a range of views on APRA, we all agree that full preemption of state law is an essential component of any meaningful federal privacy legislative effort.” According to TechNet President and CEO Linda Moore, since 2018, 46 states have considered 210 comprehensive data privacy bills and twenty state legislatures have passed different, often conflicting data privacy laws. “The need for one national privacy standard has never been greater,” she says. “Unfortunately, as drafted, the American Privacy Rights Act falls short of this goal. It would add to the growing privacy patchwork, not end it.”

Texas Gov. Paxton forms privacy litigation Power Rangers

The most litigious attorney general in the U.S. is at it again. According to Texas Tribune, state AG Ken Paxton, who has launched previous data privacy lawsuits against Big Porn, Big Tech and Big Gender, among other large boogeymen, is establishing a special team to focus on enforcing data privacy laws.

A statement from Paxton warns that he is not messing around this time. “Any entity abusing or exploiting Texans’ sensitive data will be met with the full force of the law. Companies that collect and sell data in an unauthorized manner, harm consumers financially, or use artificial intelligence irresponsibly present risks to our citizens that we take very seriously,” he says.

Paxton’s office says the data privacy super team will press for enforcement of the state’s Data Privacy and Security Act (TDPSA), and also seek to enforce other state laws related to biometric identifiers and federal child online safety and data privacy laws.

In other words: litigants, engage!

Sedona Conference biometrics privacy primer available

The Sedona Conference’s U.S. Biometric Systems Privacy Primer is now available for download. A summary says the document is intended “to provide a general introduction to biometric systems and a summary of existing U.S. laws regulating the collection, use, and sharing of the biometric information these technologies collect.” It is aimed at “lawyers, judges, legislators, and other policymakers” for use as “a general guide to the relationships among the technical, legal, and policy aspects of biometric systems—with a particular focus on privacy and related concerns these systems may raise.”

Article Topics

American Privacy Rights Act  |  biometric identifiers  |  Biometric Information Privacy Act (BIPA)  |  biometrics  |  data privacy  |  legislation  |  Sedona Conference  |  TDPSA  |  Texas  |  Vermont