[Michael Marcotte (Chair)]: Good afternoon. Still morning. Good morning, everybody. Today is Wednesday, January 14. It is almost twenty eleven. Gosh, almost twenty five in the morning. We're here to talk about an amendment on H.211. Here with legislative counsel.
[Rick Sable (Office of Legislative Counsel)]: Good morning. Rick Sable, Office of Legislative Counsel. And I'm gonna share a committee amendment, proposed committee amendment to H.211. If it's not yet on the website, it will be soon. It was late, a late edit, so I apologize for not having that sent earlier. So I've tried to highlight all the changes from the version I walked through, the as introduced version I walked through last week, and the proposed amendment for today. I will do the best I can to explain the legal ramifications of the change. I can't always explain the reason behind a change. I'm sure witnesses will be able to tell you how that affects their interests in one way or another. So, I will start with page one at the very bottom, an update to the definition of biometric data. So, it was in the introduced version, but there is a proposed change, the previous version, and I'll occasionally go back and look at my introduced paper copy to tell you the difference. The highlight means something changed. It's not always new language. In this case, it is. The previous definition read biological, physical, or physiological characteristics that is linked or reasonably linkable to an individual. So the proposed change is from linked or reasonably linkable to can be used to identify an individual. And
[Unknown (Committee Member)]: kid asked, Chair Marcotte had asked to do alignment with our other bills. This is an alignment with the comprehensive definition.
[Unknown (Committee Member)]: A lot of the
[Rick Sable (Office of Legislative Counsel)]: changes are.
[Unknown (Committee Member)]: Yeah. Most of them are. Yeah. Are the... The Comprehensive Data Privacy Act.
[Rick Sable (Office of Legislative Counsel)]: It'll be amendment context.
[Unknown (Committee Member)]: Yeah. Yeah. Yeah. I'll maybe I should we we can do, like, not ones that are I don't know. I
[Rick Sable (Office of Legislative Counsel)]: the last day of last session. Thirty. Yes. May year, the amendment I walked through the last day of sessions, those definitions are gonna be the ones that line up here.
[Unknown (Committee Member)]: That we're walking through on Tuesday just so people also will have a refresh
[Rick Sable (Office of Legislative Counsel)]: I don't even know about that.
[Unknown (Committee Member)]: Next time we do this.
[Rick Sable (Office of Legislative Counsel)]: That Tuesday. Alright. So that's biometric data. On to page two of the amendment. So, definition of brokered personal information. This is a pretty important definition and it's an important proposed change to the definition. So with the marked out, I didn't highlight this, I should have, on line 13 of page two. We're moving the, starting with the word one, one or more of the following computerized data elements about a consumer if categorized or organized for dissemination to third parties, and then continuing to strike out all those specific categories. Instead, the amendment replaces that listing. If you go to the very bottom, any information. So, biometric data means any information. I'm sorry. Brokered personal information means any information, including derived data and unique identifiers, that is linked or reasonably linkable, alone or in combination with other information, to an identified or identifiable individual or to a device that identifies or is linked to or is reasonably linkable to one or more identified or identifiable individuals in a household. So this does legally broaden the definition of what brokered personal information is, because you're going from specific listings of categories of information to any information, including derived data, which is inferences from data that a company can make about you. Expanding that definition of brokered information. Any questions about that?
[Michael Marcotte (Chair)]: Can I add?
[Unknown (Committee Member)]: Just so again, this is an alignment with other state privacy laws and where we're going with the it's the definition from the comprehensive bill. It's also what's in the California Delete Act.
[Rick Sable (Office of Legislative Counsel)]: Removing that it does not include, the current language there, does not include publicly available information to the extent that it is related to a consumer's business or profession. That kind of exception has been removed in this amendment.
[Michael Marcotte (Chair)]: So that broadens publicly available information. It was limited before this broadens what is publicly available.
[Rick Sable (Office of Legislative Counsel)]: Correct. And we have an updated definition of that as well, coming. Business. So, the introduced version included specifically link controllers. I'll make sure I have this correct.
[Unknown (Committee Member)]: Controller,
[Rick Sable (Office of Legislative Counsel)]: consumer health data controller, a processor or a commercial entity really wasn't necessary because this definition is already very broad. It means a commercial entity, including a list of all these different types of entities, sole proprietorship, partnership, LLC, corporation, however organized, either profit or nonprofit. The one exception is state government. It does not include state government. So, the addition of controller, consumer health data controller, processor didn't seem necessary. It seemed like it was confusing. The definitions are very broad. It includes, so my summary is it includes controllers, consumer health data controllers, and processors. Okay. Definition of data broker on page four. So the first paragraph, no changes. What is being changed here, proposed, is the following paragraph, subdivision B, the examples of a direct relationship. So that phrase is important because if a consumer has a direct relationship, then it may not be a data broker. So this subdivision B provides readers with examples of here is what a direct relationship looks like if a consumer is a past or present... So I encourage you to look at that current language, but I'm gonna go off to the proposed language of what direct relationship means. It means that a consumer has intentionally interacted with a business for the purpose of accessing, purchasing, using, requesting, or obtaining information about the business's products or services. A consumer does not have a direct relationship with the business if the purpose of the consumer's engagement is to exercise a consumer right or for the business to verify the consumer's identity. A business does not have a direct relationship with the consumer simply because the business collects brokered personal information directly from the consumer. The consumer must intend to interact with the business. 
A business is still a data broker and does not have a direct relationship with the consumer as to the brokered personal information the business sells about the consumer that it collected outside of a first party interaction with the consumer. So, compare that to the current statutory examples of a direct relationship. And if you have questions, I'm happy to answer those and talk about the differences between the proposed language and the current language.
[Unknown (Committee Member)]: I'll just add context. So the direct relationship stuff is from the regulations that went into effect for the Delete Act for California on January 1.
[Unknown (Committee Member)]: I
[Michael Marcotte (Chair)]: guess I have a question about this Struggling with that last sentence. So what we're saying is if you're collecting data directly from consumers and also collecting data not directly from those consumers, that you're a data broker. Is that what that last sentence means?
[Rick Sable (Office of Legislative Counsel)]: A business is still a data broker and does not have a direct relationship with the consumer as to the brokered personal information the business sells about the consumer that is collected outside of a first party interaction with a consumer. And you're wondering if the data broker collects it in a different manner as well. Does that change?
[Michael Marcotte (Chair)]: I'm just trying to understand. Don't know why. I'm having trouble understanding that sentence. And I think it means that any data that you collect that is not directly from the consumer puts you in a data broker category.
[Unknown (Committee Member)]: Maybe I can link it.
[Michael Marcotte (Chair)]: If you're selling it.
[Unknown (Committee Member)]: Right. That's what I'm just saying. Okay.
[Unknown (Committee Member)]: So, like, if I, for example, were to buy buy a mailing list to just solicit services through direct mail or email or whatever, I would not be considered a data broker just because I don't have a direct relationship, but I'm trying to get leads. Right. You know, people who might need IT work or whatever. If I go and buy a list from a a data broker Mhmm. Do I now become a data broker because I am soliciting mail to somebody who is not technically a relation in a direct relationship with me?
[Rick Sable (Office of Legislative Counsel)]: Are we talking about, so if it's about brokered personal information, it sounds like it would be. That would be brokered personal information. If you buy a mailing list, that includes consumers that are protected from this. But you're not selling the data. I'm not selling your data.
[Unknown (Committee Member)]: I am the consumer of the data. And then I am going to try and sell my service to whatever names I pull. Now, this is under the presumption that the data broker has removed people that have asked to be removed. Right.
[Rick Sable (Office of Legislative Counsel)]: Yeah. Now, as far as that sentence is concerned, no, you would not be a data broker. Are you a data broker in other ways? Based on your example, I can't say yes or no. There might be something else that puts you into the category of data broker, but that one sentence does not, if that helps. It does. Thank you. Rep Grant? Clear? Okay. Yeah. Okay. So, crossing out, striking out subdivision C, which currently reads: the following activities conducted by a business and the collection and sale or licensing of brokered personal information incidental to conducting these activities do not qualify the business as a data broker. You see some clear examples: developing or maintaining third party e-commerce or application platforms, providing 411 directory assistance or directory information services on behalf of or as a function of a telecommunications carrier, providing publicly available information related to a consumer's business or profession, or providing publicly available information via real time or near real time alert services for health or safety purposes. Okay. So, keeping previously subdivision D, now C. The phrase sells or licenses does not include, keeping that first subdivision, a one time or occasional sale of assets of a business as part of a transfer of control of those assets that is not part of the ordinary conduct of the business, and removing a sale or license of data that is merely incidental to the business. That really kind of broadens, right, when you use that phrase merely incidental, that could be used, maybe not as expected. Or maybe you wanna keep that type of language, it's up to you all. But the proposal is to remove that subdivision two. Okay, the definition of data broker security breach. This definition is used one time in the chapter, and that is during the registration of a data broker, which this bill overhauls. 
So it's not really necessary any longer to have this definition because now, in this bill, you have a new subchapter creating a Notice Act for data brokers. So it was gonna be confusing to keep this definition, which was in place before the new notice of data broker security breaches. So I don't think it's necessary to keep in there. I think it's confusing. Because now you're explaining what a data broker security breach is, which I'll get to in a second. So this whole 5A has been deleted. I didn't highlight the whole thing, but it's all been removed. No change on data collector, encryption, all the same. Two new definitions on page eight. Gen AI system means, and this is a new term that's used later in the bill in the amendment, it means an artificial intelligence system that can generate derived synthetic content, including text, images, video, and audio, that emulates the structure and characteristics of the system's training data. Identified or identifiable individual means an individual who can be readily identified directly or indirectly. This comes from the data privacy bill. And this term is used earlier in the definition. So that was helpful to define what that is. No changes on the rest of page eight. At the bottom of page nine, personally identifying information, no change to what that is, but it changed as to what it does not include. So currently, the statute says it does not mean publicly available information that is lawfully made available to the general public from federal, state, or local government records. The change is to include just publicly available information. This amendment adds the definition of what that is. So, that's why the change was made, because you actually have a definition of what publicly available information is here in just a second. Okay, 15, page 10, is the definition of processor. 
It is a person who performs any operation or set of operations, whether by manual or automated means, on brokered personal information or on sets of brokered personal information, such as the collection, use, storage, disclosure, analysis, deletion, or modification of brokered personal information on behalf of a data broker. 16A, publicly available information. This is from the comprehensive data privacy bill. A couple of word changes on subdivision A2, II, it's called a romanette. A data broker has a reasonable basis to believe that the consumer has lawfully made available. So, this is specific to data brokers. And, again, you can read it, but it's strictly from the data privacy bill. Any questions about publicly available information?
[Unknown (Committee Member)]: I think I'll just
[Unknown (Committee Member)]: bring just, I guess, clarification. But for example, I'm a licensed real estate agent. Well, I'm if you go to the office of professional regulation, you put my name in, I'm gonna be there. That's basically that's considered public information, so I would not be able to have my name removed from that list.
[Rick Sable (Office of Legislative Counsel)]: Not well, not through this bill. Right? That that would not provide you the Yeah.
[Unknown (Committee Member)]: Okay. Yeah.
[Unknown (Committee Member)]: But you can remove your license, and then you could reach out and ask for your information to be billed. Correct?
[Rick Sable (Office of Legislative Counsel)]: If it's incorrect, right, if the state website or agency website is not accurate, I would assume so, but it cannot through this bill. Okay. Record, redaction, no changes to those definitions. Top of page 12 is the definition of sale. And again, from the comprehensive data privacy language, what sale means and what it does not mean. So it means the exchange of a consumer's brokered personal information by the data broker to a third party for monetary or other valuable consideration. It does not include disclosure of that information to a processor that processes on behalf of the data broker, to a third party for the purpose of providing a product or service requested by the consumer, disclosure or transfer of brokered personal information to an affiliate of the data broker, a disclosure with the consumer's consent of the information where the consumer directs the data broker to disclose the information or intentionally uses the data broker to interact with a third party, the disclosure of publicly available information, the disclosure of or transfer of information to a third party as an asset that is part of a merger, acquisition, bankruptcy, or other transaction, or a proposed one of those actions, in which a third party assumes control of all or part of the data broker's assets. Page 13, a few changes here. Because of the deletion of data broker security breach, just to ensure that a security breach in this chapter could include a data broker security breach, adding the phrase or data broker when the phrase data collector is used. Because data collectors are subject to the Security Breach Notice Act, data brokers are not. So, ensuring the data brokers are also included in a security breach. Those are the changes here. Okay, page 14, speaking of the security breach, the introduced version of the bill had the enforcement language changed quite a bit, and the language has been reverted to just what is currently in statute. 
So, if you are a data collector or subject to this specific subchapter of security breaches, you are subject to enforcement for not following the Security Breach Notice Act. Again, the introduced language had, I can read it to you, I believe it was controller. It was with respect to a controller or processor. So it was getting specific to controllers or processors. This is keeping it to the definition of what a data collector is, which includes controllers and processors for the most part. So, questions about that? Again, this is currently in statute. I just highlighted it to show you there is a change here. Page 15. This is the Data Broker Security Breach Notice Act. I mentioned this last time, subdivision B, getting rid of the phrase "to consumers" because the subsection includes the attorney general notice too. So that was a small change. Nothing on page 16. Nothing on page 17. Nothing on page 18 or 19 or 20. Okay. So nothing else in that Notice Act has changed except for that small heading change. Page 21 at the very bottom, the annual registration language for data brokers has been amended. So current language, and, Grant, you had this question last time, it's once a year. But if you're a new data broker, and let's say, under current law, you become a data broker on April 1. You wouldn't have to register until the following January 31. That's the current law. So, this language would make this a little bit quicker. And this is really, the editor had to really help me with this one. This is hard to structure with the current language, but I will read it as best I can here. A person, not more than thirty days after meeting the definition of a data broker, and then once annually thereafter on or before January 31 of each year. So if you become a data broker on April 1, you have to register within thirty days. So let's say in April, before May. And then you would have to also register thereafter every year before January 31. 
So it would become an annual requirement, which it currently is, but the speed is increased when you first must alert the state that you're a data broker in Vermont. You must do it within thirty days. That makes sense? Okay. The bottom of page 15, or sorry, page 21, adding as a data broker to clarify that you are registering as a data broker. Page 22. So the data broker must pay a registration fee. Current statute has it at $100 every year. The new language, this is not new to this version, the introduced version said in an amount determined by the Secretary of State. The introduced version had language about not exceeding the reasonable cost of establishing and maintaining the informational website, establishing, maintaining, and providing access to the accessible deletion mechanism. So, this amendment removes that shall not exceed the reasonable cost of, and just says shall be deposited by the Secretary of State into the Data Brokerage Registry Fund. So, they can determine what the amount is and there's not really a guardrail on how much they could determine that is. Subdivision three, just adding about the data broker, just grammatical language there, nothing besides that.
[Unknown (Committee Member)]: I'm sorry. I probably missed it, but where's the language that talks about amount determined by the Secretary of State?
[Rick Sable (Office of Legislative Counsel)]: Right here
[Unknown (Committee Member)]: Right. But is there a section that talks about how that's determined?
[Michael Marcotte (Chair)]: Okay. We're probably gonna have to work on this.
[Rick Sable (Office of Legislative Counsel)]: That's not gonna
[Unknown (Committee Member)]: fly with ways and means.
[Michael Marcotte (Chair)]: It might not fly with this committee.
[Unknown (Committee Member)]: Right. Yeah. But I think we should think of an initial registration fee for new data brokers, and then it's a higher amount than all subsequent, right? When they re register, it's at a certain
[Unknown (Committee Member)]: Anything else? Can you guys just add? So met with the attorney general and the secretary of state, and we're gonna have more meetings to kinda talk through anywhere where it's where both either one of them has stuff that applies to them. So we're expecting, like, edits from to work through something for, like, next next week. So just to let the committee know. So this is definitely one of those areas.
[Rick Sable (Office of Legislative Counsel)]: Subdivision A, no changes. So this is the portion where the data broker must provide the following information to the state. So subdivision B is struck here, but some of this comes back in a later portion of the amendment. So just for now, this is about the opting out, if the data broker permits that, the method, what it applies to. Again, struck out here, but you'll see a similar version of this coming up in a little bit. So, skipping over that, going to old D, new B at the bottom of page 22. No changes to statement whether the data broker implements a purchaser credentialing process pursuant to our security breach act that's proposed in this bill, the number of security breaches that the data broker has experienced during the prior year and, if known, the total number of consumers affected. No change to D. Subdivision E, whether the data broker collects, and a list of things here. The structure has changed a little bit, but the information so far, what you see on the screen, is the same as the bill that was introduced. If you scroll down, starting on line 16, you have some new characteristics or categories added to information. Line 16, the name, date of birth, ZIP code, email address, or phone number of consumers. So, they collect that information. The account login or account number of consumers in combination with any required security code, access code, or password that would permit access to a consumer's account with a third party. Whether it collects driver's license number, state ID card number, Social Security number, passport number, military ID, or other unique identification number of consumers issued on a government document commonly used to verify identity; the mobile advertising ID number, connected television ID number, or vehicle identification number of consumers. 
So not providing, just if they do that, you'd have to tell the Secretary of State that you as a data collector collect this information. And in the past year, has shared or sold consumers' data to a foreign actor, the federal government, to other state or local governments, to law enforcement, unless it was shared pursuant to a subpoena or court order, or to a developer of a Gen AI system or model. That's the one time that definition is used. And finally, the three most common types of personal information that the data broker collects if the data broker does not collect the information set forth in seven and nine, which is the name, date of birth, ZIP code, email address, the government ID numbers.
[Unknown (Committee Member)]: Just for context, so this was
[Rick Sable (Office of Legislative Counsel)]: numbers.
[Unknown (Committee Member)]: Yeah. Sorry. This was pulled directly from the California Delete Act. I think it went into effect January first.
[Rick Sable (Office of Legislative Counsel)]: Okay. No change to G. No change to subdivision H. Subdivision J, let's see, is new. Let me confirm that. A link to a page on the data broker's website that informs consumers about the right of consumers to opt out, including, okay, this is where we took from earlier, I told you it was coming up. This is the language that was brought over from the opt out language that a data broker must supply information about. So a link to the page that informs consumers about the rights of consumers to opt out, including whether the data broker permits a consumer to opt out of the data broker's collection of brokered personal information, opt out of its databases, or opt out of certain sales of data. The procedure for requesting an opt out. If the opt out applies to only certain activities or sales, which activities or sales it applies to. Whether the data broker permits a consumer to authorize an authorized agent to perform the opt out on the consumer's behalf. And the data collection, databases, or sales activities from which a consumer may not opt out, and whether and to what extent the data broker or any of its subsidiaries is regulated by the Fair Credit Reporting Act. Any questions about that? Okay, the penalty section. No change on page 26 to the penalties. No change on page 27.
[Unknown (Committee Member)]: I will suggest that we look at those penalties. In my opinion, data broker that doesn't register should have the highest penalty. I think we have it reversed right now.
[Rick Sable (Office of Legislative Counsel)]: So, fails to register is liable for a fine of $200 per day, fees that were due, and reasonable costs incurred by the state. So, two, if you fail to provide all the information, yeah, you have a higher $1,000 per day. And then if you file materially incorrect information, it's a civil penalty of $25,000 and an additional $1,000 per day if you don't correct it upon notification that you are. Okay, the accessible deletion mechanism on page 28. No changes to 28 or 29. Starting on page 30, the previous version included, you'll see on line 11. Let me kind of go up. Beginning 08/01/2028, a data broker shall access the accessible deletion mechanism established in subsection A of the section at least once every forty days and shall, skipping B, process a request as an opt out of the sale. The old language said or share, but because this bill now defines what sale is, or share may not have been as clear as to what that meant. Subdivision C, processors, direct all processors. The old language, make sure I get this correct here, we're looking at B. So the old language was direct all service providers and contractors associated with the data broker. Now it's just processors associated with the data broker. Another sale, just sale, not sale or share. On page 31, subdivision 2B, a data broker may deny a consumer's request to delete a consumer's brokered personal information made pursuant to the section if, adding B, the brokered information is used by a consumer reporting agency to furnish a consumer report pursuant to the Fair Credit Reporting Act. 32, another removal of share, just sell, not sell new brokered personal information of the consumer unless they request otherwise in writing. No change to the audits or the rulemaking or the penalties of the deletion mechanism. Yeah. No other changes to the bill that was introduced. Happy to answer questions. Concerns?
[Unknown (Committee Member)]: My concerns persist from day one about the transactions that happen between legitimate organizations, or not organizations, but financial institutions. I'm not sure if this bill is protecting those particular transactions. So, and I understand the concern about data privacy, but I, again, for those that don't work in the industry, you don't understand just how integral the data transactions between a reputable company and another reputable company are and how this could have impacts on your daily life. And it doesn't, you wouldn't think that's the case, but it's true. I mean, you're talking about rates will go up because you can't trust the data anymore. And I just want to make sure that we have some sort of protection in there that prevents, for example, if LexisNexis has data, that an organization that's regulated by whatever can access that data. And I don't know if this bill protects those transactions,
[Unknown (Committee Member)]: because I'm not a legal person, I'm with Detroit. Yes. I
[Rick Sable (Office of Legislative Counsel)]: think it would help to have experts, because I'm not an expert in that financial field, to to be able to tell you that this does or does not. And also, this is kind of new stuff, right? California has done something like this, but this is all very new. And I don't know if I can speak confidently like this will protect that transaction or will not. I think we need people in here that are experts in those fields to tell you that this does what they want it to do or does not. And then you all make a decision on what you want to actually protect.
[Unknown (Committee Member)]: I think you're right. We'll have to understand I mean, a lot of this is in play now in California. So how did they how did they this is the workaround to make sure that financial institutions can get the information that they need, that people aren't deleting the information that they need or the insurance companies the information that they need from the data brokers that they hire to gather the information.
[Rick Sable (Office of Legislative Counsel)]: And there's always the carve out for the consumer requesting, right? And that's maybe not always going to help your situation, but the consumer requesting their credit or requesting a mortgage loan, some of those transactions are indirectly from the consumer wanting that loan. Again, I think you need to hear from people that are more well versed than I am in that business.
[Unknown (Committee Member)]: May or may not have reached out to somebody. I can forward you what I got. Yeah.
[Unknown (Committee Member)]: I'm glad to see it. Okay. I think it's lunchtime. So we're back here at Rons. You know, we could have this discussion on the 211, and that's it. We'll have the at our end to talk about the