[Michael Marcotte (Chair)]: Good afternoon, everyone. This is the Vermont House Committee on Commerce and Economic Development. Again, this is Thursday, 01/29/2026 at 01:02 in the afternoon. So we were gonna come back to H512. We had someone else that wanted to survive that. I haven't been able to get in touch with them, so I think we'll go right to H639 if he happens to show up, and we can take his testimony or bring him in another day. Todd, if you'd like to join him. Yeah. You can pop him off.

[Todd Daloz (Assistant Attorney General, Vermont AGO)]: He's not We're prepared to jump on the Zoom. So I'm going to do that very quickly so I can show the presentation I put together for you.

[Michael Marcotte (Chair)]: And my sleep number. Okay. There we go. Great.

[Todd Daloz (Assistant Attorney General, Vermont AGO)]: Thank you. Good morning, afternoon, good afternoon again.

[Michael Marcotte (Chair)]: Good day. Good day.

[Todd Daloz (Assistant Attorney General, Vermont AGO)]: That's easier. Let's go with the neutral. Awesome. Todd Daloz, assistant attorney general at the attorney general's office here to talk about H639, which is the Genetic Information Privacy Act. I'm gonna, with your permission, just walk through a brief PowerPoint presentation.

[Michael Marcotte (Chair)]: Of

[Todd Daloz (Assistant Attorney General, Vermont AGO)]: course, the way this lays out, I can't reach. Actually show the Zoom information is blocking the presentation information. So let me

[Michael Marcotte (Chair)]: Okay. There

[Todd Daloz (Assistant Attorney General, Vermont AGO)]: we go. Sorry to have you walk through my technical. Alright.

[Michael Marcotte (Chair)]: We are all right at some point. So

[Todd Daloz (Assistant Attorney General, Vermont AGO)]: I wanna start by thanking you for taking up the bill. I think Rep Shah did a really nice job kind of presenting the human side of this bill. I think it's really encouraging to see not only this committee's interest continued interest in data privacy, of course, but this specific element of data privacy and the elements of and the number of folks, I should say, are also co-sponsoring this bill. I think Repshy indicated it was a tripartisan sponsorship, which is wonderful. I don't need to talk too much about the importance of data privacy to this group in the digital age. It does take on a little bit more concern from the point of view of the attorney general's office when we talk about genetic data. The quote that I've got up there from Professor Richards, right, genetic data is not just data about people. And they're right. We think about how important it is, Social Security information, health data, location data, and the like. Genetic data is people. And the genome that's why is it me? Like, technically. You know, our genome is immutable. We cannot change it. And when that data gets out, as this committee knows well, there's no really putting that genie back in the bottle. As Repshai indicated, the genesis of this bill is really the 23andMe data breach and subsequent bankruptcy. And so I just wanna take a few minutes to walk the committee kinda through our perspective, the AG's perspective on that experience. You know, first was a cyberattack on 23andMe that resulted in a data breach. The rough figures are it was really about 14,000 accounts, but what's really important is the way the data was interconnected. And this is really talking about what genetic data can do. There were nearly 7,000,000. It was, I think, 6,900,000 accounts that were impacted by the data breach because of all those interconnected family trees and the like.
So again, really demonstrating why this data can be extremely powerful and potent. Fast forward about a year and a half, 23andMe sought bankruptcy protection. The AGO issued a consumer alert. I think folks probably saw that. That's what got Rev Shy involved, provided steps to delete accounts, gave information about how to destroy genetic samples. And what's important here is there were a lot of not only was it a multistep process, but they were so inundated with the number of requests that it was really hard for the company to actually comply with all the requests to delete and destroy data, and it took quite a bit of voluntary work between the AGO, multiple AG offices and 23andMe to actually carry through that data deletion and destruction of material where consumers want it. So that intervention was also happening in court. Right? So Vermont was part of a group of attorneys general who took got status in the bankruptcy filing and, you know, filed basically what was a set of objections to the proposed sale of 23andMe because the states took the position that the sale of genetic data well, sorry, the sale of the company, any transfer of the company, including its assets of genetic data and genetic samples was really a transfer of genetic data as well. And so you can see kind of, you know, I just pulled a couple paragraphs out, but really looking at the unprecedented compilation of this highly sensitive data and really the combination of generic identity and phenotypic data, both of which are covered by six thirty nine, really distill the danger of getting this letting this kind of information out there getting transferred. And, again, looking at kind of how it can be used, the challenges it presents, and the real damage it can do to individuals when it is allowed out.
As part of the case, the bankruptcy court hired an expert, an ombudsman, Professor Richards, whose quote I put there at the top of the slideshow, who produced it's you as can see at the top of this slide, a 211 page report on consumer privacy related to this bankruptcy. And the language I flag here is just an example of what people do when they get access to this data. These are largely bad actors. Right? This was a hack that this data was released on, but it still flags the kind of information that's out there and available if it were allowed just into the marketplace. So as I said, the state sought to prevent the sale of 23andMe assets, including the genetic material and the genetic data, and, you know, arguing that the sale was an unauthorized sale of the genetic data and certainly without consumer consent or really consumer foreknowledge. At the same time, the states were negotiating with a potential successor business. And through those negotiations with that successor business, the states established an agreement that basically provided a lot of the data privacy protections we felt were really important for this information, both the samples again and the data. And through that voluntary agreement, we felt like there was a good degree of protection. That became really important because the court rejected the states' objections. And, basically, the court said, no. The sale's the sale, and it's fine. Fortunately, the sale was to this company that we had already negotiated agreement with. So we had a contract, basically, for lack of a more artful term, an agreement with the successor company that continues to protect that consumer data and privacy information. But absent that negotiated agreement, and we would take the position that we could have sued for that, and that we could have sought certain protections under the Consumer Protection Act that could have got us to the same place.
But, of course, that would have required a lot of litigation, a lot of time, a lot of energy, and a lot of court engagement. That's why we're looking for changes in the law to address this kind of element. I just flagged the bottom two bullets there, right, are we continue to have an interest in the bankruptcy because 23andMe still has some assets left, we're looking for some kind of recovery on the penalties and other elements that are, we believe, owing to the state. But it's also important that I there were no there are no damages in that lawsuit for any individual consumers. So how does six twenty six respond to that? Rick already walked you through it. I don't wanna belabor it too much, but I just wanted to highlight kind of the areas that dovetail with what happened in the 23andMe case. First, it requires a lot of information for consumers in plain language. It requires prominent placement of information for consumers on the collection of data, how the data security works, and deletion practices, and it helps consumers understand what is lawful data sharing within this space. Consumer consent is also really important. That was a question that came up during the walk through, and I just highlighted. I don't know you can actually read it. It's hard for me to read the highlighted language on my screen, but it is the as drafted six twenty six is sorry. Six thirty nine. Six twenty six is down the hall. Six twenty six thirty nine, very different bill. Six thirty nine requires expressed consent on each one of these decision points. So I think it was you, Rutland, who were sort of like, is it one big long 50 page check the box and agree to everything? And at least the way I read the statute, it's not. It's an individual consent for each step along the way. Is that a lot of checkboxes and a lot of agreements? Yes.
Is it important for consumers to have that level of engagement and be able to determine where they're what they're agreeing to? We think yes as well. So it's again, it's consent for the collection and storage. It's consent. These are examples. Consent for use beyond the primary purpose. It's expressed consent for the transfer of the data, which we think is extremely important, and a very simple revocation of consent process. That we think is also really important, not a multistep opt out after the fact, but something as simple as the way you went in. There's also greater data protection. I won't go into this too much, but, you know, we are gonna continue to see data breaches. We're gonna continue to see bad actors attempting to infiltrate. We do the best we can by requiring industry where they hold sensitive data to meet important standards. I would flag the second two points here. One is giving the consumer access to their own data needs to be fairly simple, and the ability to delete their account entirely is really important. The third one there is also important. Right? A lot of these companies, there may be the front end company and then they hire a lab to do the actual testing. That's a service provider. That transfer is contemplated within the agreement that you're making with whatever company you're getting your genetic data tested by. That's carved out in the law. It's an appropriate transfer. But that third party service provider can't take the data they get from you or develop from your sample and combine it with other

[Michael Marcotte (Chair)]: Oh, did I

[Todd Daloz (Assistant Attorney General, Vermont AGO)]: lose you? No. Good. Things that are popping up here aren't popping up It's really

[Michael Marcotte (Chair)]: so

[Todd Daloz (Assistant Attorney General, Vermont AGO)]: I just wanna flag that that kind of data combination, which you all have talked about in other contexts, is included in this bill. There's also anti-discrimination language. I think that came up in the discussion of the walk through. So GINA is the Genetic Information Nondisclosure Act Nondiscrimination Act that really focuses on health insurance and employment nondiscrimination. This is a little broader, and it also is it engages directly with the genetic testing company to sort of say, you can't people aren't gonna get a higher level of service in order to waive rights under the law. Finally, this just came up, so I put the that last two bullet points there. The direct to consumer testing company can't disclose the consumer's information to insurance companies or employers. But I wanna be clear. That's the relationship that the consumer has with the contesting company. The consumer may have a different relationship with, for example, a life insurance company. This doesn't regulate the consumer to life insurance transaction. That life insurance company may require disclosure of lots of information, engagement with health records, etcetera. This bill doesn't touch that consumer to insurance company relationship. It's the consumer sorry. It's the genetic testing company to insurance company relationship that it does prohibit. So enforcement, I think, is also an important point, especially in data privacy space. There's a simple crossover as you have in a lot of your bills and has an Act 63. I think it's almost exactly word for word like Act 63, which is the age appropriate design code, provides for AGO enforcement, considers this a violation of Title 9, Chapter 63. And again, provides the ability to for individuals to protect the core information about themselves, information that can't be changed. So that's where we stand on the genetic data privacy piece.
I think another question that came up during the walk through was sort of how would this dovetail with a broader genetic data privacy act or sorry, data privacy act. I think it dovetails really well, but I would say similar in the consumer protection space, and we could look at H512 and ticket reselling. Right? The position of the AGO is a lot of the practices that are of concern in ticket reselling are deceptive, unfair practices in the market that we could go after under existing law. That said, the specificity of five twelve provides additional tools and additional safeguards for consumers. That's how we feel about six thirty nine as well. A broad data privacy act is gonna really help and support consumers broadly. Genetic data privacy, we feel like is both urgent and specific enough to require a little bit more focus. So I'm happy to answer a question. I'm gonna close this unless people wanna see the slides.

[Michael Marcotte (Chair)]: Questions for Todd? Monique?

[Monique Priestley (Clerk)]: Yeah, thanks Todd. And like, yeah, I'm fully supportive of this and super appreciate it. And know that also that I can like lay on top of other things. That's awesome. I did reach out to Neil Richards, who was quoted on your first slide, who was the consumer ombudsman for the 23andMe case, just for expertise of their thoughts on language and all that kind of stuff. So the recommendations, which I shared with Todd but not the rest of the committee yet, is page six line five, biometric data, with the suggestion that that is defined because it wasn't defined in the bill. And so I would love to see that definition match what we passed in kids code. And also, that is what is in the comprehensive so that everything is aligned. Page 11, line 16, changing biometric samples to biological samples. So there's not confusion there. Page 11, line 20, changing well, guess this depends on if biometric is then if you agree to defining it. Maybe they had a suggestion of changing biometric data since it wasn't defined to mean just genetic data. But if we add biometric, then that would be null. And then page nine, line two, inherent contextual uses. They just flag that it might be a potentially vague term, it might be worth defining for clarity. And I think I think that somewhat goes into, like, we'll often use the inferred data. It's like people can make assumptions based on the data, but it's not actually the data itself. So they can kind of have, like, a loophole there. So yeah.

[Todd Daloz (Assistant Attorney General, Vermont AGO)]: I mean, having not dug into the recommendations that you sent fully, I think they broadly look totally congruent with what we would like to see. I especially like the focus on closing loopholes around inferences in the genetic data.

[Michael Marcotte (Chair)]: Because

[Todd Daloz (Assistant Attorney General, Vermont AGO)]: I think genetic data I think there is an argument that you can't actually de identify genetic data because you can take the name off and the address and everything else, but it doesn't it is who you are, probably more so than all those other identifiers. Yeah. Not to get too philosophical about what makes us who we are. But I do think that's an absolutely important and appropriate space to look at some additional language. We're going on longer if you

[Monique Priestley (Clerk)]: want.

[Michael Marcotte (Chair)]: We'll have more testimony on this next week. We'll see where we are. So I think that we had another time. Our other. K. So we'll go offline till 02:00. Maria will be in to go over the Herb's amendment on page six forty eight.