[Michael Marcotte (Chair)]: Good morning, everyone. This is the Vermont House Committee on Commerce and Economic Development. It is Thursday, 02/05/2026 at 09:01 in the morning. So we're beginning our morning today to have some committee discussions on H.639 with the genetic data privacy bill and have our legislative counsel meeting with the state bill.
[Rick Siegel (Office of Legislative Counsel)]: Rick Siegel with the Office of Legislative Counsel. As I await my Zoom invitation, the amendment was posted pretty recently to the committee webpage. So if you haven't looked recently, it should be there now. It's draft 1.1 of the proposed committee amendment to six thirty nine. Bless you. You. Lindsey, you're gonna email me, or is it gonna be in the calendar?
[Abbey Duke (Member)]: I'm trying to create a link.
[Rick Siegel (Office of Legislative Counsel)]: Oh, okay.
[Lindsey (Committee Assistant)]: I'm trying to find it in order to share. So it's for today. Be a minute or two.
[Rick Siegel (Office of Legislative Counsel)]: That's fine. That's fine. Should I start walking through it, or do you
[Lindsey (Committee Assistant)]: want It's all the
[Michael Marcotte (Chair)]: way down at the bottom.
[Rick Siegel (Office of Legislative Counsel)]: Should I wait for the screen to share?
[Michael Marcotte (Chair)]: What exact number is it? 1.1. Okay. Yeah. I can't find it. Where is the bottom?
[Rick Siegel (Office of Legislative Counsel)]: I'll try. Alphabetical.
[Herb Olson (Member)]: See if I can find it.
[Michael Marcotte (Chair)]: I did change it to bagel, because it's in there.
[Abbey Duke (Member)]: I think that would be
[Herb Olson (Member)]: And you'd
[Michael Marcotte (Chair)]: be right at the top. Yeah.
[Rick Siegel (Office of Legislative Counsel)]: My life would change dramatically. Oh, an invitation to chat. I didn't think of that funny. Right. Invitation to Easy crowd. It's early. It's almost Friday.
[Anthony "Tony" Micklus (Member)]: Already thinking about your difference.
[Michael Marcotte (Chair)]: Some of us sleep.
[Herb Olson (Member)]: Thanks, Tony. Friday. Yeah.
[Rick Siegel (Office of Legislative Counsel)]: Alright. I am in the Zoom. Yeah. But sharing, Lindsey's gonna give me sharing.
[Michael Marcotte (Chair)]: Alright.
[Rick Siegel (Office of Legislative Counsel)]: Thank you, Lindsey. Alright. So now on the screen is draft 1.1 of the committee amendment to six thirty nine, an act relating to genetic data privacy. Not very many changes from the introduced version. I'll just go through that unless the committee wants a more detailed walkthrough of the bill.
[David "Dave" Bosch (Member)]: I'm okay with going through it again after yesterday's testimony. I feel like hey. I feel it felt different yesterday when we were downstairs. It I don't know. Hold on.
[Abbey Duke (Member)]: No. Think it would Either way. Yeah. I think it probably would be a good idea considering we have new contacts.
[David "Dave" Bosch (Member)]: Well ideas about that's part of I missed the PRA issue, which made it sound like we had it in there, which I tried to look for it and I couldn't find it.
[Rick Siegel (Office of Legislative Counsel)]: So through the Vermont Consumer Protection Act, there is a Right. Right. Of action.
[David "Dave" Bosch (Member)]: That has nothing to do
[Abbey Duke (Member)]: I think if you don't That give access to pro just like kids code. That's how we gave a private of action to kids code.
[Todd Daloz (Assistant Attorney General, Vermont AGO)]: I mean,
[David "Dave" Bosch (Member)]: that's it's not the same as the private right of action that was setting up a cottage interest.
[Abbey Duke (Member)]: It's our existing from, like, the sixties.
[Unidentified Committee Member]: Correct. Yeah. Yeah. Yeah. That's what's in here.
[David "Dave" Bosch (Member)]: But the way that they were talking yester sorry.
[Rick Siegel (Office of Legislative Counsel)]: The way that they
[David "Dave" Bosch (Member)]: were talking yesterday, it made it sound like it was the private right of action that we had in the data privacy bill.
[Abbey Duke (Member)]: Same as the kids' code.
[David "Dave" Bosch (Member)]: Is why I couldn't find it in there. I'm like, well, I'm really confused.
[Abbey Duke (Member)]: It's a reference to 2453, just the kids'
[David "Dave" Bosch (Member)]: Which is is not an issue because it's already there. Which is what this is. Yeah. Okay. It just the way that they were talking about it really concerned. Sorry. I I would like to go through it again. Okay.
[Rick Siegel (Office of Legislative Counsel)]: Maybe not word for word, but they all kinda highlight, you know, I think we know what affirmative authorization means. Biological sample is a material part of the human, discharge therefrom, or derivatives such as tissue, blood, urine, or DNA. I've not practiced that pronunciation again. I'm sorry. It's not gonna happen today. Biometric data is a new addition to this draft. This does come directly word for word from the age appropriate design code. There was a request to have because that phrase is used in the bill and there was a request to actually have that what that is defined. And if you have forgotten what that is, it is data generated from the technological processing of a consumer's unique biological, physical, or physiological characteristics that allow or confirm the unique identification of the consumer, including the iris or retina scans, fingerprints, facial or hand mapping, geometry or templates, vein patterns, voice prints or vocal biomarkers, and gait or personally identifying physical movement or patterns. Biometric data does not include a digital or physical photograph, an audio or video recording, or any data that is generated from a digital or physical photograph, or an audio or video recording unless such data is generated to identify a specific consumer. Okay. We know a consumer is a Vermont resident. A dark pattern is an interface that is designed or manipulated to basically subvert or impair user autonomy. You're tricked into doing something. A direct to consumer genetic testing company is an entity that sells, markets, interprets, or otherwise offers consumer initiated genetic testing products or services directly to consumers. Analyzes genetic data obtained from consumer except that the analysis is performed by a person licensed in the healing arts for diagnosis or treatment of a medical condition.
Those are your doctors, dentists, all kinds of people that are licensed to practice medicine or some derivative of medicine. Or collects, uses, maintains, or discloses genetic data that is collected or derived from a direct to consumer genetic testing product or service or directly provided by a consumer. Disclose means all kinds of different ways of saying, give, assign, sell. Express consent is a consumer's affirmative authorization to grant permission in response to a clear, meaningful, and prominent notice regarding the collection, use, maintenance, or disclosure of genetic data for a specific purpose. Express consent cannot be inferred from an action. Agreement obtained through the use of dark patterns does not constitute express consent. Genetic data is any data regardless of its format that results from the analysis of a biological sample from a consumer or from another element enabling equivalent information to be obtained and concerns genetic material includes DNA, RNA, genes, chromosomes, alleles, is that the correct pronunciation? Thank you. So one person nodding. Genomes, alterations, or modifications to DNA or RNA. Single nucleotide polymorphisms, the SNPs, uninterpreted data that results from the analysis of the biological samples, and any information extrapolated, derived, or inferred.
It does not include de-identified data, which means data that cannot be used to later sorry, to infer information about or otherwise linked to a particular individual, provided the business that possesses the information takes reasonable measures to ensure the information cannot be associated with the consumer or household, publicly commits to maintain and use the information only in de-identified form and not attempt to re-identify the information except they may periodically attempt to re-identify it solely for the purpose of determining whether its de-identification process to satisfy this subdivision on the express consent condition that the business does not use or disclose any information re-identified in this process and destroys the re-identified information upon completion of that periodic assessment. And contractually obligates any recipients of the information to take reasonable measures to ensure that the information cannot be associated with the consumer or household and to commit to maintaining and using the information only in de-identified form and not to re-identify the information. Genetic data does not include data or a biological sample to the extent that data or a sample is collected, used, maintained, and disclosed exclusively for scientific research conducted by an investigator with an institution that holds an assurance with the US Department of Health and Human Services, in compliance with all applicable federal and state laws and regulations for the protection of human subjects and research, including the common rule, US Food and Drug Administration's regulations pursuant to 21 CFR fifteen fifty six and the Family Educational Rights and Privacy Act. Genetic testing means any laboratory test of a biological sample from a consumer for the purpose of determining information concerning genetic material contained within the sample or any information extracted from a person, just about any type of entity, including an individual.
Publicly available information also comes from our age appropriate design code. I think you are pretty familiar with that. I'll let you read that. If you have questions about it, you can reach back to me, but it's information that is made available through federal, state, or local government records. Service provider on page seven. So we have our second change here means a sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is involved in the collection, transportation. So the previous word was and, and analysis of the consumer's biological sample or extracted. That was my change. Happy to discuss what that means. It does expand the definition. In my view, that limited a service provider to entities that did all three of those things, collected, transported, and analyzed. Tend to think it's not all service providers do all three. Some of them probably just transport, some of them probably just collect. So it does expand the definition. The next change on behalf of the previous word was z, and that was just a mistake on my part, behalf of a, direct to consumer genetic testing company. So that's just kind of a semantic fix. B, on behalf of any other company that collects, uses, maintains, or discloses genetic data collected or derived from a direct to consumer genetic testing product or service, or that is directly provided by a consumer. Okay, and the requirements section, privacy terms and consent to safeguard the privacy and confidentiality, security and integrity of a consumer's genetic data, a direct to consumer genetic testing company shall provide clear and complete information regarding the company's policies and procedures for the collection, use, maintenance and disclosure of genetic data by making available to a consumer all the following. A summary of its privacy practices written in plain language.
B, a prompt and easily accessible privacy notice that includes complete information about the company's data collection, etcetera. And a notice that the consumer's de-identified genetic or phenotypic information may be shared or with or disclosed to third parties for research purposes. And obtain a consumer's express consent for the collection, use, and disclosure of the consumer's genetic data, including that minimum separate and express consent for each of the following. The use of the genetic data collected through the testing, for the consumer, including who has access to the data, how the data may be shared, and the specific purposes for which the data will be collected, used, and disclosed. The storage of a consumer's biological sample after the initial testing requested by the consumer has been fulfilled. Each use of the genetic data or the biological sample beyond the primary purpose of the genetic testing or service. And then in the previous introduced version, language was removed.
[Michael Marcotte (Chair)]: Sure. I have that correct.
[Rick Siegel (Office of Legislative Counsel)]: So the there were there were four additional words after service. It said or service and inherent contextual uses. There is a request to remove that and inherent contextual uses because it was kind of vague of what would that be? What kind of contextual uses would that include? So it removes that additional language, has to be beyond the primary purpose of that testing or service.
[Michael Marcotte (Chair)]: Any questions about that?
[Rick Siegel (Office of Legislative Counsel)]: B, each transfer or disclosure. Again, this is consent from the consumer that each transfer or disclosure of the consumer's genetic data or biological sample to a third party other than a service provider, including the name of the third party to which the consumer's genetic data or sample will be transferred or disclosed and the intended purpose of said transfer, except the company shall not require a consumer to expressly consent to the actions in the subdivision in order to receive the services ordered from the company by the consumer. And the marketing or facilitation of marketing to a consumer based on the consumer's genetic data or the marketing or facilitation of marketing by a third party based upon the consumer having ordered, purchased, received, or used a genetic testing product or service. That last subdivision does not require a the marketing, does not require a direct to consumer genetic testing company to obtain a consumer's express consent to market to the consumer on the company's own website or mobile application based upon the consumer having ordered, purchased, received, used a genetic testing product from that company. If the content of the advertisement does not depend upon any information specific to that consumer. Nothing in the subdivision limits, alters, or negates the requirements of any other anti discrimination law or targeted advertising. Any advertisement of a third party product or service presented to a consumer pursuant to subdivision 1 or that last subdivision E the previous section, shall be prominently labeled as advertising content and be accompanied by the name of any third party that has contributed to the placement of the advertising. If applicable, the advertisement shall also clearly indicate that the advertised product or service and the associated claims have not been vetted or endorsed by the direct consumer genetic testing company. 
Okay, the next change is on the revoking consent. A direct to consumer genetic testing company that is subject to the requirements previously mentioned about the foreign consent shall provide effective mechanisms for consumer. This is brand new language to withdraw consent provided pursuant to the sub chapter that is at least as easy as the mechanism by which the consumer provided the consent. There was a request to make it clear that in order to not just have to offer the consumer the ability to revoke consent, it has to be as easy as the way that you initially requested the consent. So, if that's some kind of checkbox, some kind of, however they ask it of you, they have to also allow you to revoke it in the same manner, at least as easy as that manner. And this comes from one of the data privacy bills, that language, that type of language.
[Michael Marcotte (Chair)]: All good? Okay.
[Rick Siegel (Office of Legislative Counsel)]: Two, if the consumer revokes consent, the direct to consumer genetic testing company shall honor the consumer's consent revocation as soon as practicable, but not later than thirty days after the individual revokes consent. If the revocation is related to the storage or use of a consumer's biological sample, destroy that consumer's sample not later than thirty days after receipt of the revocation consent.
[Michael Marcotte (Chair)]: I just wanna sig too much into the weeds, but
[Anthony "Tony" Micklus (Member)]: I see a situation where somebody could give consent and the data would be used in some sort of sit situation. And they would revoke that consent. But the data at the time when it was given consent, everything was okay, and now they're starting to see notifications from that situation. I I don't
[Rick Siegel (Office of Legislative Counsel)]: know if I'm Mhmm.
[Anthony "Tony" Micklus (Member)]: You know what I'm talking about? In other words, excuse me. There's you're maybe you give them permission to send genetic data to another company, And then later on, you revoke that consent, but that other company still has that data. And they got that data while you gave them consent. And then this other company does something nefarious, and now this company that gave them the data is on the hook for it. That's kind of The
[Rick Siegel (Office of Legislative Counsel)]: cat's out of the bag, so to speak. Exactly. Yeah. In that case, that data is no longer within the bounds of this bill. So it's with some third party that no longer probably has to abide by if they are a direct to consumer genetic testing company. You never gave them consent because you gave the previous company consent, who then sold it to another company. So in that case, if you revoke it, that company that sold your data or that gave it to someone else, they would delete it when it's already gone. So I don't know how we would address that.
[David "Dave" Bosch (Member)]: So unfortunately, once it leaves the company, there's probably not much we can do about it, but it does make me concerned about because nonprofits do that little sketchy thing where they do the 501c4s versus the 501c3s. And they're like super close to one another and they're passing information around, but once it goes over to the five zero three, it's this fears. Should we be somehow fixing that problem? Because that could be a way for the company to scoff with the information and then do whatever they want.
[Rick Siegel (Office of Legislative Counsel)]: So you're saying that they would get a consumer's consent to
[David "Dave" Bosch (Member)]: And then
[Rick Siegel (Office of Legislative Counsel)]: meet disclose it to another company that they have an interest in?
[David "Dave" Bosch (Member)]: Yeah. I mean, don't know if it would then generate revenue for that second company, but all they're doing is they have a look at basically a shell company, which is like I said, how the nonprofits do it with their lobbying activities. And I'm not I don't wanna say if it's gonna happen, but, I mean, I could see that hap am I not am I not making any sense?
[Rick Siegel (Office of Legislative Counsel)]: No. I'm thinking about well, personally, I'm thinking about how that would work. So if you go and I'll just kinda look at the language here that for the consent. So
[David "Dave" Bosch (Member)]: for example, and maybe this is as you're sending in your data says, do you have a problem with us sharing it with, you know, geneticdata.com or not doc.org,
[Herb Olson (Member)]: right?
[David "Dave" Bosch (Member)]: And you're like, oh, well, that's only looks like they're part of who they are. And then next thing you know, you click yes, your data's done. You're all done. And they can use that as the ability to sell and do whatever they want. They're still making money off of your data, even though they're a separate entity. Is that, I don't, Maybe it's just something I'm
[Rick Siegel (Office of Legislative Counsel)]: I mean, so you can David, you have to consent to that. As you said, you get this consent saying that we are going to transfer cellular data to this other company. So And in subdivision D, each transfer to a third party other than the service provider, which would be your example, and the intended purposes of said transfer. So the consumer would be aware what the purpose would be. So if you want to beef that up, this is where you may kind of want to put some more parameters.
[Abbey Duke (Member)]: I don't know maybe how you would
[Rick Siegel (Office of Legislative Counsel)]: do that. Didn't think about that.
[David "Dave" Bosch (Member)]: You know, it's by looking for a nail to hammer, I guess. I could see where a company starts making second companies to collect the data in Vermont just so that they could pass it over to their, rather, company, then they could continue doing business as normal. I'm not making any sense. I feel like I'm not making sense.
[Abbey Duke (Member)]: I I think I kind of understand what you're saying, but I'm wondering, even if they take that data and pass it over, isn't that still That hasn't caused that big plate. Do we have that stuff to already label?
[Anthony "Tony" Micklus (Member)]: Yeah, I mean, feel like there's
[Emily Carris Duncan (Member)]: I think
[Kirk White (Ranking Member)]: you're going down the fraud line.
[Anthony "Tony" Micklus (Member)]: Yeah, and we have bait and switch and things like, I mean, to me, that's bait and switch.
[Abbey Duke (Member)]: Right. Yeah, I think we have things out.
[David "Dave" Bosch (Member)]: But it didn't be covered under fraud, it's mostly due to the debt currency.
[Emily Carris Duncan (Member)]: This is protecting Vermonters' data, doesn't matter where the business
[David "Dave" Bosch (Member)]: Right. But if so so at 23andMe, right, 23andMe creates a suborganization or a separate organization to only do business in the state of Vermont. And they take your genetic data and immediately transfer it over to 23andMe. With your approval? Correct. You're
[Emily Carris Duncan (Member)]: Vermonters' data. No matter where the company is.
[David "Dave" Bosch (Member)]: But to yeah.
[Abbey Duke (Member)]: Okay. So is the concern that they can essentially just take this data and then But transfer I think in order for that transfer to happen, to Edye's point, you'd still have to get express consent to do that sale and transfer. Even if it's a subsidiary. So your initial consent, just because you consented to do the data testing or whatever, is not necessarily enough for them to sell it on,
[Michael Marcotte (Chair)]: I think.
[Herb Olson (Member)]: You got you got maybe a narrower question than than what you're getting more maybe around Tony. So we've got this definition of service provider and it's a company that acts on behalf of the testing company itself. And I see there we haven't gotten to it, but there's a section on contracts,
[Rick Siegel (Office of Legislative Counsel)]: but fairly limited
[Herb Olson (Member)]: requirements, I think. I don't know. Maybe that's my. I'm just wondering whether is there anything in here that obligates the service provider to do some of the same things that the testing company is required to do? I'm thinking about storage, you know, use It won't answer, you know, that kind of stuff.
[Rick Siegel (Office of Legislative Counsel)]: Maybe when we get to the contract section. That's right. And then we can kind of read that together and see what That's right. Maybe not there that you wanna have there. Okay. So we were at subsection d on page 11. Data security and access. A direct to consumer genetic testing company shall implement and maintain reasonable security procedures and practices to protect a consumer's genetic data against unauthorized access, destruction, use, modification, or disclosure, and develop procedures and practices to enable a consumer to easily access their data, the genetic data, delete their account and genetic data, except for genetic data that is required to be retained by the company to comply with applicable legal and regulatory requirements and request to have and have the consumer's biological sample destroyed. The data and so this change here was a typo. It previously said biometric. So it's a genetic data and biometric samples. There's not really such a thing as a biometric sample. So we go from biometric to biological. Genetic data and biological samples of consumers shall not be stored within the territorial boundaries of any country currently sanctioned in any way by the US Office of Foreign Assets Control or designated as a foreign adversary. Genetic data or biometric data of consumers is that.
[David "Dave" Bosch (Member)]: I watch it.
[Rick Siegel (Office of Legislative Counsel)]: Well, I'm wondering, so subdivision two was biological biometric samples. That one made sense. I believe this is the way California has it ordered, but I'm wondering if that should be biological samples and not biometric data.
[Michael Marcotte (Chair)]: Yeah, think a
[Herb Olson (Member)]: biometric recognition scan. Right. Fingerprint. Which includes
[David "Dave" Bosch (Member)]: I don't think I actually think biometric is more than that. I think it I think it is also like cholesterol.
[Rick Siegel (Office of Legislative Counsel)]: So let me think about that. And, of course, if you have any suggestions, we can certainly include biometric data and add biological samples, but there may be a reason that biological samples can be transferred and stored out of The US. So let me put a star next
[Michael Marcotte (Chair)]: to that, something I wanna think about.
[Rick Siegel (Office of Legislative Counsel)]: And so that maybe our attorney general can think about assistant attorney general. Thank you. Any questions about that? Am I just the only one thinking about that or should I?
[Abbey Duke (Member)]: Yeah, that's a good question. Okay.
[Rick Siegel (Office of Legislative Counsel)]: Yeah. All right, so page 12, contracts. A contract between a direct consumer genetic testing company and a service provider shall prohibit the provider from retaining, using, or disclosing the biological sample, genetic data, or any information regarding the identity of the consumer, whether, including whether that consumer has solicited or received genetic testing for a commercial purpose other than providing the services specified in the contract with the business. And associating or combining the sample genetic data or any information regarding the identity of the consumer, including whether that consumer has solicited or received genetic testing with information the service provider has received from or on behalf of another person or persons, or as collected from its own interaction with consumers or as required by law. So, Herb Olson, you asked about,
[Herb Olson (Member)]: are they required? Let's try and see how that fits in to the whole framework here. And so obviously, the company itself might wanna contract with somebody else to do some of the functions. But the service provider might have the data, maybe maybe And would so, there's important protections with respect to the testing company you ran, for example, revocation of consent, security, that kind of stuff, pulling the data. And maybe I'm missing something, but that doesn't totally seem to be covered in e. In other words, I mean, not thinking of any different areas, but, you know, there were some specific protections that we would be requiring a testing company.
[Rick Siegel (Office of Legislative Counsel)]: Well, the first sentence is pretty powerful. Retaining, using, or disclosing the sample genetic data or any information regarding the consumer. So, they would be prohibited from doing that for a commercial purpose, right? So, I'm not sure what other purpose they would disclose that data for, if not commercial. That's not part of their business practice. But But they still have the data, wouldn't they?
[Herb Olson (Member)]: They Maybe the security issue is the one that Okay. The consideration of it.
[Todd Daloz (Assistant Attorney General, Vermont AGO)]: I see.
[Rick Siegel (Office of Legislative Counsel)]: Yeah. Because they are not
[Herb Olson (Member)]: Subject to the Yes. Security. Yes. And
[Michael Marcotte (Chair)]: it's but it's only for service provider. Right? Right. And we have a definition of service provider. Right. So could it be someone that's outside of that that definition? What mean? Do So, we're talking about the economy, I think what Michael is talking about is a subsidiary being so would that subsidiary be involved in collections, transportation or analysis of the consumer's biological sample? Could be, but What if it's not?
[Rick Siegel (Office of Legislative Counsel)]: Then they are not defined. They are a third party.
[Michael Marcotte (Chair)]: And how do we treat third party?
[Rick Siegel (Office of Legislative Counsel)]: A third party is not really regulated in this bill. Only these direct to consumer companies and the service providers are regulated.
[Michael Marcotte (Chair)]: Who is the direct to consumer company? And they contract with third party under this?
[Rick Siegel (Office of Legislative Counsel)]: And they contract with a third party for something like janitorial services?
[Michael Marcotte (Chair)]: Outside of any outside of collection transportation analysis of the consumers.
[Rick Siegel (Office of Legislative Counsel)]: I mean, but I think
[Michael Marcotte (Chair)]: Still has to have your expressed consent.
[Rick Siegel (Office of Legislative Counsel)]: Not to contract now. If any of that contractual services includes, obviously, things that the service provider would do, they become a service provider. If it's work that does not touch on that collection, analyzing, or transporting, I don't know what else it would be that a third party would do that would involve your data.
[Michael Marcotte (Chair)]: You know, I think looking at Michael's scenario Yes. Creating a
[Rick Siegel (Office of Legislative Counsel)]: subsidiary Nefariously.
[Michael Marcotte (Chair)]: That doesn't fall under under direct to consumer, doesn't fall under service provider.
[Rick Siegel (Office of Legislative Counsel)]: Move
[Michael Marcotte (Chair)]: the data in order to sell it.
[Rick Siegel (Office of Legislative Counsel)]: So, look at so the definition of direct consumer genetic testing company means an entity that obviously, a, is what we all think about, these ones that market to people. B, analyzes genetic data from a consumer. But then C is interesting. Collects, uses, maintains, or discloses genetic data collected or derived from a direct to consumer genetic testing product or service. So if are an affiliate of a if you're a company X and you're not a genetic testing company, as people will think of it, and 23andMe creates this company X, that sole purpose is to be an affiliate, a kind of a loophole, I think company X would become a genetic testing company because they have collected or derived from a genetic testing company genetic data. I think they would fit into that definition eventually.
[Abbey Duke (Member)]: Yeah,
[Herb Olson (Member)]: no, I think that's important. What if the service provider has the data and then the contract is terminated or something? I still have the data. They be encompassed within C there, maintains the genetic data? Yeah. If it was collected
[Rick Siegel (Office of Legislative Counsel)]: or derived from a direct to consumer genetic testing company.
[Michael Marcotte (Chair)]: Okay. Yeah.
[Herb Olson (Member)]: They so in other words, if if the contract was terminated and the data still is there, they would be treated as a testing company and subject to those requirements.
[Rick Siegel (Office of Legislative Counsel)]: That is my I want some more time to think about it, but that's my initial reaction. So, yeah.
[Abbey Duke (Member)]: Wondering if this particular situation would be covered by parent subsidiary law. Sorry, what was I reading here? If subsidiary was created to basically just be a shell company to just hold this, which it sounds like this would be what that's doing, that the parent company would be on the hook for that contract. Well,
[Rick Siegel (Office of Legislative Counsel)]: yes and no. Yes and no. So in some of our data privacy bills, we have affiliate defined, and it makes it very clear that an affiliate has 50% of whatever control of the company. So that's something we can consider if you want to add that definition of affiliate. It's something we could also look at.
[David "Dave" Bosch (Member)]: I think I would. I mean, because it makes sense. I mean, if I was, I'm not saying brokers are gonna be nefarious, mean, it's a door that could be utilized.
[Abbey Duke (Member)]: I think law is not considered the best factors.
[Herb Olson (Member)]: Right, right.
[Rick Siegel (Office of Legislative Counsel)]: Okay. We are at discrimination subsection f on page 12. A person or public entity shall not discriminate against the consumer because the consumer exercised any of the consumer's rights under the subchapter by denying goods, excuse me, services or benefits to the consumer, charging different prices or rates for goods or services, providing a different level of quality of goods, services, or benefits, suggesting that the consumer will receive a different price or rate for goods or services benefits, or a different level of quality of goods, services, or benefits. Considering the consumer's exercise of rights under the subchapter as a basis for suspicion of criminal wrongdoing or unlawful conduct. Non disclosure, notwithstanding any other provision in this section, a direct to consumer genetic testing company shall not disclose a consumer's genetic data to any entity that is responsible for administering or making decisions regarding health insurance, life insurance, long term care insurance, disability insurance, or employment, or to any entity that provides advice to an entity that is responsible for performing those functions. Enforcement is the Vermont Consumer Protection Act, a direct to consumer testing company or service provider that violates a subchapter or rules adopted violate the section twenty four fifty three of the Vermont Consumer Protection Act. The attorney general shall have the same authority under the subchapter make rules, conduct civil investigations, bring civil actions, and enter into assurances of discontinuance against any person as provided under chapter 63.
[David "Dave" Bosch (Member)]: So regarding the discrimination, that's not saying because we all pull up our apps and as we're downloading, it says you need to sacrifice your soul the app company, right? In 80 pages. In 80 pages. You know, is this does that mean that if you say no, you can't be denied usage or you can't be charged?
[Rick Siegel (Office of Legislative Counsel)]: It's saying that if you revoke consent, typically is what this is. Your rights under this bill are typically that you are allowed to consent or revoke consent to something you've already, as a consumer, that you've already given consent to. So if you do those things, a person, which is anything, right, any entity or public entity as well, cannot deny goods, services, benefits, like there's this bullet point list of things that they can't do because a consumer revoked consent.
[David "Dave" Bosch (Member)]: So I have, I've sent my data to Ancestry. Can't access my account now. But if at any given point, I say, I don't want you to use my data anymore. And then they said, that's fine. Now you can't use our platform. You're saying that that's is that covering that issue? Because it get or or they say, well, that's fine. You you can revoke it, but you have to pay. So now what we're saying is, is that applying to that situation? Yes. So what we're doing is we are forcing product out of somebody for nothing. Because our data is about $600 a year per person based on my quick search. So we are extracting stuff from an entity without paying for it. And this is where I have my problems with our data stuff. We look at it as well. These organizations are using our data to pay for the stuff that they get. We get a lot of free stuff, but we're not, it's not free. We are paying with our data. Now, this is saying that you can force somebody to work for you for free.
[Rick Siegel (Office of Legislative Counsel)]: So I don't know if I agree. I would call this more like retaliation. Think of it that way, that if you do something that you have a right under this bill to do, like revoke consent, a company cannot retaliate against you because of that, by denying you something that offers every other consumer in the world, like Ancestry. It's open platform. If you pay us, we'll provide you the service, right? So just because you've revoked consent or asked them to delete your data, does not mean you can no longer log in. They'd have to allow you to log in and access whatever you have left on the platform. So I don't know, maybe I'm missing your point.
[David "Dave" Bosch (Member)]: So I guess, probably that's not a good example. But if it's a platform, so for example, if I have a bank account and I close my bank account, I can't log in to the bank account anymore.
[Michael Marcotte (Chair)]: Right.
[David "Dave" Bosch (Member)]: Right. So, but if we are looking at it from this perspective, you can log into the bank account. I mean, you won't be able to like do anything in there.
[Rick Siegel (Office of Legislative Counsel)]: This is specific to genetic data. This is you deleting your genetic data. A bank wouldn't care that you've deleted your genetic data, right?
[David "Dave" Bosch (Member)]: Right. I know. I'm trying to use it as an analogy because they still have to pay for the app for you to be able to access it. Ancestry? You can't Well, no, I'm thinking of the banking. The bank account was closed. You still have to be able to access it. You're tapping into customer service if there's a problem with you accessing it. I know it sounds stupid because we don't look at data the same way that we look at money, the thing is that data is money. It's a completely different mindset and we have to, so we are forcing an organization to service us when they can't make money off of us. And I understand we don't want them to make money off of us, but that is the deal that you if you're working if you're getting something from them, it's like Facebook. I mean,
[Abbey Duke (Member)]: if No. This is a paid to use I
[David "Dave" Bosch (Member)]: get that. I get that. Pay for having them tested data. But you're but you're saying that you can't deny goods and services. And I
[Michael Marcotte (Chair)]: So so I think in these 23 and Me or ancestry, that would get a certain amount of availability of their service, because the genetic testing is not the whole service that they provide. They're also providing you the ability to research your ancestry. So, you can go so far with that, but then you have to pay more to do more research. So, they're not going to stop you from doing that, you're just telling them to delete data, or my genetic, my genome, whatever they've got. And you can still And I think this is saying that you can't deny your customer the ability to utilize your services, your paid services.
[Kirk White (Ranking Member)]: So That they're paying for.
[Abbey Duke (Member)]: That the customer is being paid for.
[David "Dave" Bosch (Member)]: So for ancestry.com, because I do have that. When I submitted my DNA, it tells me who I'm related to. So I delete my DNA, and you're tell and this this is saying you still have to provide that information.
[Michael Marcotte (Chair)]: You already you already had it. You already had that information of who you related to.
[Abbey Duke (Member)]: If you delete the data, then they can't
[Kirk White (Ranking Member)]: and they wouldn't be able to use the data to
[Michael Marcotte (Chair)]: They wouldn't be able to
[David "Dave" Bosch (Member)]: correct. But they're but if
[Anthony "Tony" Micklus (Member)]: I I think the intent of this is if we're gonna continue to use the example of ancestry.com is now you tell them I wanna delete it and now ancestry.com says, nope. You're not gonna we're we're just gonna shut you down. And and this is preventing that. Because you're now losing the benefit of the other services they offer.
[Edye Graning (Vice Chair)]: That's it. It says later on, right, they can't charge you different prices. So I could also say, well, you know, some other service we offer, now we're only gonna charge charge you twice for that, because we believe your data on this
[Michael Marcotte (Chair)]: other case.
[David "Dave" Bosch (Member)]: Case is
[Edye Graning (Vice Chair)]: validation I
[Kirk White (Ranking Member)]: mean, I think I get your point, which is you're saying that you don't want And the genetic companies would have to have a business model in which they understand that if you delete your data, you can still utilize services that they offer. They can't deny you that. And the genetic company would just need to understand in their pricing model that they need to charge a price that they would charge somebody when they have their data or somebody who doesn't, and they're not going to subsidize one price because they have your data and not the other. So the company would just need to understand all of this, and that would be through their people. And really would help maybe to decrease the monetization of the genetic data. That make think that's right? That's understanding how what you're talking about.
[David "Dave" Bosch (Member)]: So for those paid subscriptions that would ordinarily be a little bit less because the genetic data is being used, we're now charging those customers that are paying more.
[Kirk White (Ranking Member)]: Who knows? Who knows what the company would do? Once they don't have your data, I don't imagine there's a lot of services they can provide you. This bill is just saying they can't deny you a service because you deleted your data. But there may be a few services that they could even provide. We're not saying you need to not monetize the data. Anyway, that's how I read it. It's more like they can't retaliate. If you delete your data, they can't now say, oh, well, you're dead domain. Let's say there's another service they provide that you want to use. They can't deny that service because you denied it, because you deleted your data.
[David "Dave" Bosch (Member)]: But if the business model is we are providing that service for free because we are collectively using all the data. You're
[Michael Marcotte (Chair)]: thinking outside of the realm of this one genetic testing. You're looking at everything as a whole. The realm of genetic testing is that, number one, you're buying a service to get yourself tested, and then you can also purchase another service to track down your ancestors. So there's no quid pro quo here where you're freely giving your genetic for nothing there, and they're testing it for you for nothing. It's you're paying for a service that you're getting the service. And then once you get your your all your information, you can print it out, and you can now buy their service. And you can tell them now I want you to destroy my all my genetic thing stuff that you have.
[David "Dave" Bosch (Member)]: Right. I get that. I I understand that. But if the business model is that they're using that data for compensation somehow, when you pull the data, that means they can't use it. And if there's a service that they offer free to their users that are sharing their data, they now have to offer it to you for free even though you're not sharing your data and being part of the whole ecosphere. It's kind of like
[Abbey Duke (Member)]: I'm not sure what the problem is.
[David "Dave" Bosch (Member)]: The problem is if the business model is set up so that we offer a free service, but it's not free, it's the reason why we offer is because we use your data, whether that's for advertisings that they can push out to you, whatever. You are saying, I am retracting that, but you still have to provide me the service, Even though I'm not sharing my data, you still have to provide me service.
[Emily Carris Duncan (Member)]: Have we heard any testimony from anyone in this field that provides free services for data, for genetic data?
[David "Dave" Bosch (Member)]: We've had very little testimony on the other side of this equation. It's all been people that are like super pro data privacy. So no, I don't think we have, but the problem is that it's like the apps that we have on our phones, they're all free for a reason. This
[Emily Carris Duncan (Member)]: is a small industry, and I think you're taking, what this bill is, is regulating a small industry, and you're trying to extrapolate that into something else. And that's not what this bill is. But it is our comprehensive data privacy
[Bridget Morris (Representative for Ancestry)]: bill. I
[Kirk White (Ranking Member)]: mean, they didn't flag it. I
[David "Dave" Bosch (Member)]: get that. They just be in it. He not applied to ancestry. And I don't know how many genetic companies there are out there. We're creating a blanket law and.
[Abbey Duke (Member)]: It's all good. Is the concern about the three apps that we use kind of on a regular basis having biometric data about us?
[David "Dave" Bosch (Member)]: This is only dealing with And I get it, I'm just thinking I'm
[Abbey Duke (Member)]: just trying to understand where your thought process is coming from.
[David "Dave" Bosch (Member)]: Thought process is, if I'm a genetic company, genetic testing company and I offer an app that allows whatever it is, but I use your data. What we're saying here is that even if I would revoke my data from you, you're still going to have to provide whatever service.
[Rick Siegel (Office of Legislative Counsel)]: Except they don't have your data.
[Michael Marcotte (Chair)]: So why
[Abbey Duke (Member)]: That's would you exactly it. They wouldn't actually be able to probably conduct the full breadth of services if they don't have your data.
[David "Dave" Bosch (Member)]: But you can't deny services.
[Abbey Duke (Member)]: No, you have to make them available, but the question of usability is also there too. So if they don't have the data because you've retracted your permission, then they don't have anything there to run tests or comparisons or anything like that. You might have the results from what has been done previously, but going forward.
[Herb Olson (Member)]: So, think of the term retaliation and what that means. And I'm not I think it's a little more narrow than I'm hearing you say, Mike. I mean, the company that you got your DNA testing from and you got the results of that, and you paid for it. Well, I guess you're thinking that they're not paying for it. Assuming that they paid for it. And then they offer these other services, but they can't offer those other services because they don't have a DNA there. Is that what you're talking about? And I don't see that as retaliation. That's just physically impart I mean, if you actually needed that data to perform these other services To me, I don't know the law around retaliation, but that doesn't strike me as, well, we're not gonna do this because you revoked your consent. It's just physically impossible to provide this other service without the data that I got.
[Abbey Duke (Member)]: No. Yeah. And if you if the customer were to go back to the company and say, I would like this test again and give you affirmative consent to to do so. Now if they said no, because you canceled once.
[Kirk White (Ranking Member)]: Can I take a stab? I think I get what you're saying. Let's say we have 1,000 people in the state who submit their genetic testing to ancestry dot com. We have 1,000 data sample of 1,000, and they all pay $50. 500 of them, two weeks later, download their data, go in, delete it. And the company now has 500 that they are then putting in a pool and they're monetizing that. Maybe they're allowing drug companies to search it. I don't know what it is. But they have 500, they don't have 1,000. So they make half as much money doing that. And so maybe because of that, they have to increase the price of instead of $50, it's $55. So now, those 500 customers who are sharing their data are not subsidized as much by the sharing of the data. So it could increase the price for the customers by a little bit because they're not used as much. Is that what you're trying to say? If that is, I'm fine with that. I think that's a perfectly fine trade off.
[David "Dave" Bosch (Member)]: It is, that is kind of what I'm saying, except for say situation where they offer whatever service because they have the data. And what I'm saying is that those 500 people, if they withdraw their data, they can't say, well, that's fine. Now you have to pay to access whatever tools we have or services.
[Kirk White (Ranking Member)]: Yeah, no, I get your point. Just don't agree.
[David "Dave" Bosch (Member)]: That's okay.
[Kirk White (Ranking Member)]: But I get it. I get it. Mean, I think, yeah.
[Rick Siegel (Office of Legislative Counsel)]: A lot of one more thing. We'll focus on deletion. A customer can also request you not sell their data. So in that aspect, the company still has your data. You've said don't sell it. The company then couldn't say, well, because you didn't allow to sell your data, we're going to charge you more, or we're going to deny you this that everyone else gets. But because you said no, we're gonna think of it, it's not just deletion of data, it's also the consumer saying don't sell it, don't disclose it, don't give it to an affiliate without my consent. So think about that too.
[Kirk White (Ranking Member)]: Basically saying my genetic data is not current.
[Rick Siegel (Office of Legislative Counsel)]: And he can't retaliate because a consumer hasn't booked that right. Shall I continue? Any questions about enforcement?
[Michael Boutin (Member)]: Yes. I I need a cliff notes version at $24.53 Visa Okay. Who has standing Yeah. And what steps are available to a $124.50 to seek redress.
[Rick Siegel (Office of Legislative Counsel)]: So this may be a bigger conversation, but just kind of Cliff notes, it's the Vermont Consumer Protection Act. Right. An unfair act in commerce, as typically defined as the FTC, the federal government's, how they define what an unfair act in commerce is. And of course, we cross reference that a lot. And we say here that this thing is an unfair act in commerce. If you sell genetic data that a consumer has told you not to sell, you have violated our Consumer Protection Act, which gives the attorney general the right to enforce on behalf of the state. Vermont would sue ancestry.com or 23andMe, whatever. A person could also invoke their private right if they don't wanna use the AG or if they think that they have been harmed so much that they're gonna sue the business on their own. The Consumer Protection Act allows that as well. So there's a few avenues. But it
[Michael Boutin (Member)]: would have to be somebody who's aggrieved or allegedly aggrieved.
[Rick Siegel (Office of Legislative Counsel)]: You can file a frivolous lawsuit, but, no, it's it yeah. That would be a waste of time and money for the consumer to do that. You would need to have harm and indicate this is how it was harmed. You violated this, and then the court will take it from there.
[Michael Marcotte (Chair)]: Thank you. Perfect.
[David "Dave" Bosch (Member)]: Questions?
[Michael Marcotte (Chair)]: Great. Yeah. Express consent. Express consent. Okay. So is that a blanket checkbox and you can do with a broken statement?
[Rick Siegel (Office of Legislative Counsel)]: Thank you. We have it defined. Look at that again. So it means a consumer's affirmative authorization, which is also defined, obtaining error, an action that demonstrates an intentional decision by a consumer. Okay. So some type of intentional action by a consumer to grant permission in response to a clear, meaningful, and prominent notice regarding the collection, use, maintenance, or disclosure of genetic data for a specific purpose. It cannot be inferred from an action, which to me indicates you have to, yeah, click something or sign something with your mouse or finger. Agreement obtained through the use of dark patterns does not constitute express consent.
[Michael Marcotte (Chair)]: So if genetic testing company sold your data for quantifiable, is that allowable under that one box you checked?
[Rick Siegel (Office of Legislative Counsel)]: You would have to let's make sure here before I say something. Collection use and disclosure at minimum express consent for the use, who has access, how it may be shared, storage. Selling it does not require anything special other than just what the definition of express consent is. That's my reading of it. So if we want that to be a special event, then it would need to be
[Emily Carris Duncan (Member)]: Page nine, D. Line one. Are you saying where you are?
[Rick Siegel (Office of Legislative Counsel)]: Yes. I don't know if I'm on the page.
[Abbey Duke (Member)]: Oh, sorry.
[Emily Carris Duncan (Member)]: I'm stuck in on mine in front of me.
[Abbey Duke (Member)]: It says that you do need it, doesn't it?
[Rick Siegel (Office of Legislative Counsel)]: Yes, but I think the chair is indicating that. Is it just a regular consent that a consumer would
[Michael Marcotte (Chair)]: What would I need consent?
[Rick Siegel (Office of Legislative Counsel)]: It would need to be
[Emily Carris Duncan (Member)]: Oh, shall not require a consumer to expressly consent to you.
[Rick Siegel (Office of Legislative Counsel)]: Right. Emily, that's correct. There needs to be a box for each of the things, but selling the data would be one of those boxes. Yes.
[Michael Marcotte (Chair)]: That's my view of it.
[Rick Siegel (Office of Legislative Counsel)]: We didn't get to the applicability. Happy to there's no changes. Make sure there's no changes to the the applicability. You have your typical HIPAA exemptions, scientific research, and then public information. And let me show you the one that got a couple questions last time. I didn't change it, but on the last page, subdivision six, genetic data used or maintained by an employer or disclosed by an employee to an employer to the extent that the use, maintenance, or disclosure of that data is necessary to comply with a local, state, or federal workplace health and safety ordinance, law, regulation. That is exempt from the bill. Sounds like we had some decisions to make on that.
[Michael Marcotte (Chair)]: If you like me. You had something else that you wanted to bring to our So
[Rick Siegel (Office of Legislative Counsel)]: and, yeah, I have thankfully, assistant attorney general is here. Maybe he can explain this. So I thought this morning about law enforcement and how occasionally they will request this information from ancestry 23andMe in police work to conduct some police work. You hear about these cases where they solve a crime using DNA through a cousin or
[Herb Olson (Member)]: a
[Rick Siegel (Office of Legislative Counsel)]: sibling, and they eventually get to the DNA sample. Even if the person didn't do it, they have a relative that used ancestry. So my reading of the bill, if a police if law enforcement gets a warrant and submits the warrant to Ancestry, would Ancestry have to get your consent to disclose that? Think in my opinion is I don't think it's clear. So if I was the counsel for ancestry, and they get a warrant and they ask me, do we need to get the consent of the consumer? I would say, well, Vermont passed this law that says you have to get their express consent. There's no exemption for law enforcement. So I told the chair about this, and I said I could talk to my judiciary colleagues about this because it's kind of out of my wheelhouse as far as warrants and about law enforcement. But there's it may not hurt to think about if you want to include an exemption for law enforcement with a warrant. Might be something to consider. Thanks for the reminder. It's I was distracted.
[Michael Marcotte (Chair)]: When we had Todd up, we we can pull that over. I think something else that came up yesterday, I missed a lot of it, but it's a cure period, something you all heard about yesterday and we can discuss on that. And I think Tom Weiss has a suggestion that he'd like to bring to us. Tom, if you'd like to join us.
[Tom Weiss (Public, Civil Engineer from Montpelier)]: Morning. I'm Tom Weiss, a resident of Montpelier and a civil engineer, and I appreciate your giving me a few minutes, shoehorning me into what might or might not be your last session on this on this bill. And this morning's testimony goes back to my testimony last week on h two eleven. I have not heard why this is being placed into a separate subchapter 61 a instead of making it a a separate anyway, it's a new chapter 61 a instead of into a subchapter of the existing section 62 or chapter 62. Pardon me. And my experience as an engineer with contracts and specifications of drawings is that repetition can cause problems and in some cases significant problems. Last week, I recommended that you move some definitions around within chapter 62. And I asked that definitions of terms used in more than one subchapter be placed in the subchapter one, which covers the entire chapter 62. And now genetic I see that genetic data privacy is really a subset of chapter 62 and not a new subchapter. H six thirty nine will create two distinctly different definitions of genetic data. This will cause and I believe my letter has been posted on your site for today. Okay? And and it's that comparison of the two definitions of genetic data that is my concern. They're not the same. Some of them are significant differences. Epigenetic markers are no other there or other sources have been removed, and there were slight changes in words. And my experience with contracts and specifications is that whenever you say the same thing two different ways, it creates loopholes and unnecessary confusion. So and even if you were to change the definition in h six thirty nine to match the definition that's now in chapter 62, then sometime in the future, some legislature is going to change it and create the confusion. 
So what I'm suggesting is that you move what is in chapter 61, genetic data privacy, into a new subchapter in chapter 62 and make the definitions uniform. I I don't understand why genetic data should have two different definitions in two different chapters. I I think it should all be the same. And, you know, the chapter 61 a definition has a whole list of what's not genetic data, which is not in chapter 62. So a company that's working in both realms, which do they have to follow partly, I guess, depends on context, but I I'd rather that that not happen. So that's my comment today is that I don't see why it's a new sub a new chapter 61 a and that it should be a sub chapter in 62.
[Michael Marcotte (Chair)]: Thank you, Tom. You're welcome. There's a question in the Pardon me, doctor. For legal counsel.
[Rick Siegel (Office of Legislative Counsel)]: Want me to respond? Okay. So I missed that conversation. I think last week you were
[Michael Marcotte (Chair)]: here about that,
[Rick Siegel (Office of Legislative Counsel)]: so I haven't had a chance to digest that. I thought about putting it in 62, which is where you have the age appropriate design code, you have the Security Breach Notice Act, you have the data brokers. To me, and it is a legislative council position, by the way, it's like, I want to leave with that. To me, the way I'm thinking about this is you're going to have some type of data privacy law, probably, at the end of the session. And we're not gonna stick data privacy in Title 62. It's not gonna work. That title was meant for, initially, security breaches. That was the point of that title, when it was created, or that chapter in that title. So, I did think about putting this genetic privacy in there, because it is public personal information. However, with the genetic data definition, that is in that title that is, by the way, only used for the age appropriate design code. That's the only time that definition is used, is my understanding. So I can look at it again, but I looked at it several times when I was actually doing this. And I'm thinking I do want data privacy to have its own chapter because it's going to be a comprehensive type of thing. And this genetic data privacy would live in the data privacy chapter, which, again, will presumably have a comprehensive data privacy law. So but again, I I I appreciate the analysis, and I'm glad someone else is looking at the green books along with me. That's helpful. And I really am trying to keep it as clean as possible and also thinking about the future and where we're going to put these things. So. And I know, Herb Olson, you may have some suggestions too with your history.
[Herb Olson (Member)]: I'll leave that for you. Okay. I mean, I haven't wrapped my head around what specific definitions in the existing chapter 62 might be in conflict with what we've got here. So I I don't really have my head around that. Yeah. And and I think what you're saying is that there's no conflict to to the extent that they're different. They're different because you're dealing with a different subject. That's what I'm hearing.
[Rick Siegel (Office of Legislative Counsel)]: Yeah. The the when you have a a chapter and you have a sub chapter that has definitions that apply to every sub chapter in that chapter, which is what 62 is, you're picking up on a box and sometimes you don't wanna use. You know, consumer is a great example. We typically have the same definition of consumer. Like, that's pretty but ubiquitous. But this is a specifically genetic data privacy law, where it might be more detailed than you want than the age appropriate design code genetic data. So I think I have faith that our businesses will know where to look for compliance and how we expect them to comply. But that's my opinion.
[Michael Marcotte (Chair)]: You.
[David "Dave" Bosch (Member)]: Morning. Morning. So nice, I guess.
[Todd Daloz (Assistant Attorney General, Vermont AGO)]: The record, Todd Daloz, assistant attorney general at the Vermont AG's office. My apologies for missing the first part of markup, but happy to answer questions if there are elements I missed. The three things I noted down were a question about warrants and law enforcement access to the data. Maybe a further thought to your question, Rep. Bosch, in terms of in terms of sorry, but in terms of that discrimination question you were asking about. And then I can happy to share our thoughts on a cure period. Was that were those the main three? You know, on the warrant point, I I would say I looked at both Virginia and California are sort of the main models for this. Neither of them has an exclusion for warrants. I think in the cases like the Golden State killer, which I think is sort of the big famous one, a lot of that was was crowdsourced. Right? So individuals choosing to engage on their own with their own data and sharing information and looking. I don't think it was a law enforcement seeking information from a testing company. So that's just by way of thinking those two pieces through. The third piece I would say is, you know, any kind of broad access to law enforcement would be concerning without a judicial check. I don't know if I need to talk more about why that might be of a special concern in the current moment, but we would certainly say that would be really important. And I I would almost say if it's something the committee wants to engage in, I would look to Ancestry and the industry to see what to what degree they're concerned about that. From our perspective, of course, we wanna enable law enforcement to carry out their investigations in appropriate manner. We trust from law enforcement. That's not a concern, and we just wouldn't wanna open the door too broadly in case there are unintended consequences there or we're solving a problem that law enforcement may not see. That's warrants. 
On the discrimination point, Rutland, I think other folks talked about this. And maybe it's maybe you the committee discussion sort of responded sufficiently, so I don't need to open that again. I would say the way we look at that, if you don't pay for the service, you don't get the service. Right? If it's a fee for service. And I think we heard yesterday from Richie, you know, the three big players, that is how they operate. They're not in the free data or rather it's never free. Right? That's what I tell my kids all the time. You I prefer we pay for the app, then you get the free app because the free app is just you're paying for it otherwise. Be amazed how little a 12 year old cares about their data. So putting that to one, think there were a number of examples that I would just rehighlight because like what that the way I read that provision is you can't a company can't offer a gold level membership if you waive the express consent requirements for any transfer of your data. Right? We'll give you all this additional benefit for no extra cost if you waive these rights. That's kind of the main piece or if you exercise the rights and you say, I'm not gonna consent to you transferring the data, they can't say then you don't get to use the system anymore even though you're paying the $600 a month per year. That's how I look at it. I'm not aware of a business model that is it's free if you agree. That would be prohibited. And I would say the same language as in California, same language as in Virginia. And the way I look at it, industry is not paying that much attention to 635,000 potential consumers. They're gonna pay a lot more attention to the fifth largest economy. So to the extent that helps provide a little support. The cure period I mean, I said yesterday, our general position on this is any kind of disclosure that's not authorized and is a violation of the law. I just don't think there's a cure.
I mean, I think it's as simple as that. Once the data's out, the data's out. Now what Ancestry said yesterday, I think, is important to think about, but I will just give a lawyer's perspective, this lawyer's perspective, on it. If my data gets out there after I've engaged with Ancestry and I sue Ancestry under this law that were passed, and Ancestry said, woah. Woah. Woah. We used this lab, and the lab had the breach. You should sue the lab. That's something that's gonna work out in litigation. My engagement is with the company I'm engaged with. Now they may have a contractual agreement with the lab that requires indemnification. I hope they do. There may be an additional action against that other company. I may have sued the wrong party, but that doesn't mean that there shouldn't be the ability to seek redress when your information is disclosed without your consent. And so that's what we'd say is we don't believe there should be any kind of cure period for any kind of disclosure. Right? You sue the wrong party, they're gonna get it dismissed. That's how the legal system works. I understand, you know, the question about minimizing litigation. I think this committee's heard that a lot. I think rep Cooper asked a really valuable question. It's like, who's tracking that data? Is the AG tracking that data? What are you seeing it I will say anecdotally, again, we don't see it in April. We don't see a lot of that kind of vexatious litigation. I didn't hear about it happening in Wyoming, which is another state that has a private right of action in the genetic data space. So I don't know if we're hearing about, you know, a concern that is existent or one that is, like, somewhere out there. And, you know, I can imagine a world in which some of the more technical violations Was this a clear and conspicuous notice or not? When we bring an enforcement action, we're gonna have that conversation. Right?
It's cheaper and easier for Vermont and for business to come into compliance fast. That said, you know, if you see it a lot or you see a business practice, you stop providing that prosecutorial discretion. But we feel like where we sit as the AGO, that cure period is already our business process by March. So we don't see a need for it, but I recognize that's something the committee is going to discuss.
[Emily Carris Duncan (Member)]: Can you talk me through, so I'm a consumer. I feel I had an account with one of these companies. My data got out there. I personally get a lawyer and sue them. And they respond to me, not to you, right? So this is without a cure period. They respond to me and say, your claim is false?
[Todd Daloz (Assistant Attorney General, Vermont AGO)]: So there are a lot of different ways it could go. I think most lawyers would send a letter to the company saying, my client is this person. Here's the information. We believe you're in violation of this, and we believe there's, you know, here are the damages under $24.61, which Rick laid out in response to your question. And then there'd be a negotiation or conversation around that. I think it's not frequent that a lawsuit is the first step in that. But again, I
[Kirk White (Ranking Member)]: And then if there's
[Emily Carris Duncan (Member)]: a cure period, I send them a letter that says, I think you violated my data. I think you did something with my data. And they reply back to me, we have fifteen days to look into this. Is that the difference?
[Todd Daloz (Assistant Attorney General, Vermont AGO)]: Well, I think there could be a number of different.
[Emily Carris Duncan (Member)]: And I'm just making up
[Todd Daloz (Assistant Attorney General, Vermont AGO)]: a Yeah. So if we can go into the concern I'll give you the hypothetical in the concern space, not the not concern space. The not concern space is, yes, they fix it. Everything's fine. Nothing bad happened. The concern space is you send that letter. They've had an let's just say it's like their notice is not clear and conspicuous. And so however many customers who have engaged in that not clear and conspicuous notice to the point in time where you sent the notice letter have consented to something that wasn't clear or conspicuous, was in violation of the law. Maybe they agreed. Maybe it was a one checkbox on a 50 page terms of use that allowed for free transfer to any number of third parties or allowed disclosure in other ways or use for other purposes. If that it's the clear and conspicuous notice. So they technically haven't necessarily violated the transfer part of the law. Right? Because you consented to it. But, of course, you didn't really consent within the meaning of the law. So some kind of damage may have occurred during that fifteen day, but they could be selling all that data with your consent for fifteen days to every data broker out there or wherever else. Again, I don't believe Ancestry would ever do that. I think most of the actors in this space are totally reasonable. But that's the scenario. Right? You can still have a technical violation. You can have a fifteen day period. And up to day fourteen, twenty three hours, and fifty nine minutes, they're still operating within the bounds of what is appropriate. And then, you know, again, these are very savvy companies. How hard is it for them to make that technological shift to make something more clear and conspicuous, etcetera? So that's the reason it's different.
[Abbey Duke (Member)]: Thank you.
[Todd Daloz (Assistant Attorney General, Vermont AGO)]: And theoretically, until that fifteenth day, you don't have a claim for whatever damages occurred.
[Herb Olson (Member)]: Couple questions. Retaliation and what that means. And I was positing, so a consumer revokes consent, that would confer an obligation to destroy their data rights. And I'm thinking, well, the company might need that data in order to perform some other services. Would they be able to say, would it come within the definition of retaliation for the company to say, well, we can't provide those services because we don't have the raw material.
[Todd Daloz (Assistant Attorney General, Vermont AGO)]: Recognizing this as a hypothetical, it's not making a statement about any future enforcement action should it happen. I would agree. Right? I mean, it's the I think I'm not sure if it was Rep Duke or not. But if you don't pay, it's not retaliation to say, well, you're not paying for the service, so you don't get the service. Right? Similarly, if you don't and I think this was both you and Rep Carris Duncan. If you don't have the genetic material that can't provide the service, that's not retaliation. That's an impossibility. And that would be the defense. I think retaliation would look much more like you wouldn't allow us to transfer the data. We're gonna charge you more. We're not gonna give you access to what you've had access to previously.
[Michael Marcotte (Chair)]: Another question? Yeah. I'm trying to keep it to this cure period, but we've already gone down. I hope you Let's finish it.
[Herb Olson (Member)]: I can wait. Go ahead. Okay.
[Michael Marcotte (Chair)]: Go ahead and finish it. I'm happy.
[Herb Olson (Member)]: Oh, okay. I was thinking about the warrant issue, and you got state law enforcement, you got federal law enforcement, and there might be a difference in level, but you talked about trusting the process in terms of that warrant and the standards around that kind of. And I would move you around state enforcement. I've had a little qualms these days about some segments of federal law enforcement. What's the question? Yeah, but in any event, I know very little about pharma, and if we wanna explore that, we should probably ask others.
[Michael Marcotte (Chair)]: Sorry,
[Herb Olson (Member)]: Virginia, no one else.
[Bridget Morris (Representative for Ancestry)]: Yeah, may I just weigh in first? Do have Bridget Morris, Ultra Strategist, also here on behalf of Ancestry, and I thank you for her and Richie's testimony. I just wanted to clarify one thing that in Wyoming under that cure period, there has not been a frivolous lawsuit, but I would say under the genetic and biometric laws in Illinois and PRA available there, they did have a number of lawsuits that were threatened against them that did not actually turn out to rule against them ultimately. But so it has happened in the past. I think the valid reasons for wanting that kind of cure period that exists in Wyoming, and one could say part of the reason they don't have those frivolous lawsuits is because there is that cure period which offers that extra hurdle.
[Abbey Duke (Member)]: Just wanted to clarify.
[Michael Marcotte (Chair)]: Bridget, can you give us information from the press committee on police warrants for
[Bridget Morris (Representative for Ancestry)]: Yes. I would just say that I actually had to look through the bill again because I think we assumed that it was in there. But I think typically in other genetic privacy acts, which I just need to reconfirm this, that it does mention that there is an exemption for law enforcement and a valid legal process. But if you want, I can try to find my clients at some point in the next twenty four hours to discuss what other states have that in there now.
[Todd Daloz (Assistant Attorney General, Vermont AGO)]: Yeah, didn't see it in California or Virginia, which is just what happened.
[Michael Marcotte (Chair)]: It's on the council. So
[Rick Siegel (Office of Legislative Counsel)]: again, example, council, I'm quickly researching this. Montana has requiring a search warrant for a court order. It's not clear based on this bill, a search warrant wouldn't necessarily, I think the answer to your behalf is on policy, a requirement for it, but that's not law, that's their own policy. So it's nice that they have that policy, but not every company may have that policy. Absent a policy, if the company receives a request from law enforcement, if it's voted to pass, then my reading would be they would need to consent to the consumer and maybe you want that. I'm just saying that's something
[Michael Marcotte (Chair)]: to think about. Regarding court
[David "Dave" Bosch (Member)]: requires it. I can't refuse it. Right. Like, I mean, says we want this information. You're absolutely right. Like, I feel like this.
[Todd Daloz (Assistant Attorney General, Vermont AGO)]: So think about iPhones think about search warrants that Apple fought for a long time about how to crack an iPhone to get information for law enforcement. Right? I mean, it's a lot of litigation. I'm not an expert in where that might play out, but I think a company would wanna be really careful about whether in response to a just hypothetically a New York search warrant on a Vermont consumer, whether they're violating whether they're gonna fight in New York court over that warrant, or they're gonna fight in Vermont court over disclosing data in violation of her. Again, I might, I would wanna hear from the industry about how frequent that is. I think the scenario, and again, I'm looking at Virginia and California. I don't see it in those two states. I just don't know if this is a solution that doesn't really have a problem behind it or not. And there may be a carve out exactly along airlines. Like, oh, it turns out in the space, you know, the court gets to say so.
[Michael Marcotte (Chair)]: But okay.
[Abbey Duke (Member)]: I have a novice question. Since
[David "Dave" Bosch (Member)]: Vermont
[Abbey Duke (Member)]: has had our consumer protection law for quite some time, do we often get an influx of would be frivolous lawsuits?
[Todd Daloz (Assistant Attorney General, Vermont AGO)]: So I spoke to this a little yesterday, and Jonathan asked a great rep Cooper asked a great question, which is do we track that? We are not aware of that happening. That's the short answer. There's not I was talking to a lawyer earlier this morning about, you know, how you would go about there's not an easy way to search all the dockets and all the cases, but it is not something that we are aware of. We certainly don't see appeals and things like that because I think, generally, we have notice of what's at you know, the Vermont Supreme Court is a sort of focal point to pay attention to rather than every superior court in the state, but we're not aware of it.
[David "Dave" Bosch (Member)]: So I guess I just don't understand the legal processes. So if a judge says you have to hand
[Michael Marcotte (Chair)]: something over, a company can say no. There's appeals processes to that for Oh, okay.
[Abbey Duke (Member)]: And also, they're a person, legally. A company is a person, so they still have the same rights as a person. And they also technically have a right to privacy.
[Todd Daloz (Assistant Attorney General, Vermont AGO)]: By way of example, there are times that the state gets sued for various reasons, and we may get a subpoena, which is a kind of private one. And we've we might fight those for various reasons. Judicial orders, we are less likely to fight, but we also have a little flexibility as the state. I think, you know, you you there are certainly examples out there. Another one would be freedom of the press. Right? Another one that's germane in the current moment. That's a similar So right
[David "Dave" Bosch (Member)]: now, in putting in an exemption would make it easier for people to get that. And it sounds like other states haven't done that.
[Todd Daloz (Assistant Attorney General, Vermont AGO)]: At least the two that I have static copies of their statutes in front of me.
[David "Dave" Bosch (Member)]: My opinion? I would say
[Michael Marcotte (Chair)]: Well, I mean,
[David "Dave" Bosch (Member)]: that's it's not broke, let's not fix it.
[Michael Marcotte (Chair)]: It's unfortunate. It's one of the questions we ask in the question. And the other question is cure period. So let's start with cure period. Got ten minutes. Let's start that discussion. We're definitely not going to finish this up to bed. Where where are people at? What are they thinking about? Do you wanna include in the state of town?
[Anthony "Tony" Micklus (Member)]: I can start. I think there should be one. I think, to me, any sort of speed bump to prevent frivolous lawsuits is good. You know, to their point, there were in other states frivolous lawsuits, and okay, maybe they didn't amount to anything, but those companies were still sacrificing time and resources and manpower to fight those. And I think to put a little bit of a speed bump in there, yes, the cat's already out of the bag, but how much more? I mean, it's already I don't know. Is it fifteen or thirty days is gonna make much of a difference?
[Michael Marcotte (Chair)]: I guess the cat's already out of the bag. How do you cure it? Right? But it's supposed to be a cure period to fix something. How do you fix something that's already out?
[Anthony "Tony" Micklus (Member)]: Well, I think it allows yeah. I guess that the question becomes, is the cat really out of the bag? And that gives them opportunity to figure that out.
[David "Dave" Bosch (Member)]: So I would agree that cure period is fine. I don't know. Once it's out of the bag, it needs to be in the possession of a third party. So there's nothing you can do about that anyway.
[Herb Olson (Member)]: But, you know, allowing
[David "Dave" Bosch (Member)]: allowing time when it's obviously cutting down on lawsuits in other states, think that's probably a good idea. I will add in, don't know if I wanna put an exemption for law enforcement if it's already taken care of.
[Michael Marcotte (Chair)]: Let's see. Let's stick with the kisser. Sorry. But he also want to wait.
[Herb Olson (Member)]: There appeared when we're talking about that we're. Talking about limitation on a private right of action, right, for a limited period of time. And we're also talking about retaining, you know, whatever enforcement authority the AG has, right? I think that's encompassed within the care. On the latter point, I think are our agencies needing us as enough help as much help as they can to address you know, these are pretty complicated. I know it's just a few companies, but these are pretty complicated issues that I certainly like to have the expertise to do that, know, to do respond to a claim or whatever. I'm not sure that they have that resource up front to do that. On the concept of cure itself, it just strikes me that the data is so personal. It's so wrapped up in who you are. I'm a little worried about putting limitations on the ability of an individual who's really upset. You know, maybe not a technical violation, but it really goes to the heart of what we're trying to do here. So I'm a little reluctant, but I'm willing to listen. Jonathan?
[Jonathan Cooper (Member)]: Good morning. One of the things that I'm thinking about with respect to cure periods is if these if the accuracy that we've talked about these if these things are as precise as we presume them to be, or have been speaking about them as, are requests ever coming from the wrong people? People that don't have standing, or who aren't, or maybe misunderstanding which individual's data or something like that might be part of the breach. I'm curious to hear if that's a relevant factor. The sort of mistakes in a presumption of the accuracy of what we're sort of talking about. Are we is it a 100% all the time, and therefore any request being made or notification being made is automatically correct? Or is it something where there is human error on all sides and that's sort of what a cure period can help ascertain.
[Unidentified Committee Member]: I guess I generally not a fan
[Abbey Duke (Member)]: of the cure period because of the weight of the data that is being collected. I would say, I also think it sounded like from the witness yesterday that they are I would assume that a company that gets this information that is like, we're going to be sued, would check right away. So if there was going to be a cure period, I don't know why it couldn't be as something as small as like forty eight hours or something. But I also just politically am just curious if we want to do a cure period on the house side when this will be lobbied on the Senate side, and that could be an easy gimme for the Senate to add as well. The record.
[Jonathan Cooper (Member)]: I think, as a briefer time period, I think, Rupris, that makes sense to me that it doesn't need to be thirty days. I think what we're talking about is something that is very automated. And I think the fact that these periods exist elsewhere means that people have systems in place and I doubt that anyone needs more than, you know, I can see forty eight hours being a sensible number. But I also take your point that this is the beginning of a negotiation between chambers.
[Kirk White (Ranking Member)]: Yeah. I mean, I guess I agree. I think I'm fine with the cure period, but I think it should be short.
[Herb Olson (Member)]: Right.
[Kirk White (Ranking Member)]: Forty eight hours, two business days.
[Edye Graning (Vice Chair)]: I hear the fear about frivolous lawsuits. I'm comparing the damage done to an individual versus the damage done in a frivolous lawsuit, I'm going to weigh on the side of the person, not the individual. So for me, the frivolous lawsuit question is not an issue. Whether or not someone is trying to doesn't have standing or that kind of thing. One would presume that they have an attorney that would be helping them with that decision. So, I feel like either a cure period is not necessary because as we've heard the data is already out there and so if we were going to do a cure period, I still think yeah, it would have to be short, very short forty eight hours, twenty four hours, something just long enough for them to the company to look and
[David "Dave" Bosch (Member)]: say, yes,
[Edye Graning (Vice Chair)]: we see a different problem, or we don't see a different problem. But it doesn't strike me as the kind of thing that would require a lot of consideration on their part. They should have that data available.
[Abbey Duke (Member)]: You want me to talk? Normally,
[Emily Carris Duncan (Member)]: I'm a huge fan of cure periods. I think they make a lot of sense. And I have real concerns about this specific data needing a cure. So when we refer back to Biometric Illinois law that was 2008, it was a really badly written law that didn't get updated for more than ten years. And that's why they had so many court cases and needed cure periods and had to do all kinds of things. This is a law that is in effect in 14 other states, pretty darn close to exactly this. I'm not sure we need it here.
[Michael Marcotte (Chair)]: When I look at the term cure period, that means we're giving them time to fix something. Right? Can't fix something and the cat's already out of the bag. How do you fix that? So why should we have a cure period to fix something that can't be fixed? I want to take you back to last year, we did kids code. We didn't include cure period in there because we understand reason why you shouldn't have a cure period, the reason why we have a PRA in there, because that's bad stuff. Same goes with your own personal genetics. If it gets out, that could be really bad stuff. Why wouldn't we give a person that has that harm the ability to sue? I understand it in the broad context of data privacy. And I was, I mean, wholeheartedly supported a cure period. Because those things can get fixed. You can stop a company from The company can stop doing whatever they're doing, sharing your data. This is a little different. This is your genetics. So, I mean, the committee's willing to provide a cure period, I mean, I'll go along with it, but I see a need for it first.
[Kirk White (Ranking Member)]: Honestly, that makes sense.
[Rick Siegel (Office of Legislative Counsel)]: I
[Abbey Duke (Member)]: guess for me, I keep thinking about the forward technological world that we are wandering into And having this level of, I mean, highly sensitive, I don't think even gets to it, pays to the point, this is you, the making of you. And so I don't know, we're going into a blank space. I'm not sure what's going to happen, but there's a lot of very powerful technology that's being created. I think we need to be mindful and protect people. And I also really do agree with the point that in this situation, when the information is out there and given how fast information can be disseminated, it's kind of out there. And it's very hard to get back into track. I also trust what the AG's office is saying. It seems like they feel comfortable being able to handle it. So I don't know that a cure period is necessary. Yeah, I don't think it's necessary in this case.
[Michael Marcotte (Chair)]: Jonathan, did you want to say anything?
[Jonathan Cooper (Member)]: Think I should just to clarify, a cure period doesn't preclude people from suing. It just does for the length of the period. Is that correct?
[Emily Carris Duncan (Member)]: It slows down the start date
[Edye Graning (Vice Chair)]: of the lawsuit.
[Jonathan Cooper (Member)]: Yes. And I just part of my thinking was the cure period both is a cure to cure, to write a remedy. I also thought understood it to be we have entered a serious phase in which legal counsel on both sides are communicating with one another, And there is, it seems like I didn't see that period of time as impeding somebody's actions so much as sort of preflight, like taxiing on the runway, and preparing for those actions, which should only be done, I think, in consultation with qualified legal representation. That's why I felt pretty comfortable with a very short window of time as opposed to something that was that our witness seemed to believe was much more time than was necessary. Thanks.
[Michael Marcotte (Chair)]: I think that's part of the process. You file suit, lawyers are gonna have that back and forth. And so, I think as Todd brought to us, and I've they've been Edye as well, that there's the longer you let it sit there, the more time they have to continue to conduct whatever frivolous thing that's going on until you get to that stopping point. So I think the minute you file that suit, then hopefully, they're taking a look and saying, uh-oh, made a mistake. And it stops. So we have to go, but committee, I'd like you to really think about the two things that we've discussed. Warrants and cure period, and we'll set some time up for some time early next week, maybe late in the afternoon or we may come back after talkuses in afternoon when we've got a side moving thing. So, let's think about that. Maybe we can take a little time tomorrow to have further discussions. We need more drafting. We can get it through it. Okay. With that, we're over in Room 270 for a hearing for the outdoor rec.