[Michael Marcotte (Chair)]: Good afternoon, everyone. This is the Vermont House Committee on Commerce and Economic Development. Again, Tuesday, March at Yeah. I can't sing it
[Unidentified Member (Committee Member)]: too soon.
[Michael Marcotte (Chair)]: We go on standard time on this clock. Eastern, this is our clock in right there behind me. So we've, our Deputy Attorney General has returned, and so proud of welcome, get forward to your testimony on 02:11.
[Talenden Lewis (Assistant Attorney General)]: Thank you, Chair. My apologies for keeping us waiting on that. Talenden Lewis, Assistant Attorney General, here to speak in support of H2 11. I think we've been on the notes already still. So again, reiterating our broad support for where H2O is going and really wanting to highlight the work that this committee has done over the course of years and certainly around balancing the need to protect consumers and consumer data while still allowing legitimate commerce to continue. I think it's an incredibly fine line, an incredibly important level. And I think H2 11 is moving in a very valuable direction. And of course, be considered within the broader context of data privacy. Say that knowing that you already passed H639, which you're in bit, and that in the offing is the current cornerstone data privacy bill that came up from the silent session. We very much view 2.11 as part of a broad continuum there. I think appropriate design to a degree fits into that from last session. And we think the data brokers should play a really vital role in the regulation and safety of online privacy for consumers. I think where 2.11 stands currently strikes a good balance. Think I especially wanted to touch on, I think you've heard testimony on, is it an entity level exemption? Is it a data level exemption? Or is it a use case exemption? And just speaking to that point, I think we certainly support use case exemptions because they speak to legitimate needs. The one that popped into my head having a conversation with somebody in
[Michael Marcotte (Chair)]: the industry who works in
[Talenden Lewis (Assistant Attorney General)]: the fraud detection space here and there to the hearts of consumer protection advocates. We want to make sure we're eliminating the frequency of fraud, and those various fraud protection programs and products allow for that. That said, let me give you an example. So let's say I was signing up for a bank account trying to get access to my partner's bank account And I needed to go through some kind of identity verification and fraud prevention and questioning. And it asked me a question, where did you live in sixth grade? And the entity may have the company that's running the fraud protection may have like that data on me. They may know where I lived in sixth grade and be able to answer that, confirm my answer appropriately. That may be, and it's a policy decision, that may be a very valuable use case for data brokers. What I would argue is we wanna make sure that the use case is just for fraud detection. Because if we imagine the scope of information that could be considered important for data verification in a fraud prevention context, it could be any. And it's appropriate potentially in the fraud detection space, but not to be used more broadly. Am I making sense there that if you open the door and say, you can do fraud protection, it should be constrained to a room that just says, but you only use the data for that purpose, not being stolen. I think that's largely what the balance to a left strike does. Beyond all that, I think we are comfortable with the changes that Rick walked through for you earlier from the Secretary of State and the FR to support those. We'll continue working closely with Secretary of State's office in terms of technical questions before the break on how we ensure that the right monies get paid where in the enforcement section. 
Happy to walk into that if that's helpful, but we'll work out an MOU to ensure that the right amounts cover the costs and we certainly do that in clear investigatory spaces. The other two points I just wanted to look at, some enforcement sections and just maybe make a suggestion in some specific language.
[Unidentified Member (Committee Member)]: Page 25,
[Talenden Lewis (Assistant Attorney General)]: this is notice requirement under the breach notification. Is existing language taken from which there's the data broker and then there's the security breach, the existing language. There's language in here that allows for an exemption from the notice requirement that essentially says, if you think you've been breached but and the language is, it is not reasonably possible for the information that has been captured through the breach to be misused, then you can just tell the AG's office, right, it is not reasonably possible to provide us with detailed explanation for the determination of the AGO. Now arguably there, if we disagree with that determination, we're going to issue a CID, a civil investigative demand and go into a full investigatory phase. So we believe we've got that authority, but I think it's appropriate to say if you're looking at this language that we should sit in the place determining whether it is reasonably possible for the information to have leaked out and not leave that solely for the data broker or the entity in question, That there should be a clear and express check on. Again, we think we've got that authority under the law and we would use it. It's a small suggestion to make in that section just to allow us a little bit more give and take when we get that notice that says, hey, we had a breach, but it's not reasonably possible. Here are the three reasons why we think it's not reasonably possible. We want to be able to engage directly at that point in time in a conversation with the potential victim of the breach directly at the entity, obviously, to the consumers, information that's taken. That's one. And then the other is a much smaller edit, but just change to the way that the enforcement language is provided. And I can talk to Rick about it. I don't think it's particularly material. 
It's just simplifying the language and making it clear that we have the same authority as provided under Chapter 63 and not listing all the types of authority we have, we can succeed your claim. That's page 26, line
[Unidentified Member (Committee Member)]: six. Those
[Talenden Lewis (Assistant Attorney General)]: are the main points I was going to raise again. We see this as a really important block in the privacy structure that you're building.
[Unidentified Member (Committee Member)]: So thanks very much, Tom. It was kind of interesting how the enforcement divisions are constructed in this whole chapter. It looks like each sub chapter deals with a little bit different matter and each one has their own enforcement section. And I was zeroing in on the pushing around, the subsection around registration. And it's being expanded to
[Unidentified Member (Committee Member)]: include
[Unidentified Member (Committee Member)]: a lot of other requirements around what has to be on the website and how people can read their information. And I'm looking at the enforcement section, and it doesn't include all the penalty of attorney general tools, I guess. And number one, was wondering what you thought of that. And second, this just seems to
[Michael Marcotte (Chair)]: be a real core important piece of it.
[Unidentified Member (Committee Member)]: And I'm wondering if you have all the tools that you need to do this. I'm thinking in particular, some regulators have the ability to go in and do periodic data without knowing, without having consumers complain to you. Sometimes these things are hard for consumers to understand whether they have the right side. So I'm wondering whether there's some sort of proactive examination authority would be appropriate just for that kind of. Sure. So answering your first question, we're looking, I guess, at line six through eight on page 37, which is
[Talenden Lewis (Assistant Attorney General)]: the existing language for enforcement authority. Think what Rick walked through earlier, the broader language that exists under 2,447 chronically, 2,447 D, I think it is, says the whole subchapter provides us the same authority. I think it could make sense to do a cross reference to that here just to belt suspenders it. The second question is a bigger policy question. I think there, and I'm gonna use the artwork that I try and avoid when I testify. There's a resource issue with that. In the current moment, we operate very much on a complaint driven system because we have a limited number of attorneys and investigators who can do this work. Think there is certainly, and I think we'll get there in the data privacy space as well. But I think there's a real need that if I think that's appropriate. I think you're not wrong. The consumers are not necessarily going to be extremely knowledgeable of the harms that they may be suffering. And there may be a value in having some proactive audit type authority. And I'm not sure that I could sit here today and tell you, yes, here's how and here's when. But I think it's something to look
[Unidentified Member (Committee Member)]: Can you follow-up just a little bit? So the examination part that I'm familiar with in regulatory agency, it deals with that resource issue by saying, DFR needs to do a triennial examination of the banks or whatever, they don't necessarily do it with their own staff. I mean, they're connected to the staff, all the staff oversees them, but they usually hire a contractor to do that. So anyway, if you're talking about my conception isn't just that DHE would have to scrounge around for staff to do it. Sure. And
[Talenden Lewis (Assistant Attorney General)]: think going a little bit out on a limb, but I would say that's something we can support studying and looking at and then coming back to the committee to determine kind of what the scope and scale might be. Because I think there's still, you still have to hire the people and have the money to do the work to then potentially build back. And I think there's the absolute merit in that idea. I think we, yeah, we want to look at it.
[Michael Marcotte (Chair)]: Questions? Sorry,
[Unidentified Member (Committee Member)]: have a post lunch promo question. So this kind of feeds into a lot of different stuff. It's one like trying to do the use based exemptions versus just trying to bring in the California privacy exemptions that don't specifically get to brokers. But what you started off your testimony saying about around, it is important for the banks and insurance companies to be able to use strong, high quality data to do fraud prevention identity verification. Something dug into this whole last week, to learn that space in particular. And we have somebody that is coming from the identity verification space in general to talk about all of the options there and how that works. I guess I'm just your thoughts on the exemptions, especially when it gets to focusing on the Fair Credit Reporting Act and the verification piece when talking to I talked to a few different players that moved between the broker and the banking space and insurance space and that kind of stuff. They were saying, if banks and things like that are reliant on the quality thick recovered data that people do have legal access to correct the data, see what's in there, all that kind of stuff as part of our federal system. But then the whole ecosystem of data brokers that Matt was saying is not regulated, it's an unregulated market that could be used. Talking to people who are like, if the know your customer space, the KYC space, with the knowledge based verification of who is a person, are they who they say they are, based on information that's out there. If people are buying anybody at this point can go onto the dark web and find somebody's social security number, buy their credit reports, have information. So if I'm having those 20 questions through a bank not 20 questions, three questions usually or whatever. Anybody can go and buy my information, my answers to my questions. 
And generally, that verification method is actually not as strong anymore as other there's six different identification methods. But I guess that's a lot to say. I'm curious about your thoughts on the exemption specifically as we're trying to craft them on legitimate controlled regulated entities that have that information versus the whole ecosystem of other unregulated players in the space. It's a fine line.
[Talenden Lewis (Assistant Attorney General)]: Yeah, and I'm not sure I am I'm trying to make sure I am conceptualizing. So the question is really, I mean, we support the legitimate business uses that provide greater consumer protection. And some of those rely on data.
[Unidentified Member (Committee Member)]: Yeah, totally. Totally. Yeah, yeah.
[Talenden Lewis (Assistant Attorney General)]: So that legitimate business space, it's all a policy question for this committee,
[Unidentified Member (Committee Member)]: but we
[Talenden Lewis (Assistant Attorney General)]: absolutely support that use. One of my perhaps ill formed example earlier, in my head, it's like, how big is the door you're opening in the
[Rick (Legislative Counsel)]: wall and what's
[Talenden Lewis (Assistant Attorney General)]: through the door? And in my mind, it's like, you don't want to open a door that just eviscerates the wall completely because anybody can go in and out. Any data can come out of that door because that's a legitimate use, the door is. Whereas if you said like just the only people who can go through the door are the people looking for, again, fraud
[Michael Marcotte (Chair)]: detection.
[Talenden Lewis (Assistant Attorney General)]: And the only use for that data is legitimately fraud detection. That to me makes sense. And that's a reasonable policy determination and a reasonable use case. It is not any data used for, it can be used for any purpose. And so I don't know if I'm answering your question.
[Unidentified Member (Committee Member)]: No, you are. Yeah, that's the long answer.
[Talenden Lewis (Assistant Attorney General)]: Maybe this is the answer. The existence of people's ability to circumvent those protection mechanisms to me is not a reason not to continue supporting those protection mechanisms and carving out some of those protection mechanisms. Yeah.
[Michael Marcotte (Chair)]: Questions for Todd? Great. Thanks Todd. Thanks Rob, appreciate the time. Good ahead of schedule. Rick, do you have any place you need to be right now?
[Rick (Legislative Counsel)]: Nope, 02:45 actually is the time. I got it on.
[Talenden Lewis (Assistant Attorney General)]: So
[Michael Marcotte (Chair)]: instead of waiting till 04:00, what if you run us through 07:33? Sure. Oh, we have time now. So I just want you to go on with that. Mhmm. Give me one second to open the file.
[Rick (Legislative Counsel)]: I sent you, Mr. Chair, David. Did you see that? Yes. Okay.
[Michael Marcotte (Chair)]: That's what I'll hear. Just so committee notes two zero five, we're not going to take any testimony on that this afternoon. We have vice chair and I met with the interest and charities, made a pitch and asked them to take a look at it and get back to us by Thursday. We're going to delay action tomorrow for more legislative days to get people time to hopefully come up with an agreement that they both can support. We'll see what happens then. Okay
[Rick (Legislative Counsel)]: so I'm going to share my screen so you all can see the committee amendment, post committee amendment to H733 and you may have forgotten what H733 is. Introduced bill was a fairly long bill that would regulate franchises in the state maybe that brings a bill. Yeah. It was fairly detailed. Franchises would have to register at the state and their agreements would be regulated by the state. So this is now a three page bill and it's really been whittled down to how franchisers, franchisees, and now EdTech providers, which is a H650 connection, when they register with the state or make a filing with the state, they must provide information about their business. So I'll explain that. So we're in Title XI, the Business Organization title which we reorganized last year. That was the David Hall bill. So we would be adding a new section under the administrative provisions for business organizations. And this would be something that applies to just a couple different companies. And we have definitions here about data reporting. When they register, they must provide certain data. So the yellow, and this is confusing, is mostly for I should probably remember the yellow, this was for my editor, so they knew in fact that we need to do that, so if
[Michael Marcotte (Chair)]: you aren't too confused by it.
[Rick (Legislative Counsel)]: These definitions, the ed tech product and product that comes
[Unidentified Member (Committee Member)]: to your information section.
[Rick (Legislative Counsel)]: If you remember that bill, that bill regulated ed tech providers, they must register and pay a fee. But just a reminder that it means any student facing software, application, or platform that may collect, process, or transmit student data that is used for teaching and learning purposes in a school in Vermont. A filing means an initial registration, amendment, periodic report, or other filing with the Secretary of State as the Secretary may require. Franchisee and franchisor have the same meanings as in 16 CFR 436.1 that comes from the, well it's a federal cross reference. Number four is also an H650 definition of a provider of an educational technology product. I'm sorry, yes, provider of an EdTech product and provider meaning a person that operates an ed tech product that is in use at a school with or without a contract with the school or school district. A provider shall utilize geolocation and IP address tracking technologies to determine whether one of its contract free products is being used in the school. And that school means a public or independent school approved number 16 VSA one 66. Okay, so here's the substantive portion. Mandatory data reporting, in addition to all other requirements of a person registering with the Secretary of State pursuant to state law, a person doing business in the state as a provider of an educational technology product shall at the time of a filing, which is defined, provide the following. And all of this comes from H650.
The name and primary physical email and internet address of the person, a link to the most recent version of the privacy policy and terms and conditions of each product use, the name of each school or school district in which the provider is operating pursuant to a contract, the name and a brief description of each product operated by the provider, which products are known by the provider to be in use in any school or school district, and an attestation that each product being used in the school meets the standard set forth in nine BSA Chapter 62 Sub Chapter six, the HAPP and all federal and state privacy laws including the Federal Children's Online Privacy Protection Act. So if you're an EdTech provider you must provide all that information at the time of filing. If you're a franchisor or franchisee at the time of filing you shall indicate that you are operating as a franchisor or franchisee and you shall provide the name of the franchisor if you are operating as a franchisee. The effective date is 01/01/2027 to give the Secretary of State time to update the system, and this is just saying that the bill title will be updated because the current title I think is franchise agreements, which this bill is not now really directly about franchise agreements. It also includes ed tech and franchise registration.
[Unidentified Member (Committee Member)]: That's the what? That's the advantage. Okay. I'm not following what's happening here. That's what my
[Michael Marcotte (Chair)]: promise. Some pieces of $6.50.
[Unidentified Member (Committee Member)]: This is not a separate. This is
[Unidentified Member (Committee Member)]: Paid in two bills, make him one, then make it a lot shorter. Yeah. But,
[Unidentified Member (Committee Member)]: okay, which that's what I thought, but we're not amending any of those bills. This is just a separate bill.
[Rick (Legislative Counsel)]: So 733. Yeah.
[Michael Marcotte (Chair)]: 733 is on our wall. We're amending 733. To do this. So it's a strike all. Right?
[Unidentified Member (Committee Member)]: And this is what we're voting on. We're not voting on
[Talenden Lewis (Assistant Attorney General)]: it. Well okay.
[Unidentified Member (Committee Member)]: Right. Okay. Sorry. Let me rephrase that. If we were voting on it
[Michael Marcotte (Chair)]: Yeah.
[Unidentified Member (Committee Member)]: It's this language that we'd be
[Michael Marcotte (Chair)]: we would be voting. Yeah. Justice language. Well,
[Unidentified Member (Committee Member)]: it's odd for me. I'm getting confused by it and apologize. And it's probably because I'm just not used to this. I just wanna make sure because I have issues with the franchise thing. So I don't wanna but I don't have an issue with this language.
[Michael Marcotte (Chair)]: It was pretty dramatic. They're pretty So the idea is to start out with the registration. Right. So we have a better understanding of what's going on both school technology, educational technology front and franchise front. We really don't have nine year yet of what's out there, What schools are using, who's in the state, what franchisees and franchisors in the state. So it's trying to get a better handle on that before we actually talk about shouldn't we be putting regulation on any of these.
[Unidentified Member (Committee Member)]: Makes sense. And I
[Michael Marcotte (Chair)]: Is Edyeon?
[Talenden Lewis (Assistant Attorney General)]: Is she
[Michael Marcotte (Chair)]: Edye, do you wanna add any more?
[Edye Graning (Vice Chair)]: I don't know that I wanna add a whole lot more. I think Rick and I need to touch base a little bit, but this is more or less what we talked about with the Secretary of State so that we could get a baseline of who is in the state. And then we wanna have the agency of education dive in more to what to the rest of the information. And so
[Michael Marcotte (Chair)]: So there'll be there'll be more added. Did you wanna use 733 or 650?
[Edye Graning (Vice Chair)]: Doesn't matter.
[Michael Marcotte (Chair)]: Okay. So there's more more to be developed. I think this is what we have so far? Yes. Yeah. Just wanted to get that out to the committee. So Yep.
[Edye Graning (Vice Chair)]: And to let folks who have been following six fifty know that the number changed.
[Michael Marcotte (Chair)]: Right. So folks,
[Rick (Legislative Counsel)]: yeah. So I'll say if we're gonna add in the AOB, because six fifty the amendment had in language about the AOB study. If you want to add that this bill, I might suggest we use six fifty because you may have a germane issue at some point, which I can't testify to you. But in my opinion, this language is close to the original bill that regulated franchises. But if the bill becomes more about EdTech, then I would suggest it going to six fifty because six fifty also had regular registration. Right. So you just had franchises set up. So that's my 2¢.
[Michael Marcotte (Chair)]: Probably the way to go.
[Unidentified Member (Committee Member)]: Yep.
[Michael Marcotte (Chair)]: Okay. So we'll switch the numbers. We'll write a little bit more. We'll bring it back to the committee. We'll take more testimony so that we can hold this by the end of the week. Okay. Great. So we're time for a break. We're back at 02:45 to have discussions on 05:12. We'll be hearing from Cameron, from Susan McCourt, and from Todd from the AT's office. So with that, I think