Communications Litigation Today was a service of Warren Communications News.
Enforcement, Coverage Differences

Vermont Rep. Priestley Says Rival Privacy Bill Favors Big Tech

February 28, 2025 by Adam Bender|Top News

Vermont Rep. Monique Priestley (D) criticized a comprehensive privacy bill introduced Thursday in the state Senate. Sen. Thomas Chittenden (D) introduced S-93 on the same day that the Senate Institutions Committee started walking through the Senate version (S-71) of Priestley’s previously introduced H-208, which also seeks a broad data privacy law (see 2502130013).

S-71/H-208 “is the result of extensive consultations with stakeholders and fellow New England legislators, designed to balance strong consumer protections with the needs of businesses,” Priestley told us Friday. The Chittenden bill, “in contrast, appears to favor the interests of large technology companies at the expense of consumer protections,” said the state rep. “I will continue to fight for strong safeguards against the exploitation of Vermonters in 2025.”

Chittenden, whose bill is pending before the Senate Economic Development Committee, didn't comment Friday.

S-93 "is a Connecticut-style comprehensive consumer privacy bill with heightened protections for certain health data," said Keir Lamont, Future of Privacy Forum senior director.

One key difference from Priestley's bill is that S-93 says that the attorney general would have exclusive enforcement authority and that the proposed law wouldn’t provide a basis for a private right of action. Gov. Phil Scott (R) vetoed last year’s version of Priestley’s bill, including due to the private right of action that would have made Vermont an outlier among states. However, Vermont AG Charity Clark (D) supports allowing individuals to sue (see 2501270025).

Among various other differences, the bills contain different data minimization language. Chittenden’s bill says data controllers “shall limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which the data is processed, as disclosed to the consumer.”

On the other hand, Priestley's bill says entities must "limit the collection and processing of personal data to what is reasonably necessary and proportionate to provide or maintain: (A) a specific product or service requested by the consumer to whom the data pertains; and (B) a communication, that is not an advertisement, by the controller to the consumer that is reasonably anticipated within the context of the relationship between the controller and the consumer.”

Similar to Connecticut's law, S-93 would cover for-profit entities that do business in Connecticut and control or process personal data of at least 100,000 consumers or controls or processes data of at least 25,000 consumers and derives more than 25% of its revenue from selling personal data. S-71/H-208 has lower thresholds, setting the above consumer numbers at 25,000 and 12,500, respectively.

Senate Institutions Committee members went line-by-line through S-71 with a legislative counsel at meetings Thursday and Friday. Earlier Thursday, the committee cleared the Senate version of another Priestley bill that would require companies to follow an age-appropriate design code (see 2502270029).

Vermont state legislators have next week off. When they return, they will have days to meet a March 14 crossover deadline for policy bills.

"Every state that has established a comprehensive consumer data privacy law, now over 15 states, has opted to invest enforcement authority with their respective state attorney general," said Computer & Communications Industry Association State Director Megan Stokes in an emailed statement. "Pursuing a privacy bill with a broad private right of action is one of the main reasons the Vermont Privacy Bill was vetoed by Governor Phil Scott in 2024."