United States of America: Vetoed Vermont Act relating to enhancing consumer privacy (HB 121) including cybersecurity regulation

On 13 June 2023, Governor Scott of Vermont vetoed the Act relating to enhancing consumer privacy (HB 121), citing significant risks and potential legal challenges. The Governor highlighted concerns over the Bill's “private right of action”, which could position Vermont as exceptionally hostile to businesses and non-profits. Additionally, the “Kids Code” provision, aimed at protecting children, was noted as potentially violating the First Amendment. The complexity of the Bill, alongside its expansive definitions and provisions, was also mentioned as a burden for small and mid-sized businesses, potentially placing them at a competitive disadvantage. Governor Scott suggested looking towards Connecticut’s data privacy law as a model for achieving consumer data privacy and child protection without the associated risks. The Bill would have introduced cybersecurity incident reporting requirements for data brokers, defined as a business that sells or licenses personal information to third parties. In case of a data breach, data brokers would have been required to notify affected consumers and the state Attorney General.