• by Wendy Davis  @wendyndavis, June 18, 2024

Vermont lawmakers on Monday failed to override Governor Phil Scott's veto of a sweeping privacy bill that would have limited data collection by companies, imposed restrictions on online ad targeting, and allowed consumers to bring private lawsuits in some circumstances.

The state House voted 128-17 in favor of an override, but a motion to override failed 14-15 in the Senate.

Privacy advocates supported the bill, contending it was stronger than many other state privacy laws due to the provisions that would have authorized private lawsuits.

But ad industry organizations opposed the measure, arguing in a veto request that allowing private lawsuits would “benefit opportunistic trial lawyers and plaintiff’s law firms rather than protect the privacy of Vermont consumers.”

When Scott vetoed the bill last week he stated that it “creates an unnecessary and avoidable level of risk,” adding that the provision allowing private lawsuits “would make Vermont a national outlier, and more hostile than any other state to many businesses and non-profits.”

On Tuesday, the Association of National Advertisers cheered news that lawmakers sustained Scott's veto.

“We commend the Senate for blocking the override of a deeply flawed privacy bill that would have caused significant consumer harm, regulatory confusion, frivolous litigation, and economic injury to Vermont businesses,” Chris Oswald, executive vice president of the group stated.

He added that the provisions authorizing individuals to sue over violations “would have set a new low for the nation, triggering a flood of risky and expensive lawsuits from out-of-state lawyers, driving up costs for Vermont residents and businesses.”

The bill, which was passed last month, would have required companies to let consumers opt out of targeted advertising -- meaning ads served based on non-sensitive data collected across distinctly branded sites or apps. The measure also would have explicitly obligated companies to honor opt-outs made through mechanisms like the Global Privacy Control, which transmits opt-out requests to every site consumers visit.

The proposed law additionally would have prohibited companies from collecting or harnessing sensitive data -- including biometrics, location data and information that reveals consumers' race, religion, citizenship, sexual orientation or health -- without opt-in consent.

A separate section of the bill would have created an “age-appropriate design code” that would have restricted how social media platforms serve content to minors.

The privacy restrictions and design-code provisions were originally proposed as separate laws, but combined into one piece of legislation shortly before the vote last month.

The tech industry group NetChoice had urged Scott to veto the bill due to its design-code provisions, which NetChoice said would violate the First Amendment.

That organization challenged a similar California design code, and last year obtained an order blocking enforcement.