Skip to content

Privacy

Vermont and Minnesota Privacy Law Updates

Why This Alert Is Important

This alert summarizes critical changes in privacy laws in Vermont and Minnesota, demonstrating that despite some progress at the federal level, states continue to be the engine driving privacy rights in the US.

Vermont Privacy Law Update 

Vermont House Bill 121, also known as the Data Privacy Law of 2023, introduces significant changes to how personal data is collected, stored, and used within the state. House Bill 121 was enacted to address growing concerns about data security and consumer privacy in an increasingly digital world. The bill mandates stricter consent requirements for data collection, enhances data breach notification protocols, and establishes robust consumer rights, including the right to access, correct, and delete their personal data. This law builds upon Vermont's strong track record of pioneering privacy protections, revealing the state's ongoing commitment to safeguarding its residents' digital lives. Its provisions include:- 

  • Private Right of Action (PRA): Consumers can now bring lawsuits against data brokers and "large data holders" handling data on over 100,000 Vermonters.
  • Data Minimization Standards: Aligns with Maryland’s comprehensive law, emphasizing the protection of children's and consumer health data.
  • Opt-Out Mechanisms and Assessments: Required user opt-out mechanisms and mandatory data protection assessments.
  • Applicability and Timeline: The bill takes a three-year stepdown approach to increase coverage annually. PRA is set to take effect in 2027, with a two-year review in 2029 to assess its effectiveness. 
  • Legislation Maintenance: The Vermont House Committee on Commerce and Economic Development will revisit the bill annually for potential improvements.

Minnesota Privacy Law Update

Minnesota's commitment to enhancing data privacy rights culminated in the passage of the Minnesota Consumer Data Privacy Act (MCDPA). Rooted in the evolving landscape of digital privacy, the MCDPA is a response to rising concerns over how personal data is collected, used, and protected. As businesses increasingly rely on consumer data to drive growth and innovation, the need for robust data protection frameworks has never been more critical. The MCDPA aims to address these concerns by establishing comprehensive privacy standards that align with both national and global best practices, including: 

  • Scope: Targets entities processing data on 100,000 consumers or earning 25% of their revenue from selling data of more than 25,000 consumers. 
  • Exemptions: Small businesses as defined by the U.S. Small Business Administration are exempt. 
  • Compliance Requirements include an implied obligation to appoint a chief privacy officer or organizational privacy lead., obligatory data privacy notices and data protection assessments, and consumer right to request information regarding profiling decisions and access the data used in these decisions. 
  • Universal Opt-Out: Recognizes universal opt-out mechanisms. 
  • Attorney General Enforcement: Exclusively enforced by the attorney general with a 30-day right to cure (sunsets in 2026).

Minnesota and Vermont add the existing complexities of the state data privacy landscape by introducing unique requirements for companies to focus and comply with. Minnesota continues the trend of consumer rights and transparency; however, organizations should pay close attention to the specific requirement to maintain a data inventory and to allow consumers to challenge profiling decisions made about them. Vermont meanwhile brings a private right of action to consumers by allowing them to sue data brokers and large data holders for collecting or sharing their personal information without consent. With these unique requirements in mind, businesses should focus on the foundation of their privacy program to ensure it can get the more straightforward obligations sorted like privacy rights, notices, and an inventory, while also figuring out if there is exposure to what is likely going to be litigious environment in Vermont.

Matt Dumiak, Director of Privacy Services, CompliancePoint

Data Alert Tip

Stay updated on state-specific privacy laws to ensure compliance and avoid legal issues with Exterro's State Privacy Law Tracker.

Ready to Get Started?

Get an Exterro data risk management platform demo today.

Get a Demo