
The private right of action in privacy laws: Comparing Vermont to California 

6/25/24


By: Justin J. Boron, Matt P. Delfino, and Danielle A. Ocampo

In recent years, a number of states have passed privacy laws, including Montana, Maryland, Tennessee, Kentucky, and many others. The Vermont legislature followed suit with the Vermont Data Privacy Act (“VDPA”), passed on May 11, 2024. But on June 13, Governor Phil Scott vetoed the bill. On June 17, the Vermont Senate voted 15-14 to sustain the governor’s veto, ultimately defeating the legislation. 

The legislation was notable for its private right of action (“PRA”) provision. Governor Scott cited the private right of action as the reason for his veto, raising his concern that the provision would make Vermont “hostile” to businesses. As privacy concerns grow in legislatures across the country, the mechanisms for enforcing these laws have come to the fore. Most states vest authority for bringing actions against businesses in the state’s Attorney General. Had Vermont’s bill passed, the state would have joined Illinois and California as the only states granting a private right of action to their citizens.

Comparing Vermont’s (proposed and failed) Private Right of Action to California’s  

To understand what may make a PRA viable in future legislation in other states, it is worth comparing several aspects of the PRA in Vermont’s failed bill to that of the California Consumer Privacy Act (“CCPA”), passed in 2018.

California’s PRA is Broader in Scope than Vermont’s Proposed PRA

Under the proposed Vermont bill, any Vermont resident not acting in a commercial or employment context could have exercised the private right of action. However, the PRA was limited to suing large data holders, or entities that hold data for at least 100,000 consumers. California’s PRA is broader. The California residents afforded the right to sue include not only permanent residents, but also those in the state for other than a temporary purpose, as well as those domiciled in California who live outside of the state for a “temporary and transitory purpose.” See Cal. Civ. Code § 1798.140(g); Cal. Code Regs., tit. 18 § 17014(a). Further, unlike Vermont’s limited types of defendants, the California PRA may be exercised against any business that owns, licenses, or maintains personal information about Californians.

Vermont Affords Data Holders Longer Cure Period

Vermont’s Attorney General, in response to the Governor’s veto, noted that a PRA “generally vests” after a 45 to 90-day cure period in which the data holder or broker can correct the violation. Under Section 2418, a controller must respond to a consumer’s request to exercise any of their enumerated rights within 45 days after receiving the request, but can extend the response period by another 45 days when reasonably necessary, as long as the consumer is informed of the reason for the extension. VDPA, H.121 § 2418(c) (2024). In contrast, the PRA in the CCPA specifically requires consumers to provide a business with 30 days’ written notice, prior to filing a lawsuit, identifying specific provisions of the CCPA which the consumer alleges were violated. Cal. Civ. Code § 1798.150(b). Under the CCPA, if the business cures the violation within 30 days and provides a written statement of the cure to the consumer, no action for statutory damages can be brought. Id.  

Violations and Damages 

Under the VDPA, consumers may have only recovered actual damages if an entity breached the confidentiality of their health data, sold their sensitive data, or processed their sensitive data without their consent or, if knowing the consumer is a child, in violation of the Children’s Online Privacy Protection Act (“COPPA”). The consent-based approach and utilization of COPPA as a standard for the processing of children’s data is similar to that taken by other states. The VDPA defines “process” as the collection, use, storage, disclosure, analysis, deletion, or modification of personal data. VDPA, H.121 § 2415(43) (2024). Sensitive data is a subset of personal data and includes, among other categories, data revealing a consumer’s government-issued identifier (SSN, driver’s license, etc.), biometric or genetic data, geolocation, financial information, as well as sexual orientation, or racial, ethnic, and national origin. VDPA, H.121 § 2415(54) (2024). 

In California, a consumer may sue for actual or statutory damages, whichever is greater. While Vermonters could have only recovered for the improper sharing of health data or the selling or processing of sensitive data, Californians can bring actions for unauthorized access and exfiltration, theft, or disclosure of unencrypted and unredacted personal information. Cal. Civ. Code § 1798.150(b). Personal information under the CCPA is a similar but potentially broader category than “sensitive data” under the VDPA, as it refers to a person’s first name or initial and the person’s last name, in combination with at least one of a number of other categories similar to those constituting sensitive data under Vermont’s law. Cal. Civ. Code § 1798.81.5(d)(1). However, usernames and email addresses combined with a password or security question and answer permitting access to an online account can also constitute personal information under the CCPA. Id.  

The Future of the “Private Right of Action” in State Privacy Laws

To date, nineteen states have passed privacy laws varying in scope and enforcement. The vast majority of those state laws do not grant citizens a private right of action; thus, the Vermont governor feared his state becoming an outlier with respect to its privacy framework. Yet, in several ways, Vermont’s PRA was less aggressive than California’s. It was also likely narrower than the PRA of the American Privacy Rights Act of 2024, the text of which was recently released in the U.S. Congress and which allows for an immediate private right of action for alleged violations. It remains to be seen whether Vermont’s failure to enact a private right of action will discourage other states from attempting to include a PRA, or whether other states will try to model their PRA after California’s more closely in the future.

If you have any questions regarding the content of this article, please do not hesitate to contact Justin J. Boron at jboron@fmglaw.com, Matt P. Delfino at matthew.delfino@fmglaw.com, Danielle A. Ocampo at danielle.ocampo@fmglaw.com or your local FMG relationship partner.