On July 1, 2020, amendments to Vermont’s data breach notification law, signed into law earlier this year, will take effect along with Vermont’s new student privacy law.

Security Breach Notice Act
The amendments to Vermont’s Security Breach Notice Act include expanding the definition of Personally Identifiable Information (“PII”), expanding the definition of a breach to include login credentials and narrowing the permissible circumstances under which substitute notice may be used. Notably, the amendments:

  • Expand the definition of PII to add the following data elements, when in combination with individual’s first name or initial and last name:
    • individual taxpayer identification number, passport number, military identification card number or other identification number that originates from a government identification document that is commonly used to verify identity for a commercial transaction;
    • unique biometric data generated from measurements or technical analysis of human body characteristics used by the owner or licensee of the data to identify or authenticate the consumer, such as a fingerprint, retina or iris image, or other unique physical representation or digital representation of biometric data;
    • genetic information; and
    • heath records or records of a wellness program or similar program of health promotion or disease prevention, a health care professional’s medical diagnosis or treatment of the consumer or a health insurance policy number.
  • Expand the definition of a breach to include login credentials, meaning “a consumer’s user name or e-mail address, in combination with a password or an answer to a security question, that together permit access to an online account.” Login credentials are not part of the definition of PII, but the law’s definition of a security breach now covers “personally identifiable information or login credentials.” Where a breach is limited to login credentials for an online account other than an email account, notice may be provided electronically. Special notification procedures apply where a breach is limited to login credentials for an email account. In addition, where a breach is limited to login credentials, the data collector is only required to notify the Vermont Attorney General (or Department of Financial Regulation if the data collector is regulated by the Department) if the login credentials were acquired directly from the data collector or its agent.
  • Permit substitute notice in limited circumstances, i.e., only where the lowest cost of providing direct notice via writing, email or telephone would exceed $10,000, or where the data collector does not have sufficient contact information. The number of affected consumers exceeding 5,000 is no longer a basis for providing substitute notice.

Read Vermont’s explanation of the amendments.

Student Data Privacy
Vermont’s Student Data Privacy law, modeled after California’s Student Online Personal Information Protection Act, generally, will prohibit certain “operators” of websites, online services and online or mobile applications used primarily by, and designed and marketed to, PreK-12 schools from knowingly:

  • engaging in targeted advertising based on any information, including covered information (as defined under the law) and persistent unique identifiers, that the operator acquired because of the use of its site, service or application for PreK-12 school purposes;
  • using information created or gathered by the operator’s site, service or application to amass a profile about a student, except in furtherance of PreK-12 school purposes;
  • selling, bartering or renting a student’s information, including covered information; and
  • disclosing covered information, unless the disclosure is made for a purpose specified under the law and is proportionate to the identifiable information necessary to accomplish the purpose.

Operators also are required to:

  • implement and maintain reasonable security procedures and practices;
  • at a school or school district’s request, delete, within a reasonable time period and to the extent practicable, a student’s covered information that is under the control of the school or school district, unless the student or the student’s parent or legal guardian consents to the operator’s maintenance of the covered information; and
  • publicly disclose and provide the school with material information about the operator’s collection, use and disclosure of covered information, including publishing terms of service, a privacy policy or similar document.

The law also allows operators to use covered information to comply with applicable law or for legitimate research purposes (in certain circumstances), and to disclose covered information to a State or local educational agency for PreK-12 school purposes, as permitted by State or federal law.

The law further clarifies that an operator may use covered information that is not associated with an identified student to improve the operator’s educational products and to demonstrate the effectiveness of the operator’s products or services, including in its marketing. An operator also may share covered information that is not associated with an identified student for the development and improvement of its educational sites, services or applications. Additionally, an operator may use recommendation engines to recommend to a student additional content or services related to an educational, other learning, or employment opportunity within an online site, service or application, if the recommendation is not determined by payment or other consideration from a third party.

The law is enforceable by the Vermont Attorney General. The law calls for the Vermont Attorney General, in consultation with the Vermont Agency of Education, to examine the issue of student data privacy as it relates to the Family Educational Rights and Privacy Act and access to student data by data brokers, and determine whether to make any recommendations.