Vermont Senate concurs with House changes to H.121, delays private right of action to 2027
May 10, 2024 | SENATE, Committees, Legislative , Vermont
This article was created by AI summarizing key points discussed. AI makes mistakes, so for full details and context, please refer to the video of the full meeting. Please report any errors so we can fix them. Report an error »
The Vermont Senate voted by voice to concur with the House's proposed amendments to H.121, the Data Privacy Act, approving a package that restores exemptions for HIPAA-covered portions of hybrid entities, delays certain utility obligations and schedules a private right of action to begin Jan. 1, 2027, subject to a two-year sunset.
Senator from Chittenden Southeast moved the concurrence and described the compromise as one that "restores" hybrid-entity exemptions and balances enforcement through the Attorney General. She said the bill "allows for the private right of action to become law in January 2027 barring any affirmative action on our part," and that the PRA would be repealed on Jan. 1, 2029 unless the Legislature takes further action.
The amendment reinstates an exemption for HIPAA-covered health care components of hybrid entities so that hospitals and clinics would not be forced into duplicative compliance regimes for data already governed by HIPAA. Counsel later confirmed the committee's reading: the HIPAA-covered part of a hybrid entity is exempt while non-HIPAA activities remain subject to the Act (the sponsor cited UVMMC as an illustrative example).
The package also delays applicability for public utilities regulated by the Public Utility Commission until July 1, 2026, while directing the PUC, stakeholders and relevant committees to further study the nature of utility data and the costs of compliance. The sponsor said the PRA in the amended bill would apply only to entities that process data of more than 100,000 Vermont consumers annually; the general thresholds for the act begin at 25,000 consumers in 2025 and phase down to 12,500 and then 6,250 over subsequent years.
Under the amendment, the Attorney General is given exclusive authority to enforce many provisions of the Data Privacy Act and is asked to provide interim reporting on violations, use of cure periods and the kinds of harms observed so the Legislature can assess impacts before the PRA takes effect.
Opponents urged caution. "Unfortunately, the cake that was baked includes some ingredients that I, unfortunately, can't eat," said Senator Franklin, who cited concerns about implementation costs and an estimate that compliance could cost hospitals "literally 1,000,000 of dollars." Supporters, including the senator from Windham, said the two-year study concluding Jan. 15, 2026, will inform the Legislature before the PRA becomes effective and that the sunset provides a further safeguard.
The presiding officer asked for the question and the Senate concurred with the House amendment by voice vote; the record does not include a roll-call tally. The Senate then ordered the concurrence messaged to the House forthwith.
Next steps: the message was sent to the House and the Legislature will receive reports from the Attorney General and the AI commission/task force as directed in the bill; the PRA will not take effect until Jan. 1, 2027, subject to the study outcomes and any further legislative action.
Senator from Chittenden Southeast moved the concurrence and described the compromise as one that "restores" hybrid-entity exemptions and balances enforcement through the Attorney General. She said the bill "allows for the private right of action to become law in January 2027 barring any affirmative action on our part," and that the PRA would be repealed on Jan. 1, 2029 unless the Legislature takes further action.
The amendment reinstates an exemption for HIPAA-covered health care components of hybrid entities so that hospitals and clinics would not be forced into duplicative compliance regimes for data already governed by HIPAA. Counsel later confirmed the committee's reading: the HIPAA-covered part of a hybrid entity is exempt while non-HIPAA activities remain subject to the Act (the sponsor cited UVMMC as an illustrative example).
The package also delays applicability for public utilities regulated by the Public Utility Commission until July 1, 2026, while directing the PUC, stakeholders and relevant committees to further study the nature of utility data and the costs of compliance. The sponsor said the PRA in the amended bill would apply only to entities that process data of more than 100,000 Vermont consumers annually; the general thresholds for the act begin at 25,000 consumers in 2025 and phase down to 12,500 and then 6,250 over subsequent years.
Under the amendment, the Attorney General is given exclusive authority to enforce many provisions of the Data Privacy Act and is asked to provide interim reporting on violations, use of cure periods and the kinds of harms observed so the Legislature can assess impacts before the PRA takes effect.
Opponents urged caution. "Unfortunately, the cake that was baked includes some ingredients that I, unfortunately, can't eat," said Senator Franklin, who cited concerns about implementation costs and an estimate that compliance could cost hospitals "literally 1,000,000 of dollars." Supporters, including the senator from Windham, said the two-year study concluding Jan. 15, 2026, will inform the Legislature before the PRA becomes effective and that the sunset provides a further safeguard.
The presiding officer asked for the question and the Senate concurred with the House amendment by voice vote; the record does not include a roll-call tally. The Senate then ordered the concurrence messaged to the House forthwith.
Next steps: the message was sent to the House and the Legislature will receive reports from the Attorney General and the AI commission/task force as directed in the bill; the PRA will not take effect until Jan. 1, 2027, subject to the study outcomes and any further legislative action.
Don't Miss a Word: See the Full Meeting!
Go beyond summaries. Unlock every video, transcript, and key insight with a Founder Membership.
✓
Get instant access to full meeting videos
✓
Search and clip any phrase from complete transcripts
✓
Receive AI-powered summaries & custom alerts
✓
Enjoy lifetime, unrestricted access to government data
30-day money-back guarantee
