Vermont Amends Data Breach Notification Law, Enacts Student Privacy Act

Vermont Amends Data Breach Notification Law

On July 1, 2020, amendments to Vermont’s Security Breach Notice Act, 9 V.S.A. §§ 2330 & 2335, took effect along with a new “Student Online Personal Information Protection Act.”

Key amendments to the security breach act include:

• An expanded definition of Personally Identifiable Information (“PII”). The definition now adds various ID numbers, unique biometric data, genetic information, and certain health or wellness records.
• Expanded definition of security breach to include “login credentials”. Login credentials are defined by the amendment as “a consumer’s user name or email address in combination with a password or an answer to a security question that together permit access to an online account.”  Businesses should consider login credentials and PII as the same when considering whether breach occurred and whether a business has a general duty to notify, but login credentials differ from PII in how and to whom notice must be provided
  •  If only login credentials are breached (without breach of actual PII), a data collector is only required to notify the Vermont Attorney General (or the Department of Finance, as applicable) if the login credentials were acquired directly from the data collector or its agent. The law specifies different notification requirements depending on whether the breached login credential would permit access to an email account.
• Narrows the Permissibility of Substitute Notice. Previously, substitute notice was permitted when the class of affected consumers to be provided written or telephonic notice exceeded 5,000, the cost of direct notice would exceed $5000, or the data collector did not have sufficient contact information. Now, substitute notice is only permitted where the lowest cost of providing notice to affected customers via written, email, or telephonic notice would exceed $10,000. This revision included e-mail as a permissible form of notice and eliminated the number of affected consumers exceeding 5,000 as a basis for providing substitute notice.  Because email allows companies to provide mass notice to affected customers in a timely manner at low cost, it will be more difficult for data collectors to reach that $10,000 minimum.

Vermont Enacts New Student Privacy Law

Vermont’s new Student Online Personal Information Protection Act updates its privacy law to include regulations specifically concerning the data of pre-K to 12^th grade students. The law applies to website operators, online services, or mobile applications designed and marketed to, and used primarily by, pre-K to 12th grade schools.

Under the new law, enforceable by the Vermont Attorney General, operators are generally prohibited from:

• Engaging in targeted advertising based on any information the operator has acquired because of the use of its site, service, or application for PreK-12 purposes;
• Using information that is created or gathered by the operator’s site, service, or application to amass a profile about a student, except for PreK-12 purposes;
• Selling, bartering, or renting a student’s information; or
• Disclosing covered information to a third party, unless a specific exception applies (including certain disclosures for educational purposes).

Operators are also required to: (a) implement and maintain reasonable security procedures and practices; (b) delete a student’s covered information within a reasonable time period if the school or school district requests it; and (c) publicly disclose and provide the school with material information about the operator’s collection, use, and disclosure of covered information, including publishing terms of service, a privacy policy or similar document.

Operators may use or disclose covered information as required by law. Operators may also use covered information for legitimate research purposes in certain circumstances and to disclose the information to a state or local education agency for PreK-12 purposes, as permitted by State or federal law.  Operators are also not prohibited from using covered information in the following scenarios so long as the information is not associated with an identified student within the operator’s control (sites, services, applications, products, or marketing):

• Improving educational products;
•  Demonstrate the effectiveness of the operator’s products or services, including their marketing;
• Development or improvement of educational sites, services, or applications;
• Using recommendation engines to recommend to a student (1) additional content or (2) additional services, in which both relate to an educational, other learning, or employment opportunity purpose, so long as the recommendation is not determined in whole or in part by payment or other consideration from a third party; or
• Responding to a student’s request for information or feedback without the response being determined by payment or other consideration

This subchapter does not:

• Limit the authority of law enforcement to lawfully obtain content or information;
• Limit the ability of an operator to use student data for adaptive or customized student learning purposes;
• Apply to general audience websites, online services, online applications, or mobile applications
• Limit service providers from providing Internet connectivity to schools, students, or their families;
• Prohibit an operator from marketing educational products directly to parents;
• Impose a duty upon a provider of an electronic store, gateway, marketplace, or other means or purchasing or downloading software to review or enforce compliance of this law;
• Impose a duty upon a provider or an interactive computer service to review or enforce compliance with this law;
• Prohibit students from downloading, exporting, transferring, saving, or maintaining their own student-created data or documents; or
• Supersede the federal Family Educational Rights and Privacy Act (FERPA) or rules adopted pursuant to the Act.

Finally, the law requires the Vermont Attorney General, in consultation with the Vermont Agency of Education, to examine the issue of student data privacy as it relates to FERPA and access to student data by data brokers, and determine whether to make any recommendations.