The Vermont Statutes Online

The Statutes below include the actions of the 2025 session of the General Assembly.

NOTE: The Vermont Statutes Online is an unofficial copy of the Vermont Statutes Annotated that is provided as a convenience.

Title 9 : Commerce and Trade

Chapter 062 : Protection of Personal Information

Subchapter 006 : VERMONT AGE-APPROPRIATE DESIGN CODE ACT

(Cite as: 9 V.S.A. § 2449a)
  • § 2449a. Definitions [Effective January 1, 2027]

    As used in this subchapter:

    (1)(A) “Affiliate” means a legal entity that shares common branding with another legal entity or controls, is controlled by, or is under common control with another legal entity.

    (B) As used in subdivision (A) of this subdivision (1), “control” or “controlled” means:

    (i) ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a company;

    (ii) control in any manner over the election of a majority of the directors or of individuals exercising similar functions; or

    (iii) the power to exercise controlling influence over the management of a company.

    (2) “Age assurance” encompasses a range of methods used to determine, estimate, or communicate the age or an age range of an online user.

    (3) “Age range” means either an interval with an upper and lower age limit or a label indicating age above or below a specific age.

    (4) “Algorithmic recommendation system” means a system that uses an algorithm to select, filter, and arrange media on a covered business’s website for the purpose of selecting, recommending, or prioritizing media for a user.

    (5)(A) “Biometric data” means data generated from the technological processing of an individual’s unique biological, physical, or physiological characteristics that allow or confirm the unique identification of the consumer, including:

    (i) iris or retina scans;

    (ii) fingerprints;

    (iii) facial or hand mapping, geometry, or templates;

    (iv) vein patterns;

    (v) voice prints or vocal biomarkers; and

    (vi) gait or personally identifying physical movement or patterns.

    (B) “Biometric data” does not include:

    (i) a digital or physical photograph;

    (ii) an audio or video recording; or

    (iii) any data generated from a digital or physical photograph, or an audio or video recording, unless such data is generated to identify a specific individual.

    (6) “Business associate” has the same meaning as in the Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191 (HIPAA).

    (7) “Collect” means buying, renting, gathering, obtaining, receiving, or accessing any personal data by any means. This includes receiving data from the consumer, either actively or passively, or by observing the consumer’s behavior.

    (8) “Compulsive use” means the repetitive use of a covered business’s service that materially disrupts one or more major life activities of a minor, including sleeping, eating, learning, reading, concentrating, communicating, or working.

    (9)(A) “Consumer” means an individual who is a resident of the State.

    (B) “Consumer” does not include an individual acting in a commercial or employment context or as an employee, owner, director, officer, or contractor of a company, partnership, sole proprietorship, nonprofit, or government agency whose communications or transactions with the covered business occur solely within the context of that individual’s role with the company, partnership, sole proprietorship, nonprofit, or government agency.

    (10) “Covered business” means a sole proprietorship, partnership, limited liability company, corporation, association, other legal entity, or an affiliate thereof:

    (A) that conducts business in this State;

    (B) that generates a majority of its annual revenue from online services;

    (C) whose online products, services, or features are reasonably likely to be accessed by a minor;

    (D) that collects consumers’ personal data or has consumers’ personal data collected on its behalf by a processor; and

    (E) that alone or jointly with others determines the purposes and means of the processing of consumers’ personal data.

    (11) “Covered entity” has the same meaning as in HIPAA.

    (12) “Covered minor” is a consumer who a covered business actually knows is a minor or labels as a minor pursuant to age assurance methods in rules adopted by the Attorney General.

    (13) “Default” means a preselected option adopted by the covered business for the online service, product, or feature.

    (14) “De-identified data” means data that does not identify and cannot reasonably be used to infer information about, or otherwise be linked to, an identified or identifiable individual, or a device linked to the individual, if the covered business that possesses the data:

    (A)(i) takes reasonable measures to ensure that the data cannot be used to reidentify an identified or identifiable individual or be associated with an individual or device that identifies or is linked or reasonably linkable to an individual or household; and

    (ii) for purposes of this subdivision (A), “reasonable measures” includes the de-identification requirements set forth under 45 C.F.R. § 164.514 (other requirements relating to uses and disclosures of protected health information);

    (B) publicly commits to process the data only in a de-identified fashion and not attempt to reidentify the data; and

    (C) contractually obligates any recipients of the data to comply with all provisions of this subchapter.

    (15) “Derived data” means data that is created by the derivation of information, data, assumptions, correlations, inferences, predictions, or conclusions from facts, evidence, or another source of information or data about a minor or a minor’s device.

    (16) “Genetic data” means any data, regardless of its format, that results from the analysis of a biological sample of an individual, or from another source enabling equivalent information to be obtained, and concerns genetic material, including deoxyribonucleic acids (DNA), ribonucleic acids (RNA), genes, chromosomes, alleles, genomes, alterations or modifications to DNA or RNA, single nucleotide polymorphisms (SNPs), epigenetic markers, uninterpreted data that results from analysis of the biological sample or other source, and any information extrapolated, derived, or inferred therefrom.

    (17) “Identified or identifiable individual” means an individual who can be readily identified, directly or indirectly, including by reference to an identifier such as a name, an identification number, specific geolocation data, or an online identifier.

    (18) “Known adult” is a consumer who a covered business actually knows is an adult or labels as an adult pursuant to age assurance methods in rules adopted by the Attorney General.

    (19) “Minor” means an individual under 18 years of age.

    (20) “Online service, product, or feature” means a digital product that is accessible to the public via the internet, including a website or application, and does not mean any of the following:

    (A) telecommunications service, as defined in 47 U.S.C. § 153;

    (B) a broadband internet access service as defined in 47 C.F.R. § 54.400; or

    (C) the sale, delivery, or use of a physical product.

    (21)(A) “Personal data” means any information, including derived data and unique identifiers, that is linked or reasonably linkable, alone or in combination with other information, to an identified or identifiable individual or to a device that identifies, is linked to, or is reasonably linkable to one or more identified or identifiable individuals in a household.

    (B) Personal data does not include de-identified data or publicly available information.

    (22) “Process” or “processing” means any operation or set of operations performed, whether by manual or automated means, on personal data or on sets of personal data, such as the collection, use, storage, disclosure, analysis, deletion, modification, or otherwise handling of personal data.

    (23) “Processor” means a person who processes personal data on behalf of:

    (A) a covered business;

    (B) another processor; or

    (C) a federal, state, tribal, or local government entity.

    (24) “Profiling” means any form of automated processing performed on personal data to evaluate, analyze, or predict personal aspects, including an individual’s economic situation, health, personal preferences, interests, reliability, behavior, location, movements, or identifying characteristics.

    (25)(A) “Publicly available information” means information that:

    (i) is made available through federal, state, or local government records or to the general public from widely distributed media; or

    (ii) a covered business has a reasonable basis to believe that the consumer has lawfully made available to the general public.

    (B) “Publicly available information” does not include:

    (i) biometric data collected by a business about a consumer without the consumer’s knowledge;

    (ii) information that is collated and combined to create a consumer profile that is made available to a user of a publicly available website either in exchange for payment or free of charge;

    (iii) information that is made available for sale;

    (iv) an inference that is generated from the information described in subdivision (ii) or (iii) of this subdivision (25)(B);

    (v) any obscene visual depiction, as defined in 18 U.S.C. § 1460;

    (vi) personal data that is created through the combination of personal data with publicly available information;

    (vii) genetic data, unless otherwise made publicly available by the consumer to whom the information pertains;

    (viii) information provided by a consumer on a website or online service made available to all members of the public, for free or for a fee, where the consumer has maintained a reasonable expectation of privacy in the information, such as by restricting the information to a specific audience; or

    (ix) intimate images, authentic or computer-generated, known to be nonconsensual.

    (26) “Reasonably likely to be accessed” means an online service, product, or feature that is reasonably likely to be accessed by a covered minor based on any of the following indicators:

    (A) the online service, product, or feature is directed to children, as defined by the Children’s Online Privacy Protection Act, 15 U.S.C. §§ 6501–6506 and the Federal Trade Commission rules implementing that Act;

    (B) the online service, product, or feature is determined, based on competent and reliable evidence regarding audience composition, to be routinely accessed by an audience that is composed of at least two percent minors two through 17 years of age;

    (C) the audience of the online service, product, or feature is determined, based on internal company research, to be composed of at least two percent minors two through 17 years of age; or

    (D) the covered business knew or should have known that at least two percent of the audience of the online service, product, or feature includes minors two through 17 years of age, provided that, in making this assessment, the business shall not collect or process any personal data that is not reasonably necessary to provide an online service, product, or feature with which a minor is actively and knowingly engaged.

    (27)(A) “Social media platform” means a public or semipublic internet-based service or application that is primarily intended to connect and allow a user to socially interact within such service or application and enables a user to:

    (i) construct a public or semipublic profile for the purposes of signing into and using such service or application;

    (ii) populate a public list of other users with whom the user shares a social connection within such service or application; or

    (iii) create or post content that is viewable by other users, including content on message boards and in chat rooms, and that presents the user with content generated by other users.

    (B) “Social media platform” does not mean a public or semipublic internet-based service or application that:

    (i) exclusively provides email or direct messaging services; or

    (ii) is used by and under the direction of an educational entity, including a learning management system or a student engagement program.

    (28) “Third party” means a natural or legal person, public authority, agency, or body other than the covered minor or the covered business. (Added 2025, No. 63, § 1, eff. January 1, 2027.)