Industry - Policy Change
Executive Summary
Vermont's Governor signed S.B. 110 into law, expanding the state's data breach notification requirements to include additional types of personal information such as online login credentials, biometric data, genetic information, and health records. The law also creates new student privacy protections for educational technology services, restricting how operators can collect, use, and disclose student data. These requirements took effect on July 1, 2020.
What Happened
Vermont's Governor signed S.B. 110 into law in June 2020, expanding the state's data breach notification requirements and creating new student privacy protections. The law broadened the definition of personal information subject to breach notifications to include online login credentials, biometric data, genetic information, health records, and additional government identification numbers. It also imposed restrictions on how operators of educational technology services can collect, use, and disclose student data, with all provisions taking effect on July 1, 2020.
Who Is Affected
Vermont residents whose personal information is held by data collectors are affected, as they now receive notification for breaches involving a wider range of sensitive data types. Students using educational technology services in Vermont gain new protections regarding how their data can be handled by service operators. Organizations that collect data from Vermont residents or provide educational technology services must comply with expanded notification obligations and new usage restrictions.
Why It Matters
This law significantly expands what constitutes notifiable personal information in data breaches, recognizing modern privacy risks from biometric data, genetic information, and online credentials that earlier laws did not address. By including health records and login credentials, Vermont acknowledges that these data types pose substantial identity theft and privacy risks when compromised. The student privacy provisions represent growing recognition that educational technology operators require specific regulatory constraints to protect minors' data from inappropriate collection and commercial use.
What You Should Do
Vermont residents should monitor breach notifications more carefully, as organizations now must disclose compromises involving login credentials, health information, and biometric data. If you receive notification of a breach involving login credentials, immediately change passwords for the affected account and any other accounts using the same credentials. Students and parents should review privacy policies of educational technology platforms used in Vermont schools and exercise any available opt-out rights for data collection beyond what is necessary for educational purposes.
Summary generated from verified sources and reviewed before publication. How we summarize.