Vermont’s data privacy law sparks state lawmaker alliance against tech lobbyists

Vermont lawmakers just defied national trends by passing the toughest-yet state bill protecting online data privacy — and they did it by using a new tactic designed to get around industry pressure.

The bill lets Vermont residents sue companies directly for collecting or sharing sensitive data without their consent. As they drafted and finalized it, lawmakers deployed a countermeasure against business pushback: They brought together lawmakers in states from Maine to Oklahoma who had fought their own battles with the tech industry and asked them for advice.

“The biggest thing I have learned from this entire bill is that Big Tech has a playbook,” said Rep. Monique Priestley, the Democratic state lawmaker who called the hearing and said she hoped to create a “grassroots playbook” to fight back.

The Vermont story is a rare but powerful exception to an emerging national current: With little action in Congress, the burden of regulating tech has shifted to the states. And that pits state lawmakers, often with small staffs and part-time jobs, against powerful national lobbies with business and political clout.

It’s not clear Vermont’s new game plan is waterproof: Republican Gov. Phil Scott has yet to sign the bill, and lawmakers and industry are still jousting over it.

But already, national consumer advocacy groups are looking to Vermont as a possible model for lawmakers who want to pass tough state tech regulations around the country — a battle that states have, until now, largely been losing.

Lobbying back-and-forth

The battle for privacy regulations has played out in states since 2018, after California became the first state to pass a comprehensive data privacy law.

In March this year, Vermont’s House of Representatives began discussing a state privacy bill to give residents the right to sue companies for privacy violations, and to minimize the amount of data businesses could collect on their customers. Local businesses and national groups said the bill could harm industry, but the House nevertheless passed it unanimously.

Next, the bill headed to the state Senate, where local businesses found a more receptive audience.

The chief financial officer of Vermont outdoors outfitter Orvis wrote state senators that limiting data collection would “put Vermont businesses at a significant if not crippling disadvantage.”

A spokesperson for Orvis said the company did not work with tech industry groups against Vermont’s privacy bill.

Vermont’s Chamber of Commerce updated its members on April 12 that it had met with state senators and that they “improved the bill to ensure strong consumer protections that do not put an undue burden on Vermont businesses.”

The pressure alarmed Priestley, she said in an interview. It reminded her of L.L. Bean’s influential opposition to Maine’s privacy bill. She learned about similar industry campaigns against state privacy regulations in Maryland, Montana, Oklahoma and Kentucky. She invited lawmakers from the five states to share their experiences, in the hopes of showing this pattern to her colleagues.

“It felt like once it hit the Senate side, there was a coordinated, massive national push against this,” Priestley told POLITICO. “It felt like the only thing that could counter a big national lobbying push was to spotlight that on-the-record for everybody.”

She convened the hearing for April 26. Two days before, Vermont’s senators passed an amended version of the bill to remove private right of action provisions and recommended more changes to align with Connecticut’s privacy bill, favored by industry.

Insights from out of state

The out-of-state lawmakers described how local businesses echoed tech industry groups. They recalled a deluge of amendment requests to water down the proposals and noted that lobbyists turned to the opposite legislative chambers when a strong bill passed through the House or Senate.

Maine Democratic state Rep. Maggie O’Neil said her chamber passed a bill with data minimization and a private right of action, but local businesses including L.L. Bean were key to killing it in the state Senate.

Data minimization would require companies to only collect and use data that would be necessary to provide their services.

“In Maine, if L.L. Bean says something, people are going to respect that,” she said at the hearing.

L.L. Bean denied coordinating efforts against Maine’s privacy bill with tech industry groups.

Maryland’s Democratic Del. Sara Love described a similar experience: a lobbying blitz from tech industry groups who highlighted concerns about local businesses when the privacy bill was set to pass.

“They only brought out the small businesses card at the very end, and I think they’re learning that’s something that sways legislators,” Love said.

Lawmakers from Kentucky and Oklahoma said their state’s Chambers of Commerce applied pressure to weaken privacy proposals.

“While I was busy trying to get my bill out of the Senate, the Chamber was busy holding it back,” said Kentucky’s Republican state Sen. Whitney Westerfield. “They were working hard in the House poisoning the well.”

The Kentucky Chamber told POLITICO that it was “critical for Kentucky to pass a bill that not only protected consumers, but also worked for businesses in the ever-changing world of technology.”

Raising suspicions in Vermont

Vermont’s Republican state Rep. Michael Marcotte, who was negotiating a compromise bill between the two chambers, told POLITICO he had been on the fence about private right of action until he heard testimony from Kentucky. It made him suspicious of local Vermont businesses who appeared to be closely aligned with state and national tech industry groups, he said.

In particular, Marcotte pointed to arguments made by Jim Hall, CEO of the Vermont Country Store and board chair of the American Commerce Marketing Association. Hall warned Vermont’s lawmakers against a private right of action, noting a 2013 lawsuit cost his company $100,000 for failing to comply with a California law requiring lead exposure labeling on its licorice products.

“That makes you wonder, is he speaking about the Vermont Country Store, or is he representing his organization? How can we be sure that they’re genuine?,” Marcotte said. “It was hard for us to try to parse that out.”

Hall told POLITICO that he did not have any discussions with Big Tech on privacy regulations and supported less stringent regulation preferred by industry groups.

“I spoke out, as did the Vermont Chamber of Commerce, to protect small business,” Hall said in an email.

Not all Vermont lawmakers watched the hearing, including Democratic state Sen. Kesha Ram Hinsdale, who introduced the amendments that loosened her chamber’s bill. She said she found it vital to hear from local businesses and dismissed the idea of a concerted tech effort.

“I’m trying to operate in reality, not with conspiracy theories about who was involved in what, and Jim Hall brought his own specific example of a labeling law that caused him a lot of financial harm,” she said in an interview.

Marcotte helped negotiate a last-minute compromise to include the private right of action, but only make large data brokers and businesses liable. He said he used his new insights to convince his colleagues in the Senate to vote for the measure, which passed on May 11.

“When we had our discussions with the Senate, we just let them know this is directly from the playbook — the same things that other legislators heard in their states is the same thing we’re hearing here,” Marcotte said.

A new strategy for privacy advocates

R.J. Cross, director of consumer privacy at the Public Interest Research Group, said her group hopes to replicate Vermont’s success and build a coalition to counter the tech lobby’s influence. In particular, she said lawmakers were more receptive to advice from fellow legislators than from advocates.

“When you look at what’s happened in the last five years, it’s obvious that industry has a playbook, and that it’s effective. It may be the strategic thing to do to take a lesson from that and to get organized on your own terms,” she told POLITICO.

Vermont business groups and national tech lobbyists denied they were working together to weaken the privacy bill, but remained committed to stopping it.

“This isn’t a product of a ‘Big Tech’ national conspiracy; it’s a direct response to misguided policies imposed by external special interests, which undermine the vitality of local businesses,” Megan Sullivan, the Vermont Chamber’s vice president of government affairs, said in an email.

Still, the Chamber’s points overlap those made by national tech industry groups NetChoice, TechNet and the State Privacy and Security Coalition.

“It’s unfortunate that Vermont lawmakers ran roughshod over the pains of small businesses rather than passing a law that protects the privacy of citizens while providing easy to adopt rules,” NetChoice general counsel Carl Szabo said via email.

TechNet executive director for the Northeast Chris Gilrein wrote POLITICO that the bill “includes many untested provisions and definitions that would put the state’s businesses at a competitive disadvantage.”

Both NetChoice and TechNet are urging Vermont’s Republican Governor Phil Scott to veto the bill; he has five days to sign it once he receives the bill from the legislature.

A spokesperson for the governor told POLITICO, “it was passed at the last minute with a major amendment with little scrutiny by the Legislature.”

No matter the outcome, state lawmakers say they see new power in their cooperation.

Speaking to Vermont lawmakers, Montana’s Republican state Sen. Daniel Zolnikov said he strengthened his state’s data privacy bill after he learned lobbyists who had pushed him to weaken it had backed a stronger model in Maryland.

“They think we’re all decentralized,” he told his colleagues. “Luckily, their technology, we can use to our benefit.”