I may have missed the mark a few months ago when Maine's data privacy legislation was vetoed by its governor, but I have a much better feeling about this one: Vermont is queued up to be the US's next comprehensive data privacy law.
The bill is waiting for Governor Phil Scott's signature or veto, and there are good odds he'll sign it.
Although Governor Scott vetoed a previous Vermont comprehensive data privacy law in 2024, that law contained a private right of action—which would have made it a total outlier in the US privacy landscape. In his veto letter, Governor Scott advocated for a privacy law that more closely resembled Connecticut's.
This latest iteration of a Vermont privacy law does indeed more closely resemble Connecticut's privacy law. It features no private right of action (just like the other 21 state privacy laws). The bill enjoys broad bipartisan support in the legislature as well as support from the business community. Privacy advocates like Consumer Reports and EPIC, however, are less enthusiastic about this version of a Vermont privacy law, which probably means it's more likely to be signed.
As of this writing, the bill still awaits Governor Scott's signature, but I'd put my money on it becoming the 22nd privacy law in the US.
Best,
Arlo
Highlights From Osano
In Case You Missed It...
Ebook: State of US Privacy Enforcement 2026
For years, businesses in the US have adopted a "wait and see" approach to data privacy compliance. But that era is over. Privacy enforcement is a regular occurrence in the US nowadays, and by analyzing these actions, you can learn what regulators are looking for and how to protect your business. Download our Ebook to discover the 8 themes and patterns across recent enforcement actions and 7 priority actions you can take today to protect yourself.
Blog: The Opportunity in the Obligation: Why Data Privacy Is Marketing Strategy
Data privacy compliance and marketing strategy might seem like they have nothing to do with one another, but history tells us otherwise. Our SVP of Marketing, Shane Coker, breaks down how data privacy has intersected with his experience as a marketer and three ways marketing leaders can meet data privacy's moment.
Checklist: How to Reduce CIPA Risk
2,200 companies were sued under wiretap laws last year. Don't let your company fall into the crosshairs of opportunistic law firms repurposing laws like CIPA for website tracking! Follow our checklist to learn how to reduce your risk.
Top Privacy Stories of the Week
Vermont Data Privacy Law Awaits Governor's Signature
After two years of debate, negotiation, and advocacy, Vermont's comprehensive data privacy legislation officially passed the Legislature this week after the House approved the bill and the Senate concurred with House changes. The legislation now heads to Governor Phil Scott.
California AG Sues Chrome Holding Co., Formerly Known as 23andMe, Over 2023 Data Breach
California Attorney General Rob Bonta recently filed a lawsuit against Chrome Holding Co., formerly known as 23andMe, for failing to protect its customers' sensitive genetic information. In 2023, 23andMe experienced a data breach that affected nearly 7 million users across the United States. The AG's office contends 23andMe failed to take reasonable measures to protect its customers' sensitive data, violating a number of California laws, including the CCPA.
EPIC Comments on UK ICO Draft Guidance on Automated Decision-Making: "Underestimates" Impact of Contesting Inaccurate Decisions
EPIC has submitted feedback in response to the UK Information Commissioner's Office (ICO) consultation on the draft guidance they produced about automated decision-making (ADM), including profiling. As part of its feedback, EPIC argued that the ICO underestimates the time, resources, and opportunity lost by individuals fighting unfair and inaccurate decisions.
Notable CIPA Ruling: Pen Register and Trap and Trace Provisions Apply to Telephone Communications, Not Software
Recently, a California Superior Court ruled that the California Invasion of Privacy Act's (CIPA's) pen register and trap and trace device provisions apply only to telephone communications and not to software on commercial websites. The Court dismissed with prejudice claims against a defendant premised on the deployment of a data collection software development kit on its website. While this ruling provides further defense against CIPA claims, courts continue to be split on CIPA's applicability to modern website tracking.
EFF Announces Its New Executive Director, Nicole Ozer
The Electronic Frontier Foundation (EFF) has welcomed Nicole Ozer as its new Executive Director. Nicole is a legal expert on privacy and surveillance, artificial intelligence, and digital speech who previously served as the inaugural executive director of the Center for Constitutional Democracy at UC Law San Francisco.
Like what you see in the Privacy Insider newsletter?
There's more to explore:
The Privacy Insider Podcast
We go deeper into additional privacy topics with incredible guests monthly. Available on Spotify or Apple.
The Osano Subreddit
Join our official subreddit to stay up to date on the latest news, analysis, guidance, and content from Osano!
The Privacy Insider: How to Embrace Data Privacy and Join the Next Wave of Trusted Brands
The book inspired by this newsletter: Osano CEO, Arlo Gilbert, covers the history of data privacy and how companies can start building a privacy program from the ground up. More details here.
If you're interested in working at Osano, check out our Careers page!
Arlo Gilbert
Arlo Gilbert is the CIO & co-founder of Osano. A native of Austin, Texas, he has been building software companies for more than 25 years in categories including telecom, payments, procurement, and compliance. In 2005, Arlo invented voice commerce. He has testified before Congress on technology issues and is a frequent speaker on data privacy rights.
