I may have missed the mark a few months ago when Maineâs data privacy legislation was vetoed by its governor, but I have a much better feeling about this one: Vermont is queued up to be the USâs next comprehensive data privacy law.
The bill is waiting for Governor Phil Scottâs signature or veto, and there are good odds heâll sign it.
Although Governor Scott vetoed a previous Vermont comprehensive data privacy law in 2024, that law contained a private right of actionâwhich would have made it a total outlier in the US privacy landscape. In his veto letter, Governor Scott advocated for a privacy law that more closely resembled Connecticutâs.
This latest iteration of a Vermont privacy law does indeed more closely resemble Connecticutâs privacy law. It features no private right of action (just like the other 21 state privacy laws). The bill enjoys broad bipartisan support in the legislature as well as support from the business community. Privacy advocates like Consumer Reports and EPIC, however, are less enthusiastic about this version of a Vermont privacy law, which probably means it's more likely to be signed.
As of this writing, the bill still awaits Governor Scottâs signature, but Iâd put my money on it becoming the 22nd privacy law in the US.
Best,
Arlo
Highlights From Osano
Ebook: State of US Privacy Enforcement 2026
For years, businesses in the US have adopted a âwait and seeâ approach to data privacy compliance. But that era is over. Privacy enforcement is a regular occurrence in the US nowadays, and by analyzing these actions, you can learn what regulators are looking for and how to protect your business. Download our Ebook to discover the 8 themes and patterns across recent enforcement actions and 7 priority actions you can take today to protect yourself.
Blog: The Opportunity in the Obligation: Why Data Privacy Is Marketing Strategy
Data privacy compliance and marketing strategy might seem like they have nothing to do with one another, but history tells us otherwise. Our SVP of Marketing, Shane Coker, breaks down how data privacy has intersected with his experience as a marketer and three ways marketing leaders can meet data privacyâs moment.
Checklist: How to Reduce CIPA Risk
2,200 companies were sued under wiretap laws last year. Donât let your company fall into the crosshairs of opportunistic law firms repurposing laws like CIPA for website tracking! Follow our checklist to learn how to reduce your risk.
After two years of debate, negotiation, and advocacy, Vermontâs comprehensive data privacy legislation officially passed the Legislature this week after the House approved the bill and the Senate concurred with House changes. The legislation now heads to Governor Phil Scott.
California Attorney General Rob Bonta recently filed a lawsuit against Chrome Holding Co., formerly known as 23andMe, for failing to protect its customersâ sensitive genetic information. In 2023, 23andMe experienced a data breach that affected nearly 7 million users across the United States. The AGâs office contends 23andMe failed to take reasonable measures to protect its customersâ sensitive data, violating a number of California laws, including the CCPA.
EPIC has submitted feedback in response to the UK Information Commissionerâs Office (ICO) consultation on the draft guidance they produced about automated decision-making (ADM), including profiling. As part of its feedback, EPIC argued that the ICO underestimates the time, resources, and opportunity lost by individuals fighting unfair and inaccurate decisions.
Recently, a California Superior Court ruled that the California Invasion of Privacy Actâs (CIPAâs) pen register and trap and trace device provisions apply only to telephone communications and not to software on commercial websites. The Court dismissed with prejudice claims against a defendant premised on the deployment of a data collection software development kit on its website. While this ruling provides further defense against CIPA claims, courts continue to be split on CIPAâs applicability to modern website tracking.
The Electronic Frontier Foundation (EFF) has welcomed Nicole Ozer as its new Executive Director Nicole Ozer. Nicole is a legal expert on privacy and surveillance, artificial intelligence, and digital speech who previously served as the inaugural executive director of the Center for Constitutional Democracy at UC Law San Francisco.
There's more to explore:
We go deeper into additional privacy topics with incredible guests monthly. Available on Spotify or Apple.
Join our official subreddit to stay up to date on the latest news, analysis, guidance, and content from Osano!
The book inspired by this newsletter: Osano CEO, Arlo Gilbert, covers the history of data privacy and how companies can start building a privacy program from the ground up. More details here.
If youâre interested in working at Osano, check out our Careers page!