Earlier this month, the Governor of Vermont signed into law S.B. 110, which will amend the state’s data breach notification law and create a new student privacy law focused on operators of educational technology services.  Notably, the amendments to the state’s data breach notification law will expand the categories of personally identifiable information (“PII”) that may trigger notification obligations to individuals and regulators in the event of a breach to include online account credentials, health and medical information, and biometric and genetic data, among others.  The student privacy law will place certain restrictions on how student data can be collected, used, and disclosed by operators of online educational technology services.  The new requirements, which will enter into force on July 1, 2020, are discussed in more detail below.

Data Breach Notification Changes

Vermont’s existing data breach notification law requires data collectors to notify affected Vermont residents and the Vermont Attorney General within a specific time frame following a “security breach,” defined as the unauthorized acquisition of unencrypted PII.  S.B. 110’s amendments to Vermont’s data breach notification law include revisions to the law’s definition of PII that can trigger notification obligations if breached.  The amendments will expand the definition to include a consumer’s name in combination with any of the following data elements:

  • Certain government identification numbers, such as individual taxpayer identification numbers, passport numbers, or military identification card numbers (in addition to driver’s license or state identification card numbers, which are already covered by the existing law);
  • Certain biometric data used for identification or authentication;
  • Genetic information;
  • Certain health records, including records of a “wellness program or similar program of health promotion or disease prevention”;
  • A medical diagnosis or treatment; or
  • A health insurance policy number.

The amendments to the data breach notification law will also include notification obligations resulting from a breach of “login credentials.”  The amendments define “login credentials” as “a consumer’s user name or e-mail address, in combination with a password or an answer to a security question, that together permit access to an online account.”  A breach of login credentials may trigger certain notification obligations to affected individuals and the Vermont Attorney General, with alternative notification methods available if the login credentials relate to a consumer’s e-mail account.  Finally, if the breach only involves login credentials (and no other PII), the bill specifies that the data collector will only be required to notify the Vermont Attorney General if the credentials were acquired directly from the data collector or its agent.  This provision may help clarify notification obligations for breaches involving login credentials that are obtained from the dark web, re-used across accounts, or otherwise breached from a third-party source.

New Student Privacy Law

By passing S.B. 110, Vermont continues the recent trend of states passing laws that directly regulate operators of education technology services.  Vermont’s new student privacy law will apply to “operators” of websites, online services, or applications that are knowingly used and marketed for PreK-12 school purposes.  The Vermont law places certain restrictions and requirements on operators’ collection, use, disclosure, and retention of “covered information,” which includes certain types of personal information provided by a student, parent, or school employee or agent, or information gathered by the operator that personally identifies a student.

Under the new law, operators will be generally prohibited from:

  • Engaging in targeted advertising based on any information the operator has acquired because of the use of its site, service, or application for PreK-12 purposes;
  • Using information that is created or gathered by the operator’s site, service, or application to amass a profile about a student, except for PreK-12 purposes;
  • Selling, bartering, or renting a student’s information; or
  • Disclosing covered information to a third party, unless a specific exception applies (including certain disclosures for educational purposes).

In addition, operators will be required to:

  • Implement and maintain reasonable security procedures and practices;
  • Delete a student’s covered information within a reasonable time period if the school or school district requests deletion; and
  • Publicly disclose and provide the school with information about the operator’s collection, use, and disclosure of covered information.

The law also explicitly permits certain acceptable uses and disclosures of covered information, such as disclosure for legitimate research purposes.  Operators may also use covered information that is not associated with an identified student to improve educational products, demonstrate the effectiveness of products or services, or improve educational services.