At a glance, tech giants such as Facebook, Amazon, and Google appear to be operating in distinct markets; social networking, e-commerce, and search engine services respectively. But beneath the surface, they share a common ground as some of the world’s largest collectors and vendors of data. While this activity often unfolds without knowledge or recourse for affected consumers, the status quo appears to be on the cusp of changing, courtesy of legislative developments in the state of Vermont. For instance, when instances like a Facebook data breach or a Google data breach occur, consumers suffer most as they simply cannot hold companies accountable individually.
Vermont’s legislature has recently passed a comprehensive data privacy law, one of the strongest to date in the United States. What sets this legislation apart is its provision empowering individuals to sue companies believed to have violated their privacy rights; a pioneering provision in light of similar state laws. As reported by The Record, the bill imposes constraints on what personal data companies can collect and use. Further, it forbids companies from selling consumers’ sensitive data, and potentially opens them up to litigation initiated by individuals who believe such breaches have occurred—terms likely to reshape how corporations handle user data.
Thus, the implications of this law aren’t restricted to Vermont’s residents but will likely ripple into wider circles of data privacy practices. Companies aiming to comply with Vermont’s law may introduce site-wide changes that boost overall data security. Even companies not based in Vermont but handling data of its citizens will need to align with these regulations or be prepared to face potential class-action lawsuits.
In a broad view, this move by Vermont shifts the narrative in data privacy from corporations largely enjoying carte blanche in data collection and misuse towards legal empowerment of individuals. Undoubtedly echoing the data protection ethos of the EU’s General Data Protection Regulations (GDPR), it underscores the sustained momentum towards enforceable privacy laws.