One governor’s veto won’t stop the momentum on data rights for all

Vermont Gov. Phil Scott last week squashed a data privacy bill with strong consumer protections, but other states will pick up the mantle.
large ball rolling downhill
(Getty Images)

It would have been the strongest data privacy law in the country.

Vermont Gov. Phil Scott last week squashed a data privacy bill with strong consumer protections, asking lawmakers to instead craft legislation that would be good “for both consumers and the economy.” Legislators on Monday failed to override his veto, but it won’t stop the movement that the Vermont Data Privacy Act and Kids Code ignited.

The surge in grassroots support will grow and the bill will remain a model for what state privacy law and compromise could look like. Big Tech and data brokers — armed with lobbyists, millions in funding and sly arguments saying privacy laws hurt businesses — can’t win forever against the rising tide of consumer awareness and the fight for data dignity.

As The Vermont Data Privacy Act and Kids Code made its way through the legislature, many called its inclusion of a private right of action “a poison pill.” A private right of action would give Vermont residents the right to file suit against companies that violated their privacy rights, a scary proposition for data privacy offenders.


Big Tech and data broker lobbyists showed up in droves to call foul, and that is exactly why the right to sue is so important. Opponents say a private right of action is onerous for business, especially small businesses, and Big Tech played the familiar but tired role as the champion of small business.

There was little doubt that the bill would have sailed through without the private right of action, but bill sponsor Rep. Monique Priestley and other brave legislators didn’t give up on the important provision. Not wanting to make privacy compliance unnecessarily burdensome or cost prohibitive, they agreed to a compromise. The law, if enacted, would only apply to organizations who dealt in the data of more than 100,000 Vermonters. Small businesses would be safe. With this novel caveat, the bill didn’t just pass the Vermont legislature — it passed 139 to 3.

But last Thursday,  the governor vetoed it anyway, echoing common Big Tech talking points: that the bill was anti-business, even after significant compromises had been made.

The right to choose, the right to litigate 

There are more than 500 data brokers in the U.S. who are secretly collecting your data — via your cell phone, credit cards, apps and more — forming a map and profile of every moment of your digital day and then selling it to the highest bidder.


That is who the governor’s veto protected. 

The veto didn’t protect the Main Street shop or bar, or the maple farms that jot down emails for newsletters and loyalty programs. The law wouldn’t have done a thing to the retail site that suggests a pair of pants because you clicked on a matching shirt. People understand that data is at the heart of the value exchange with business, and they deserve transparency and choice in how that data is collected and used.

The proposed law would have empowered individuals to identify and act on privacy violations, and exercising that right shouldn’t be something that businesses who build trust with their customers should worry about. Responsible data practices should be the status quo for every business that we trust with our data.

Explaining the veto, the governor said the bill was “a national outlier and more hostile than any other state to many businesses and nonprofits.” When it comes to data privacy, being an outlier should be a point of pride in a state that holds strong to ideals of the independent American spirit.

As for Vermont’s privacy aspirations hurting small businesses? Limiting the private right of action to large companies should’ve quashed those concerns. But still, he vetoed.


Despite a 139-3 vote in favor of the law in the House, and a flurry of amendments to compromise on the proposed regulations, he vetoed.

Despite the proposed law being temporary, he vetoed it. It would have taken effect in 2025 with the right-to-sue lasting only two years, beginning in 2027. A study, meanwhile, would have looked at how well the new rules worked.

There was so much compromise and so many guardrails in this bill that the governor’s veto doesn’t so much say that this bill was bad for business as it says he believes that any privacy bill is bad for business. It’s a decision to prioritize the ability of big businesses to pilfer data over the rights of individuals to have a say in how their data is handled. 

A framework to be emulated

On Monday, this chapter of the fight for the data rights of Vermonters died in Montpelier. But the groundswell has only just begun. Our lives are increasingly digital, and we need a level of consumer protection that I believe many Americans assume we already have.


Privacy is a cornerstone of democracy. It’s also a necessary condition for human rights. Gov. Scott might’ve killed a bill, but if the energy percolating around that legislation is any indication, he didn’t kill the momentum that will eventually awaken individuals, regulators and legislators to the inherent need for data dignity. 

Other states will pick up the mantle from Priestley and her colleagues – using this innovative legislative framework to ensure data dignity across the country. We deserve it, and we will demand it.

This article is an opinionated submission from a contributor and does not reflect the opinions of Scoop News Group.

Latest Podcasts