The Vermont House of Representatives passed H.211 on March 25, a bill targeting the roughly 283 data broker companies registered with the Secretary of State that collect and sell Vermonters’ personal information — phone numbers, location histories, political affiliations, health conditions, biometric data, and more. The bill gives residents the right to request deletion of that data and requires brokers to prominently display opt-out options on their websites.

Rep. Monique Priestley, D-Bradford, called the bill a first step toward giving Vermonters “the right to say no” — the ability to interrupt the sale of their personal information in a global data industry that generates hundreds of billions of dollars annually.

That framing — the “right to say no” — captures the consumer-facing goal clearly. But the legislative reality behind it is more complicated than the headline suggests. H.211 is one piece of a fragmented privacy strategy that includes at least two other major bills, a still-unresolved enforcement debate that killed a sweeping privacy law in 2024, and a timeline that puts the most powerful consumer tool years into the future.

Here’s what readers need to know.

The deletion portal that isn’t — yet

H.211 is modeled after California’s 2023 Delete Act, which created a centralized online portal where residents can submit a single request to delete their data from every registered broker at once. Vermont would become the second state with such a mechanism — eventually.

The version of H.211 that passed the House does not mandate immediate creation of that portal. Instead, it appropriates $50,000 from the General Fund in fiscal year 2027 for the Secretary of State to hire a consultant to study the feasibility of building one. The portal itself is years away.

That timeline matters. The Secretary of State’s office asked for the study approach rather than the immediate mandate. California’s own portal took roughly two years to build after its Delete Act passed. Until Vermont’s mechanism is operational — if it gets built at all — a Vermonter who wants to exercise the “right to say no” across the entire data broker industry would need to submit individual deletion requests to each of the 283 registered companies, each with its own opt-out process.

The Electronic Privacy Information Center testified in support of H.211 but pushed for stronger provisions, noting that advocacy groups view the current framework as placing the burden of data deletion squarely on the individual consumer.

Data broker fees jump from $100 to $900

H.211 doesn’t just give consumers new rights. It builds a new regulatory structure around the data broker industry — and the costs are substantial.

Under current law, data brokers pay a $100 annual registration fee to the Secretary of State. H.211 raises that to $900. Penalties for failing to register jump from $50 per day (capped at $10,000 annually) to $200 per day with no cap. Materially incorrect filings carry a $25,000 penalty. And brokers would be required to post a $20,000 bond.

The Joint Fiscal Office projects the higher fees will generate approximately $254,700 in annual revenue, earmarked for a new Data Brokers Registry Fund to support enforcement and the feasibility study.

This represents a shift from a disclosure-based system — where brokers simply tell the state what they do — toward a compliance-based one where they pay substantially more and face meaningful penalties for noncompliance. Whether you view that as necessary accountability or regulatory overreach likely depends on where you sit. But it’s a structural change worth understanding regardless.

What happens when you delete your data — and then need a loan?

Say you exercise your new right to tell a data broker to delete your information. Then you walk into a bank and apply for a mortgage. The lender needs to verify your identity, your financial history, your creditworthiness — and some of that verification relies on data broker records. Can the bank still access what it needs?

That question sits at the center of a debate over how H.211 handles exemptions, and it matters to anyone who interacts with a bank, an insurer, or a title company.

Most state privacy laws solve this by exempting entire industries. Banks covered by federal financial privacy laws, for instance, are typically carved out altogether. H.211 takes a different approach: instead of exempting the bank, it exempts the activity. A financial institution isn’t outside the law, but the specific act of verifying a customer’s identity for a loan is protected.

Todd Daloz, the Attorney General’s director of policy and legislative affairs, told lawmakers the bill strikes “a good balance” and recommended this use-case approach over broader carve-outs. Priestley has argued that exempting entire categories of companies creates loopholes that swallow the rule.

The Vermont Bankers Association isn’t convinced. President Chris D’Elia told Vermont Public that banks view data privacy as “paramount to building trust” but warned that a deletion request could make it impossible to complete basic due diligence on a loan. Rep. Zachary Harvey, R-Castleton, called the framework “untested” and warned it risks degrading fraud prevention and complicating insurance underwriting.

The Consumer Data Industry Association, the data broker trade group, submitted testimony arguing that the bill lacks the specificity of California’s exemptions for credit reporting — a point likely to surface again as H.211 moves to the Senate. For consumers, the practical question is whether the line between “protected activity” and “everything else” is drawn clearly enough that exercising your deletion rights doesn’t create unintended consequences the next time you need credit, insurance, or a background check.

H.211 targets data brokers. Another bill would cover all businesses.

The data broker bill advanced to a floor vote while the comprehensive privacy legislation — the bill that would regulate how all businesses collect, use, and sell Vermonters’ personal data — remains in committee.

That’s not an accident. It’s the product of a deliberate strategic shift that traces back to June 2024, when Governor Phil Scott vetoed H.121, a sweeping privacy bill that had passed the House with near-unanimous support. Scott objected primarily to its inclusion of a private right of action — the legal mechanism that would allow individual consumers to sue companies for violations. The House overrode the veto 128-17, but the Senate voted just 14-15 in favor — far short of the 20 votes needed for a two-thirds override.

That failure reshaped the 2025-2026 session. Instead of one omnibus bill, lawmakers broke the privacy agenda into pieces. H.211 targets data brokers. S.71 is the Senate’s comprehensive framework, which passed unanimously in March 2025 — but only after Sen. Robert Plunkett, D-Bennington, stripped the private right of action to align with what Scott described in his veto letter as a preference for Connecticut’s enforcement model. H.208 is the House’s version, which keeps the PRA in.

S.71 was referred to the House Commerce Committee, where it has remained. The committee held hearings but did not advance the bill during the 2025 session, with Priestley indicating the coalition needed time to find compromise ground with industry. Both S.71 and H.208 remain in committee in the current session.

The fragmented approach has a strategic logic: pass what you can, bank wins where they’re available. But it also means the broadest consumer protections — covering all businesses, not just data brokers — are stalled behind the same enforcement debate that killed H.121 two years ago.

The question that killed the last bill — and could kill this one

If a company violates your privacy rights under the new law, what can you actually do about it?

Under the Senate’s bill, the answer is: nothing, directly. You’d rely on the Attorney General to act on your behalf. The AG would issue a notice, the company would get 60 days to fix the problem, and only then could the state pursue penalties. Individual consumers couldn’t file their own lawsuits.

Under the House’s version, consumers could sue — and collect damages — if a large data holder or broker violated their rights involving sensitive data. That ability to sue is called a private right of action, or PRA, and it is the single issue that has defined Vermont’s data privacy debate for three years.

Governor Scott vetoed the 2024 bill over this provision. The House overrode the veto overwhelmingly, but the Senate fell well short of the two-thirds majority needed. The Senate stripped the PRA out of S.71 to avoid a repeat. The House kept it in H.208.

Privacy advocates argue the AG’s office simply doesn’t have the staff to police every data violation statewide, and that without the threat of individual lawsuits, the law has no real teeth. The Vermont Chamber of Commerce argues the opposite — that a PRA turns privacy law into a tool for trial lawyers and exposes Vermont businesses to litigation their competitors in New Hampshire and Connecticut don’t face. Governor Scott’s spokesperson reiterated that Scott wants Vermont “more aligned with other states, rather than be a regional outlier.”

With weeks left in the session, the comprehensive bill faces the same choice it faced in 2024: include the PRA and invite a veto, or drop it and risk losing the advocacy coalition that’s been driving this effort.

What happens next

H.211 now moves to the Senate. The legislative session runs through mid-May.

The comprehensive privacy bill — whether it moves as S.71, H.208, or some merged version — remains in committee, stuck on the same question that’s stalled it since 2024.

Meanwhile, the most tangible consumer-facing promise of the “right to say no” — the one-stop deletion portal — is still just a feasibility study. Until it’s built, the right to say no remains a right you exercise 283 times over, one data broker at a time.

All sourcing linked within the text. Legislative documents, fiscal notes, committee testimony records, and published reporting from VTDigger, Vermont Public, Privacy Daily, TechPolicy.Press, EPIC, and the Vermont Chamber of Commerce were used in the preparation of this article.