On March 5, 2020, Vermont Governor Phil Scott signed into law Senate Bill 110, which amends sections of Chapter 62 of the Vermont Statutes Annotated - “Protection of Personal Information” - including Sections 2430, 2435, and 2454. The bill also adds Section 2443 to the chapter, which governs the privacy of student information belonging to preschool, kindergarten, elementary, and secondary school students.

The bill expands the definition of “personal information” under the Security Breach Notice Act applicable to businesses and to government agencies (V.S.A. § 2430). 

“Personal information” was previously defined to include (when combined with an individual’s first name or initial and last name) a Social Security number; driver’s license number or non-driver identification card number; financial account, credit, or debit card number which could be used without additional identifying information; or passwords or personal identification numbers or other access codes for a financial account.

Following the passage of Senate Bill 110, “personal information” now also includes the following data elements:

  • Biometric data;
  • Genetic information;
  • Health records and records from other wellness, health promotion, or disease prevention programs; 
  • Medical diagnosis or treatment information; and 
  • Health insurance policy numbers.

Additionally, the bill also establishes protections for Student Privacy (V.S.A. § 2443). Specifically, Section 2443 imposes restrictions and requirements for the privacy, use, and disclosure of student information on operators of online websites or applications used by schools. Entities governed by the statute include operators of internet websites, online services, online applications, or mobile applications that are used for school purposes if the operator has actual knowledge that the site, service, or application is used primarily for school purposes and it was designed and marketed for those purposes. The section expands the scope of protected information beyond “personal information” as defined under Section 2430, and it applies to any non-public personal information or material that was created by, or provided to an operator by, a school, student, or student’s guardian for school purposes.

Operators are required to maintain reasonable security procedures and practices for covered student information, which are designed to protect that information from unauthorized access, destruction, use, modification, or disclosure. Operators must publically disclose and provide the school with material information about its collection, use and disclosure of covered student information, including publishing a privacy policy or similar document. Operators must also, within a reasonable amount of time, delete covered student information at the request of a school or school district.

Moreover, disclosure of student information is limited to the specific purposes set forth in the statute, including furtherance of the school purposes for the website or application. Section 2443 further prohibits operators from engaging in targeted advertising on the website or application and from selling, bartering, or renting any student information.

The bill also amends Section 2454 to require contracts governing subscriptions clearly disclose any automatic renewal provisions.

The new law takes effect on July 1, 2020. 

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.