Vermont; Another Brick in the Data Privacy Wall

Vermont’s New Privacy Law Is Not the Story. The Growing Patchwork of State Privacy Laws Is.

When Vermont lawmakers recently passed S.71, the Vermont Data Privacy and Online Surveillance Act, some observers immediately began asking what the new law might mean for repossession agencies, lenders, and recovery technology providers.

The answer, at least for now, is probably “not much.” But the wall is growing.

Vermont’s legislation is not particularly unique. In fact, it may be better understood as another brick in a wall that has been steadily growing across the country for several years.

The modern era of state privacy regulation arguably began with California’s Consumer Privacy Act (CCPA) in 2018. California’s law established broad consumer rights regarding personal information and inspired lawmakers throughout the nation to pursue similar legislation. Since then, states including Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Delaware, New Hampshire, New Jersey, and several others have adopted their own versions of consumer privacy frameworks.

While each law differs in scope and enforcement, the overall direction has been remarkably consistent. Consumers are being granted greater control over their personal information. Businesses are being required to provide more transparency regarding data collection and sharing. Sensitive information, particularly geolocation data, is receiving increased scrutiny.

For the repossession industry, however, the concern is not that these laws directly regulate collateral recovery.

Most do not.

The larger issue is that modern repossession operations increasingly rely upon a complex ecosystem of data providers, skip-tracing services, location intelligence platforms, telematics providers, and license plate recognition (LPR) networks. As lawmakers continue to focus on privacy protections, those supporting technologies may find themselves facing additional restrictions, compliance requirements, or limitations on how information can be collected, stored, shared, and sold.

Today, a recovery agency may obtain location intelligence through a variety of lawful commercial sources. Tomorrow, some of those sources may become subject to differing rules depending on the state in which the consumer resides, where the data was collected, or where the vendor operates.

That creates a challenge that extends far beyond Vermont.

The growing patchwork of state privacy laws may eventually become more difficult to navigate than any individual statute. Vendors operating nationally may choose to adopt the most restrictive standards across all jurisdictions rather than maintain fifty different compliance models. Lenders may become more cautious about sharing location information. Data providers may limit access, increase costs, or reduce the scope of information available to recovery professionals.

The result may not be a direct prohibition on repossession activities, but a gradual tightening of the information ecosystem that supports them.

For now, Vermont’s S.71 is simply the latest addition to a trend already well underway.

One brick alone does not make a wall.

But when enough states begin stacking similar bricks together, the repossession industry may eventually find itself operating in a very different data environment than the one it knows today.

The industry would be wise to pay attention not only to Vermont, but to the broader national movement that Vermont now joins.