 All right, I think we should get underway with at least introducing ourselves. I wanted to say one, so sorry for the conference room, dial-in trouble. Thank you all for coming in today, especially those of you who are planning on taking the day off or who thought you had a little vacation day or the legislature gone. Why don't we just as a preliminary matter go around and say who we are and I wanna know if one two zero two four two nine zero zero is now joining. Thanks for joining and for those of you on the phone, in addition to people in the room, we also have a video camera because our local cable access station, which is called Orca, we invited them to come and tape this in case people who couldn't come wanted to observe and just be a part of the conversation after the fact, I guess, and know what was talked about. So, Wayne from Orcas here, thank you very much. And we will, they're always published, all their videos of meetings like this are published on Orcas' website so we can send the link once that's up. So to begin matters, I am Charity Clark. I'm the Chief of Staff here at the Attorney General's Office and one of my tasks I oversee are legislative work. So that's why I'm here and I will sort of serve as facilitator of this meeting and why don't we start to my right with Ryan and then we'll have the folks on the phone introduce themselves. If you could just say who you're representing that, that's helpful. This is Ryan Krieger, Assistant Attorney General of the Public Protection Division here in Vermont. Jeff Kutcher, the Executive Director of the Vermont Technology Alliance. Claire Buckley from Leonine Public Affairs and we have a number of clients that are interested in this subject. Do you want me to? No, it's okay. Hi, it's Anne Cominelli. I'm with the Vermont Public Interest Research Group, Beeper. Yes. Hi, everyone, I'm Brooke Jenkins. I'm interning in the AG's from office with Communications and Legislative Matters. Hi, I'm Falco Shilling. I'm the Advocacy Director for the ACLU of Vermont. Laura Kyneman, also here with the Vermont Technology Alliance Board Member. Tammy Koda, Internet Coalition. Chris Rice from InMEMOR. Danielle Dean, Comptia. All right, why don't we turn to the folks on the phone and apologies again for our conference called Trouble, but if you could introduce yourselves for everyone, that would be great. John Hall, I was down there from Martin on behalf of Apple. Hi, this is Andrew Kingman, Capital of State Privacy Security Coalition and Attorney at the LA Beeper. Plus one, two, zero, two, seven, one, six, two, one, seven, two. He's now exiting. You need to leave early, we'll ask. Is anyone else on the phone besides John and Andrew? Can you put your picture back up? Say that again? Plus one, six, one, seven, six, nine, four, seven, zero, four, three, he is now joining. All right, I left off with John and Andrews. Sorry. We heard TechNet. Yeah, we heard TechNet. And it's brought Barnes with Google. Nick Jefferson. Tim Wilkerson and Kristen Gravioso from the New England Table of Telecommunications Association. Hey, Tim. Anna Myers from Amazon. Anyone else? All right, so why don't I just lay the table as to how we got here. And for those of you who weren't in the room last Thursday in House Commerce, this hopefully will be helpful. So there is, I was hoping Michael would be on the phone today, I didn't invite him. But there is an entrepreneur named Michael B. who lives in Burlington, who e-mails Representative Barca, the Chair of House Commerce. The New York Times article about Clearview AI, I'm not sure if folks are familiar with that article or Clearview, saying this is concerning. I would like the legislature to do something about facial recognition. And Representative Marca decided, and his community decided that they would take up Representative Barbara Rachelson's Bill H595. They invited folks to testify about the bill. Ryan and I were invited to go. We went. And that was Thursday. Just before we talked to TJ, the Attorney General, as you do, and say, what do you think of the bill? And what the Attorney General wanted was a facial recognition being one narrow subset of biometric data. He thought, well, this doesn't really cover what we're looking at, it's all biometric data. And there's three states who have bills on biometric data. And so what he wanted was a bill that would cover biometric data and follow in the paths of one of these states. And his recommendation was Illinois. And so we testified, Ryan and I, in House Commerce. And we included in our testimony, our written testimony, the Illinois statute. So that's kind of how we got to that point. And then upon hearing the testimony of Ryan and me and also Mr. Lee from Burlington, the chair invited or kind of requested, I guess, that we try to all get together on the stakeholders and have a conversation about the bill and then come back next week. We are scheduled to testify at one. I don't know if others have been invited to testify on Tuesday when they get back, but Ryan and I will be there at one. So that's kind of the next event after this. I should also make a note. Plus 1-800-279-33176 is now exiting. So the legislative timeline for those on the phone who might not be familiar. Plus 1-800-279-4262 is now joining. Hi, welcome to the meeting. Can you announce yourself? Hi, it's Maggie Lensson. Plus 1-800-279-33176 is now joining. Is someone else new on the call? I'm sorry, Charity, it's John Hall. I got dropped. I'm on a train, so if I get dropped again, I'll just stay off. Oh, no, no, John, call back in. No problem. I know it's a little disruptive, it sounds like. It's because our super fancy conference call number lists the entire phone number when they call, so we get your full phone number. So I was just, I was just noting our timeline for those who aren't in the state house all the time like we are. So we have the crossover date where bills need to cross over from one house to the other is next week. And so there is some, you know, a different timeline I guess than what would ordinarily we would look at such as our privacy bill that we all worked on last session, S110. So in this situation. Plus 1-7348-123-176 is now joining. Hello, welcome to the meeting. Can you say who you are? Yes, I'm so sorry about that. This is Amy Keller. Oh, no worries. From the law firm of Dicella Levitt. Welcome. Hi, how are you? Thank you. We're just filling in everyone on the timeline. And so a lot of this, you know, our recommendation last Thursday was to, you know, use the Illinois law that's business is already complying with. And if changes need to be made to that based on these conversations, it might make the best sense to do that work in the Senate once the bill crosses over for crossover. So that's kind of where our starting place was when we testified last week. And Ryan, have I forgotten anything before we get into a kind of round table? Those are the key. Okay, key points. All right, so I think what we should do, you know, we've, we testified, we've sort of said what we had to say and it would be really wonderful to hear from all of you. So I guess I'll just open up the room for anyone who wants to comment or ask questions. I was gonna start to, honestly, I haven't had time to look at everything in depth and do research just because of stuff that already had. My biggest concern is I emailed as soon as, how you very good, you know, how you do it. Plus 1-8-0-2-7-9-3-3-1-7-6 is now exiting. Board member of the Vermont Technology Alliance. Plus 1-2-0-2-4-4-2-2-9-0-0 is now exiting. I'm, I had anticipated sending out an update to our members sort of either by Friday afternoon or Monday or Tuesday this week. Anyway, it's break, here's what's going on and whatnot. I haven't even sent that update out yet because now I wanna, I want to include this and that delayed by another five days our ability to literally do any due diligence on our own and then reach out to our membership, to individuals and businesses throughout Vermont to get feedback from them. So honestly, as a board member of the Law Technology Alliance, I'm feeling extremely constrained in not being able to understand even before you're saying the plan is in fact to go back in on testify. And testify on Tuesday at one and by Friday this will be at a committee without any opportunity to anything, the plan is to pass the house, rush it through the house, and we'll deal with the objections in the Senate. I, I don't like that process and it makes our ability to engage the membership, get feedback, figure it out really difficult, which is difficult anyway because we represent technology differences and the kind of definitions, words, semantics and everything else that are included in a vastly complex, more complex proposal than a there should be some transparency here, which I, which we also agree with, we supported that and we're actually planning on testifying next time. It's a part of age 95 and I'm gonna point out some other issues we think are worthy of further study given if you AI might not chat with Michael. We, you know, we know this and then came out of that was, have you read the Illinois law yet and crossovers next week? Excuse me, could you speak up? Yeah, and cross over next week. Thank you. I'm just, I'm struggling with the fact that we are not gonna be able to get feedback from enough of our members, all of them have different perspective, different takes of different, maybe uses of technology and whatnot. So we're not gonna be able to do much by Friday. And that's concerning just from a process point of view. We're stuck having to represent the membership and all I can do right now is say the speed is concerned because of the complexity involved and we recognize all the issues. You know, really just wanna make sure we don't rush too fast. There's, for this matter, the stuff. It's just so complex. Please state your name before you speak too. You know, I would want to, this is Danielle Dean with CompTIA. I would also echo concerns with timing on this, especially since Illinois isn't a done deal. They still have, I think, upwards of six or seven amendments that they're considering this year to change different aspects. Yeah, and different aspects of their law on the books now. So I mean, companies may even, you know, by the end of this year, have to comply with a different set of rules. And so even, you know, with the idea that, you know, we're gonna just push this off to the Senate, let them deal with it there. There's already, you know, laws on the books. It's still a moving target for our companies. And timing is- They always will be though. That's, I mean, as the legislators want to amend their bill, amend their law. So I think that's just the way it works. Yeah, but I mean, it's just the sense of like, if we're, if we want to have a meaningful conversation about, you know, vetting all of the issues, maybe taking some lessons learned from what Illinois is dealing with now in Texas and was it Oregon, Washington, thank you, that have already passed this bill. I mean, I think that there's time for us to have a meaningful conversation with companies and, you know, pushing this through so quickly won't really allow us to vet and have these types of meaningful conversations with both your office and with the legislature. Charity, this is, and Ryan, this is Andy Kingman here. First of all, thanks for, you know, letting us sit inside some time today for us to chat. You know, I think, you know, we're just a few days removed from S-110 being put on the governor's desk. And that was, you know, a meaningful privacy bill that was the result of, you know, a multi-stakeholder input that a lot of us had time to work on together and, you know, ended up with something that, because we put the time in up front, was able to, you know, pass with a relatively smooth process. I think even though, you know, that was based on, you know, a bill that had been adopted in, you know, 25 states or so. And even that took a little bit of time for it to move through, I think, you know, we would, you know, offer that that type of process would be a great process to go through for this issue rather than, you know, take the bill that is probably one of the most controversial privacy statutes in the country as a base and put it through in a week and a half in a chamber. I mean, you know, I think would be more than willing to engage in a thoughtful stakeholder process and work with, you know, different constituents. But I think, you know, would love to hear your thoughts on your willingness to do that. So this is Ryan Krieger from the AG's office. I think we've heard that concern about the process loud and clear. This is something which we will have to discuss and talk to TJ and mention that this has been raised. That said, we've been asked to request from the legislature to advise them, which is why we're here. So taking that into account that there are concerns about the process and I'm sure that those concerns will also be expressed to the legislature and, you know, so that may be one track that this takes, noted. If it does not take that track and they do want a solution this year and we have limited time to talk, can we turn the discussion to the solution itself and hear any concerns about that in particular? We can talk about the solution, but as a solution is not a, it is, you know, effectively a non-starter for, you know, most of the folks on this call. It is incredibly difficult to comply with and it has, you know, instigated any number of frivolous class action lawsuits. I am defending one client right now in one of those and, you know, there are other states to choose from, but this is a statute that was passed a year after the iPhone was invented and, you know, failed in any number of ways to, you know, consider what the modern online ecosystem is and I would, you know, just urge that the legislature take some time on this. It's an incredibly complicated issue and what biometrics consist of is incredibly complicated. It is getting more complicated. It just, this statute is incredibly hard to comply with. I counsel, you know, numerous clients through it and it's very, very challenging. That's despite the fact that it's been on the books for 10 years. So I've heard, so this is charity. So I've heard hard to comply with concerns about enforcement, creating a lot of class actions and concerns about the definition of biometric data. Are those the three kind of big concerns that you would flag? Yeah, I mean, I think making Vermont a haven for class action attorneys would be a concern to flag. Like it really is. If you Google, you know, BIPA right now, you will see that they are just feasting on this law and with very little, you know, substantive law coming out of it. In terms of, there's a lot of stuff that's being, again, this is Mark Hyman of Vermont Technology Alliance. I've also had, been on the board, we work very well, I think, with the AG's office on, not just on, I don't know, pregnancy stuff. I mean, I'm sure to think back to the data worker turns a couple years ago and everything where that was, there was a real need and we had to really figure it out. That was, happened to me as I was in my previous life. Also going to GDPR compliance and, you know, and everything and I, to the extent, there are absolutely legitimate concerns in terms of privacy and protections that apply to us all. There is a growing, you know, we're thinking that we're protecting folks from the big bad evil companies out there. I will just remind you, my sole focus, you know, in this capacity is on Vermont's individual and tech businesses and community using, why not, and we are Vermont businesses of all sizes that could be, definitely will be impacted by this bill and not necessarily based on their tech or their business, just because there's an easy target and mechanism to do so, to go after them. I'm actually concerned more about the Vermont small business tech community. Every year it's just about to get there and it's really hard and we're trying, we're trying to be very responsible local Vermont businesses. It's just every year there's something and this is just another one last year. I was testifying on S18 and it was the, the unintended consequences was the primary concern as we also acknowledge the legit substantive issues and let's figure out, it's very complex. So I know you've said that you haven't had a lot of time to digest the Illinois law, but I'm trying to just identify the concerns that you do have that are specific. It sounds like you're concerned with the enforcement portion as well. I'm concerned with enforcement, I'm concerned with slight nuance in some ethics, given in a bill that was passed in 2008 with today's technology and sort of saying, I heard in a very different context, now it's software as a service or going after non-platform or infrastructure as a service and I sit here and say the marketing folks came up with four years ago and which now everybody also knows. So outdated definitions. Outdated definitions and what that, and the complexity and the difficulty is. Charity, I will tell you that, I worked with a client a couple weeks ago in their startup and trying to look at where to deploy their products and we advised them to literally just not enter the Illinois market because the enforcement risk and the compliance difficulty was so burdensome and costly that we just said you probably shouldn't go into Illinois. And I don't think that that's the message that Vermont wants to send to, like we're not just talking about large businesses, it's just not the message you want to send to small businesses or businesses that are looking at bringing products and jobs to Vermont. Yeah, that's a great, real live example of what Mark was just saying. May I ask a question, Jeff Kutcher of Vermont Technology Alliance, is your current proposal to take this bill and have the Health Commerce Committee pass it? I mean, I think what our proposal is now is we like the Illinois law and think that should be a model and we want to have a conversation with everyone, all the stakeholders, and find out where the concerns are, you know, and have the conversations. No, I'm just going back to your, trying to get something over the crossover date. I mean, if we want to pass- And my informal, our informal conversation with Chair Markott was that this would be something we would look at over the summer. So there's a difference of perspective from what I thought, what I heard you say and what I heard him say. What I heard him, well- Yeah, that wasn't in the hearing. Right, that was not there, so. Oh, okay, so I don't know he- This seems to be moving quickly. That's why I- I don't think he would have asked us to meet over the break if he wasn't planning on doing something next week. Okay. This is Maggie Lenz. I just want to say that I spoke with Markott yesterday and he also, I can second that, he told me that he was looking to get something worked on over the summer. That was absolutely what he did. Yeah, that's what he did. Maybe he just wanted us to come in on our vacations. Well, I had some emails and as well, I'm just reading it, it's sort of the, I actually was coming, I'm not sure if you were saying we should adopt this now or we should look at age 595 and set up, we'd like, you know, if the, I actually didn't know what the real proposal was, is the proposal, I have no problem with we'd like to use this as the model. If the next part of the sentence is, and study it and have a thoughtful conversation about it, let's do that. Let's hammer out what the thoughtful conversation should be. We can support, I mean, we'll talk to members of them. We can always support a thoughtful look at anything. I'm, we are happy to support, you know, we were in support of age 595, as introduced, we wanted to look at other issues actually for further study related to just facial recognition. I would say I would ask that the collective proposal after we synced up, my understanding was, the chair and the committee were looking for this group, sync up and come back to us with recommendations. Can you speak up please for those of us on the phone? With recommendations, not necessarily with the language to pass by Friday. And so my, I came here saying, hoping this group would recommend we go back in, we will be there in some capacity on Tuesday as well, whether it's Jeff, or myself, or the other. I'd love to go back and have everybody say, we support X and we'd like to do a deep dive further study on the following, and we'll further refine that. Let's pass this in the Senate. We get something in terms of getting some notice out on age 595, it's not a massive bill, but I think there's always benefit to transparency and notice, I just believe that. And then your Walden lockstep when we passed saying, the Attorney General's office is gonna study this with local and other stakeholders that will be impacted by it, and I think that the complexity of these issues require that length of discussion, given the timing. Yeah, is there any right, I mean, I think you guys know that we're not, SPSC is not fire breathers, and we were generally willing to work on legislation and try to work with you guys. And to the extent that we can have a study process, and like we did with the student privacy bill, exchange drafts, and work with lots of different constituents and stakeholders, then I think that we're very willing to do that, and I don't speak for everybody on the phone and in the room, but I think everybody, most folks are pretty willing to engage in that, and you'll find willing partners who want to address the issues and sincerely work on something. I think if the course of action is, we're going to get DIPA into the Senate by next week, and then try to fix it in the following five weeks, I mean, again, just to use the student privacy bill as an example is the data breach bill, we spent months on that, and that bill has been adopted in 25 states, but this bill, as you guys know, has not been adopted in a single other state. And so I think to call it a model is maybe a little bit overstating it, and my concern is that if this is a course of action that we go down, everybody in the room who is right now a willing partner is going to be a vigorous opponent of that course of action. Sure, so Zach Tominolli with Be Perk. So I'm not representing any technology companies, so speaking on behalf of sort of our membership, 50,000 Vermonters, we support this bill, DIPA, we support moving fast on it. That being said, obviously that's not shared by the vast majority of people in this room. We would be happy to engage in a process, we engage in the data broker process and the student privacy process. That being said, some of the things that I'm hearing in the room at the moment are things like DIPA is a non-starter and this is always going to be constantly moving or changing and it's hard to get the definition. So while I'm happy to participate in a process, I am concerned that that process would not actually result in vigorous agreement by the stakeholders here because at the end of the day, what is contained in this bill, and it's been on the books since 2008, it has been subject to several lawsuits. It's not going to be, anything substantial like this is not going to be, I think, probably well received by industry. That being said, there's a lot of people around this table, so if people are going to oppose this vigorously, that's all well and good, but I see no problem with moving forward with the law that's been on the books since 2008 in another state. So this fall goes showing from the ACLU of Vermont, and we're in a very similar position. The ACLU of Illinois helped support and work on the origin of DIPA. They were an amicus in the most recent lawsuit, so this is a law that we are supportive of and we're supportive of moving forward with, understand concerns around timeline, but also this is something where the legislature has asked for people to come in and talk about this because there was great concern. So those of you in the room on Friday, as people learned about the implications and where the technology is going, there was rightfully a lot of concern about what this means for personal information, personal privacy, and the testimony they heard is there is no time to wait. And so kicking the can down the road is something that is a concern as the technology evolves, as we see more breaches and as more data is collected without consumers being informed. So we are supportive of moving forward with this legislation, understand the objections, and we'd be willing to continue that discussion. I would also just say that if there is some sort of formal study process of this over the summer, that is something that if the legislature was going to put that forward, that would need to move out at any by the end of next week. So just saying, if you wanna have legislative counsel to support this with their research capacity in any way, or if you're trying to bring in outside stakeholders who can be compensated for their time in this conversation, those are things that the legislature would be discussing and probably moving forward in some form next week. So the conversation dies in many ways if it is not moved forward in some way, be it the original piece of legislation that is introduced or are containing Beppo. So that's our perspective at this point in time. Mark Hyman, Vermont Technology Alliance again, to the extent that we are referred to as industry, no personal offense taken and whatnot, but we always remind folks in any meeting, I am now a one person bootstrap startup. After my other thing, I've been in the tech sector for a long time, I just came from a dairy farm this morning. Also a member of the tech sector, tech is ubiquitous. When we talk about at least the Vermont Technology Alliance members, I'm talking about 50,000 for honors too. I was just in Springfield at the Black River Innovation Campus talking to them about public policy initiatives, saying I've got this meeting, I'm not really sure what it's about. Do you, any of your folks care about anything tangentially related to this? Might that impact your business plans or anything like that? Trying to revitalize Springfield in a dilapidated school building that we're all spending our time trying to restore not to the county, but other parts of the state as well. And the answer I got was, yeah, I don't know in what way, but I can think of 20 people off the top of my head who are trying to hire people, recruit, start businesses, find work that will be impacted one way or the other. Both of them were all worried about the consumers, but also what are they trying to do? And when I said, well, it was testimony Thursday and now, Crossover's Friday, so everyone's rushing us through. I just said rush. I don't, we weren't talking about any substance. That sets, people are literally trying to start something one person at a time makes everybody freak out. Not to mention, if there's a headline, there are four startups that don't come to Vermont that we will never know about because they scratch their head thinking I'm 93 and kept on driving, is my sarcastic. We have Cougar Vermont Technology Alliance. I think we can start from that as an organization we want businesses to be able to use the technology appropriately for services that consumers want, but also making sure they're informed and we protect their personal identity and their confidential information. So we're not saying let's go one side and let's use it in any way business wants to. Let's make sure we have the protections, but let's not because where we say let's not scare away or do damage to the businesses that are either working in that area here in Vermont and serving Vermonters and the startups and medium-sized businesses that we represent who may be using this technology as part of their offering. And sometimes what we see because tech kind of seems to be new sometimes to some Vermonters is the not recognizing the unintended consequences that can affect businesses. Even Michael Lee, who is a member of ours who we talked to who spoke and we started talking about, well, what about this Michael? What about that? He's like, well, no, I just didn't like some guy who's able to go off and do something and not get anyone's permission. So I think, and we're kind of like, yeah, we agree with that, but within that range. Isn't that BIPA, they have to get people's permission? Yeah, but even how you define, but I mean, I haven't read all this, I've read what you sent out. I mean, the definition of what biometric information is I'm trying to think, you know, so if I use an app that tags me, I take your photo and it tags you, I've used it, maybe we're friends. I say, that's my friend. Then I've probably broken this law. I don't know, I haven't looked at it, but I don't know if tagging your friend on Facebook violates this law. This is, sorry, go ahead. What did somebody just say? Go ahead. I was gonna say, this is Amy Keller. I'm actually an attorney in Illinois in Chicago and I have brought specific cases. I actually found an aegis in support of the Rosenbach case. Tagging your friend on Facebook, it would not be a violation of BIPA. Using algorithms to predictive code someone's face and say, face upon the distance between their eyes, I can machine code basically and tag this person in a number of photos without that person's consent. I wanted to clear up a couple of misconceptions about Illinois BIPA. I heard earlier that class action attorneys like me are now beefing on BIPA and are filing a number of frivolous lawsuits. And I think we just need to remember that the whole point of BIPA is that you have a mutable human characteristics that cannot be changed. And in order to use those, a business basically needs to get someone's permission. Because that's forbid there's a data breach of the future that exposes this kind of information. That's it. That's the backstop. You cannot change that information. So requiring companies to get consent to have basic security protocols and that kind of thing, I think we can all agree that that seems reasonable. The reason why you're seeing such a- I think you're right, Amy. And I think that's why we're happy that we updated the data breach statute last year to include biometrics. And so I'm continuing. I think the reason why everyone is seeing an uptick in litigation now is because there was just a big payday in the Facebook BIPA case. And as a result of that, you're seeing some people who had otherwise not filed cases before, now they're filing cases. But I think we need to remember that for a very long time, people were not filing the cases. This is actually a law that some businesses did not know about. And I know a lot of businesses now are a little flat-footed because they were violating the law and they just didn't know about it before. So I think if businesses were well-informed about the law, that they could take steps to protect themselves going forward. If they can't afford to use biometric information, then maybe they shouldn't be using it if they cannot afford to protect it or a proper consent to use it. And then the other thing is, I think we just need to keep in mind the backstop's available to companies who think that lawsuit is ridiculous. Of course, you have rule 11 motions that you can file. If they think that's something, do think that lawsuit is ridiculous. So I don't want to have everyone be sounding the alarms that God forbid Vermont be proactive in ensuring that biometric information, which again, cannot be changed, should be protected and should, you should have paid consent before using it. Just had to say that. I think Sammy, has anyone else, just while we have someone on the phone, anyone else on the phone who hasn't spoken yet, I want to weigh in on any of this? Tim, Anna, Maggie, Euler? No? Okay, Ryan. Sure. So I'm listening to everything that everyone's saying. We're taking notes. We're definitely going to have a long conversation when this is done. I just want to address one notion is, I don't mean to be flip here, but it is kind of interesting hearing the tech industry writ large, and I mean kind of like the more national tech industry saying, we're really afraid of going fast. Like this is going too fast. I mean, one of the companies on the phone literally had the motto for a long time, what was it, move fast and break things. We don't want to break anything, okay? But there is a sense of urgency in the legislature. There is a sense of urgency in the citizenry. We hear about this all of the time because the tech industry and tech generally is always going to outstrip legislative response, okay? The tech industry is going to look different six months from now than it looks now. It's going to look different a year from now. And that is why anyone who has seen our efforts in the tech regulatory process is we really do try to think about legislation that is generally tech neutral. We don't try to code specific technological solutions into laws. We have background in the technology industry. We reach out to experts to try to make sure these things. We try to legislate in terms of broader principles rather than very specific prescriptive requirements. Interestingly, it's often industry representatives who come in and demand more prescriptive requirements because they say the language has to be really, really, really specific. And that's a whole different philosophical discussion. But as we hear it so far, the legislature and our office feel a sense of urgency about this issue because biometric use and data use generally has been an issue for years and years and years. I mean, at least 12 years, this is not a new concept. And we have determined to commit the resources that if the legislature chooses that it wants to move forward on an accelerated plan, which is not our preference as an office, as you know from the past, we generally prefer to take a more measured approach. But if the urgency is there, we are committing the resources to try to meet that pace, which means hearing from people, talking about language. Anyone who has worked with us on legislation in the past knows that we can be pretty nimble. I mean, S110, the data broker bill, there were 13 versions of the data broker bill. We were changing a version every day. We were having multiple conversations. There is always going to be urgency and things happening. I don't want to downplay the worries about speed. But there are a number of people on the phone right now who have a lot of experience with the BIPLAW on both sides of it, who represent various interests. I have been getting up to speed on the BIPLAW. I'm actually supposed to be on vacation all next week. I will not be. I will be working on this a lot because we think the urgency is important. So that's one point I want to make, assuming that the legislature does decide to go forward on this course. And we don't know what they're going to decide next week. But we need to be ready for whatever that course they decide to take. And then the second thing I want to note is that we have been looking at the Illinois BIPLAW. We have been looking at the Washington State BIPLAW. We have been looking at the Texas BIPLAW. We have been speaking to experts and people with knowledge. And we hope to keep doing that. The legislature is going to expect some language from us next week, assuming they don't change their mind. And what we propose is not necessarily like the current language of the BIPLAW all or nothing. It's either going to be that, pass it next week, and worry about it on the Senate. There is actually time. I know it's, what day is it, Thursday? I know it's Wednesday. It's Wednesday. Thank you. So there is actually time to have some conversations and to discuss what language might even be put before the legislature then. And again, I mean, from a lawyer standpoint, three days is forever to talk about this stuff. As far as I'm concerned, we can have lots of conversations and really get into a lot of the weeds on this stuff in that amount of time. And we have the bandwidth to do so. So just one thing to that. And you're absolutely right. I mean, I think, sorry, Chris Rice from MMR. I think the work that you guys led on with Data Broker, the same stakeholder engagement process you guys had on, the privacy bill that was just signed into law, I think those are models for how you arrive at a good policy product. The point that you're leaving out and the big part that you're leaving out is you have all the time in the world. Some of us may all have all the time in the world over the next several days. What's not clear to me is how much time the Commerce Committee is going to have to spend on this. And since they're the ones that are the decision makers, you're a subject matter expert. There are many other subject matter experts on this issue. There aren't in the Commerce Committee. And them getting up to speed and understanding this at the same level that all the rest of us do to make some of these tough policy calls, I think is a tall ask. And I understand exactly what you're saying about the urgency. I just think it's a tough thing to do with crossover hanging over everybody's head. It's a tall ask of the committee. And it's a tall ask to the people in the room and yourselves, and I'll do that in that short order. So I won't repeat everything everybody else has already said. I think the best work that you guys have done in privacy area and the best work that all the stakeholders have done is a thoughtful, collaborative approach. Not everybody's always going to be happy. But we do our best work when we do it together and we take the time to do it. And I think right now, we don't have the luxury to be the one of those things. All I was going to say, if it were me personally, I have the time. I've been doing enough privacy stuff and whatnot. But I'm here representing my membership. And I'll say it unless Jeff shakes me off and says, we've got more resources than I think that two of us can handle. You're looking at the two resources right now and stuff like this. The Multotechnology Alliance does not have the resources to diligently study this in a few days and explain it all to statewide membership. I've just done 600 miles in the past three days to talk to like six of them to come back and give us feedback so that we can be a part of this process. We can't be a part of this process in a deliberative, conscious way from a fiduciary allegation I'm going to do, although I have concerns. I talked about them with Michael A. I've read the articles. I share, actually everybody's thing, the extent that we typically say Vermont's a little bit different than everybody else out there. I think the same, I'll say the same for our membership as compared to maybe the perception of big tech outside of Vermont. But I'm here fighting for my Vermont membership. And I'm just telling you from a process point of view, we don't have the resources to get there by Friday in any way that makes sense. And so as from my point of view, not Jeff's as staff, but from a fiduciary or level point of view, I have to go back here and say, well, if there's no time to go back to the membership, explain everything, get feedback, come back and speak thoughtfully and constructively with both, with, but really we appreciate that. Echo everything everybody said about how the attorney general's office has really approached these big issues for such a small state, 50 other issues going on. We also don't have time for it. I'm gonna look at Jeff right after this, outside of here and say something to the effect of, do I ring my hands or do we just get the update out saying call him, say no. I'd rather like, I hope the attorney general's recommendation and I think that's what the committee is. What's the best way for the commerce committee to move forward? I hope our collective agreement of recommendation is to take every issue as seriously as possible. I don't think outlining a thoughtful list of stuff, of very complex issues that might need a lot of discussion amongst a lot of different stakeholders. I don't think that's being delaying. I don't think that's not taking it seriously. I'm ringing the alarm bells saying, we need to define the study and do it as soon as possible. So I'm hearing that. Ryan, that's it. Go ahead. Yep, I just want to say, I mean, if you guys are looking for language, we will draft a very robust study committee that, you know, there are ways, I'm happy to take a stab at it, that you guys can provide to the commerce committee. I just, you know, this is not a fixable bill in five weeks. And I mean, to my knowledge, it's not actually a bill right now, right? It hasn't actually been introduced yet. Well, I mean, what we have now is $5.95. It would be an amendment to $5.90. Right, right. So the actual bill hasn't even been introduced yet, right? No, it would just be a stroke ball. It's five. The bill is $5.95. It just wouldn't look like that. Right, so my point, you know, I guess I have three points. One is that we are happy to draft up a draft of a study committee that we can get to, you know, in the next couple of days here before Friday. To, you know, the points about Clearview that were brought up, those are not, you know, in the urgency around that particular situation. That is not necessarily just what BIPA gets at. BIPA gets at, you know, virtually any business that has any degree of fraud authentication. And that leads it to my third point, which is it is not possible to fix this bill in five weeks because my point earlier about it, ignoring the online ecosystem, more specifically, it doesn't take into account the fact that there are service providers who use biometric information. It doesn't take into account the fact that there is literally no fraud protection in this bill. There are any number of reasons why this bill is not workable. And you have people around the table think we are willing to work on the issue. We understand the urgency. You know, we are willing to go through a robust process. I would just urge you to work with us on this and not try to push this through just because, you know, you're hearing something from the legislature. Thanks, Andy. Jeff Kutcher, again, Vermont Technology Alliance. I just wanted to ask the question based on what you said, Ryan. Is your office actually hearing from people before this came up about biometric concerns? We are, well, we're definitely hearing about privacy concerns generally. We have definitely heard about facial recognition concerns, absolutely. As I testified in the legislature last week, facial recognition is a subset of biometrics. And we do not think a piecemeal approach, which has been basically the entire way that we've dealt with privacy law up until now. It's been a very reactive, let's pick off this area, this area, this area. And that, you know, it's not sufficient to protect consumers. So your office believes there should be a bill like this or a version of BIPA? I mean, that's what we recommended last week. Right, I mean, would you've brought this on your own if there wasn't a hearing or discussion about it? I'm just trying to understand where you keep it. We didn't this year. I mean, we could have, you were asked to testify on it, and that's what was our decision. And we got asked to testify after Michael raised an alarm on a clear view. I'm just trying to confuse how we got here so fast, but. Yeah, I mean. And then they might throw, let me go. And you've looked at the other proposed legislation. Do you think what's now the Illinois legislation, do you think that's the best one or the one we should adopt? I mean, right now when you're looking at it, can you talk to the legislative legislature? Yeah, I mean, we're, I don't think anyone thinks that Illinois has, the Illinois BIPA is like the be-all and all of BIPAs. And it certainly, you know, could use some of Vermont's touch, shall we say. But when we looked at the three choices, it seemed to us the best foundation to begin with. Then you talked about, would you change it? Would you put this Vermont touch? I was just trying to follow you, so we could do this quickly. I just wonder what you wanted to see happen quickly. If we just go ahead, do whatever you want, what would be your approach? I'm trying to understand where your guys are coming at it from. I mean, I think that. We're saying slow down, but I'm trying to understand what you were. Sure. We would need to have that conversation internally before we say what we would recommend doing. Okay. I mean, where we are is, we were asked by the chair of the House Commerce Committee to get together with stakeholders and talk about it. That's what we're doing right now. So that, I mean, I kind of answered that question before, and that's really where we were asked to testify in the bill. That was our testimony. We think we should have a Vermont BIPA, and then here we are with the next step, which is we were requested by the chair to have this conversation. So first of all, I should reiterate, thank you so much for being a part of the conversation. Thank you for providing us with that. And helping us to respond to the chair's request. So thank you for being here to have this conversation, and certainly we're hearing what you say, and our fearless interns taking notes so that we can be sure to digest everything. And it's really helpful to have just begin the conversation. I'm hearing themes. I'm hearing this is not out of time. I'm hearing concerns about the enforcement provision in the specific Illinois BIPA. I'm hearing concerns about the definition of biometric data. We already have a definition of biometric data in Vermont law. So I mean, right away I can say that's where we would begin. And there was one, what am I missing? Enforcement, definition, and? There was talking about platforms, I heard that. Well, particular types of, I mean, the meat of the compliance provisions are incredibly difficult to comply with. They are ambiguous. They don't think up with, you know, the way that businesses generally provide privacy policies. Again, there's no fraud. There's no recognition of online service providers. There's no recognition of cloud storage providers. There's no recognition of security provisions. Andy, can I ask you a question? Yeah, yeah, yeah. In your opinion, do you think some of these flaws are due to the age of the initial bill, like technology has changed and the bill just wasn't written in a way to be flexible to move with technology or do you think there's some other cause? No, I mean, I think a lot of it was the fact, again, I mean, it was literally written the year after the iPhone came out. So the way that the online ecosystem has evolved is just not reflective of the way that this bill, the way that you're required to comply with this bill. And, you know, I just, I don't think that the issues in and of themselves are wrong, like the idea of trying to, you know, provide consumers more control over their privacy. I mean, I think, you know, everybody in the room here is on board with that, but this bill in particular, it's not a, like, oh, well, we'll just tweak a few provisions that, you know, as you sort of said, like put a Vermont touch on it. It's just like, it's very important to have a conversation to understand, you know, Pam Dixon, who I think you guys have talked to, you know, is not certainly, you know, not on, you know, quote, our side and has the same reaction. And, you know, a lot of the work that they've done is around just how complex the issue of biometrics is. And this is just a very, you know, sort of hatchet, meat cleaver approach to a very technical and complex issue. Let me ask, let me ask something. Let me try to, like, go from, from try a little bit more of a constructive approach here. Broad swaths here, assuming that there was a definition of biometrics that was agreeable to people, okay. And we have actually had the argument over biometrics in the last two laws and we've used the same definition each time. So let's say, for example, that maybe that was a good one to start with, the definition that's already in our law. And then looking at, say, the Illinois, I see that there's a ton of carve outs from definite. This is not, you know, Oregon donations are not biometrics, okay. So let's say we took that and then all these carve outs, just let's say we had something everyone agreed to, okay. So one section of the law says basically if you have biometric identifiers that are electronic, you need to protect them. You need good data security, right. That seems like a reasonable position, right. Is there anyone who objects to the notion of requiring reasonable data security for companies that collect biometrics? Well, you've already got that in the data breach law, right. Well, not exactly because in the- Yeah, if you have reasonable security controls in your data breach law, and we just added biometric last year. We have reasonable security controls for data brokers. There is no reasonable data security for anyone who collects that kind of data. So that's not in the law. If it's a data broker that's collecting biometrics, actually right now what it says, nine VSA 24, 47, 37 says that if a data broker, a data broker must have reasonable data security and explains exactly what that means. It's based on the Massachusetts regulation, which we assumed everyone was compliant with already, must have that level of data security for PII, which currently until the signature happened is social security number, et cetera, et cetera. Biometrics is now part of that. So yes, so now data brokers have to have reasonable data security for their biometric data. Great. And so does anyone object to the notion that anyone collecting biometric information should have reasonable data security? I mean, the idea here is, right, if you're collecting a thumbprint to authenticate someone, or that's great. But then if you lose the thumbprint, that person who owns the thumbprint, that person with those thumbs is now unable to be authenticated anywhere else because they're victim of ID theft, right? So is that something that people can generally get behind is my question. I guess, yes. Ryan, I don't think, I really don't think. Andy, sorry, Mark was talking. I know it's hard to hear from him because he's so far away from the phone. Actually, I would just say yes, but I think it's in the law. And in terms, I think maybe somebody, Andy, can riff on the how businesses use this. If I've got a database of all the information I collected out of business, and in that database, seven bits of PII without biometric required to be kept in a reasonably secure manner, even if, at this point, a pure negligence standard could apply, I think, in terms of, I have your name, it got out there along with 50 million other ones. Actually, in this day and age, I mean, for one statute aside, I'll find a negligence argument to make. But I think we've already got, as a practical matter, a statute that says you have to keep reasonable data security controls. Most businesses that are looking at that have 50 other state data privacy laws to look at. If they sell so much as anything overseas, they're already supposed to be GDPR compliant and everything else. So I don't object to any of it, I guess, to sort of say, let's make sure the right thing is included in there. I'm being a little facetious. I don't mean it's not important. I have to say, how is biometric information not PII already? Well, and again. And actually, I don't answer that was a rhetorical question. I understand the different ways it isn't, but as a practical matter, I also don't think that one state out of 50, I'm the guy that says I actually like how Europe did it for the past 25 years and the fact that Congress is inept is making us having this discussion in ways that maybe it wouldn't create a national solution. So I guess what I'm saying, what I just heard there was I didn't hear anyone object to the notion of reasonable data security for biometrics. There was raised that, okay, well, the devil's in the details, fine, got it, okay? But so that seems to be something that is generally agreeable, okay? One of the biggest, yes? I just want to be clear. I don't know about everybody else sitting around the table. I didn't come here with authority to agree to anything. So, fair enough. You didn't hear any objection from me, but I wanted my silence as a consentee. We are not gonna represent to anybody that everyone was on board with everything, okay? Fair enough. So, one of the fundamental elements of the BIPA law basically says that if you're going to collect biometric information, you need to get consent to do so. Now, understanding that, what does that mean? Get consent to do so. That's, I have been told that that is a vague area in the current law and that has caused a lot of confusion and a lot of lawsuits. So, again, if the definition of biometrics could be agreed to, and if that consent piece could be agreed to, if we could come to something that was, you know, a compromise or something that actually worked for industry, right, that was doable, does anyone at a high level object to the notion of getting consent prior to collecting individuals biometric information? What's the argument against it? Ryan, these are the conversations that need to be had publicly and with lots of different stakeholders. Which is why we're here today. None of us, no, Ryan, none of us here are authorized to agree to anything on behalf of our members. All of these concepts need to be vetted with our members. That's a fair request. And so I don't think anybody here is going to be, you know, saying, yep, great, here's seven concepts, go draft a bill by Friday. I don't think that's, these are the kinds of questions and issues that are discussed in a study group. I'll throw out a hypothetical out of the top of my brain, not be here or anything else. I actually agree with what was just said, so I'm not, you know, but what I'm thinking about is, I actually went after I looked at the articles and then after I heard about the testimony and whatnot, I jumped up, jumped on the sex date site, looked at Clearview AIs, data broker filing. Then I thought about all of this stuff is gonna protect consumers. I thought about who's a consumer and then jumped on the Clearview AI website. And they already scraped everybody by breach of contracts simply by surfing the web. That's why Google, Facebook, everybody else is going after them. I don't know if they're concerned only about facial recognition or the fact that they took the pictures from their platforms without their permission, but they certainly aren't going, my picture is in Clearview AI's database. I'm not a user of theirs, I can't be. They say it's only law enforcement. I don't know who that is or what that is. I'm definitely afraid of that. Now, so I agree with Michael Lee's stuff as he and I talked about the week before he went down and we were like, where are you, where are we? Well, we're together, great. As it turned out for scheduling reasons, we were gonna testify on the second day of age 95 when this came up, that's why the NETTA wasn't there. But all of this happens and if there's one actor that says, before anybody even knows I exist, I'm gonna do X, call somebody else, my user, the consumer, I'm obligated to the person who pays me money to use the service and whatnot and we've done a lot of legislating and stuff like that. I don't even know what's gonna attack the worst, most obvious, most talked about problem that caused us to all gather in the first place in this way. It's a tortured, twisted, illogical circle I just viewed for it, I hope it made sense, but I, and so, yes, I can agree in general, I believe in consent, implied, active, what counts and whatnot. Clearview's not targeting me, they're not asking me anything, they're not marketing me, they're not doing anything, but they have my data. How do I not give consent to those types of folks? So I'm for consent, but without a full understanding actually, the business processes that go involved in each of the ones where you're always different from our high level similarities, sort of like, you know, we need health education, we need awareness, all the protections in the world don't stop me from not being able to keep up with my inbox and so I am for protecting all of us philosophically, I'm for a good process, good study, good solutions, working together, except we're talking about something I don't even know about, can't talk to my members about and even if we came up with something that was agreeable, the example that brought us all here today may or may not be taken care of, even if I nodded to everything we proposed and so I'm acknowledging the problem, agreeing it is a problem and simply saying let's be deliberate, let's go with the pace, let's be proactive, let's be as deliberate as possible and I think that Vermont way is we figure it out and not everybody agrees, but if we can all say I have my opportunity to study it, to chime in and I simply lost a substance of debate, I'll go home, I'll fight again another day. I'm a process guide personally, so I know where I personally stand, substance aside, I'm here until three o'clock or until Ryan or Charity say we're gonna go and talk to TJ about this and our inclination what we're doing is we think we might, of course we can't confirm, but we might be recommending X. So that- I don't know. It's really helpful, for those of you who haven't weighed in I just wanna make sure that we don't end this meeting without hearing from everyone who might have a comment or you wanna echo what someone else said so I think that was the time or if someone wants to introduce a new concept that we haven't touched on. So I think, unless anyone has anything else they wanna add, I wanna say that Ryan and I are around so if something comes up or if you do speak to one of your clients and another point comes up or something you wanna communicate, we're here and just give us a ring or drop us an email. We will be there on Tuesday. We haven't obviously spoken to TJ since this meeting but we will and we'll have something formed on Tuesday but between now and then please reach out if you have something else to add or questions or anything. Ryan, do you have anything else? Yeah, only to reiterate that we are available. I've been giving out my cell phone number for anyone who wants to contact. Those productive conversations, hearing the use cases are very valuable to us. It has often been valuable to us to hear from actual business owners, right? You know, who can give us this more direct notion so that is also always useful. And I just, I do wanna reiterate something that was told to me when I was sworn in in this office. Plus 26176947043 is now exiting. It's something really nice to say. And that is, as I was told by the former attorney general that I swore an oath to protect and we all swore an oath to protect the public. And the public is not just consumers. The public includes the business community. The public often includes the business that we are bringing enforcement action against. We are not win at all costs in this office. We are not zealous advocates. We think we take all of the different positions into account and that is how we have always done things and that is how we are all going to, always going to do things. So that is our commitment and that is the oath that I swore. Well said, Brian. No way to close the meeting. I mean, there's nothing that I could add to that. How could he hang up ahead of that? Really, they miss some things, it's wonderful. I'll write down the phone number. I just like something to do. I didn't like a reelection piece of me. All right, Brian in 2020. All right guys, thank you so much for coming and being here and thanks to those of you on the phone. Thank you particularly for your patience while we started out the conference called dial in and I guess we'll either talk to you between now and Tuesday or maybe we'll see you on Tuesday. Plus one six one seven four zero six six zero. Thank you. Thanks Amy, bye guys. Bye. Thank you. That was Maggie. Thank you. Bye.