Vermont Becomes 24th State to Enact Comprehensive Consumer Privacy Law
The Vermont Data Privacy and Online Surveillance Act (the "VDPOSA") will become effective on January 1, 2028. With its enactment, Vermont becomes the 24th state to adopt a comprehensive data privacy law. While the VDPOSA follows the framework of many existing state privacy laws, it includes several distinctive features, including broad consumer health data provisions, an AI training disclaimer requirement, and an expanded definition of sensitive personal information. Businesses should carefully evaluate their data practices to ensure compliance before the effective date.
On June 16, 2026, Vermont Governor Phil Scott signed S. 71 into law, making Vermont the 24th state to enact a comprehensive consumer privacy statute. The bill, enacted as the Vermont Data Privacy and Online Surveillance Act (“VDPOSA”), goes into effect on January 1, 2028. Governor Scott previously vetoed a stricter version of the law in June 2024.
Applicability and Scope
The VDPOSA applies to any person that conducts business in Vermont or produces products or services targeted at Vermont residents that, during the preceding calendar year, meets one or more of the following thresholds:
- Controls or processes the personal data at least 35,000 Vermont residents, excluding personal data controlled or processed solely for the purpose of completing a payment transaction;
- Controls or processes the sensitive data of at least 3,000 Vermont residents, excluding personal data controlled or processed solely for purposes of completing a payment transaction; or
- Offers for sale in trade or commerce the personal data of at least 3,000 Vermont residents.
Vermont becomes the second state, in addition to Connecticut, to incorporate a standalone sensitive data applicability trigger, independent of any other revenue or processing thresholds.
The VDPOSA also includes a separate, broader applicability provision for consumer health data. The consumer health data provisions apply to any person that conducts business in Vermont or produces products or services targeted at Vermont residents, without the numerical thresholds described above.
Like most other state privacy laws, the definition of "consumer" does not include an individual acting in a commercial or employment context.
The VDPOSA provides entity-level exemptions for: (1) federal, state, tribal, or local government entities and instrumentalities of the State operating in the ordinary course; and (2) HIPAA-covered entities that are not hybrid entities, health care components of hybrid entities, and business associates. Notably, unlike certain other state privacy laws, the VDPOSA does not include a blanket exemption for nonprofit organizations.
Data-level exemptions include: (1) protected health information under HIPAA; (2) patient-identifying information under 42 U.S.C. § 290DD-2; (3) information used for public health, community health, or population health activities as authorized by HIPAA; (4) data regulated under the Fair Credit Reporting Act; (5) data subject to the Driver's Privacy Protection Act; (6) data subject to the Family Educational Rights and Privacy Act; (7) data subject to the Airline Deregulation Act; and (8) various other categories of federally regulated data, including information processed solely in connection with emergency contact purposes.
Sale of Personal Data
Controllers that sell personal data to third parties must clearly and conspicuously disclose such processing, as well as the manner in which consumers may exercise their right to opt out. This disclosure obligation also applies to controllers that process personal data for targeted advertising.
Definition of Sale
The VDPOSA defines "sale of personal data" as the exchange of personal data for monetary or other valuable consideration by the controller to a third party. This definition excludes the following arrangements: (1) disclosures to a processor acting on behalf of the controller; (2) disclosures to third parties for the purpose of providing a product or service requested by the consumer; (3) transfers to an affiliate of the controller; (4) disclosures directed by the consumer; (5) information the consumer has intentionally made available to the general public; and (6) data transfers that occur as part of a corporate transaction.
Controller Requirements
The VDPOSA imposes a number of obligations on controllers that are consistent with those found in other state comprehensive privacy laws, with a few notable additions:
Privacy Policy Disclosures
Companies must provide consumers with a reasonably accessible, clear, and meaningful privacy notice that details the categories of personal information processed, the purpose for such processing, a description of the statutory rights available to consumers, how consumers may exercise such rights, and statements regarding the sale or disclosure of personal information for targeted advertising purposes, if applicable.
Notably, the VDPOSA requires businesses to disclose whether the company collects, uses, or sells personal information for the purpose of training large language models (“LLMs”) or artificial intelligence (“AI”).
Data Minimization and Security
Controllers must limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which such personal data is processed, as disclosed to the consumer. Additionally, the VDPOSA contains a purpose limitation requirement prohibiting companies from processing more information than is necessary or compatible to facilitate the purpose for which it was provide, absent consumer consent.
Controllers must also maintain reasonable security practices to protect the confidentiality, integrity, and accessibility of personal data appropriate to the volume and nature of the personal data at issue.
Sensitive Data
Under the VDPOSA, “sensitive data” includes the following categories of personal information: (1) racial or ethnic origin, religious beliefs, sex life, sexual orientation, status as nonbinary or transgender, or citizenship or immigration status; (2) a mental or physical health condition, diagnosis, disability, or treatment; (3) consumer health data; (4) genetic or biometric data, or information derived therefrom; (5) personal data collected from a known child; (6) precise geolocation data; (7) neural data; (8) a consumer's financial account number, financial account login information, or credit or debit card number in combination with any required access or security code or password; and (9) government-issued identification numbers, including Social Security numbers, passport numbers, and driver's license numbers.
Vermont becomes the fourth state to incorporate “neural data” within its definition of sensitive personal information. Under the VDPOSA, neural data is defined as any information that is generated measuring the activity of an individual’s central nervous system.
Companies may not process sensitive data without first obtaining the consumer's consent and unless the processing is reasonably necessary in relation to the purposes for which the sensitive data are collected.
Data Protection Assessments
The VDPOSA requires controllers to conduct and document data protection assessments for processing activities that present a heightened risk of harm, including: (1) processing personal data for the purposes of targeted advertising; (2) the sale of personal data; (3) processing personal data for the purposes of profiling where there is a reasonably foreseeable risk of unfair or deceptive treatment, financial or physical or reputational injury, intrusion upon seclusion, or other substantial injury; and (4) the processing of sensitive data.
The VDPOSA also requires a separate impact assessment for controllers that engage in profiling for decisions producing legal or similarly significant effects, with prescribed components including purpose disclosure, risk analysis, categories of data used, performance metrics, transparency measures, and post-deployment monitoring.
These assessments must be made available to the Attorney General upon request and are confidential and exempt from public disclosure. Data protection assessment requirements apply prospectively to processing activities created or generated after January 1, 2028, and are not retroactive.
Consumer Health Data
Companies may not: (1) provide any employee or contractor with access to consumer health data unless that individual is subject to a contractual or statutory duty of confidentiality; (2) use a geofence to establish a virtual boundary within 1,850 feet of any health care facility, including any mental health facility or reproductive or sexual health facility, for the purpose of identifying, tracking, collecting data from, or sending notifications to a consumer regarding the consumer's health data; (3) sell or offer to sell consumer health data without first obtaining the consumer's consent; or (4) provide any processor with access to consumer health data unless the person and processor comply with the processor requirements of the VDPOSA.
Opt-Out Preference Signals
The VDPOSA also requires controllers to honor opt-out preference signals sent by consumers through a platform, technology, or other mechanism indicating the consumer's intent to opt out of the processing of personal data for targeted advertising or the sale of personal data.
If a consumer's opt-out preference signal conflicts with the consumer's existing controller-specific privacy settings, the controller must comply with the opt-out preference signal but may notify the consumer of the conflict and provide the consumer the opportunity to confirm their controller-specific setting or participation in the program.
Consumer Rights
Vermont consumers have the following rights under the VDPOSA:
- Right to confirm whether or not a controller is processing the consumer's personal data and to access and obtain a copy of such personal data;
- Right to correct inaccuracies in personal data;
- Right to delete personal data;
- Right to opt out of the processing of personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of a decision that produces a legal or similarly significant effect concerning the consumer.
- To the extent the consumer’s personal data is subject to processing for profiling that produces a legal or similarly significant effect, the right to question the result of such profiling, to be informed of the reason for such outcome, and to review the consumer’s personal data that were processed for such profiling purposes.
- Right to obtain from the controller a list of the third parties to which the controller has sold the consumer's personal data.
Controllers must respond to consumer requests within 45 days, with the possibility of a 45-day extension where reasonably necessary. The VDPOSA requires controllers to establish an appeal process for consumers whose requests are denied, with controllers required to respond to appeals within 60 days. The VDPOSA also permits consumers to designate an authorized agent to exercise opt-out rights on their behalf.
Enforcement
The Vermont Attorney General (“AG”) has exclusive authority to enforce the VDPOSA. A violation of the VDPOSA constitutes a violation of the general state consumer protection statute.
From January 1, 2028, through June 30, 2029, the Attorney General must issue a notice of violation before initiating action if the Attorney General determines that a cure is possible. If the person fails to cure the violation within 60 days after receipt of the notice, the Attorney General may bring an enforcement action. After June 30, 2029, the AG may bring enforcement actions without providing an opportunity to cure.
The Attorney General must submit an annual report to the General Assembly disclosing the number of notices of violation issued, the nature of violations, the number of enforcement actions taken, and related information. In addition, the AG is required to provide, and update as necessary, guidance to controllers and processors for compliance with the VDPOSA.
Koley Jessen is committed to staying informed about developments in state privacy law and will provide guidance as new information emerges. If you have questions about your business’s compliance obligations or the steps required to meet state privacy requirements, please contact a member of Koley Jessen’s Data Privacy and Security Practice Area for assistance.
Special thanks to Summer Associate Yana Baravik for her contributions to this article.
This content is made available for educational purposes only and to give you general information and a general understanding of the law, not to provide specific legal advice. By using this content, you understand there is no attorney-client relationship between you and the publisher. The content should not be used as a substitute for competent legal advice from a licensed professional attorney in your state.