June 22, 2026

Vermont Enacts Comprehensive Consumer Privacy Law


On June 16, 2026, Vermont Governor Phil Scott signed S.71 into law, enacting the Vermont Data Privacy and Online Surveillance Act (the “VDPOSA” or the “Act”), making Vermont the 24th state to pass a comprehensive data privacy law. The VDPOSA, which takes effect on January 1, 2028, largely tracks the established framework for consumer privacy laws outside California; however, the Act includes a few notable nuances, including relatively low applicability thresholds, a broad definition of sensitive data, heightened protection for consumer health data, a right to obtain a list of third parties to whom personal data was sold, and a right to question certain uses of profiling. For more information about how the VDPOSA compares to other comprehensive state privacy laws, please see our state privacy law tracker.

Who is Covered?

The VDPOSA applies to persons that conduct business in Vermont or that target products or services to Vermont residents, and that meet one of the following thresholds: (1) controlled or processed the personal data of at least 35,000 Vermont residents (excluding personal data controlled or processed solely to complete a payment transaction); (2) controlled or processed sensitive data of at least 3,000 Vermont residents (excluding personal data controlled or processed solely to complete a payment transaction); or (3) offered for sale in trade or commerce the personal data of at least 3,000 Vermont residents.

With respect to the Act’s consumer health data provisions, the above applicability thresholds do not apply. The Act’s consumer health data provisions apply to any person that does business in Vermont or targets products or services to Vermont residents.

Entity-Level Exemptions

A number of entities are exempt from the VDPOSA, including the following:

  • Government entities at the federal, state, tribal, and local levels;
  • Covered entities and business associates as defined by the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) (except for “hybrid” entities, where only the health care components are excluded);
  • State- or federally chartered banks, credit unions, and affiliates or subsidiaries principally engaged in financial activities;
  • Agents, broker-dealers, investment advisers, and investment-adviser representatives that are regulated by the Securities and Exchange Commission or the Department of Financial Regulation;
  • Health care providers and health care facilities maintaining protected health information in accordance with HIPAA and Vermont law;
  • Persons regulated under Vermont’s insurance laws;
  • Third-party administrators subject to regulation by the Vermont Department of Financial Regulation;
  • Non-profit organizations established to detect and prevent insurance fraud; and
  • Certain news and media organizations, including Federal Communications Commission-licensed radio or television stations and nonprofit organizations that provide programming to radio or television networks.

In addition to these entity-level exemptions, the Act provides certain data-level exemptions, including, inter alia, data subject to the Gramm-Leach-Bliley Act, protected health information under HIPAA, patient-identifying information, data regulated by the Fair Credit Reporting Act, data regulated by the Family Educational Rights and Privacy Act, data subject to the Driver’s Privacy Protection Act, data governed by the Farm Credit Act, data regulated by the Airline Deregulation Act, employee and job applicant data processed within the employment context, and emergency contact information.

Consumer Rights

The VDPOSA provides Vermont residents with the following suite of privacy rights, generally consistent with the rights offered under other comprehensive state privacy laws, with the addition of two notable rights that are less common: (1) the right to contest certain profiling uses, and (2) the right to obtain a list of third parties.

  • Right to Access: Consumers may confirm whether a controller is processing their personal data and access that data.
  • Right to Correction: Consumers may request correction of inaccuracies in their personal data.
  • Right to Deletion: Consumers may request deletion of their personal data.
  • Right to Data Portability: Consumers may request a copy of their personal data in a portable format.
  • Right to Opt Out of Targeted Advertising, Sale, and Profiling: Consumers may opt out of the processing of their personal data for targeted advertising, the sale of their personal data, or for profiling in furtherance of automated decisions producing legal or similarly significant effects.
  • Right to Question Profiling: If a consumer’s personal data was processed for the purposes of profiling in furtherance of any automated decision that produces any legal or similarly significant effects concerning the consumer, the consumer may question the result of such profiling and has a right to be informed of the reasoning behind such decision and to review the personal data processed for the purposes of profiling. If the profiling decision concerned housing, the consumer must be allowed to correct any incorrect personal data processed for the purposes of such profiling and have the profiling decision reevaluated based on the correct data.
  • Right to Obtain a List of Third Parties: Consumers may obtain a list of third parties to which their personal data was sold. If the controller does not maintain such a list with respect to the consumer, the controller must provide a list of all third parties to which the controller has sold personal data.
  • Right to Appeal: Consumers may appeal a controller’s refusal to act on a privacy request. The controller must respond within 60 days and, if the appeal is denied, provide the consumer with an online mechanism, if available, or another method through which the consumer may contact the Vermont Attorney General.

Internal Business Obligations

The VDPOSA imposes several business obligations on controllers:

  • Privacy Notice Requirements: Controllers must provide consumers with a reasonably accessible, clear, and meaningful privacy notice. Notably, the Act requires privacy notices to disclose whether the controller collects, uses, or sells personal data for the purpose of training large language models.
  • Data Minimization and Purpose Limitation: Controllers must limit the collection of personal data to what is reasonably necessary and proportionate in relation to the purposes for which the data is processed, as disclosed to the consumer, and not process a consumer’s personal data for any material new purpose without consent.
  • Data Security: Controllers must also establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data.
  • Sensitive Personal Data: The VDPOSA prohibits controllers from processing sensitive data unless they first obtain the consumer’s consent and the processing is reasonably necessary in relation to the purposes for which the sensitive data are collected. The sale of sensitive personal data also requires consent. “Sensitive data” includes data revealing racial or ethnic origin, religious beliefs, sex life, sexual orientation, status as nonbinary or transgender, or citizenship or immigration status, health condition and data, genetic or biometric data, precise geolocation data, neural data, financial information, and government-issued identification numbers. Personal data collected from a known child under the age of 13 is also treated as sensitive data and must be processed in accordance with the federal Children’s Online Privacy Protection Act (“COPPA”).
  • Data Protection Assessments: Controllers must conduct data protection assessments for processing activities involving targeted advertising, the sale of personal data, profiling presenting foreseeable risks of harm, and the processing of sensitive data. Data protection assessments are also required for profiling decisions producing legal or similarly significant effects. The data protection assessment requirements apply to processing activities created or generated after January 1, 2028.
  • Consumer Health Protections: The Act includes heightened protections for consumer health data, including confidentiality requirements for employee access to consumer health data. The Act also prohibits selling consumer health data without consumer consent and prohibits geofencing health care facilities for certain purposes (within 1,850 feet). Consumer health data is defined broadly as “any personal data that a controller uses to identify a consumer’s physical or mental health condition, diagnosis, or status,” and it includes reproductive or sexual health data and gender-affirming health data.

Enforcement and Penalties

The Vermont Attorney General has exclusive authority to enforce the VDPOSA, and the VDPOSA does not provide a private right of action.

Before commencing an enforcement action, the Vermont Attorney General must issue a notice of the alleged violation and provide the controller with a mandatory 60-day right-to-cure period. After June 30, 2029, the cure period is no longer mandatory and is at the Attorney General’s discretion.

Key Takeaways

  • Assess applicability carefully. The Act provides three distinct applicability thresholds. The 3,000-consumer threshold for sensitive data processing or data sales is notably low, meaning businesses with even modest operations involving these categories may fall within its scope.
  • Note the broad definition of “sensitive data.” Vermont’s definition of sensitive data is one of the most expansive among state privacy laws, extending to categories such as neural data, financial account credentials, government-issued identification numbers, and transgender or nonbinary status.
  • Prepare for data protection assessments. Unlike some other comprehensive state privacy laws, Vermont requires data protection assessments for high-risk processing activities and impact assessments for profiling decisions producing legal or similarly significant effects.
  • Review and update your privacy notice. Ensure that Vermont is included within your privacy notice scope and that the VDPOSA-specific requirements are addressed, including the right to question profiling and right to obtain a list of third parties to whom personal data was sold.
  • Implement universal opt-out signal recognition. VDPOSA requires companies to honor opt-out preference signals. Ensure that technical systems are in place to detect and respond to such signals.
  • Note the transitional cure period. From January 1, 2028, to June 30, 2029, the Vermont Attorney General must provide a 60-day cure period before bringing an enforcement action. After June 30, 2029, the cure opportunity becomes discretionary.
  • Obtain consent for sensitive data processing. Ensure that affirmative consent is obtained before processing any sensitive data, including data from known children under 13 (in accordance with COPPA).
