Key Takeaways
- The Vermont Data Privacy and Online Surveillance Act (VDPOSA) takes effect on January 1, 2028, and includes standalone consumer health data provisions that apply to any person doing business in Vermont, regardless of whether they meet the VDPOSA’s general applicability thresholds. The VDPOSA prohibits geofencing within 1,850 feet of healthcare facilities, including mental health and reproductive health facilities, and requires consumer consent before selling consumer health data.
- The VDPOSA includes forward-looking artificial intelligence (AI) transparency requirements, mandating that those determining the uses of personal data (controllers) disclose in their privacy notices whether they collect, use, or sell personal data for training large language models. Vermont joins a small but growing number of states requiring this type of AI-related disclosure.
- Enforcement rests exclusively with the Vermont Attorney General, with no private right of action. A 60-day cure period applies from January 1, 2028, through June 30, 2029, after which the Attorney General may pursue violations without providing prior notice or an opportunity to cure.
Vermont has enacted comprehensive consumer data privacy legislation with the passage of S0071, establishing the Vermont Data Privacy and Online Surveillance Act (VDPOSA). The VDPOSA takes effect January 1, 2028. This legislation revives data privacy efforts in Vermont after Governor Phil Scott vetoed a prior version. While the VDPOSA follows the Connecticut-style framework, it includes several distinctive provisions impacting those doing business in Vermont.
The VDPOSA is notable for its standalone consumer health data provisions, relatively low applicability thresholds, an expansive definition of sensitive data that includes neural data and financial account information, forward-looking AI transparency requirements, and robust consumer rights, including the right to question automated profiling decisions.
Who Must Comply with the VDPOSA?
The VDPOSA’s consumer health provisions apply to any person that conducts business in Vermont or produces products or services targeted at Vermont residents, regardless of whether the person meets any of the following thresholds.
The non-consumer health provisions of the VDPOSA only apply to persons or entities that conduct business in Vermont or produce products or services targeted at Vermont residents and that, in a calendar year, meet any one of the following thresholds:
- Controls or processes the personal data of at least 35,000 Vermont residents.
- Controls or processes the sensitive data of at least 3,000 Vermont residents.
- Sells or offers for sale the personal data of at least 3,000 Vermont residents.
What Entities and Data Are Exempt from the VDPOSA?
Certain entities are exempt from the VDPOSA, including:
- Federal, state, tribal, and local government entities.
- Covered entities or business associates governed by the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
- Financial institutions and their affiliates subject to Title V of the Gramm-Leach-Bliley Act (GLBA).
- Insurance entities regulated under Vermont law.
- Agents, broker-dealers, investment advisers, and investment adviser representatives regulated by the Department of Financial Regulation or the Securities and Exchange Commission (SEC).
- Institutions of higher education.
- Third-party administrators in compliance with Department of Financial Regulation regulations.
- Victim services organizations collecting data on victims or witnesses of abuse, violence, or stalking.
- Nonprofit organizations established to detect and prevent insurance fraud or providing enrollment data services for postsecondary schools.
- Noncommercial activities of news media organizations.
- Air carriers regulated under the Federal Aviation Act and the Airline Deregulation Act.
Data-level exemptions include protected health information under HIPAA; data regulated by the Fair Credit Reporting Act; data subject to the Family Educational Rights and Privacy Act (FERPA), the GLBA, the Driver’s Privacy Protection Act, the Farm Credit Act, and the Controlled Substances Act; payment transaction data; emergency notification information; and employee, contractor, and business contact data processed in the employment context. Consistent with most state privacy laws, “consumer” excludes individuals acting in a commercial or employment context.
What Consumer Rights Does the VDPOSA Grant?
The VDPOSA grants consumers a robust set of rights with respect to their personal data held by controllers. Under the VDPOSA, consumers have the right to:
- Confirm whether a controller is processing the consumer’s personal data and access that data.
- Correct inaccuracies in the consumer’s personal data.
- Delete personal data provided by or obtained about the consumer.
- Obtain a copy of the consumer’s personal data in a portable and readily usable format.
- Opt out of processing of personal data for targeted advertising, the sale of personal data, or profiling for automated decisions producing legal or similarly significant effects.
- Question the results of automated profiling decisions; be informed of the reasoning behind the decision; review the personal data processed for the profiling; and, in the case of housing decisions, correct inaccuracies and request reevaluation.
- Obtain a list of specific third parties to which the controller has sold the consumer’s personal data.
Consumers may designate authorized agents to opt out on their behalf, including through browser settings or global opt-out signals. Controllers must respond to consumer requests within 45 days (with one 45-day extension permitted) and establish an appeal process with a 60-day response deadline. Denied appeals must include instructions for filing a complaint with the Vermont Attorney General.
What Are Controller Obligations and Privacy Notice Requirements Under the VDPOSA?
The VDPOSA imposes numerous obligations on controllers that are consistent with the frameworks of most other states with comprehensive privacy laws. For example, controllers must comply with standard data minimization principles and limit the collection of personal data to what is reasonably necessary for disclosed purposes. Notable additional controller obligations include:
- Establishing reasonable administrative, technical, and physical data security practices.
- Not selling, or using for targeted advertising, the personal data of consumers known to be between 13 and 17 years old (notably, personal data of consumers under the age of 13 is considered “sensitive data” and must be processed in accordance with the Children’s Online Privacy Protection Rule (COPPA)).
- Providing an easy-to-use mechanism for revoking consent and ceasing processing within 15 days of revocation.
- Not processing personal data in violation of anti-discrimination laws. Notably, any evidence (or lack thereof) concerning proactive antibias testing or similar efforts to avoid discriminatory data processing is relevant to any claim or defense under such laws, incentivizing controllers to conduct and document bias audits.
Controllers must provide a reasonably accessible, clear, and meaningful privacy notice on their website homepage that includes:
- The categories of personal data processed.
- The purposes of processing and a description of the processing.
- The means for consumers to submit requests to exercise their rights and appeal decisions.
- The categories of personal data sold to third parties and the categories of those third parties.
- A clear and conspicuous disclosure of any practices related to targeted advertising or sales to a third party for targeted advertising.
- An active email address or other online mechanism for contacting the controller.
- Whether the controller collects, uses, or sells personal data for training large language models.
- The most recent month and year the privacy notice was updated.
Controllers must also comply with opt-out preference signals sent by consumers—such as the Global Privacy Control (GPC)—that indicate their intent to opt out of targeted advertising or sales of personal data. The VDPOSA requires controllers to provide a clear and conspicuous link on their website enabling consumers to opt out, and to support any opt-out preference signal mechanism that is consumer-friendly, requires an affirmative choice, and does not unfairly disadvantage other controllers.
What Does the VDPOSA Require of Data Processors and Contracts with Them?
Processors must follow controller instructions and assist with consumer rights requests, data security, breach notification, and data protection assessments (discussed below). Controller-processor contracts must specify the nature and purpose of processing, data types, duration, and party obligations. A processor that determines its own purposes and means of processing becomes a controller subject to the VDPOSA’s controller obligations and enforcement.
How Does the VDPOSA Treat Sensitive Data and Consent Requirements?
The VDPOSA’s definition of “sensitive data” is expansive, drawing from multiple state frameworks. It includes racial or ethnic origin, religious beliefs, sex life and sexual orientation, nonbinary or transgender status, citizenship or immigration status, mental or physical health conditions, consumer health data, genetic and biometric data, data from known children under the age of 13, precise geolocation (within 1,750 feet), neural data (see the recent Bass, Berry & Sims article detailing developments in state neural data protections), financial account credentials, and government-issued identification numbers.
Processing or selling sensitive data requires consumer consent. Controllers with actual knowledge that a consumer is a child under the age of 13 must comply with COPPA.
What Are the VDPOSA’s Consumer Health Data Provisions?
The VDPOSA imposes standalone consumer health data requirements that apply regardless of whether a controller meets the VDPOSA’s general applicability thresholds. Under these provisions, a person may not provide any employee or contractor with access to consumer health data unless the employee or contractor is subject to a contractual or statutory duty of confidentiality. Processors receiving consumer health data must comply with the VDPOSA’s processor requirements. The VDPOSA also prohibits the use of a geofence within 1,850 feet of any healthcare facility, including mental health and reproductive or sexual health facilities, for the purpose of identifying, tracking, collecting data from, or sending notifications to a consumer regarding their consumer health data. Controllers may not sell, or offer to sell, consumer health data without first obtaining the consumer’s consent.
What Data Protection Assessments Are Required Under the VDPOSA?
The VDPOSA requires controllers to conduct data protection assessments (DPAs) for high-risk processing activities, including targeted advertising, the sale of personal data, profiling activities, and the processing of sensitive data. DPAs must balance processing benefits against consumer risks.
Additionally, Vermont requires a separate impact assessment (Profiling Assessment) for profiling used in decisions producing legal or similarly significant effects. These Profiling Assessments must address:
- The purpose of the processing, intended use cases, and deployment context.
- An analysis of heightened risks to consumers and mitigation steps.
- A description of data inputs and outputs.
- Performance metrics and known limitations.
- Transparency measures, including real-time disclosure to consumers during profiling.
- Post-deployment monitoring and user safeguards.
Assessments are confidential but must be produced if requested by the Vermont Attorney General.
The VDPOSA is not intended to prevent controllers from processing personal data for profiling purposes specifically to detect or correct bias in automated decision-making systems, provided the data are processed only to the extent necessary, subject to appropriate safeguards, kept secure with strict access controls, and not shared with third parties.
How Is the VDPOSA Enforced?
The VDPOSA does not include a private right of action, and the Vermont Attorney General has exclusive enforcement authority, with civil penalties up to $10,000 per violation.
From January 1, 2028, through June 30, 2029, the Attorney General must provide a written notice of violation and a 60-day cure period before initiating enforcement. After that, Vermont’s cure period completely sunsets.
Key Compliance Dates
January 1, 2028: The VDPOSA takes effect, and the cure period begins. DPA and Profiling Assessment requirements apply to processing activities created or generated after this date.
June 30, 2029: The cure period sunsets. After this date, the Vermont Attorney General is no longer required to issue a notice of violation and provide a 60-day cure opportunity before initiating an enforcement action.
Our team will continue to monitor the Vermont Data Privacy and Online Surveillance Act. If you have any questions about the VDPOSA or other states’ privacy laws and how they could affect your business, please contact the authors.
