























Vermont has become the 23rd U.S. state to enact a comprehensive consumer privacy law after Governor Scott signed S.71, the Vermont Data Privacy and Online Surveillance Act (VDPOSA), on June 16. This new law is amongst the broadest in the country, closely resembling the 2025 version of the Connecticut Data Privacy Act (CTDPA). For example, the VDPOSA includes low applicability thresholds, a broad definition of sensitive data, heightened protections for consumer health data, consumer rights to know third parties to whom your personal data is sold and to contest certain profiling decisions, and impact assessments for certain uses of profiling. The law will take effect on January 1, 2028 and be enforced exclusively by the attorney general.
In addition to enacting the VDPOSA, Vermont also passed bills updating the state’s data broker registry (H.211), establishing a direct-to-consumer genetic testing law (H.639), and recognizing a right to neural privacy (H.814). This blog post provides background on Vermont’s privacy legislative efforts in recent years, then covers the law’s scope and key definitions, consumer rights, business obligations, and enforcement provisions. The blog post concludes with a brief overview of other privacy legislation enacted in Vermont this year.
Privacy has been a long time coming in the Green Mountain State. Two years ago, Governor Scott became the first governor to veto a comprehensive consumer privacy bill. That bill, H.121, was an omnibus privacy bill with comprehensive protections and an age-appropriate design code. Had that bill been enacted, the comprehensive privacy provisions would have been amongst some of the broadest and most stringent in the country. In particular, the bill included Maryland-style substantive data minimization requirements, a ban on selling sensitive data, and a limited private right of action (PRA). The legislature tried, but failed, to overturn the veto.
The legislature continued working on privacy issues in the intervening years. Last year, they enacted the Vermont Age-Appropriate Design Code Act. This year, they finally reached consensus on a comprehensive consumer privacy law as well as an update to the state’s data broker registry, regulation of direct-to-consumer genetic testing companies, and a “right” to “mental and neural data privacy.” Although the law enacted this year diverges from the 2024 effort in notable ways, this law nevertheless incorporates many elements from the broadest and most privacy protective iterations of the Washington Privacy Act framework in the country.
Covered Entities: The law applies to persons who conduct business in Vermont or produce a product or service targeted to Vermont residents and, excluding payment transaction data, annually either (1) control or process the personal data of at least 35,000 consumers, (2) control or process the sensitive data of at least 3,000 consumers, or (3) offer for sale the personal data of at least 3,000 consumers. These thresholds are low compared to those in other states, and it is uncommon to include a threshold tied to processing sensitive data. Like Connecticut’s and Maryland’s laws, the VDPOSA has requirements for consumer health data and consumer health data controllers that are not subject to the same applicability thresholds, instead applying broadly to “a person that conducts business in [Vermont] or a person that produces products or services that are targeted to residents of [Vermont.” This law also addresses any potential conflicts with the Vermont Age-Appropriate Design Code Act (AADCA), providing that the most protective law should control in any situation where that law conflicts with the requirements of this law. (Section 1, § 2415b.)
Definitions: The law’s definitions are generally consistent with the Connecticut model, including aspects of Connecticut’s 2023, 2025, and 2026 amendments. Two definitions worth noting:
Entity and Data-Level Exemptions: The law includes many of the common entity-level exemptions, including for: certain government entities acting “in the ordinary course of its operation”; a covered entity or business associate under HIPAA (although a “hybrid entity” is not fully subject to the exemption); state or federally chartered banks or credit unions or affiliates or subsidiaries principally engaged in financial activities; certain health care providers and health care facilities under Vermont law; nonprofits established to detect and prevent insurance fraud; and more. Continuing a trend in recent years, the VDPOSA opts for more targeted entity-level exemptions for specific types of financial entities and nonprofits rather than broader exemptions for all GLBA-regulated entities and all nonprofits.
The law also includes many of the common data-level exemptions, including for: certain health records, patient identifying information, and research data; activities using information for the purpose of evaluating creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living if “done strictly in accordance with” the FCRA by a consumer reporting agency, furnisher, or person using a consumer report; information collected, processed, or disclosed in accordance with the DPPA or FERPA; data subject to GLBA; protected health information under HIPAA; personal data of a victim or witness of certain crimes (e.g., child abuse, human trafficking) maintained by a victim services organization; and more. (Section 1, § 2415c.)
Exceptions for Common Business Activities: The law includes many exceptions which are consistent with existing state comprehensive privacy laws, including: compliance with federal, state, or municipal laws or regulations; compliance with investigations, subpoenas, or summons; compliance with law enforcement agencies; preventing or detecting security incidents, fraud, or illegal activity; engaging in public or peer-reviewed scientific or statistical research in the public interest that meets required safeguards; internal use of data for product improvement or for internal operations reasonably aligned with the expectations of the consumer; and more. (Section 1, § 2415i.)
Consumers have the standard rights to confirm whether a controller is processing their personal data and access that data, correct inaccuracies in their personal data, delete their personal data, obtain a copy of their personal data in a portable format (if technically feasible), and to opt-out of the processing of their personal data for targeted advertising, the sale of personal data, or profiling in furtherance of a decision that produces a legal or similarly significant effect concerning the consumer. These rights contain a few unique or uncommon provisions:
This law allows consumers to designate an authorized agent to opt out of processing on the consumer’s behalf (including for profiling) and to use an opt-out preference signal to opt out of the sale of personal data or targeted advertising. (Section 1, § 2415d.)
Controllers and processors have enumerated responsibilities under the law, including transparency, data minimization, data security, oversight of processors, antidiscrimination, heightened protections for minors, and conducting both data protection assessments and impact assessments.
Transparency: Controllers must provide consumers with a “reasonably accessible, clear, and meaningful” privacy notice that includes required information under the law, such as categories of data processed, processing purposes, how to exercise rights and appeal decisions, the categories of personal data sold to third parties, and the categories of third parties to whom personal data is sold. (Section 1, § 2415e(c).)
Data Minimization: The law includes procedural data minimization requirements. A controller must:
Although these provisions are not “substantive data minimization” requirements in the same way that Maryland’s or California’s are, they are slightly unusual. In particular, the “necessary and proportionate” language is a departure from the usual “adequate, relevant, and reasonably necessary” language used in most state laws based on the WPA framework. Only Connecticut uses this same language, and those requirements were added in last year’s CTDPA amendments. Nevertheless, this is still a procedural requirement that ties data collection to the purposes disclosed to the consumer. Also similar to Connecticut, this law explicitly states that a controller cannot sell a consumer’s sensitive data without consent. (Section 1, § 2415e(a).)
Data Security: Controllers are required to “establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data.” (Section 1, § 2415e(a)(2).)
Processors: Controllers must engage in oversight of processors by entering into a contract that meets statutory criteria (e.g., providing instructions for processing data, describing the nature and purpose of the processing, imposing confidentiality). (Section 1, § 2415f.)
Antidiscrimination: Controllers are prohibited from processing personal data in violation of a federal or state law that prohibits unlawful discrimination against consumers. Similar to Connecticut’s 2025 amendment, this law further provides that, for state laws only, any evidence (or lack thereof) of proactive anti-bias testing or similar efforts to avoid processing data in violation of any anti-discrimination law will be relevant to any claim for a violation of such a state law. The law also includes a narrow exception for internal data use in profiling to correct bias. (Section 1, § 2415e(a)(5).)
Consumer Health Protections: Similar to Connecticut’s and Maryland’s law, this law includes heightened protections for consumer health data, such as confidentiality requirements for employee access to consumer health data, a prohibition on geofencing health care facilities for certain purposes (within 1,850 feet), and a prohibition on selling consumer health data without the consumer’s consent. Consumer health data is defined broadly as “any personal data that a controller uses to identify a consumer’s physical or mental health condition, diagnosis, or status,” and it includes reproductive or sexual health data and gender-affirming health data. These protections apply more broadly than the rest of the law to “persons,” notwithstanding the law’s other applicability thresholds. (Section 1, § 2415k.)
Assessments: Like most comprehensive privacy laws, this law requires controllers to conduct and document a data protection assessment for certain processing activities that present a heightened risk of harm to consumers, including: processing personal data for targeted advertising; selling personal data; processing personal data for profiling that presents a reasonably foreseeable risk of substantial injury to consumers, or processing sensitive data. Once again taking inspiration from Connecticut’s 2025 amendment, this law will additionally require a controller to conduct an impact assessment for any profiling conducted for making a decision that produces legal or similarly significant effect. These impact assessments must include information such as: the purpose, intended use, and deployment context of the profiling; analysis on whether the profiling presents a reasonably foreseeable risk of harm; descriptions of inputs and outputs; post-deployment monitoring and user safeguards; and more. The Vermont Attorney General (AG) may request a completed data protection or impact assessment as part of an investigation. (Section 1, § 2415g.)
Minor-Specific Provisions Address Potential Conflicts with the Vermont AADCA
The VDPOSA prohibits a controller from processing personal data for targeted advertising or selling the consumer’s personal data if the controller “has actual knowledge, and willfully disregards,” that a consumer is at least 13 years of age but younger than 18 years of age. Maryland’s law includes a similar prohibition, albeit with a different knowledge standard. The VDPOSA clarifies that a controller who is also a covered business under the Vermont AADCA must comply with the requirements in that law. Where the two laws conflict, the most protective law will control. (Section 1, §§ 2415b & 2415e(a)(7), (9).)
The VDPOSA will be enforced exclusively by the attorney general. The law includes a permissive cure period of 60 days, allowing the attorney general to issue a cure notice to an alleged violator if the attorney general “determines that a cure is possible.” This cure period will expire on June 30, 2029. Although this law does not include a private right of action (PRA), the legislature added a statement of intent declaring that the attorney general will bear the burden of enforcing the law and, if sufficient appropriations and resources are not provided, the legislature will consider adding a PRA. (Section 1, § 2415j; Section 2; Section 3.)
The VDPOSA may be the most notable privacy bill enacted in Vermont this year, but it is not the only one. Vermont also updated the state’s data broker registry (H.211), enacted a direct-to-consumer genetic testing law (H.639), and established a right to neural privacy (H.814).
Data Brokers: Vermont is one of several states to create a data broker registry, alongside California, Connecticut (enacted this year), Oregon, and Texas. Effective January 1, 2027, H.211 significantly amends Vermont’s law. Key changes include—
Although earlier versions of H.211 would have added a California Delete Act–style accessible deletion mechanism, the final bill merely directs the Vermont Secretary of State to study the feasibility of establishing an accessible deletion mechanism.
Genetic Testing: Vermont has become the third state this year—after South Dakota and Connecticut—to enact a law regulating direct-to-consumer genetic testing. The Vermont Genetic Information Privacy Act will go into effect on July 1, 2026. This law imposes notice and consent requirements for the collection and use of biological samples and genetic data, gives consumers rights of deletion and access, and prohibits certain disclosures or uses of genetic data. Violations of the law will constitute unfair and deceptive acts in commerce under 9 V.S.A. § 2453. This includes a private right of action, although consumers will have to provide written notice of an alleged violation to a direct-to-consumer genetic testing company or service provider prior to initiating a civil action and allow 30 days to cure the notice. The cure requirement will expire on June 30, 2028. The Attorney General has enforcement and rulemaking authority.
Mental and Neural Privacy: Although the primary focus of H.814 is extending the duration and scope of the state’s Artificial Intelligence Advisory Council, this law also formally recognizes an individual right to “mental and neural data privacy.” This includes rights to “change an individual’s decision regarding neurotechnology,” to “be afforded protection from unauthorized neurotechnological alterations in mental functions critical to personality,” and to “be afforded protection from unauthorized neurotechnological alterations in mental functions critical to personality.” The law does not define key terms such as “neurotechnology,” nor are there specific mechanisms or business obligations attached to these new rights. The newly enacted VDPOSA includes neural data as a category of sensitive data, however, providing Vermont residents with actionable protections like opt-in consent requirements and mandatory data protection assessments.
* * *
Looking to get up to speed on the existing state comprehensive consumer privacy laws? Check out FPF’s 2025 report, Anatomy of a State Comprehensive Privacy Law: Charting the Legislative Landscape.

Pictured: Vermont receiving its red star on the FPF “Privacy Patchwork” quilt.
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。