Vermont Becomes 23rd State with Comprehensive Consumer Privacy Law

On June 16, 2026, Vermont Governor Phil Scott signed into law Senate Bill S.71, the Vermont Data Privacy and Online Surveillance Act (“VDPOSA” or the “Act”), making Vermont the 23rd state with a comprehensive consumer privacy law.

The VDPOSA follows the now-familiar controller/processor and consumer rights framework seen in many state comprehensive consumer data privacy laws, with certain distinctions.

Effective Date

The Act takes effect on January 1, 2028.

Scope

The Act’s applicability thresholds are unique in comparison to other state comprehensive consumer privacy laws.

The majority of the VDPOSA’s provisions apply to any person or entity that does business in Vermont or produces products or services targeted to Vermont residents and in the preceding calendar year met one or more of the following thresholds:

  • controlled or processed the personal data of at least 35,000 Vermont consumers (excluding personal data processed solely to complete a transaction);
  • controlled or processed the sensitive data of at least 3,000 Vermont consumers (excluding personal data processed solely to complete a transaction); or
  • offered for sale (for monetary or other valuable consideration) the personal data of at least 3,000 Vermont consumers.

The VDPOSA’s consumer health data provisions apply to any person or entity that conducts business in Vermont or that produces products or services targeted to Vermont residents, with no other required criteria.

Notably, the Act provides that in the event of a conflict between the VDPOSA and any other law, including the Vermont Age-Appropriate Design Code, the provisions of the law that provide the greatest privacy protections control.

Like other state comprehensive privacy laws, the VDPOSA exempts certain entities and data from its scope. Exempt entities include state agencies, GLB-regulated financial institutions, HIPAA-covered entities and business associates, nonprofits and institutions of higher education. Notably, the Act also exempts health care providers and facilities that maintain PHI according to HIPAA and Vermont law even if they are not HIPAA-covered entities. Data-level exemptions include HR-related data, PHI subject to HIPAA, GLBA-covered data, substance use disorder and patient safety records, and FCRA-covered data.

Key Obligations

The VDPOSA imposes several obligations on controllers, including:

  • Privacy Notice: Controllers must provide a reasonably accessible and clear privacy notice that discloses the categories of personal data processed; the purposes of processing; the categories of personal data sold to third parties; the categories of third parties to whom personal data is sold; whether the controller engages in targeted advertising (including the sale of personal data in connection with targeted advertising); whether the controller processes personal data for the purpose of training large language models (“LLMs”); and the methods for submitting consumer rights requests.
    • The requirement to disclose information about the processing of personal data to train LLMs is novel.
    • Notably, the VDPOSA also requires controllers to notify consumers of material changes to a privacy notice and provide a reasonable opportunity for consumers to withdraw consent to any further and materially different processing of previously collected personal data.
  • Data Minimization: Controllers must limit the collection of personal data to what is reasonably necessary and proportionate for the disclosed purposes, and not process a consumer’s personal data for any materially new purpose that is neither reasonably necessary to nor compatible with the disclosed purposes, unless the controller obtains consent.
  • Security Safeguards: Controllers must implement and maintain reasonable administrative, technical and physical safeguards appropriate to the volume and nature of the personal data.
  • Vendor Contracts: Contracts between controllers and processors must describe the nature and purpose(s) of processing; the types of personal data subject to processing; the duration of processing; the rights and obligations of both parties; and requirements for confidentiality, data return/deletion, audit cooperation and sub-processor obligations.
  • Data Protection Assessments and Impact Assessments: Controllers must conduct and document data protection assessments for higher-risk processing activities, including targeted advertising, the sale of personal data, profiling that presents a foreseeable risk of harm and the processing of sensitive data. Controllers must separately conduct impact assessments for profiling that produces a legal or similarly significant effect. Controllers must disclose data protection or impact assessments to the Vermont Attorney General upon request.
  • Sensitive Data: Controllers must obtain prior consent to process sensitive data, and only process such data if it is reasonably necessary in relation to the purposes for which the sensitive data was collected.
  • Children’s and Minors’ Data: Controllers are prohibited from selling or processing for targeted advertising the personal data of minor consumers age 13 to 17, and must comply with the Vermont Age-Appropriate Design Code with respect to such consumers’ personal data, if applicable. Additionally, controllers must process the personal data of child consumers under the age of 13 in accordance with COPPA and, if applicable, the Vermont Age-Appropriate Design Code.
  • Consumer Health Data: The Act requires entities to (1) restrict access to consumer health data to employees and contractors who are subject to confidentiality obligations; (2) ensure that any processor with access to consumer health data is contractually bound in accordance with the Act’s processor requirements; (3) refrain from using a geofence within 1,850 feet of a health care facility to identify, track, collect data from, or send notifications to consumers based on their consumer health data; and (4) obtain consumer consent before selling consumer health data.

Consumer Rights

The VDPOSA provides Vermont consumers the right to:

  • confirm whether the controller is processing their personal data;
  • access their personal data, in a portable copy if feasible (including any inferences drawn about the consumer and whether a controller or processor processes the consumer’s personal data for the purpose of profiling to make a decision that produces any legal or similarly significant effect);
  • correct inaccuracies in the consumer’s personal data;
  • delete the consumer’s personal data;
  • opt out of (1) targeted advertising, (2) the sale of personal data, and (3) profiling that produces a legal or similarly significant effect;
  • obtain certain information about the use of profiling that produces a legal or similarly significant effect (including the reason that such profiling resulted in a decision and the personal data used for the profiling), and correct personal data used in a profiling decision concerning housing and have the decision be reevaluated based on the corrected personal data;
  • obtain a list of third parties to whom the controller has sold their personal data; and
  • appeal the denial of a privacy request.

Enforcement

The Vermont Attorney General has exclusive enforcement authority. A violation of the Act constitutes a violation of the Vermont Consumer Protection Act. A 60-day cure period applies from January 1, 2028 through June 30, 2029, after which the cure period expires.
