Vermont Enacts Significant Amendments to Data Broker Legislation

On June 16, 2026, Vermont Governor Phil Scott signed into law House Bill H. 211 (“the Act”), which significantly amends Vermont’s existing data broker registration law by expanding compliance obligations, creating new consumer rights, enhancing registration requirements, adding data breach notification requirements, and strengthening enforcement and penalties for non-compliance.

Effective Date

Substantive provisions take effect January 1, 2027.

Expanded Scope

Updates to the definitions of “data broker,” “brokered personal information” and “sale” significantly expand the law’s reach, potentially subjecting businesses that previously did not consider themselves data brokers to its requirements.

  • Data Broker: The Act mirrors the California Delete Act in specifying that a data broker is a business that does not have a “direct relationship” with a consumer and defining the term to mean that a consumer “has intentionally interacted with a business for the purpose of accessing, purchasing, using, requesting, or obtaining information about the business’s products or services.” Additionally, the Act specifies that even if a business has a direct relationship with consumers, the business is still a data broker with respect to the brokered personal information the business sells about the consumer that it “collected outside of a first-party interaction with the consumer.”
  • Brokered Personal Information: The Act significantly broadens the definition of “brokered personal information,” replacing a specific list of data elements with a much broader definition aligned with the definition of “personal information” under many state consumer privacy laws. “Brokered personal information” means “any information, including derived data and unique identifiers, that is linked or reasonably linkable, alone or in combination with other information, to an identified or identifiable individual or to a device that identifies, is linked to, or is reasonably linkable to one or more identified or identifiable individuals in a household.”
  • Sale: The Act introduces a new definition of “sale” that aligns with the approach taken in most comprehensive state consumer privacy laws, defining the term as the disclosure of brokered personal information to a third party in exchange for “monetary or other valuable consideration.” Consistent with those laws, the definition excludes certain disclosures, including transfers to processors and affiliates, as well as other specified exemptions.

Expanded Data Broker Registration and Disclosure Requirements

The Act significantly expands Vermont’s data broker registration regime. Data brokers must register with the state, pay an increased annual registration fee of $900, maintain a $20,000 surety bond, and provide detailed disclosures about their data collection, sharing and sales practices. Required disclosures include whether the broker collects sensitive categories of data (such as precise geolocation, biometric, reproductive health, immigration or government-issued identification information), shares data with government entities, foreign actors, law enforcement or generative AI developers, and maintains information about minors. Data brokers must also provide information about consumer opt-out and deletion rights, submit copies of their privacy policies and bonds, and report security breaches experienced during the prior year.

New Purchaser Credentialing Procedures

The Act requires data brokers to implement procedures ensuring that prospective users of brokered personal information identify themselves, disclose the purposes for which the information will be used and certify that the information will not be used for any other purposes. The Act also prohibits data brokers from disclosing brokered personal information to prospective users if the data broker has reasonable grounds for believing the information will be used for contrary purposes.

New Data Broker Security Breach Notification Requirements

The Act imposes new data breach notification obligations for the breach of brokered personal information. Following such a breach, data brokers generally must notify affected consumers within 45 days and provide prompt notice to the Vermont Attorney General. Consumer notices must include key details about the incident, the categories of information involved, and steps consumers can take to protect themselves. The Act also establishes detailed requirements governing the timing, content, and method of breach notifications.

New Consumer Deletion Right

The Act creates a new right for consumers to request deletion of their brokered personal information. The Act requires each data broker to provide a dedicated webpage through which consumers can request deletion of their brokered personal information. Unlike the California Delete Act and other recently proposed state initiatives, the Act does not establish a centralized deletion mechanism; consumers must submit requests directly to individual data brokers. However, the Act does require the Vermont Secretary of State to conduct a feasibility study into the creation of a centralized single data broker deletion mechanism.

Data brokers generally must process valid deletion requests within 30 days and provide an appeals process for denied requests. While the law includes exceptions for legal compliance, fraud prevention, security, and other specified purposes, retained data must be segregated and cannot be used for unrelated activities.

Enhanced Enforcement and Penalties

The Act significantly strengthens enforcement of Vermont’s data broker registration requirements. Data brokers that fail to register may face administrative fines of $200 per day, in addition to unpaid registration fees and the state’s enforcement costs. The law also imposes substantial penalties for incomplete or inaccurate registration filings, including fines of $1,000 per day for failing to correct omitted information and a $25,000 penalty for submitting materially incorrect information, plus additional daily penalties if corrections are not timely made.
