On June 16, 2026, Vermont Governor Phil Scott (R) signed the Vermont Data Privacy and Online Surveillance Act into law, making Vermont the 23rd state to enact a comprehensive consumer data privacy law and the fourth state law to be enacted this year. Vermont’s law will go into effect on January 1, 2028.

We summarize key provisions of the Vermont Data Privacy and Online Surveillance Act below.

Applicability

As originally introduced, the Vermont law proposed a tiered applicability structure in which the relevant processing and sale thresholds would have decreased progressively on a year-over-year basis, with the effect of bringing progressively smaller businesses within the law’s scope over time. The signed law departs from this approach, replacing the tiered structure with a single, uniform threshold.

Under the enacted law, applicability extends to any controller that conducts business in Vermont or produces products or services targeted to Vermont residents and that, during the preceding calendar year: (1) controlled or processed the personal data of not fewer than 35,000 consumers; (2) controlled or processed the sensitive data of not fewer than 3,000 consumers; or (3) offered for sale in trade or commerce the personal data of not fewer than 3,000 consumers.

Exemptions

Vermont’s law contains a broad set of entity-level and data-level exemptions that will be familiar to businesses already navigating the state privacy law landscape. A few exemptions, however, are worth flagging for their departure from the approach taken in other state privacy laws.

Notably, Vermont’s law does not contain a blanket nonprofit exemption. Unlike a number of other state privacy laws that carve out all nonprofit organizations from their scope, Vermont’s nonprofit exemptions extend to only a few narrow categories of nonprofits: (1) those established to detect and prevent fraudulent acts in connection with insurance; (2) those established to provide enrollment data reporting services on behalf of postsecondary schools, and only for processing performed for compliance, enrollment or degree verification, or research services purposes; and (3) noncommercial activity of certain enumerated media entities.

Additionally, Vermont’s law includes a data-level exemption for financial institutions under the Gramm-Leach-Bliley Act (GLBA), but it notably stops short of adopting a full entity-level GLBA exemption for all financial institutions. At the entity level, the law’s financial institution exemption extends only to state- or federally chartered banks and credit unions, and to affiliates or subsidiaries of such banks and credit unions that are principally engaged in financial activities as described in 12 U.S.C. § 1843(k), which is a narrower carve-out than the entity-level GLBA exemptions found in many other state privacy laws.

Notable Definitions

Vermont’s definition of “biometric data” diverges from most other state privacy laws in that it does not require that the biometric data be processed for the purpose of uniquely identifying an individual. Vermont’s definition is broader, capturing data generated from the technological processing of an individual’s unique biological, physical, or physiological characteristics that are merely collected on a specific consumer, meaning that biometric data processed for purposes other than identification merits protections established for sensitive data under Vermont’s law. For example, a company that collects voice prints or vocal biomarkers to train artificial intelligence models for quality assurance or compliance monitoring, or that processes gait data to analyze health conditions or mobility patterns, would be handling biometric data under Vermont’s definition even where identification of the consumer is not the intent.

Vermont’s definition of “publicly available information” is significantly narrower than the treatment of the term in many other state privacy laws by enumerating a number of exclusions from this definition. Of particular note for data brokers and information aggregators, Vermont excludes from the definition any information that has been collated and combined to create a consumer profile, as well as any inferences derived from such a profile. Therefore, even data drawn entirely from public sources loses its publicly available status once aggregated into a consumer profile. Vermont also excludes genetic data, biometric data collected without the consumer’s knowledge, information shared with a restricted audience, and nonconsensual intimate images from the definition.

Privacy Policy

In addition to the most common privacy policy requirements in other states, controllers in Vermont will now need to provide a statement in their privacy policy disclosing whether the controller collects, uses, or sells personal data for the purpose of training large language models. This is the same disclosure required under the Connecticut Data Privacy Act amendments effective July 1, 2026. Like Connecticut’s law, Vermont’s law notably lacks any clarification of what qualifies as training large language models.

Consumer Rights

Vermont consumers are entitled to the core rights generally found in state consumer privacy laws, including the rights of access, correction, deletion, and portability, and the right to opt out of targeted advertising, sales, and profiling for automated decisions with legal or similarly significant effects. The right to access is expanded, though, to include access to inferences derived from the consumer’s personal data and the ability to confirm whether a controller or processor is processing the consumer’s data for profiling purposes in furtherance of a decision that produces a legal or similarly significant effect.

In addition to these standard rights, the law provides Vermont consumers with enhanced profiling rights similar to those adopted by Minnesota and those taking effect under Connecticut’s amendments on July 1, 2026. Where a controller processes personal data for the purposes of profiling in furtherance of an automated decision that produces a legal or similarly significant effect, a consumer may: (1) question the result of the profiling; (2) be informed of the reason the profiling resulted in that decision; and (3) review the personal data processed for the purpose of the profiling. Where the profiling decision concerns housing specifically, consumers have the additional right to correct any inaccurate personal data processed for purposes of the profiling and to have the profiling decision reevaluated based on the corrected data.

Reflecting an increasingly common requirement among the states, Vermont consumers have the right to request a list of third parties to which the controller has sold the consumer’s personal data, or, if the controller does not maintain a list of the third parties to which it has sold the consumer’s personal data, a list of all third parties to which the controller has sold personal data.

Minors

The law links its minor protections to the Vermont Age-Appropriate Design Code Act, requiring controllers that qualify as “covered businesses” under that statute to comply with its requirements when the consumer is a “covered minor.” Separately, the law prohibits controllers from selling a consumer’s personal data or processing it for targeted advertising purposes when the controller has actual knowledge, and willfully disregards, that the consumer is at least 13 but younger than 18 years of age.

Data Protection and Impact Assessments

For any applicable processing activity created after January 1, 2028, controllers must conduct a data protection assessment for each processing activity that presents a heightened risk of harm to consumers, including targeted advertising, the sale of personal data, certain profiling activities, and the processing of sensitive data. Where a controller uses profiling to make a decision with a legal or significant impact on a consumer, it must carry out a separate impact assessment of that profiling. Although both types of assessments serve to identify and mitigate potential consumer harm, they are subject to different triggers and carry distinct substantive content requirements.

Consumer Health Data Privacy

Unlike the law’s general applicability framework, the consumer health data provisions apply to any person that conducts business in Vermont or targets Vermont residents and contain no minimum processing threshold, a broader scope that captures small businesses, startups, and other entities that would not otherwise fall within the law’s reach. Additionally, the law defines “consumer health data” expansively as any personal data that a controller uses to identify a consumer’s physical or mental health condition, diagnosis, or status, meaning that data not ordinarily thought of as health data could qualify if a controller uses it to identify or infer a consumer’s health condition or status.

The Vermont law prohibits a person that conducts business in Vermont or produces products or services that are targeted to residents of Vermont from (1) granting any employee or contractor access to consumer health data without a contractual or statutory duty of confidentiality, (2) granting any processor access to consumer health data without complying with the controller-processor contract requirements under the law, (3) using geofencing technology to establish a virtual boundary within 1,850 feet of any health care facility for the purpose of identifying, tracking, collecting data from, or sending notifications to a consumer regarding their consumer health data, and (4) selling or offering to sell consumer health data without first obtaining the consumer’s consent.

Enforcement

The law is exclusively enforced by the Vermont attorney general. However, businesses will have some flexibility in building out compliance programs: for the first 18 months the law is in effect, the Vermont attorney general must first issue a notice of violation and allow a 60-day cure period before it can initiate any enforcement action. The law’s right to cure period will end on June 30, 2029.

When first introduced, the law would have given consumers a limited private right of action against data brokers and large data holders, with statutory damages of at least $5,000. The final enacted version of the law removes this private right of action. However, the Vermont General Assembly includes a separate legislative intent section explaining that the General Assembly may revisit implementing a private right of action if enforcement resources are not funded. The state attorney general must also report annually on its enforcement activities to the General Assembly.