Vermont Enacts Data Privacy and Online Surveillance Act

Vermont Gov. Phil Scott on June 16 signed into law Senate Bill 71, the Vermont Data Privacy and Online Surveillance Act, making Vermont the 23rd state to enact a comprehensive consumer data privacy law. The Act will go into effect Jan. 1, 2028.

Vermont joins the following states to have enacted privacy laws: California, Virginia, Colorado, Utah, Connecticut, Iowa, Indiana, Tennessee, Montana, Texas, Oregon, Delaware, New Jersey, New Hampshire, Kentucky, Nebraska, Maryland, Minnesota, Rhode Island, Oklahoma, Alabama, and Louisiana.

APPLICABILITY

The Act applies to a person that conducts business in Vermont or a person that produces products or services that are targeted to residents of Vermont and that during the preceding calendar year:

  1. controlled or processed the personal data of not fewer than 35,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction;
  2. controlled or processed the sensitive data of not fewer than 3,000 consumers, excluding personal data controlled or processed solely for the purposes of completing a payment transaction; or
  3. offered for sale in trade or commerce the personal data of not fewer than 3,000 consumers.

EXEMPTIONS

Exemptions include, in part:

  1. data subject to Title V of the Gramm-Leach-Bliley Act, Pub. L. No. 106-102, and regulations adopted to implement that act;
  2. a state or federally chartered bank or credit union, or an affiliate or subsidiary that is principally engaged in financial activities, as described in 12 U.S.C. § 1843(k);
  3. any activity that involves collecting, maintaining, disclosing, selling, communicating, or using information for the purpose of evaluating a consumer’s creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living if done strictly in accordance with the provisions of the Fair Credit Reporting Act, 15 U.S.C. §§ 1681–1681x;
  4. in the ordinary course of its operation, a federal, state, tribal, or local government entity or an instrumentality of the State;
  5. an agent, broker-dealer, investment adviser, or investment adviser representative, as those terms are defined in section 5102 of this title, who is regulated by the Department of Financial Regulation or the Securities and Exchange Commission;
  6. health care providers and health care facilities, as those terms are defined in 18 V.S.A. § 9402, provided such providers and facilities maintain all protected health information in accordance with the requirements of 18 V.S.A. § 1881 and HIPAA regardless of whether such providers or facilities are covered entities under 45 C.F.R. § 160.103;
  7. protected health information under HIPAA; and
  8. data processed or maintained in the course of an individual applying to, employed by, or acting as an agent or independent contractor of a controller, processor, consumer health data controller, or third party, to the extent that the data is collected and used within the context of that role.

CONSUMER RIGHTS

Consumers have the right to:

  1. confirm whether a controller is processing the consumer’s personal data and access such personal data, including any inferences about the consumer derived from such personal data and whether a controller or processor is processing a consumer’s personal data for the purposes of profiling to make a decision that produces any legal or similarly significant effect concerning a consumer;
  2. correct inaccuracies in the consumer’s personal data, taking into account the nature of the personal data and the purposes of the processing of the consumer’s personal data;
  3. delete personal data provided by, or obtained about, the consumer;
  4. obtain a copy of the consumer’s personal data processed by the controller, in a portable and, to the extent technically feasible, readily usable format;
  5. opt out of the processing of the personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of a decision that produces a legal or similarly significant effect concerning the consumer.

SENSITIVE DATA

A controller may not process sensitive data unless the consumer has provided consent and the processing is reasonably necessary in relation to the purposes for which the sensitive data are collected; may not sell sensitive data unless the consumer has provided consent; must, if it has actual knowledge, or willfully disregards, that the consumer is a child, process the sensitive data in accordance with the Children’s Online Privacy Protection Act of 1998, 15 U.S.C. § 6501 et seq.; and may not process personal data in violation of state or federal laws that prohibit unlawful discrimination.

“Sensitive data” is personal data that includes:

  1. racial or ethnic origin, religious beliefs, sex life, sexual orientation, status as nonbinary or transgender, or citizenship or immigration status, or a mental or physical health condition, diagnosis, disability, or treatment;
  2. consumer health data;
  3. genetic or biometric data or information derived therefrom;
  4. personal data collected from an individual the controller has actual knowledge, or willfully disregards, is a child;
  5. precise geolocation data;
  6. neural data;
  7. a consumer’s financial account number, financial account login information, or credit card or debit card number that, in combination with any required access or security code, password, or credential, would allow access to a consumer’s financial account; or
  8. a government-issued identification number, including, but not limited to, Social Security number, passport number, State identification card number, or driver’s license number, that applicable law does not require to be publicly displayed.

CONTRACT REQUIREMENTS

A contract between a controller and a processor must govern the processor’s data processing and require that the processor:

  1. ensure that each person processing personal data is subject to a duty of confidentiality with respect to the data;
  2. at the controller’s direction, delete or return all personal data to the controller as requested at the end of the provision of services;
  3. upon the reasonable request of the controller, make available to the controller all information in its possession necessary to demonstrate the processor’s compliance with the obligations in the law;
  4. after providing the controller with an opportunity to object, engage any subcontractor pursuant to a written contract that requires the subcontractor to meet the obligations of the processor with respect to the personal data; and
  5. make available to the controller upon a reasonable request all information in the processor’s possession necessary to demonstrate the processor’s compliance.

DATA PROTECTION ASSESSMENTS

A controller must conduct and document a data protection assessment for each of the controller’s processing activities that presents a heightened risk of harm to a consumer, which includes:

  1. the processing of personal data for the purposes of targeted advertising;
  2. the sale of personal data;
  3. the processing of personal data for the purposes of certain profiling.

ENFORCEMENT

The Attorney General has exclusive authority to enforce the Act under the Vermont Consumer Protection Act and must provide and update, as necessary, guidance to controllers and processors for compliance with the terms of the Act.

IMPRESSION

The Act balances the rights of consumers with the impact on businesses. The Act follows the pattern of many post-California comprehensive data privacy laws but notably departs from the vast majority of states by including only a data-level Gramm-Leach-Bliley Act exemption for non-bank financial institutions.

This means that non-bank financial institutions subject to the GLBA must take the extra step to analyze whether all the data collected and processed falls within the GLBA, despite the fact they are subject to many of the same federal data privacy and security laws as banks.

Eric Rosenkoetter is a principal at Maurice Wutscher LLP, and is focused on advising clients with respect to federal and state consumer financial protection laws and data privacy and security, and he is a Certified Information Privacy Professional through the International Association of Privacy Professionals. He also brings to the table experience as a litigator, chief compliance and ethics officer, director of legislative affairs, federal lobbyist, and administrative hearings officer. Eric earned his Juris Doctor from Washington University School of Law, and his Bachelor of Business Administration from Southern Methodist University. He is a member of the International Association of Privacy Professionals, the Receivables Management Association International (RMAI), and ACA International. He is admitted to practice law in Texas and Missouri and in the U.S. District Courts for the Northern, Southern, Eastern, and Western Districts of Texas. For more information, see https://mauricewutscher.com/attorneys/eric-rosenkoetter/