US
Vermont Data Privacy and Online Surveillance Act
Overview
The Vermont Data Privacy and Online Surveillance Act, enacted through Bill S.71 and designated Act No. 145, establishes consumer privacy rights for Vermont residents and imposes legal obligations on specific controllers and processors handling personal data. The law grants consumers clear rights to access, correct, delete, secure a portable copy of, and opt out of the processing of their personal data. It also sets comprehensive standards for online privacy notices, sensitive data handling, targeted advertising, data sales, mandatory processor contracts, large language model training disclosures, and data protection assessments.
Regulation Summary
- 2026 Legislative Session: Passed by both the House and the Senate.
- 16 June 2026: Signed by the Governor into law as Act No. 145.
- 1 January 2028: Law officially takes effect.
- 1 January 2028 – 30 June 2029: Mandatory 60-day statutory cure period applies to eligible violations.
The Vermont Data Privacy and Online Surveillance Act applies to individuals or entities that conduct business in Vermont, or produce products or services targeted to Vermont residents, and meet at least one of the following thresholds during the preceding calendar year:
- Controlled or processed the personal data of not fewer than 35,000 unique consumers (excluding data processed purely to complete a payment transaction).
- Controlled or processed the sensitive data of not fewer than 3,000 unique consumers (excluding data processed purely to complete a payment transaction).
- Offered for sale in trade or commerce the personal data of not fewer than 3,000 unique consumers.
Note: The act’s consumer health data privacy provisions apply broadly to any entity doing business in the state or targeting its residents, regardless of the consumer volume thresholds above.
The law does not apply to:
- Vermont state, federal, tribal, or local government entities and instrumentalities.
- Financial institutions, their affiliates, or data subject to Title V of the Gramm-Leach-Bliley Act.
- HIPAA covered entities (excluding hybrid entities) and business associates.
- Registered national securities associations.
- Air carriers operating under federal aviation laws.
- Certain insurance entities and non-profit organizations focused on fraud detection or enrollment reporting.
- Health care facilities and licensed providers maintaining information in compliance with state health records laws and HIPAA.
The law also exempts distinct categories of information, including protected health information under HIPAA, federal substance use disorder patient records, human subjects research data, Fair Credit Reporting Act data, Driver's Privacy Protection Act data, FERPA educational records, Farm Credit Act data, noncommercial media activity (publishers, editors, reporters, and broadcasters), employment-related data, emergency contact data, benefits administration data, and data processed strictly in a personal or household context.
Controllers must:
- Limit the collection of personal data to what is reasonably necessary and proportionate to the disclosed purposes of processing.
- Establish, implement, and maintain reasonable administrative, technical, and physical data security practices.
- Avoid processing personal data for material new purposes that are incompatible with original disclosures without obtaining explicit consumer consent.
- Refrain from processing data in violation of state or federal laws that prohibit unlawful consumer discrimination.
- Avoid discriminating or retaliating against any consumer who exercises their statutory rights.
- Obtain affirmative consumer consent before processing or selling sensitive data.
- Process known children's data in compliance with COPPA frameworks.
- Cease processing within 15 days of a consumer revoking their consent through an effective mechanism.
- Block the sale or processing of personal data for targeted advertising if they have actual knowledge (or willfully disregard) that a consumer is between 13 and 17 years of age.
- Provide consumers with a clear, accessible, and meaningful privacy notice.
Processors must follow the clear instructions of the controller and directly assist them in meeting consumer rights requests, maintaining security obligations, reporting breaches, and delivering data protection assessments. All controller-processor interactions must be governed by a valid, binding contract outlining processing instructions, the nature and duration of the data activity, confidentiality duties, subcontractor mandates, compliance reviews, and data deletion or return protocols.
Website owners that fall within the scope of the law must:
- Establish one or more secure and reliable methods for consumers to submit rights requests.
- Avoid forcing consumers to create a brand-new user account just to execute their legal rights.
- Place a clear, conspicuous hyperlink on their homepage containing the word "privacy" (as well as on app store download pages and inside application settings menus).
- Enable a web page mechanism that permits consumers or authorized agents to opt out of targeted advertising and personal data sales.
- Support automated opt-out preference signals (such as browser-based global privacy settings) that reflect an affirmative choice to opt out.
- Publish an online privacy notice detailing:
  - The precise categories of personal data and sensitive data processed.
  - The clear purposes for processing each category of data.
  - Instructions on how consumers can exercise rights and appeal denied requests.
  - The categories of data shared or sold to third parties, alongside details regarding what types of entities those third parties are.
  - An active email address or monitored online contact method.
  - An explicit statement disclosing whether the controller collects, uses, or sells personal data for the purpose of training large language models.
  - The exact month and year the notice was last updated.
Note: In contrast to certain other states, the act as enacted does not mandate specific, quoted multi-word uppercase boilerplate text (e.g., "NOTICE: We may sell...") for sensitive or biometric data sales, but it strictly requires clear and conspicuous upfront disclosure of any such sales within the standard privacy notice layout.
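The opt-out obligations above (honouring an automated preference signal, honouring a consumer's own opt-out request, and never selling or targeting advertising at a consumer known to be 13 to 17) can be combined in one server-side decision. The following is an added example, not code from the Act or any official guidance; the header name "Sec-GPC" and value "1" come from the Global Privacy Control specification, while the shape of the consumer record (optedOut, knownAge) is assumed for this example.

```javascript
// Added example (not part of the Act or any official guidance): decide whether a
// request may be used for targeted advertising or a data sale, honouring the
// browser-sent Global Privacy Control signal ("Sec-GPC: 1"), any opt-out the
// consumer recorded with the controller, and the Act's rule for consumers the
// controller has actual knowledge are 13 to 17 years old.
// The consumer record shape ({ optedOut, knownAge }) is assumed for this example.

const SIGNAL_HEADER = "sec-gpc";

function normalizeHeaders(headers) {
  // HTTP header names are case-insensitive; compare them lower-cased and trimmed.
  const out = {};
  for (const [name, value] of Object.entries(headers || {})) {
    out[name.toLowerCase()] = String(value).trim();
  }
  return out;
}

function evaluateOptOut(headers, consumer) {
  const h = normalizeHeaders(headers);
  const reasons = [];

  // 1. Automated opt-out preference signal: GPC is sent as "Sec-GPC: 1".
  if (h[SIGNAL_HEADER] === "1") reasons.push("gpc-signal");

  // 2. An opt-out the consumer submitted through the site's own mechanism.
  if (consumer && consumer.optedOut === true) reasons.push("consumer-request");

  // 3. Actual knowledge that the consumer is 13 to 17: no sale or targeted
  //    advertising regardless of any signal or stored preference.
  const age = consumer && Number.isInteger(consumer.knownAge) ? consumer.knownAge : null;
  if (age !== null && age >= 13 && age <= 17) reasons.push("known-minor-13-17");

  const optedOut = reasons.length > 0;
  return {
    targetedAdvertising: !optedOut, // false => do not use for targeted ads
    sale: !optedOut,                // false => do not sell this consumer's data
    reasons,                        // retained so the basis can be shown on appeal
  };
}
```

Each decision carries its reasons so the controller can document, for an appeal or an Attorney General inquiry, why a given request was treated as an opt-out.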
The Vermont Data Privacy and Online Surveillance Act introduces several unique operational guardrails:
- Controllers must respond to consumer rights requests within 45 calendar days of receipt.
- A single 45-day extension is permitted when reasonably necessary due to complexity or request volume, provided the consumer is notified within the initial window.
- Responses must be provided completely free of charge once per consumer during any 12-month period.
- If a request is denied, the business must establish a conspicuous appeal process that mirrors the initial submission process and respond in writing within 60 days.
- If an appeal is rejected, the controller must provide an explicit method for the consumer to contact the Vermont Attorney General to file a formal complaint.
- Any contractual waivers or terms that attempt to limit consumer rights are legally void and unenforceable.
- Data protection and impact assessments must be documented for targeted advertising, data sales, processing sensitive data, and algorithmic profiling that introduces foreseeable risks of discrimination, physical/financial injury, or offensive intrusions into consumer seclusion.
- Impact assessments are also mandatory for any profiling tied to automated decisions that yield legal or similarly significant consumer outcomes.
- These assessment rules apply to new data activities initiated after 1 January 2028 and do not act retroactively.
- Assessments must be kept for at least three years, remain exempt from public record disclosures, and be turned over to the Attorney General upon an investigative demand.
- Entities handling deidentified data must implement technical safeguards against reidentification, publicly pledge not to reidentify it, and contractually bind downstream recipients to those same terms.
Vermont consumers hold the right to:
- Confirm and Access: Verify if a controller is processing their data and access the personal data directly.
- Correction: Demand the correction of factual inaccuracies within their personal records.
- Deletion: Request the deletion of data provided by or obtained about them.
- Portability: Secure a digital, portable, and readily usable copy of their processed personal data.
- Opt-Out Rights: Stop the processing of their data for targeted advertising, data sales, or profiling linked to decisions with legal or similarly significant effects.
- Automated Decision Review: Question automated profiling outcomes, obtain the reasoning behind a decision, review input variables, and correct housing-related profiling metrics to trigger a manual reevaluation.
- Third-Party Disclosures: Obtain a comprehensive list of specific third parties to which the controller has sold their personal data.
Parents and legal guardians possess the explicit right to exercise these privacy protections on behalf of known minors.
The Vermont Attorney General holds sole, exclusive authority to enforce the Vermont Data Privacy and Online Surveillance Act. The law provides no private right of action; instead, a violation is legally treated as an unfair and deceptive act with civil penalties of up to US$10,000.00 for each individual violation.
From 1 January 2028 through 30 June 2029, the Attorney General must issue a formal notice of violation and extend a mandatory 60-day cure period to the alleged violator before launching an enforcement lawsuit, provided the AG determines the violation can be remedied. If the entity fails to fix the issues within 60 days, civil enforcement actions may proceed under the Consumer Protection Act's standard enforcement rules and penalty schedules. Courts may also grant additional remedies under this framework, including temporary or permanent injunctions to halt data processing, orders for consumer restitution, and full reimbursement to the Attorney General's office for investigative costs and attorney's fees.