Perseverance Pays Off for Vermont Privacy Efforts
Vermont has become the 23rd U.S. state to enact a comprehensive consumer privacy law after Governor Scott signed S.71, the Vermont Data Privacy and Online Surveillance Act (VDPOSA), on June 16. This new law is amongst the broadest in the country, closely resembling the 2025 version of the Connecticut Data Privacy Act (CTDPA). For example, the VDPOSA includes low applicability thresholds, a broad definition of sensitive data, heightened protections for consumer health data, consumer rights to know third parties to whom your personal data is sold and to contest certain profiling decisions, and impact assessments for certain uses of profiling. The law will take effect on January 1, 2028 and be enforced exclusively by the attorney general.
In addition to enacting the VDPOSA, Vermont also passed bills updating the state’s data broker registry (H.211), establishing a direct-to-consumer genetic testing law (H.639), and recognizing a right to neural privacy (H.814). This blog post provides background on Vermont’s privacy legislative efforts in recent years, then covers the law’s scope and key definitions, consumer rights, business obligations, and enforcement provisions. The blog post concludes with a brief overview of other privacy legislation enacted in Vermont this year.
Background
Privacy has been a long time coming in the Green Mountain State. Two years ago, Governor Scott became the first governor to veto a comprehensive consumer privacy bill. That bill, H.121, was an omnibus privacy bill with comprehensive protections and an age-appropriate design code. Had that bill been enacted, its comprehensive privacy provisions would have been among the broadest and most stringent in the country. In particular, the bill included Maryland-style substantive data minimization requirements, a ban on selling sensitive data, and a limited private right of action (PRA). The legislature tried, but failed, to overturn the veto.
The legislature continued working on privacy issues in the intervening years. Last year, they enacted the Vermont Age-Appropriate Design Code Act. This year, they finally reached consensus on a comprehensive consumer privacy law as well as an update to the state’s data broker registry, regulation of direct-to-consumer genetic testing companies, and a “right” to “mental and neural data privacy.” Although the law enacted this year diverges from the 2024 effort in notable ways, this law nevertheless incorporates many elements from the broadest and most privacy protective iterations of the Washington Privacy Act framework in the country.
Scope and Key Definitions
Covered Entities: The law applies to persons who conduct business in Vermont or produce a product or service targeted to Vermont residents and, excluding payment transaction data, annually either (1) control or process the personal data of at least 35,000 consumers, (2) control or process the sensitive data of at least 3,000 consumers, or (3) offer for sale the personal data of at least 3,000 consumers. These thresholds are low compared to those in other states, and it is uncommon to include a threshold tied to processing sensitive data. Like Connecticut’s and Maryland’s laws, the VDPOSA has requirements for consumer health data and consumer health data controllers that are not subject to the same applicability thresholds, instead applying broadly to “a person that conducts business in [Vermont] or a person that produces products or services that are targeted to residents of [Vermont].” This law also addresses any potential conflicts with the Vermont Age-Appropriate Design Code Act (AADCA), providing that the most protective law should control in any situation where that law conflicts with the requirements of this law. (Section 1, § 2415b.)
Definitions: The law’s definitions are generally consistent with the Connecticut model, including aspects of Connecticut’s 2023, 2025, and 2026 amendments. Two definitions worth noting:
- “Publicly available information” is defined narrowly, excluding information collated and combined to create a consumer profile that is made available via a publicly available website and inferences generated from such profiles. For the consumer rights to access, correction, and portability (see below), publicly available information does not include “information made available for sale,” meaning such data is subject to those rights. This narrow definition of publicly available information—which conversely expands the scope of personal data—is similar to Connecticut’s updated definition from this year’s CTDPA amendments.
- “Sensitive data” is defined broadly, including less common categories such as data revealing status as nonbinary or transgender, consumer health data, neural data, information derived from genetic or biometric data, certain financial account numbers or login information, or government-issued identification numbers. (Section 1, § 2415a.)
Entity and Data-Level Exemptions: The law includes many of the common entity-level exemptions, including for: certain government entities acting “in the ordinary course of its operation”; a covered entity or business associate under HIPAA (although a “hybrid entity” is not fully subject to the exemption); state or federally chartered banks or credit unions or affiliates or subsidiaries principally engaged in financial activities; certain health care providers and health care facilities under Vermont law; nonprofits established to detect and prevent insurance fraud; and more. Continuing a trend in recent years, the VDPOSA opts for more targeted entity-level exemptions for specific types of financial entities and nonprofits rather than broader exemptions for all GLBA-regulated entities and all nonprofits.
The law also includes many of the common data-level exemptions, including for: certain health records, patient identifying information, and research data; activities using information for the purpose of evaluating creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living if “done strictly in accordance with” the FCRA by a consumer reporting agency, furnisher, or person using a consumer report; information collected, processed, or disclosed in accordance with the DPPA or FERPA; data subject to GLBA; protected health information under HIPAA; personal data of a victim or witness of certain crimes (e.g., child abuse, human trafficking) maintained by a victim services organization; and more. (Section 1, § 2415c.)
Exceptions for Common Business Activities: The law includes many exceptions which are consistent with existing state comprehensive privacy laws, including: compliance with federal, state, or municipal laws or regulations; compliance with investigations, subpoenas, or summons; compliance with law enforcement agencies; preventing or detecting security incidents, fraud, or illegal activity; engaging in public or peer-reviewed scientific or statistical research in the public interest that meets required safeguards; internal use of data for product improvement or for internal operations reasonably aligned with the expectations of the consumer; and more. (Section 1, § 2415i.)
Consumer Rights
Consumers have the standard rights to confirm whether a controller is processing their personal data and access that data, correct inaccuracies in their personal data, delete their personal data, obtain a copy of their personal data in a portable format (if technically feasible), and opt out of the processing of their personal data for targeted advertising, the sale of personal data, or profiling in furtherance of a decision that produces a legal or similarly significant effect concerning the consumer. These rights contain a few unique or uncommon provisions:
- The right to access extends to inferences about the consumer derived from personal data and the right to know whether a controller or processor is processing the consumer’s personal data for profiling to make a decision that produces legal or similarly significant effects.
- Consistent with states like Minnesota and Montana, a controller is prohibited from disclosing certain categories of personal data in response to a consumer access request. These include social security numbers, government-issued ID numbers, financial account numbers, health or medical identification numbers, account passwords, security questions or answers thereto, or biometric data. If a controller has collected any of these categories of personal data, it must inform the consumer “with sufficient particularity” that it has done so.
- If a consumer’s personal data was processed for profiling in furtherance of an automated decision that produced any legal or similarly significant effect, the consumer has the right to, “if feasible,” question the profiling result, be informed of the reason the profiling resulted in the decision, and review the personal data processed for the profiling. If the decision concerned housing, the consumer can also correct any inaccurate personal data that was processed and have the decision reevaluated based on the corrected data. This right to contest adverse profiling decisions matches that in Connecticut’s law, which was added last year and modeled on Minnesota’s broader right.
- Consumers have an additional right to obtain a list of the third parties to whom their personal data was sold, or, if the controller does not maintain such a consumer-specific list, then a list of all third parties to whom personal data is sold.
This law allows consumers to designate an authorized agent to opt out of processing on the consumer’s behalf (including for profiling) and to use an opt-out preference signal to opt out of the sale of personal data or targeted advertising. (Section 1, § 2415d.)
Business Obligations
Controllers and processors have enumerated responsibilities under the law, including transparency, data minimization, data security, oversight of processors, antidiscrimination, heightened protections for minors, and conducting both data protection assessments and impact assessments.
Transparency: Controllers must provide consumers with a “reasonably accessible, clear, and meaningful” privacy notice that includes required information under the law, such as categories of data processed, processing purposes, how to exercise rights and appeal decisions, the categories of personal data sold to third parties, and the categories of third parties to whom personal data is sold. (Section 1, § 2415e(c).)
Data Minimization: The law includes procedural data minimization requirements. A controller must:
- limit the collection of personal data to what is “reasonably necessary and proportionate” in relation to the purposes for which the data are processed, as disclosed to the consumer;
- obtain consent to process personal data for any “material new” purpose that is “neither reasonably necessary to, nor compatible with,” the disclosed purposes for which the personal data is processed; and
- not process a consumer’s sensitive data without the consumer’s consent and “unless the processing is reasonably necessary in relation to the purposes for which the sensitive data are collected.”
Although these provisions are not “substantive data minimization” requirements in the same way that Maryland’s or California’s are, they are slightly unusual. In particular, the “necessary and proportionate” language is a departure from the usual “adequate, relevant, and reasonably necessary” language used in most state laws based on the WPA framework. Only Connecticut uses this same language, and those requirements were added in last year’s CTDPA amendments. Nevertheless, this is still a procedural requirement that ties data collection to the purposes disclosed to the consumer. Also similar to Connecticut, this law explicitly states that a controller cannot sell a consumer’s sensitive data without consent. (Section 1, § 2415e(a).)
Data Security: Controllers are required to “establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data.” (Section 1, § 2415e(a)(2).)
Processors: Controllers must engage in oversight of processors by entering into a contract that meets statutory criteria (e.g., providing instructions for processing data, describing the nature and purpose of the processing, imposing confidentiality). (Section 1, § 2415f.)
Antidiscrimination: Controllers are prohibited from processing personal data in violation of a federal or state law that prohibits unlawful discrimination against consumers. Similar to Connecticut’s 2025 amendment, this law further provides that, for state laws only, any evidence (or lack thereof) of proactive anti-bias testing or similar efforts to avoid processing data in violation of any anti-discrimination law will be relevant to any claim for a violation of such a state law. The law also includes a narrow exception for internal data use in profiling to correct bias. (Section 1, § 2415e(a)(5).)
Consumer Health Protections: Similar to Connecticut’s and Maryland’s laws, this law includes heightened protections for consumer health data, such as confidentiality requirements for employee access to consumer health data, a prohibition on geofencing health care facilities for certain purposes (within 1,850 feet), and a prohibition on selling consumer health data without the consumer’s consent. Consumer health data is defined broadly as “any personal data that a controller uses to identify a consumer’s physical or mental health condition, diagnosis, or status,” and it includes reproductive or sexual health data and gender-affirming health data. These protections apply more broadly than the rest of the law to “persons,” notwithstanding the law’s other applicability thresholds. (Section 1, § 2415k.)
Assessments: Like most comprehensive privacy laws, this law requires controllers to conduct and document a data protection assessment for certain processing activities that present a heightened risk of harm to consumers, including: processing personal data for targeted advertising; selling personal data; processing personal data for profiling that presents a reasonably foreseeable risk of substantial injury to consumers, or processing sensitive data. Once again taking inspiration from Connecticut’s 2025 amendment, this law will additionally require a controller to conduct an impact assessment for any profiling conducted for making a decision that produces legal or similarly significant effect. These impact assessments must include information such as: the purpose, intended use, and deployment context of the profiling; analysis on whether the profiling presents a reasonably foreseeable risk of harm; descriptions of inputs and outputs; post-deployment monitoring and user safeguards; and more. The Vermont Attorney General (AG) may request a completed data protection or impact assessment as part of an investigation. (Section 1, § 2415g.)
Minor-Specific Provisions Address Potential Conflicts with the Vermont AADCA
The VDPOSA prohibits a controller from processing personal data for targeted advertising or selling the consumer’s personal data if the controller “has actual knowledge, and willfully disregards,” that a consumer is at least 13 years of age but younger than 18 years of age. Maryland’s law includes a similar prohibition, albeit with a different knowledge standard. The VDPOSA clarifies that a controller who is also a covered business under the Vermont AADCA must comply with the requirements in that law. Where the two laws conflict, the most protective law will control. (Section 1, §§ 2415b & 2415e(a)(7), (9).)
Enforcement
The VDPOSA will be enforced exclusively by the attorney general. The law includes a permissive cure period of 60 days, allowing the attorney general to issue a cure notice to an alleged violator if the attorney general “determines that a cure is possible.” This cure period will expire on June 30, 2029. Although this law does not include a private right of action (PRA), the legislature added a statement of intent declaring that the attorney general will bear the burden of enforcing the law and, if sufficient appropriations and resources are not provided, the legislature will consider adding a PRA. (Section 1, § 2415j; Section 2; Section 3.)
Updates to Data Broker Registry Headline Other Privacy Efforts
The VDPOSA may be the most notable privacy bill enacted in Vermont this year, but it is not the only one. Vermont also updated the state’s data broker registry (H.211), enacted a direct-to-consumer genetic testing law (H.639), and established a right to neural privacy (H.814).
Data Brokers: Vermont is one of several states to create a data broker registry, alongside California, Connecticut (enacted this year), Oregon, and Texas. Effective January 1, 2027, H.211 significantly amends Vermont’s law. Key changes include—
- Re-defining “brokered personal information” (“BPI”) as “any information, including derived data and unique identifiers, that is linked or reasonably linkable, alone or in combination with other information, to an identified or identifiable individual or to a device that identifies, is linked to, or is reasonably linkable to one or more identified or identifiable individuals in a household.” The prior definition was narrower and limited to an enumerated list of identifiers, plus a catch-all. This definition, in contrast, is modeled on the broader definitions of “personal data” under many state comprehensive privacy laws. Additionally, the “publicly available information” exception to the definition of BPI has been broadened. The previous definition only excluded publicly available information “to the extent that it is related to a consumer’s business or profession.” That qualifier has been removed.
- Re-defining “data broker” by changing the “direct relationship” requirement. The core definition remains unchanged: a data broker is “a business . . . that knowingly collects and sells or licenses to third parties the [BPI] of a consumer with whom the business does not have a direct relationship.” Previously, the law provided examples of direct relationships, such as a “past or present . . . customer, client, subscriber, user, or registered user of the business’s goods or services.” The newly revised definition is instead modeled on California’s Delete Act regulations: a consumer must have “intentionally interacted with a business for the purpose of accessing, purchasing, using, requesting, or obtaining information about the business’s products or services,” and “[a] business is still a data broker and does not have a direct relationship with a consumer as to the [BPI] the business sells about the consumer that it collected outside of a first-party interaction with the consumer.” The revised definition also removed some of the law’s exceptions to data brokerage, such as “developing or maintaining third-party e-commerce or application platforms.”
- Adding a definition of “sale” that is consistent with the common definition under state comprehensive privacy laws: the exchange of BPI for monetary or other valuable consideration, subject to exceptions.
- Imposing due diligence or “know your customer”-style requirements prior to disclosing BPI, such as: requiring “prospective users” of BPI to identify themselves, state their purposes for seeking the information, and certify that the information will not be used for other purposes; and, prior to disclosing such information, verifying the prospective user’s identity, reviewing the stated purposes for using the information, and not disclosing the information where there are “reasonable grounds for believing that the information will be used to violate State or federal law or will not be used for the purposes stated by the user.”
- Adding new security breach notice requirements specific to data brokers.
- Accelerating when a data broker must register, closing the timeframe to 30 days after a data broker first meets the relevant definition and then annually by July 1 of each year.
- Increasing the registry fee and imposing a $20,000 bond.
- Expanding the mandatory disclosures during registration. New information that a data broker must disclose includes whether the data broker: collects certain categories of personal information (e.g., precise geolocation data, immigration status); has sold or shared the consumers’ data, in the past year, with certain entities (e.g., foreign actors, state or federal government, “developer of a GenAI system or model”); “the URL of a page on the data broker’s website” that includes relevant information on consumer rights; and more. Notably, while this disclosure requirement references consumer rights to deletion, opting-out of the collection of BPI, and authorized agents’ ability to exercise an opt-out on the consumer’s behalf, the revised data broker law itself does not require that data brokers offer these rights. The newly enacted VDPOSA, however, will require data brokers to offer consumer rights if they are within the scope of that law.
- Improving consumer access to the data broker registry in the form of a downloadable spreadsheet of registered data brokers.
Although earlier versions of H.211 would have added a California Delete Act–style accessible deletion mechanism, the final bill merely directs the Vermont Secretary of State to study the feasibility of establishing an accessible deletion mechanism.
Genetic Testing: Vermont has become the third state this year—after South Dakota and Connecticut—to enact a law regulating direct-to-consumer genetic testing. The Vermont Genetic Information Privacy Act will go into effect on July 1, 2026. This law imposes notice and consent requirements for the collection and use of biological samples and genetic data, gives consumers rights of deletion and access, and prohibits certain disclosures or uses of genetic data. Violations of the law will constitute unfair and deceptive acts in commerce under 9 V.S.A. § 2453. This includes a private right of action, although consumers will have to provide written notice of an alleged violation to a direct-to-consumer genetic testing company or service provider prior to initiating a civil action and allow 30 days to cure the notice. The cure requirement will expire on June 30, 2028. The Attorney General has enforcement and rulemaking authority.
Mental and Neural Privacy: Although the primary focus of H.814 is extending the duration and scope of the state’s Artificial Intelligence Advisory Council, this law also formally recognizes an individual right to “mental and neural data privacy.” This includes rights to “change an individual’s decision regarding neurotechnology” and to “be afforded protection from unauthorized neurotechnological alterations in mental functions critical to personality.” The law does not define key terms such as “neurotechnology,” nor are there specific mechanisms or business obligations attached to these new rights. The newly enacted VDPOSA, however, includes neural data as a category of sensitive data, providing Vermont residents with actionable protections such as opt-in consent requirements and mandatory data protection assessments.
* * *
Looking to get up to speed on the existing state comprehensive consumer privacy laws? Check out FPF’s 2025 report, Anatomy of a State Comprehensive Privacy Law: Charting the Legislative Landscape.

Pictured: Vermont receiving its red star on the FPF “Privacy Patchwork” quilt.