Vermont Data Privacy and Online Surveillance Act
Comprehensive Vermont privacy law granting consumer data rights with heightened health-data protections.
Short Title and Definitions
Establishes the short title, "Vermont Data Privacy and Online Surveillance Act," and defines key terms. As enacted, "sensitive data" was broadened beyond the introduced bill to expressly include consumer health data, genetic and biometric data generally (not just data used for identification), neural data, and data revealing status as nonbinary or transgender, in addition to precise geolocation and data from a known child.
Applicability
As enacted, the applicability thresholds were substantially lowered and restructured from the introduced bill's 100,000/25,000-consumer, revenue-based test: the Act now reaches businesses processing the personal data of at least 35,000 consumers, or the sensitive data of at least 3,000 consumers, or selling the personal data of at least 3,000 consumers. Consumer health data provisions apply regardless of these thresholds.
Exemptions
Replaces the introduced bill's blanket carve-outs for all nonprofits and higher-education institutions with a much more granular list: HIPAA-covered entities and business associates, specific federal human-subjects research regimes, Fair Credit Reporting Act activity, GLBA-regulated data, state-chartered banks/credit unions, licensed insurance producers, victim-services data, and narrow nonprofit/media carve-outs.
Consumer Personal Data Rights
Consolidates and expands consumer rights beyond the introduced bill: confirm/access personal data and profiling-based inferences, correct inaccuracies, delete data, obtain a portable copy, opt out of targeted advertising/sale/certain profiling, and (new) question and seek review of automated decisions with legal or similarly significant effects, plus obtain a list of third parties that purchased the consumer's data. Authorized-agent opt-out designation now lives in this section rather than standing alone.
Duties of Controllers
Requires data minimization, consent for sensitive-data processing and sale, non-discrimination, and a detailed privacy notice, now including a required disclosure of whether the controller uses or sells personal data to train large language models. Extends the ban on targeted advertising and sale to any consumer known to be under 18 (up from under 16 in the introduced bill), cross-references the Vermont Age-Appropriate Design Code Act for covered minors, and requires a non-default opt-out preference signal mechanism.
Processors’ Duties; Contracts Between Controllers and Processors
Processors must follow controller instructions and assist with consumer-rights responses, security, and breach notification. Controller-processor contracts must require confidentiality, data deletion/return at contract end, subcontractor flow-down obligations, and cooperation with compliance audits. A processor that exceeds its instructions and starts determining the purposes of processing becomes a controller and can face direct Attorney General enforcement.
Data Protection and Impact Assessments; Disclosure to Attorney General
Controllers must conduct data protection assessments for high-risk processing (targeted advertising, sale of data, risky profiling, sensitive data). New in the enacted version: profiling used for legally or similarly significant decisions requires a separate, more detailed impact assessment covering intended use, foreseeable harms, input/output data categories, and post-deployment monitoring. Assessments are confidential but discoverable by the Attorney General; the duty applies only to activity created after January 1, 2028.
Deidentified Data
A controller holding deidentified data must take reasonable measures against re-identification, publicly commit not to re-identify it, and bind recipients to the same obligations by contract. The Act does not require re-identification to fulfill a request, and the rights to confirm, access, correct, or delete data do not apply to properly safeguarded pseudonymous data.
Construction of Duties
Clarifies that the Act does not restrict compliance with law, law-enforcement cooperation, fraud/security response, contract performance, or approved scientific research, and adds a new exception (not in the introduced bill) allowing limited internal use of personal data to detect or correct bias in automated decision-making. Also confirms the Act does not authorize facial recognition use by law enforcement.
Attorney General Enforcement; Reporting
Enforcement is folded directly into Vermont's general Consumer Protection Act rather than the standalone "unfair and deceptive act" language used in the introduced bill: a violation is deemed a Consumer Protection Act violation, enforced exclusively by the Attorney General, with no private right of action. A separate transitional provision requires a 60-day notice-and-cure period for violations occurring between January 1, 2028 and June 30, 2029. The Attorney General must report annually to the Legislature on enforcement activity.
Consumer Health Data Privacy
Applies regardless of the Act's general size thresholds. Bars sale of consumer health data without consent, requires confidentiality obligations for employees/contractors and processors with health-data access, and prohibits geofencing within 1,850 feet (widened from the 1,750 feet proposed in the introduced bill) of any health care, mental health, or reproductive/sexual health facility for tracking or notification purposes.
Legal notice: This reference library is for informational purposes only and does not constitute legal advice. Excerpts are reproduced from official public sources and are current as of June 2026. Laws and regulations change: always verify against the authoritative source and consult a qualified attorney.