§ 2415cStatuteReference only

Exemptions

Effective January 1, 2028Reviewed July 2026

Reference only: This requirement is not currently tested by the Privisy scanner. It is included for reference. Consult a qualified attorney to assess your compliance posture.

What it requires

Replaces the introduced bill's blanket carve-outs for all nonprofits and higher-education institutions with a much more granular list: HIPAA-covered entities and business associates, specific federal human-subjects research regimes, Fair Credit Reporting Act activity, GLBA-regulated data, state-chartered banks/credit unions, licensed insurance producers, victim-services data, and narrow nonprofit/media carve-outs.

Legal text (excerpt)

This subchapter does not apply to: (1) ... a federal, state, tribal, or local government entity ...; (2)(A) a covered entity that is not a hybrid entity; ... (13) data subject to Title V of the Gramm-Leach-Bliley Act ...; (14) a state- or federally chartered bank or credit union ....

Vermont Data Privacy and Online Surveillance Act: § 2415c, Statute, effective 2028

Primary source

Vermont Office of the Attorney General: § 2415c: Exemptions

Legal notice: This page is for informational purposes only and does not constitute legal advice. The legal text excerpt is reproduced from official public sources and is current as of the stated effective date. Laws change: verify against the authoritative source and consult a licensed attorney for compliance guidance.

Stop Guessing. Start Knowing.

Find out exactly where your website stands before a regulator does.

Get My Compliance Audit