Data Protection and Impact Assessments; Disclosure to Attorney General
Reference only: This requirement is not currently tested by the Privisy scanner. It is included for reference. Consult a qualified attorney to assess your compliance posture.
What it requires
Controllers must conduct data protection assessments for high-risk processing (targeted advertising, sale of data, risky profiling, sensitive data). New in the enacted version: profiling used for legally or similarly significant decisions requires a separate, more detailed impact assessment covering intended use, foreseeable harms, input/output data categories, and post-deployment monitoring. Assessments are confidential but discoverable by the Attorney General; the duty applies only to activity created after January 1, 2028.
Legal text (excerpt)
Each controller that engages in any profiling for the purposes of making a decision that produces any legal or similarly significant effect concerning a consumer shall conduct an impact assessment for the profiling. ... Data protection and impact assessment requirements shall apply to processing activities created or generated after January 1, 2028, and are not retroactive.
Primary source
Vermont Office of the Attorney General: § 2415g: Data Protection and Impact Assessments; Disclosure to Attorney General ↗Legal notice: This page is for informational purposes only and does not constitute legal advice. The legal text excerpt is reproduced from official public sources and is current as of the stated effective date. Laws change: verify against the authoritative source and consult a licensed attorney for compliance guidance.