Vermont Enacts Comprehensive Privacy Legislation
25 June 2026
On 16 June 2026, Vermont’s governor signed into law the Vermont Data Privacy and Online Surveillance Act. The new act replaces an earlier privacy bill, which was vetoed by the governor in 2024.
The act contains several provisions that go beyond the now-familiar state privacy law model, featuring a low applicability threshold, provisions governing health data, and one of the first explicit transparency requirements relating to the use of personal data for training large language models.
The act will take effect on 1 January 2028, making Vermont the 23rd US state to enact a comprehensive consumer privacy law and the fourth to do so this year (see our recent updates on similar developments in Louisiana, Alabama and Oklahoma).
Scope of Application and Exemptions
The new act applies to any person that conducts business in Vermont or produces products or services that are targeted to Vermont residents, and that in the preceding calendar year:
- controlled or processed personal data of at least 35,000 Vermont residents (excluding personal data controlled or processed solely to complete a payment transaction);
- controlled or processed the sensitive data of at least 3,000 Vermont residents (excluding personal data controlled or processed solely to complete a payment transaction); or
- offered for sale in trade or commerce the personal data of at least 3,000 Vermont residents.
Exemption
Like other state comprehensive privacy laws, the act exempts certain entities and data from its scope, such as government entities, covered entities and business associates as defined by the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) (except for “hybrid” entities), state or federally chartered banks or credit unions, investment advisers, some nonprofit organizations and certain news and media organizations. In addition, there are data-level exemptions, such as data subject to the Gramm-Leach-Bliley Act, protected health information under HIPAA, employees’ and job applicants’ data processed within the employment context, and publicly available information, as defined under the act.
Controller Obligations
Consistent with other US state privacy laws, the act imposes several obligations on controllers, including:
- Limit data collection to what is “reasonably necessary and proportionate” for the disclosed purposes. Consent is required to process personal data for any “material new purpose” incompatible with the original disclosure;
- Establish and maintain reasonable administrative, technical and physical data security practices to protect the confidentiality, integrity and accessibility of personal data;
- Obtain consent prior to: (i) processing sensitive data, provided that such processing is reasonably necessary for the purposes for which the data was collected; and (ii) selling sensitive data. Where a controller knows, or willfully disregards, that a consumer is a child, it must process such data in accordance with the Children’s Online Privacy Protection Act (“COPPA”) and, if applicable, the Vermont Age-Appropriate Design Code;
- Not process personal data in a manner that violates applicable state or federal anti-discrimination laws;
- Provide consumers with an effective mechanism to revoke consent, and cease the processing of the relevant personal data within 15 days of receiving the revocation request;
- Subject to certain exemptions under the act, refrain from selling or processing for targeted advertising purposes the personal data of consumers aged at least 13 but younger than 18, where the controller has actual knowledge of and willfully disregards the consumer’s age. Controllers must process personal data of children under age 13 in accordance with COPPA and, if applicable, the Vermont Age-Appropriate Design Code;
- Conduct and document data protection assessments for processing activities that present a heightened risk of harm to consumers, including the processing of personal data for targeted advertising or for profiling (where it presents a reasonably foreseeable risk), the sale of personal data and the processing of sensitive data. A separate impact assessment is required for any profiling used to make a decision that produces any legal or similarly significant effect concerning a consumer. These requirements apply to processing activities beginning after 1 January 2028, and are not retroactive;
- Not discriminate against consumers for exercising their rights under the act;
- Provide a clear and accessible privacy notice. Among other requirements, the notice must include a statement of whether the controller collects, uses or sells personal data for training large language models, and the controller must take “all reasonable electronic measures” to inform consumers of retroactive material changes;
- Share the privacy notice in each language in which the controller provides products or services;
- Provide consumers and authorized agents with clear and effective mechanisms to opt out of targeted advertising and the sale of personal data, including via a conspicuous website link and by honoring opt-out preference signals;
- Ensure that each processor is governed by a contract that includes clear instructions, rights and obligations, confidentiality duties and compliance verification rights, and that requires sub-processors to meet the same obligations.
Consumer Rights
The new act empowers consumers with a wide range of rights with respect to their personal data, including:
- Right to confirm whether or not a controller is processing the consumer’s personal data;
- Right to access personal data being processed, including any inferences derived from such personal data, and information about whether the consumer’s personal data is being used for profiling to make a decision that produces any legal or similarly significant effects;
- Right to correct inaccuracies in the consumer’s personal data;
- Right to delete personal data provided by or obtained about the consumer;
- Right to data portability, i.e. to obtain a copy of the consumer’s personal data in a portable and readily usable format that allows the consumer to transmit the data to another controller without hindrance, where the processing is carried out by automated means;
- Right to opt out of targeted advertising, the sale of personal data or profiling in furtherance of any automated decision that produces legal or similarly significant effects;
- Additional profiling rights. If the consumer’s personal data was processed for the purposes of profiling in furtherance of any automated decision that produced legal or similarly significant effects, consumers may (if feasible) question the result of such profiling, be informed of the reasoning, and review the personal data used. For housing-related decisions, consumers may also correct inaccurate personal data processed and request re-evaluation;
- Right to obtain a list of third parties to which their personal data was sold, or a list of all third parties to which the controller has sold personal data;
- Right to appeal a controller’s refusal to act (response required within 60 days).
The act further addresses how consumers may exercise their rights and opt out of certain processing activities. Controllers must respond to consumers within 45 days of receipt of a request (with a possible extension of an additional 45 days where reasonably necessary). The act also addresses the circumstances in which controllers may decline to take action, the cost of providing information, and the establishment by controllers of an appeal mechanism for consumers whose requests are denied.
Consumer Health Data Privacy Section
The act prohibits anyone (regardless of whether they meet the applicability thresholds) from the following actions concerning consumer health data:
- Providing an employee or contractor with access to consumer health data unless they are subject to a contractual or statutory duty of confidentiality;
- Providing processors with access to consumer health data unless the processor complies with the act’s obligations;
- Using a geofence to create a virtual boundary within 1,850 feet of any health care facility for identifying, tracking, collecting data from, or sending any notification to a consumer regarding the consumer’s health data; and
- Selling or offering to sell consumer health data without obtaining the consumer’s consent.
Controlling Version
In the event of a conflict between the act and any other law, including the Vermont Age-Appropriate Design Code Act, the provisions affording the greatest privacy protection for consumers shall control.
Enforcement
The act grants exclusive enforcement authority to the Attorney General, with no private right of action. By 30 June 2029, the Attorney General must offer a 60-day cure period for violations (if the Attorney General believes a cure is possible). The Attorney General shall also provide guidance to controllers and processors for compliance with the terms of the act and submit an annual enforcement report.
Key Differences Between the Enacted Act and the Vetoed Bill
The new act retains many of the core protections of the 2024 vetoed bill, but introduces several notable changes. Most significantly, it:
- eliminates the private right of action, leaving enforcement solely to the Attorney General;
- revises the applicability thresholds by removing the revenue-based test;
- removes the standalone age-appropriate design code while referencing separate legislation;
- adds prohibitions on targeted advertising and the sale of personal data of minors aged 13 to under 18;
- expands consumers’ profiling rights;
- requires disclosure of whether personal data is used to train large language models; and
- introduces a separate, more detailed impact assessment requirement for profiling that produces legal or similarly significant effects.
Companies providing services to consumers in the United States should assess their exposure to this additional data protection regulatory regime in Vermont. Please feel free to contact us if you have any questions regarding the Act and its practical implications.