On June 16, 2026, Vermont Governor Phil Scott signed the Vermont Data Privacy and Online Surveillance Act (VDPOSA) into law. With its passage, Vermont became the 24th state to adopt a comprehensive consumer data privacy law, and the fourth to do so in 2026 alone. The law takes effect on January 1, 2028.
Vermont's law follows the now-familiar "controller/processor" framework adopted by a number of states, such as the Connecticut Data Privacy Act. Most of the Connecticut-model laws, including Vermont's data privacy law, channel enforcement primarily through state attorneys general.
Vermont's law is nonetheless notable for several features that push beyond the mainstream state model. Its lack of a blanket nonprofit exemption, its expanded definition of biometric data, its protections for neural data, and its AI training disclosure requirement collectively make it one of the more comprehensive frameworks enacted to date.
The breadth of its consumer health data provisions, which apply to all businesses operating in Vermont (regardless of size), reflects a growing legislative consensus that health and wellness data warrant special protection, given the sensitivity of the information and the risks of misuse.
Didomi outlines VDPOSA’s key provisions, including who the law applies to, how it differs from other state data privacy regulations, what businesses must do to comply, what rights are afforded to Vermont residents, and what penalties may be imposed for non-compliance. We also provide guidance on core compliance obligations that Vermont businesses should be prepared to meet in 2028.
Key facts about the VDPOSA
Who does the Vermont data privacy law apply to?
The VDPOSA applies to any person or legal entity that does business in Vermont or targets products and services to Vermont residents, and that in the preceding calendar year met at least one of the following thresholds:
- Controlled or processed the personal data of at least 35,000 Vermont consumers (excluding data processed solely to complete a transaction);
- Controlled or processed the sensitive data of at least 3,000 Vermont consumers; or
- Offered for sale the personal data of at least 3,000 Vermont consumers.
These thresholds are notably more modest than those in some other state laws, bringing a broader set of mid-sized businesses into the law's reach. Importantly, the VDPOSA adopts a single, uniform threshold structure, departing from an earlier tiered proposal that would have gradually expanded coverage to smaller businesses over successive years.
Processing consumer health data
One of VDPOSA's most distinctive features is its handling of consumer health data. The standard applicability thresholds don't apply. Any business operating in Vermont that touches health data is covered, regardless of size or volume.
This means VDPOSA’s consumer health data provisions apply to any person that does business in Vermont or targets products or services to Vermont residents.
This means small businesses, startups, and other entities that would not otherwise fall under the law's general scope must still comply with its health data requirements if they handle such data.
Exempted entities and data types
Like most state consumer data privacy laws, the VDPOSA exempts certain entities and categories of data from its scope. At the entity level, exemptions cover:
- Federal, state, tribal, and local government entities;
- HIPAA-covered entities (such as hospitals and health insurers) that are not hybrid entities, as well as their business associates;
- State- or federally chartered banks and credit unions, and their affiliates, are principally engaged in financial activities.
Notably, the VDPOSA does not include a blanket exemption for nonprofit organizations, which represents a departure from many other state privacy laws. Only a narrow set of nonprofits is exempt, including those established to detect insurance fraud, organizations that provide enrollment verification services for postsecondary schools, and certain noncommercial media entities.
In addition, Vermont’s consumer data privacy law includes only a data-level exemption for financial institutions under the Gramm-Leach-Bliley Act (GLBA), rather than a full entity-level GLBA exemption for all financial institutions found in many other state data privacy laws.
Information governed by existing federal frameworks is generally exempt from VDPOSA, including data governed by:
- The Fair Credit Reporting Act
- The Family Educational Rights and Privacy Act (FERPA)
- The Driver's Privacy Protection Act
- HIPAA-regulated protected health information.
In a notable conflict-of-laws provision, the VDPOSA states that, in any conflict between its requirements and other Vermont laws, including the Vermont Age-Appropriate Design Code, the provisions that offer the greatest privacy protections shall control.
{{children-privacy}}
What do covered companies have to do to comply with the Vermont data privacy law?
The VDPOSA imposes several specific compliance obligations on data controllers (i.e., businesses) and processors. Businesses already deploying a compliance framework to meet Connecticut’s data privacy law requirements will likely be well positioned to comply with the Vermont law. Below is an overview of core compliance obligations under the VDPOSA.
Data minimization and purpose limitation
Controllers, which are the entities that determine the purposes and means of processing, must limit their collection and use of personal data to what is reasonably necessary to fulfill the disclosed purposes. They may not process personal data for purposes that are incompatible with those purposes without first obtaining consumer consent.
Privacy notices
Controllers must provide consumers with a reasonably accessible, clear, and meaningful privacy policy that discloses, among other things:
- The categories of personal data collected and their purposes
- Whether the controller sells personal data or uses it for targeted advertising
- How consumers can exercise their rights
- The categories of third parties with whom personal data is shared.
Data protection and impact assessments
Under VDPOSA, controllers must conduct and document data protection assessments for processing activities that present a heightened risk of harm, including:
- Targeted advertising;
- The sale of personal data;
- Processing of sensitive data;
- Profiling that presents a reasonably foreseeable risk of unfair treatment, financial or reputational injury, privacy intrusion, or other substantial harm.
Where a controller uses profiling to make a decision with a legal or similarly significant effect on a consumer, such as decisions related to credit, employment, housing, or insurance, a separate impact assessment is required.
The assessment must address the purpose of profiling, the risks it poses, the categories of data used, performance metrics, transparency measures, and post-deployment monitoring. Both types of assessments are confidential but must be disclosed to the Vermont Attorney General upon request.
Assessment requirements are not retroactive and apply only to processing activities created or initiated on or after January 1, 2028.
Processor contracts
Businesses that engage third-party processors, such as vendors that process personal data on a controller's behalf, must enter into written data processing agreements that govern the scope, purpose, and nature of the processing.
Processors are prohibited from processing data outside the controller's instructions and must assist controllers in meeting their compliance obligations, including responding to consumer rights requests and maintaining data security.
AI training disclosure requirement
In a distinctive provision not common to most state privacy laws, the VDPOSA requires controllers to disclose whether personal data will be used to train large language models (i.e., AI systems).
This requirement reflects growing legislative attention to the use of consumer data in machine learning and AI development, and businesses should assess how this disclosure obligation intersects with their AI and data practices.
Heightened obligations when processing sensitive data
The VDPOSA establishes heightened protections for a broad category of sensitive data. Before processing sensitive data, controllers must obtain affirmative consumer consent, and any processing must remain reasonably necessary relative to the purposes for which the data was collected. Sensitive data includes:
- Consumer health data (including gender-affirming and reproductive health information)
- Genetic and biometric data
- Precise geolocation data
- Mental health data
- Financial account data
- Personal data of known children
- Immigration status
- Neural data, which is defined as information generated by measuring the activity of an individual's central nervous system.
Vermont's inclusion of neural data makes it one of only a handful of states to incorporate this category into its definition of sensitive data. The law's definition of biometric data is also broader than most state equivalents: it does not require that biometric data be processed for the purpose of uniquely identifying an individual, extending protections to biometric data collected or used for other purposes.
Controllers must also obtain explicit consumer consent before selling sensitive data, and are prohibited from selling it outright without this consent.
Consumer health data provisions
Vermont's health data rules go further than the general sensitive data framework and apply regardless of whether a business meets the general applicability thresholds. Under these provisions, businesses must:
- Restrict access to consumer health data to employees and contractors bound by confidentiality obligations
- Ensure that any processor with access to consumer health data is bound by contractual protections consistent with the law's processor requirements
- Refrain from deploying a geofence within 1,850 feet of any healthcare facility to identify, track, or collect data from consumers, or to send them notifications based on their health data
- Obtain consumer consent before selling consumer health data.
"Consumer health data" is defined broadly to include any personal data used to identify a consumer's physical or mental health condition, diagnosis, or status, a definition that may encompass data collected by wellness apps, fitness trackers, and other consumer technology products.
Heightened restrictions on children's data
The VDPOSA prohibits controllers from selling the personal data of minor consumers aged 13 to 17 or processing such data for targeted advertising without first obtaining consent.
For children under 13, controllers must comply with the federal Children's Online Privacy Protection Act (COPPA) and, where applicable, Vermont's Age-Appropriate Design Code.
What rights do Vermont consumers have under the VDPOSA?
The VDPOSA grants Vermont residents a suite of rights over their personal data that largely mirror the rights codified in other state consumer data privacy laws. For example, Vermont-based consumers have the right to:
- Access their personal data held by a controller, including any inferences drawn about them.
- Correct inaccurate personal data.
- Delete personal data they have provided or that has been collected about them.
- Obtain a portable copy of their personal data in a readily usable format, where feasible.
- Opt out of the processing of their personal data for targeted advertising, the sale of their data, and certain profiling activities that produce legal or similarly significant effects.
Consumers may also designate an authorized agent to exercise rights on their behalf.
Honoring consumer requests
Businesses must respond to consumer requests within 45 days of receipt, though this window may be extended by an additional 45 days where reasonably necessary. When a request is denied, controllers must inform consumers of the basis for the denial. Consumers may then submit an appeal, to which businesses must respond within 60 days.
What can happen if a Vermont business fails to comply with the VDPOSA?
If a company is alleged to have violated the VDPOSA, an enforcement action may only be brought by the Vermont Attorney General’s Office. This means there is no private right of action under the VDPOSA. In addition, there is no independent regulatory agency dedicated to privacy enforcement.
If the Attorney General decides to bring an enforcement action, they would allege a violation of the Vermont Consumer Protection Act, which carries civil penalties of up to $10,000 per violation. Each affected consumer can count as a separate violation, so costs can add up quickly.
60-day cure period
From January 1, 2028, through June 30, 2029, the Attorney General must issue a notice of violation and provide businesses with a 60-day cure period before initiating formal enforcement action, provided a cure is possible. After June 30, 2029, this cure period expires, and the AG may bring enforcement actions without prior notice.
Annual report requirement
The Attorney General is required to submit an annual report to Vermont's General Assembly disclosing the number of notices of violation issued, the nature of those violations, and the number of enforcement actions taken.
Compliance recommendations for Vermont businesses
Impacted businesses should begin preparing to comply with VDPOSA sooner rather than later. With that objective in mind, covered businesses should consider the following compliance protocols.
- Assess applicability: Determine whether your company meets one of the coverage thresholds (particularly the collection of sensitive data) and review whether any exemptions apply.
- Update privacy notices: Ensure your privacy policy reflects VDPOSA-required disclosures and add a consumer rights submission mechanism to your website.
- Review processor contracts: Ensure all data processing agreements are in writing and contain the elements required by the VDPOSA.
- Audit data practices: Map what personal data you collect, why you collect it, with whom you share it, and for what purposes.
- Conduct data protection assessments: Identify processing activities presenting heightened risks and document assessments for those activities.
How can Didomi help businesses comply with the Vermont Data Privacy and Online Surveillance Act?
The VDPOSA will require businesses operating in, or serving, Vermont residents to comply with a myriad of new regulatory obligations. For Vermont-based businesses, the practical steps toward compliance should begin sooner rather than later.
For example, covered businesses should take proactive steps to identify whether the data privacy law applies to their data collection practices, map data flows involving sensitive and health data, review contracts with processors, and build internal processes needed to honor data subject requests.
With nearly two dozen states now operating under comprehensive privacy frameworks, investment in a coherent, scalable privacy program is rapidly becoming a baseline expectation for doing business in the United States.
Learn more about our multi-regulation Consent Management Platform (CMP), which covers privacy laws and regimes in the U.S. and worldwide, and discuss your challenges with one of our experts:
{{talk-to-an-expert}}
Vermont Data Privacy and Online Surveillance Act: Frequently Asked Questions (FAQs)
When does the Vermont data privacy law go into effect?
VDPOSA is scheduled to go into effect on January 1, 2028.
Is there a private right of action under the Vermont law?
No. Vermont residents cannot sue a company for alleged violations of the VDPOSA. Enforcement authority is exclusively granted to the Vermont Attorney General’s Office.
What is the definition of a “consumer” under VDPOSA?
The law defines "consumer" as a Vermont resident acting in a personal, rather than commercial or employment, capacity. Employees and individuals acting in a business context are excluded from the definition.
How does the Vermont data privacy law define the “sale” of personal data?
The VDPOSA defines "sale of personal data" as the exchange of personal data by the controller to a third party for monetary or other valuable consideration. Notably, this means that disclosing data to a processor acting on the controller's behalf is not a “sale” of such data.






.avif)







