Publication

Vermont Data Privacy and Online Surveillance Act

Jul 08, 2026

On June 16, 2026, Governor Phil Scott signed the Vermont Data Privacy and Online Surveillance Act (S.71) into law.1 The law takes effect January 1, 2028, giving businesses roughly 18 months to establish compliance programs. With its signing, Vermont becomes the 21st state to enact a consumer data privacy law, a count that keeps climbing in the absence of federal legislation.

The final version of S.71 is friendlier to businesses than earlier drafts suggested it would be. After two years of negotiation, the law now closely tracks the Connecticut Data Privacy Act. This alignment was deliberate and encouraged by business groups that pushed throughout the process for a law that would align Vermont with neighboring states. The result is a framework that companies operating in the Northeast can largely fold into existing compliance infrastructure.

WHO IT COVERS

The law imposes new obligations on controllers. A controller under this law is any individual or entity that (1) conducts business in Vermont or targets products or services to Vermont residents and (2) meets one of three thresholds: (A) controlling or processing the personal data of at least 35,000 consumers; (B) controlling or processing the sensitive data of at least 3,000 consumers; or (C) offering for sale the personal data of at least 3,000 consumers.2 Consumer health data provisions apply more broadly. Health Insurance Portability and Accountability Act (“HIPAA”) covered entities, data subject to the Gramm-Leach-Bliley Act (“GLBA”), certain banks and their affiliates, and data subject to the Family Educational Rights and Privacy Act (“FERPA”) are exempt.

CONSUMER RIGHTS

As with many other states, Vermont consumers gain the right to access, correct, delete, and obtain copies of their personal data, as well as to opt out of targeted advertising, data sales, and consumer profiling used to make decisions with legal or similarly significant effects. Consumers may also request a list of the specific third parties to whom a controller has disclosed their personal data to.

Where profiling produces decisions with legal or significant effects, consumers have additional rights: to be informed of the reasoning behind a decision, question the result, review the data used, and in housing decisions, specifically correct inaccurate data and have the decision reevaluated. Controllers must respond to consumer requests within 45 days and maintain an appeal process, with appeals resolved within 60 days.

CONTROLLER OBLIGATIONS

Controllers must limit data collection to what is reasonably necessary and proportionate to disclosed purposes. Consent is required before processing personal data for any new purpose that is “material” and neither reasonably necessary nor compatible with the original disclosed purpose. Before collecting consumer health data, genetic and biometric data, precise geolocation, data collected from consumers known to be children, and neural data (collectively, “sensitive” data), controllers must first obtain consent for collection and before any sale, and limit processing to what is reasonably necessary for the disclosed purpose.

Controllers must also conduct data protection assessments for processing activities that present a heightened risk of harm to individuals, including targeted advertising, data sales, profiling, and sensitive data processing. Vermont goes further by requiring a separate impact assessment when profiling is used to make decisions with legal or significant effects. That assessment must cover prescribed components: purpose disclosure, risk analysis, categories of data used, performance metrics, transparency measures, and post-deployment monitoring. The assessments are confidential but subject to review by request of the Attorney General. These requirements apply only to processing activities that begin after January 1, 2028.

Finally, a controller’s privacy policies must disclose if personal data is collected, used, or sold to train large language models (“LLMs”). For users between 13 and 17 years of age, personal data may not be sold or processed for targeted advertising.

ENFORCEMENT

The Vermont Attorney General has exclusive enforcement authority, and civil penalties may reach $10,000 per violation. The Attorney General will provide a 60-day cure period to businesses for alleged violations until June 30, 2029. As enacted, the Attorney General is not obligated to provide the cure period after that date.

POTENTIAL FUTURE FRAMEWORKS

The LLM training disclosure is the provision to watch. AI training data practices are drawing increasing regulatory scrutiny, and other states may look to Vermont’s requirement both as a compliance template and as a signal about how legislatures plan to tackle consumer data in the AI context.

In the same legislative session, Vermont enacted H.814, which establishes neurological rights in state law and extends the state’s Artificial Intelligence Advisory Council through 2030.3 The Council’s mandate now includes studying AI applications in healthcare, education, insurance and government operations. S.71’s treatment of neural data as sensitive data should be read alongside H.814 as a reflection of a broader legislative posture on emerging data types. More AI-specific legislation is likely before the Council’s mandate expires.

For businesses already compliant with Connecticut’s new laws, the LLM training disclosure, the minor data prohibition, the enhanced profiling rights, and the third party disclosure obligation are the items requiring immediate attention in Vermont. There is an 18-month runway to January 2028. Data protection assessments, updated privacy policies, consumer rights workflows, and appeal mechanisms should be in place by that date.

Footnotes

  1. Vermont Data Privacy and Online Surveillance Act, 2026 Vt. Acts & Resolves No. 145, codified at 9 V.S.A. ch. 61A, subch. 1, §§ 2415a et seq.

  2. Data collected solely to complete a transaction is exempt from calculating a threshold.

  3. These rights include, inter alia, the right to freedom of thought, mental and neural privacy, and freedom from neurotechnological interventions or alterations in the mind. See 18 V.S.A. Chapter 42C.

Back to top

About Snell & Wilmer

Founded in 1938, Snell & Wilmer is a full-service business law firm with more than 500 attorneys practicing in 17 locations throughout the United States and in Mexico, including Phoenix and Tucson, Arizona; Los Angeles, Orange County, Palo Alto and San Diego, California; Denver, Colorado; Washington, D.C.; Boise, Idaho; Las Vegas and Reno-Tahoe, Nevada; Albuquerque, New Mexico; Portland, Oregon; Dallas, Texas; Salt Lake City, Utah; Seattle, Washington; and Los Cabos, Mexico. The firm represents clients ranging from large, publicly traded corporations to small businesses, individuals and entrepreneurs. For more information, visit swlaw.com.

©2026 Snell & Wilmer L.L.P. All rights reserved. The purpose of this publication is to provide readers with information on current topics of general interest and nothing herein shall be construed to create, offer, or memorialize the existence of an attorney-client relationship. The content should not be considered legal advice or opinion, because it may not apply to the specific facts of a particular matter. As guidance in areas is constantly changing and evolving, you should consider checking for updated guidance, or consult with legal counsel, before making any decisions.
Media Contact

Olivia Nguyen-Quang

Director of Communications & Marketing
media@swlaw.com 714.427.7490