Industry - Policy Change
Executive Summary
Vermont's governor signed the Vermont Data Privacy and Online Surveillance Act into law, establishing comprehensive data privacy protections that will take effect January 1, 2028. The law applies to businesses processing data of at least 35,000 Vermont consumers and grants residents rights to access, correct, delete their data, and opt out of targeted advertising, data sales, and certain profiling activities. Companies covered by the law must conduct risk assessments for high-risk processing ...
What Happened
On June 16, 2026, Vermont's governor signed the Vermont Data Privacy and Online Surveillance Act into law, making it the fourth U.S. state to enact comprehensive data privacy legislation that year. The law takes effect January 1, 2028, and applies to businesses that process personal data of at least 35,000 Vermont consumers, process sensitive data of at least 3,000 consumers, or sell personal data of at least 3,000 consumers. The legislation exempts certain entities and data, such as HIPAA-covered organizations, data governed by the Gramm-Leach-Bliley Act, certain banks and affiliates, and educational records under FERPA.
Who Is Affected
Vermont residents gain new privacy rights under this law, including the ability to access, correct, delete, and obtain copies of their personal data. Businesses conducting operations in Vermont or targeting Vermont residents that meet the specified consumer data processing thresholds must comply with the new requirements. Companies must respond to consumer rights requests within 45 days and establish appeal processes for denied requests.
Why It Matters
With this law, Vermont joins a growing number of U.S. states establishing comprehensive data privacy frameworks modeled after Connecticut's approach, signaling continued state-level privacy regulation in the absence of federal legislation. The inclusion of specific protections around automated profiling decisions that produce legal or similarly significant effects extends consumer rights beyond basic data access and deletion. The requirement for businesses to conduct risk assessments for high-risk processing activities, including targeted advertising and data sales, establishes accountability mechanisms that may influence how companies handle Vermont resident data.
What You Should Do
Vermont residents should prepare to exercise their new rights starting January 1, 2028, by identifying which companies hold their personal data and submitting requests to access, correct, or delete that information as needed. Residents can opt out of targeted advertising, data sales, and certain automated profiling by using designated mechanisms that companies must provide, potentially including browser settings or internet links. If a company denies your data rights request, use the company's required appeal process to challenge the decision.
Summary generated from verified sources and reviewed before publication.