Vermont Data Privacy Act: What Does the Bill Have for Businesses?

With a ban on the sale of sensitive data and a limited private right of action against large data brokers, the Vermont Data Privacy Act emerges as a comprehensive state privacy law. By increasing the law’s extent by three phases, VDPA introduces a unique trend to privacy law enforcement in the United States. 

Effective date: July 1, 2025 (Update: The bill was vetoed by the Governor on June and will not take effect.)

Official text: H-0121

The Vermont Data Privacy Act seeks comprehensive privacy protection of users’ personal data. On 12 May 2024, the Vermont legislature passed the law, which is awaiting the Governor’s signature to take effect on July 1, 2025. However, the private right of action provision is expected to take effect only in 2027.

Similar to Maryland’s privacy law, the VDPA has stringent restrictions on processing personal and sensitive data. However, the law has a comparatively lesser threshold, thus stretching its scope and extent.

As of the latest, Vermont privacy law has 3 thresholds that come into effect one after the other in 2025, 2026, and 2027. This means more businesses will gradually come under the law’s scope. 

VDPA’s reach (from July 1, 2025) extends to businesses in Vermont or elsewhere that target its products or services toward the residents of the state and met any of the following requirements in the previous year:

• Controlled or processed the personal data of more than 25,000 consumers, except for completing payment transactions.
• Controlled or processed the personal data of more than 12,500 consumers and derived above 25% of gross revenue from the sale of personal data.

From July 1, 2026, the law applies to businesses that in the previous year:

• Controlled or processed the personal data of more than 12,500 consumers, except for completing payment transactions.
• Controlled or processed the personal data of more than 6,250 consumers and derived above 20% of gross revenue from the sale of personal data.

From July 1, 2027, the law applies to businesses that in the previous year:

• Controlled or processed the personal data of more than 6,250 consumers, except for completing payment transactions.
• Controlled or processed the personal data of more than 3,125 consumers and derived above 20% of gross revenue from the sale of personal data.

A consumer is a Vermont state resident who is not acting in an employment or commercial context or as an employee, director, officer, etc.

Provisions regarding minors and consumer health data

Though the law generally applies to the above entities, certain provisions, such as the duties of controllers to minors, data protection assessments for online services, products, or features offered to minors, the confidentiality of consumer health data, and other provisions related to it, apply to all persons that conduct business in Vermont or target their products/services toward the residents of the state. 

The Vermont privacy law does not apply to certain entities and information, including the following:

• Federal, state, tribal, or local government entities.
• A covered entity that is not a hybrid entity, health care component of a covered entity, or business associate as in HIPAA.
• Information used for public health activities or for purposes for which authorization is not required for disclosure.
• Non-profit organizations that prevent and detect insurance fraud.
• Non-commercial activities of persons connected with general publications such as newspapers, licensed radio, or television stations.
• Non-profit organizations providing programming for television or radio networks.
• Third-party administrator.
• An entity providing information service like a press association or wire service.

The exemption also pertains to the information that identifies a consumer in connection with lawful human subject research, patient-identifying information, information covered by laws like the Fair Credit Reporting Act and Driver’s Privacy Protection Act, non-public personal information covered by the Gramm-Leach-Bliley Act, etc.

Following recent trends, there is no blanket exemption for non-profit organizations. Furthermore, the VDPA does not apply to information processed or maintained for employment purposes, functions as a director or officer of a business, contractual relationships with a business entity, receipts of benefits from an employer, etc.

Under VDPA, personal data is any information capable of identifying a consumer or a device that can identify one or more individuals in a household. It includes unique identifiers and derived data. Unique identifiers are an umbrella term containing government identification numbers, cookies, biometric identifiers, etc.

Personal data does not include publicly available information and de-identified data.

Publicly available information is any information that is lawfully available through government records or is reasonably believable that the consumer made it available to the public through widely distributed media.

The Vermont privacy law provides robust protection for the sensitive data of Vermont residents. 

Businesses cannot process sensitive data without obtaining a consumer’s prior consent. Also, the law prohibits the sale of sensitive data.

Here is the list of categories of personal data that VDPA deems sensitive:

1. Personal data that reveals:
   • government-issued identifiers, such as a social security number, passport number, state identification card, or driver’s license, that are not required to be displayed publicly.
   • racial or ethnic origin, national origin, citizenship or immigration status, religious or philosophical beliefs, or union membership.
   • sexual orientation, sex life, sexuality, or status as transgender or non-binary.
   • status as a victim of a crime.
     
2. Financial information, including tax returns, account number, financial account and log-in, debit card number, credit card number with access codes, password, and credentials

3. Consumer health data

4. Personal data collected and analyzed from consumer health data.

5. Personal data disclosing past, present, or future mental or physical health status, treatment, disability, or diagnosis, including pregnancy.

6. Biometric or genetic data

7. Personal data collected from a known child

8. Precise geolocation

Transparency is a bedrock for data privacy, and VDPA requires businesses to provide the following information to consumers:

• Categories of personal data, including sensitive data that the controller/business processes
• Purposes for processing personal data
• Process for exercising consumer rights and appeal
• Categories of personal data, including sensitive data shared with third parties
• Categories of third parties with some details about them and their processing
• Email address or other online methods through which the consumers can contact the controller/business
• Identification of controller, including registered business name or any assumed business name
• Description of processing of personal data for targeted advertising, sale of personal data or profiling, and the procedure for opting out.
• Description of the process for submitting a consumer request

Businesses must observe the following obligations while processing personal data of Vermont consumers:

Data minimization

Businesses must limit the collection of personal data to what is reasonably necessary to provide the specific product or service requested by the consumer. From the conventional approach of limiting the processing to a specific purpose, VDPA limits it to a specific product or service.

Security safeguards

Implement security measures proportional to the nature and volume of personal data stored at physical, administrative, and technical levels.

Consent 

Businesses cannot process personal data for undisclosed purposes without obtaining consumer consent. The law also prohibits businesses from processing sensitive data without the consumer’s prior consent. For children’s data (below 13 years), obtain verifiable parental consent by following COPPA regulations.

Under VDPA, Consent is a freely given, specific, unambiguous, and informed affirmative action signifying the consumer’s agreement to the processing of personal data. Consent obtained through dark patterns is not valid. 

Consent revocation

Provide consumers with easy and convenient mechanisms to revoke consent once given. Upon revocation, cease to process the personal data within 15 days.

Response to consumer requests

VDPA requires businesses to respond to consumer requests within 45 days of its receipt. The law also allows an extension of the response period to another 45 days if necessary after prompt notification to the consumer. Furthermore, businesses must fulfill consumer requests free of charge once a year per person.

VDPA stipulates further that businesses must establish a process for the consumers to appeal against their decisions. The appeal response period prescribed by the law is also 45 days.

Sensitive data

The law expressly prohibits controllers from selling sensitive data. It also heightens the protection of sensitive data by requiring controllers to obtain consent before processing it.

Non-discrimination

Businesses must abstain from discriminating against consumers for exercising consumer rights. For example, denying the product, increasing the price, or reducing the quality. However, you do not need to provide a service or product for which you do not collect or maintain personal data. 

Businesses should also not process personal data that discriminates against individuals based on their race, origin, color, gender identity, etc.

Global opt-out

VDPA allows consumers to designate another person, including a global device setting, to exercise their rights. Therefore, businesses must recognize global opt-out signals.

Transparency

Vermont privacy law also requires businesses to provide consumers with a clear and meaningful privacy notice. We have already discussed the components of the privacy notice. The notice must also comply with the accessibility guidelines under the Americans with Disabilities Act and Section 508 of the Rehabilitation Act.

Duties of controllers to minors

Controllers offering an online service, product, or feature to a known child must take steps to prevent any heightened harm risks. They should also limit data retention to the time necessary to provide the specific product, online service, or feature. The law also imposes restrictions on the collection of minors’ geographical locations.

Contractual relationship

Have a contractual relationship with processors and third parties with access to the personal data collected by businesses. The contract must be valid and include decisions regarding the rights and obligations of parties, the nature of data, duration of processing, etc.

Data protection impact assessment

Controllers should regularly conduct and document data protection impact assessments for processing activities involving data with a heightened risk of harm. These include sensitive data, personal data used for profiling, targeted advertising, and the sale of personal data.

Vermont privacy law guarantees the following rights to consumers:

Right to confirm and access

Consumers have the right to confirm whether a business is processing their personal data and, if so, to access it.

Right to obtain

VDPA allows consumers to obtain information about the third parties with whom the controller shares his personal data. If the controller does not maintain this data in a suitable format for the consumer, then the consumer can obtain the list of third parties with whom the controller shares the personal data of consumers in general.

Right to correct

Consumers can correct any inaccuracies in their personal data maintained by businesses.

Right to delete

Unless required by law, consumers have the right to require businesses to delete their personal data obtained from them or other sources.

Right to portability

If the controller processes the personal data by automated means, consumers can obtain a copy of their personal data in a portable, readily usable, transmittable, and technically feasible format.

Right to opt-out

Similar to most US state privacy laws, the Vermont privacy law also guarantees consumers the right to opt out of targeted advertising, profiling, and sale of personal data.

 

The Attorney General of Vermont has the exclusive right to enforce Vermont privacy law. However, the law also provides consumers with a limited private right of action until 2029, after which a reauthorization is required. 

The AG may grant businesses a 60-day cure period depending on the complexity of the breach, the number of violations, etc.

Any violation of the act will be deemed unfair and deceptive under § 2453, and the penalties can be up to $10,000 for each unfair or deceptive act.

Consumers can exercise their conditional right to sue large data holders (process the personal data of more than 100,000 consumers) and data brokers for violations such as the sale of sensitive data or unauthorized sensitive data processing.

• Limit the collection of personal data to what is required to provide a specific product or service requested by a consumer
• Practice purpose limitation by not processing personal data for non-disclosed purposes without obtaining consumer consent
• Do not engage in the sale of sensitive data
• Obtain consent before processing sensitive data 
• Provide convenient methods to exercise consumer rights
• Respond to consumer requests promptly
• Provide a clear and accessible privacy notice confirming the US accessibility standards
• Recognize global opt-out signals
• Adhere to the controller’s obligations towards minors
• Implement reasonable and proportional security safeguards
• Do not discriminate against consumers
• Have a contractual relationship with processors and third parties
• Conduct data protection impact assessments for the processing of personal data involving heightened risks