Vermont Privacy Law Attorneys

Vermont Data Privacy and Online Surveillance Act (VDPOSA) — Effective January 1, 2028

Home / States / Vermont

Vermont Privacy Law Overview

Vermont has enacted a comprehensive consumer privacy law that is not yet in force. The Vermont Data Privacy and Online Surveillance Act takes effect January 1, 2028, so Vermont businesses have a window now to map their data, update privacy notices, and stand up consumer-rights processes before obligations begin.

The Vermont Data Privacy and Online Surveillance Act (VDPOSA)

The Vermont Data Privacy and Online Surveillance Act (VDPOSA) was signed into law in June 2026 and takes effect January 1, 2028. It follows the mainstream multistate framework, giving Vermont residents rights to access, correct, delete and port their personal data and to opt out of targeted advertising, the sale of data, and profiling, with opt-in consent required for sensitive data. Vermont's law is among the broadest in the nation and resembles Connecticut's, and Vermont separately maintains a longstanding data-broker registration requirement. Enforcement rests with the Vermont Attorney General; there is no private right of action. Businesses should use the lead time before January 1, 2028 to build their compliance programs.

Status: Enacted but not yet in force — the law takes effect January 1, 2028. Businesses should prepare now.

VDPOSA: Quick Overview

  • Effective Date: January 1, 2028
  • Citation: S.71 / Act 145 (2026)
  • Enforced By: Vermont Attorney General
  • Maximum Penalty: Civil penalties set by statute, enforced by the Vermont Attorney General
  • Private Right of Action: No (enforcement by the state only)
  • Right to Cure: Applies once the law takes effect on January 1, 2028

Who Must Comply

The VDPOSA applies to businesses that meet Vermont's applicability thresholds:

  • Applicability thresholds are set by the statute and take effect with the law on January 1, 2028; businesses operating in or targeting Vermont should assess coverage before that date.

What makes Vermont different: Vermont's law is among the broadest in the nation and resembles Connecticut's, and Vermont separately maintains a longstanding data-broker registration requirement.

Consumer Rights Under the VDPOSA

Vermont residents can exercise the following rights over their personal data:

  • Right to access / confirm what data is held
  • Right to correct inaccurate data
  • Right to delete personal data
  • Right to data portability
  • Right to opt out of targeted advertising
  • Right to opt out of the sale of personal data
  • Right to opt out of profiling for significant decisions

Sensitive personal data: Businesses must obtain opt-in consent before processing sensitive data (such as health, biometric, precise-geolocation, or demographic data).

Data Breach Notification in Vermont

Vermont requires a preliminary notice to the Attorney General within 14 business days and notice to affected residents within 45 days of discovery.

  • Deadline to notify residents: No later than 45 days after discovery
  • Attorney General notice: Notify the Vermont Attorney General of breaches; a preliminary notice is due within 14 business days
  • Covered data: Name combined with sensitive identifiers (SSN, driver's license, financial-account or medical information, and more)

Federal Privacy Laws That Apply in Vermont

Even where Vermont law is silent, residents and businesses are covered by federal privacy statutes:

  • HIPAA — health information held by providers, plans and their vendors
  • GLBA — privacy and safeguards rules for financial institutions
  • FERPA — student education records
  • FCRA — consumer reporting agencies and background screening
  • COPPA — online collection of data from children under 13
  • FTC Act §5 — unfair or deceptive privacy and data-security practices

Vermont Privacy Law FAQ

Is Vermont's privacy law in effect yet?
No. The Vermont Data Privacy and Online Surveillance Act has been signed but does not take effect until January 1, 2028. Until then, Vermont residents rely on the state's data-breach and consumer-protection laws and on federal privacy statutes, but businesses should prepare now for the new rights and obligations.
What should Vermont businesses do before the law takes effect?
Use the lead time to inventory what personal data you collect, update privacy notices, build processes to honor access/deletion/opt-out requests, put data-processing agreements in place with vendors, and obtain opt-in consent flows for sensitive data — all before January 1, 2028.

How a Vermont Privacy Attorney Can Help

For Businesses

  • Build and audit a privacy compliance program
  • Draft privacy policies, notices and vendor contracts
  • Respond to consumer rights requests
  • Manage data-breach response and notification
  • Defend regulatory investigations and enforcement

For Consumers

  • Enforce your privacy rights against non-compliant businesses
  • Pursue or join data-breach litigation
  • File complaints with the Vermont Attorney General
  • Seek damages for identity theft and fraud
  • Stop unlawful data sales and unwanted marketing

Need a Vermont Privacy Attorney?

Whether you are a business working toward compliance or a Vermont resident whose privacy has been violated, our network of Vermont-licensed attorneys can help.

Find a Vermont Privacy Attorney

Other State Privacy Laws

Connecticut

CTDPA – comprehensive privacy law

Maryland

MODPA – comprehensive privacy law

California

CCPA/CPRA – strongest consumer privacy law in the U.S.

New Jersey

NJDPA – comprehensive privacy law

Texas

TDPSA – comprehensive privacy law

Florida

FDBR – comprehensive privacy law