Green Mountains, Red Flags: Vermont’s New Privacy Law Casts a Wide Net

Starting January 1, 2028, many companies will be subject to a new, stringent comprehensive privacy law: the Vermont Data Privacy and Online Surveillance Act. The governor just signed into law a statute modeled on the consumer-friendly Connecticut framework as it stood in 2025 (not the 2026 revisions). The uplift will be significant. Vermont does not adopt the standard playbook; it lowers the bar for coverage while imposing some of the most operationally demanding requirements to date.

Who should pay attention now?

  • Companies below traditional privacy law thresholds (especially those handling sensitive data)
  • Wellness, digital health and adtech companies
  • Businesses using AI or automated decision-making
  • Organizations with teenage users or audiences

What are the notable deviations from the norm?

There are meaningful changes that will likely require updates for any program not benchmarked against Connecticut’s framework. Vermont departs from the standard playbook in several significant ways:
  • Broader Scope. Adds a trigger based on whether the company processes sensitive data and a separate sale trigger that is not tied to a revenue threshold
  • Stronger Substantive Limits. Prohibits selling personal data, or processing it for targeted advertising, where the controller knows or willfully disregards that the individual is a teenager
  • Enhanced AI and Profiling Obligations. Expands consumer rights on profiling and requires disclosing whether personal data is used or sold to train large language models
  • Increased Protections for Health Data. Adds standalone protections covering personal data used to identify certain health information

Who is subject to the law?

The law generally applies to those conducting business in Vermont (or targeting goods/services to Vermonters) that meet any of the following thresholds:

  • Personal Data Volume. Processes personal data on at least 35,000 Vermont residents
  • Sensitive Data Volume. Processes sensitive data on at least 3,000 Vermont residents
  • Monetization. Sells personal data on at least 3,000 Vermont residents

Only Connecticut has a similar setup. The practical impact here is that companies that fall below most states’ thresholds—especially those handling sensitive data or selling limited data—may still have obligations in Vermont.

As in Connecticut, missing those thresholds does not mean a company is out of the woods. A company that processes consumer health data but does not meet one of the triggers above must still comply with a subset of the law's obligations. More on that below.

There is the standard set of data exemptions (e.g., PHI) and entity exemptions (e.g., HIPAA covered entities), although nonprofits do not get a blanket carveout. And, in a shock to nobody, Vermont became the 22nd consecutive state to exclude employee and job-applicant data.

In sum, the law sweeps many companies into scope.

What are controllers’ obligations?

Vermont looks familiar, but it adds sharper teeth. We have the standard obligations—e.g., transparency, data governance, consumer rights (including honoring opt-out signals)—except they are supercharged. Key changes include:

  • Data Protection Impact Assessments. When conducting certain profiling, conduct an impact assessment that satisfies more granular requirements (similar to Colorado's rules) than a standard assessment
  • Appeals. Inform consumers how to file a complaint with the attorney general after denying their appeal
  • Sensitive Data. Treat neural data, government IDs and financial account details as sensitive
  • Transparency. Share the privacy policy in each language in which the company provides products or services or carries out the related activities
  • Policy Updates. Take “all reasonable electronic measures” to inform affected consumers of retroactive changes to the privacy policy
  • Geofencing. Refrain from using a geofence around a healthcare facility to identify, track, collect data from or send notices to a consumer regarding their consumer health data
  • Consent Revocation. Honor requests to withdraw consent within 15 calendar days
  • Anti-Discrimination Risk. Avoid processing personal data in violation of anti-discrimination laws (which takes on increased significance because the law explicitly notes that anti-bias testing—or the lack thereof—is relevant to enforcement)

In a notable shift from the norm, sensitive data arguably cannot be repurposed—even with the consumer’s consent. The law precludes processing sensitive data “unless the consumer has provided consent and . . . the processing is reasonably necessary in relation to the purposes for which the sensitive data are collected.” In short, a company’s use of sensitive data must be tied to the original purpose.

These are meaningful changes. But there is also some good news sprinkled in, including only applying the DPIA requirement to activities “created or generated” after January 1, 2028, and adopting the standard data-minimization requirement.

What are consumers’ rights?

Vermont adopted souped-up versions of the standard rights—access, correction, deletion, appeals and opt-outs—and relatively novel provisions concerning profiling. Notable changes to the standard fare include:

  • Accessing Inferences. Request any inferences drawn about a consumer from personal data
  • Knowing Purchasers. Get a list of the third-party recipients to whom the controller sold the consumer's data (or a list of all third parties to whom the controller sold personal data)

These are not unprecedented obligations; a few states, such as Colorado (inferences) and Oregon (third-party recipients), impose similar ones. Profiling is a different story. Vermont lifted three profiling rights that previously appeared only in Connecticut's law and, to a lesser extent, Minnesota's:

  • Confirming Profiling. Learn of any processing involving personal data for “profiling to make a decision that produces any legal or similarly significant effect” about the consumer
  • Understanding Profiling. Question the result of profiling for automated decisions creating legal or similarly significant effect, learn the reason for the result, and review the personal data used
  • Requiring Reevaluation. Correct personal data used for certain profiling decisions involving housing (such as automated tenant screening) and require the controller to reevaluate the decision with the corrected data

Luckily, the rights to understand and force reevaluation are not absolute. A company must act on those requests only “if feasible.”

What about consumer health data?

Consumer health data is treated differently, and more aggressively. Even companies below the law’s thresholds have obligations if they process that data. Companies operating in Vermont or targeting Vermont residents face substantive limits on processing personal data used to identify a consumer’s health condition, diagnosis or status. This includes information not typically covered by HIPAA, such as fitness-app data, inferred pregnancy status and adtech segments tied to health interests. A company processing consumer health data must:

  • Execute DPAs. Enter into data processor agreements with vendors before sharing consumer health data
  • Minimize Data. Limit collection and use of that data
  • Obtain Consent. Obtain consent before selling, or even offering to sell, the data
  • Ensure Confidentiality. Limit employee access to those subject to confidentiality obligations

Those are not the only limits on consumer health data. Because that information is also sensitive data, companies that meet one of the law’s general thresholds must also comply with the law’s other obligations for personal data—including notice and consumer rights.

In short, Vermont goes further than most states by expanding the substantive protections for health data while applying them to a broader set of companies.

How is the law enforced?

There is no private right of action. The attorney general has exclusive enforcement authority and, until June 30, 2029, must offer a 60-day period to cure violations if the attorney general believes a cure is possible. A violation of the law is deemed a violation of the Vermont Consumer Protection Act, which carries civil penalties of up to $10,000 per violation.

What can companies do to get ready?

Although companies have almost 18 months to get ready, they will likely need much of that time for compliance uplifts, especially because the low triggers will sweep in more companies than the standard privacy fare. Fear not: the lack of rulemaking means compliance obligations are clear(ish), so companies can get a running start. Items for consideration include:

  • Assess Application. Evaluate exposure under the new, lower processing thresholds and the potential application based on the use of consumer health data
  • Update Data Maps. Identify newly regulated data (health data, neural data, teenage data)
  • Identify AI Training. Confirm whether vendor or internal models rely on personal data for training, not just whether you "actively train" models yourself
  • Review Profiling Practices. Inventory automated decision-making systems that could produce legal or similar effects (e.g., credit, housing, underwriting, hiring tools)
  • Build Revocation Workflows. Establish procedures to honor consent-revocation requests within 15 days
  • Evaluate Teenager-Data Practices. Assess whether you “willfully disregard” age (e.g., platform demographics or inferred age signals)

Bottom line: This is not business as usual. Vermont lowers the bar for coverage while raising it for compliance, especially for AI, profiling and health data.