On June 16, 2026, the Governor of Vermont signed Vermont SB71, enacting the Vermont Data Privacy and Online Surveillance Act (VDPOSA). Once it goes into effect on January 1, 2028, this privacy law will provide comprehensive privacy rights and protections to residents of Vermont and will require certain businesses to meet its requirements, such as the requirement to have a Privacy Policy. In this Compliance Guide, we will discuss the following aspects of Vermont’s new privacy law:
- Who needs to comply with Vermont’s privacy law;
- How the law defines “personal data”;
- The privacy rights provided to residents of Vermont;
- The Privacy Policy requirements of the Vermont Data Privacy and Online Surveillance Act;
- Penalties for failure to comply; and
- How Termageddon will handle updates for Vermont’s privacy law.
Who needs to comply with Vermont’s privacy law
Vermont’s privacy law applies to any person that does business in Vermont or that produces products or services that are targeted to residents of Vermont and that during the preceding calendar year:
- Controlled or processed the personal data of not fewer than 35,000 residents of Vermont;
- Controlled or processed the sensitive data of not fewer than 3,000 residents of Vermont; or
- Offered for sale the personal data of not fewer than 3,000 residents of Vermont.
VDPOSA specifically exempts nonprofits that are established to detect and prevent fraudulent acts in connection with insurance and nonprofits that provide programming to radio or television networks but does not exempt nonprofits working in other fields.
How VDPOSA defines “personal data”
Since Vermont’s privacy law applies to those meeting any of the factors above, it is important to determine how this law defines “personal data”. Vermont’s privacy law defines personal data as “any information, including derived data and unique identifiers, that is linked or reasonably linkable to an identified or identifiable individual or to a device that identifies, is linked to, or is reasonably linkable to one or more identified or identifiable individuals.” This means that information commonly collected through websites such as names, emails, phone numbers, and IP addresses would qualify as “personal data” and thus be protected under this law. Notably, deidentified data and publicly available information are not included in the definition of “personal data” under this law.
The privacy rights provided to residents of Vermont
The purpose of privacy laws is to provide residents of a particular state or country with the ability to have more control over their data and privacy, and this is achieved through the provision of privacy rights. Vermont’s privacy law provides the following privacy rights to residents of the State:
- Confirm whether or not a controller is processing their personal data;
- Confirm whether a processor is processing personal data for the purposes of profiling to make a decision that produces a legal or similarly significant effect concerning the consumer;
- Access their personal data;
- Correct inaccuracies in the consumer’s personal data;
- Delete the consumer’s personal data;
- Obtain a copy of the personal data in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another controller;
- Opt out of targeted advertising;
- Opt out of the sale of personal data;
- Opt out of the use of personal data for profiling in furtherance of any automated decision that produced any legal or similarly significant effect concerning the consumer. If a consumer’s personal data is used for profiling, the consumer also has the following privacy rights, if feasible:
  - Question the result of the profiling;
  - Be informed of the reason that the profiling resulted in the decision;
  - Review the consumer’s personal data that were processed for the purposes of the profiling;
  - If the profiling decision concerned housing, be allowed to correct any incorrect personal data that were processed for the profiling and have the decision reevaluated based on the corrected personal data;
- Obtain a list of the third parties to which the controller has sold the personal data;
- Not be discriminated against for exercising any of their privacy rights.
Individuals have the ability to designate an authorized agent to exercise their privacy rights on their behalf, and organizations subject to the law must respond within 45 days after receipt of the request (though this period may be extended by an additional 45 days where necessary). Similar to other US privacy laws, the Vermont Data Privacy and Online Surveillance Act provides residents of Vermont with the ability to appeal a privacy rights request, and organizations have 60 days to reply to an appeal request.
The Privacy Policy requirements of the Vermont Data Privacy and Online Surveillance Act
Vermont’s privacy law requires controllers to provide individuals with a reasonably accessible, clear, and meaningful Privacy Policy that includes the following disclosures:
- The categories of personal data processed;
- The purpose for processing the personal data;
- A description of how individuals may exercise their privacy rights, including how to appeal a privacy rights decision;
- The categories of personal data sold to third parties, if any;
- The categories of third parties, if any, to which the personal data is sold;
- Whether personal data is processed for targeted advertising or whether personal data is sold for targeted advertising;
- An active email address or other online mechanism that the individual may use to contact the controller;
- A statement disclosing whether the personal data is collected, used, or sold for the purpose of training large language models;
- The most recent month and year during which the Privacy Policy was updated.
Penalties for failure to comply
The Attorney General of Vermont will be enforcing this privacy law and can impose penalties for violations under the Vermont Consumer Protection Act. The Act provides that violations can include civil penalties of up to $10,000 per violation for violating an injunction.
How Termageddon will handle updates for Vermont’s privacy law
We have been tracking Vermont’s privacy law from its inception and through its various iterations. We will continue to track VDPOSA for any rules, regulations and/or amendments. We will then email all affected customers prior to the effective date of January 1, 2028 to make updates to their Privacy Policies.