Decoding the Vermont Data Privacy Act: What Every Business Needs to Know

By Morgan Sullivan

Senior Content Marketing Manager II

June 20, 2024


Editor’s Note (June 2024): In a surprise turn, Vermont Governor Phil Scott vetoed the Vermont Data Privacy Act, returning it to the legislature without signature.

In his comments about the decision, Gov. Scott called out the bill’s limited private right of action, noting it would make Vermont “a national outlier and more hostile than any other state to many businesses and nonprofits.”

The Vermont legislature attempted a veto override, winning 128-17 in the House but losing the motion 14-15 in the Senate. It would have needed 20 Senate votes for the override to pass.

As it stands, the law will not go into effect.


Vermont’s privacy law at a glance

  • Passed on May 11, 2024, the Vermont Data Privacy Act (VDPA) will take effect on July 1, 2025.
  • This law requires businesses to fulfill consumer rights for access, deletion, correction, etc., conduct data protection assessments, honor universal opt-out signals, and more.
  • Keep reading to explore the key provisions of the VDPA, including who it applies to, consumer rights under the law, and most critically, what businesses need to do to comply.

Who's subject to Vermont’s privacy law?

The Vermont Data Privacy Act (VDPA) applies to businesses that conduct operations in Vermont or target their products or services to Vermont residents. To fall under the law's scope, a business must meet one of the following thresholds during the preceding calendar year:

  • Control or process the personal data of not fewer than 25,000 Vermont consumers, excluding data processed solely for payment transactions, OR
  • Control or process the personal data of not fewer than 12,500 Vermont consumers and derive more than 25% of its gross revenue from the sale of personal data

One unique thing to note about Vermont’s privacy law is that its applicability thresholds (based on consumer count) decrease over time. By July 1, 2026, the threshold drops to 12,500 consumers for the first criterion and 6,250 consumers for the second. Then, by July 1, 2027, it decreases again to 6,250 and 3,125 consumers, respectively.

Compliance requirements under Vermont’s privacy law

The Vermont Data Privacy Act imposes several compliance requirements on businesses, including:

New consumer rights for Vermonters

Vermont’s privacy law grants consumers a comprehensive set of novel rights, including the right to access, confirm, correct, delete, and transfer their personal data. Businesses must also give consumers a way to opt out of targeted advertising, data sales, and profiling.

Protecting minors

In alignment with the Children's Online Privacy Protection Act (COPPA), the Vermont Data Privacy Act mandates additional data protections for children aged 13 to 17. Businesses must obtain parental consent before processing personal data for minors in this age range for targeted advertising or data sales. For children under 13, verifiable parental consent is required for any data processing.

Data protection impact assessments

Businesses must conduct data protection impact assessments before engaging in high-risk data processing activities, such as processing sensitive data, targeted advertising, data sales, and profiling.

Universal Opt-Out Signals

Businesses must recognize and respect universal opt-out signals, like the Global Privacy Control, so that consumers can easily opt out of targeted advertising, data sales, and profiling.

Data Minimization

Businesses must limit the collection of personal data to what is reasonably necessary and proportionate to provide or maintain a specific product or service requested by the consumer.

How the Vermont Data Privacy Act compares to other state privacy laws

The VDPA sets itself apart from other state privacy laws through several key distinctions.

Private right of action

Perhaps the most noteworthy difference between the VDPA and other state privacy laws was the inclusion of a limited private right of action. This would have allowed individuals to sue companies for certain privacy violations, unlike most other state laws, which only permit enforcement by state authorities.

It’s important to note, however, that this private right of action could only have been applied to "large data holders" processing the data of over 100,000 Vermont residents, and was further limited to violations involving sensitive or consumer health data.

Strict limitations on sensitive data

The VDPA strictly prohibits the sale of sensitive data, even with consumer consent—setting it apart from other states where such sales are often permitted with explicit consent. Despite this strict stance on sensitive data sales, Vermont’s privacy law still requires obtaining consent for processing sensitive data for other purposes, which aligns with provisions in other states.

The law also emphasizes data minimization by limiting data collection to what is necessary for providing services. It also enforces stricter purpose limitations on data processing, demanding either explicit consent or a clear, disclosed purpose for any secondary use of data.

Broad definition of "Sale"

Vermont's privacy law features an expanded definition of "sale" that includes not only monetary exchanges, but also transfers for other valuable considerations and any transactions for "a commercial purpose."

This broader scope is distinctive compared to other states, such as California, Colorado, Virginia, and Connecticut, which define "sale" primarily in terms of monetary or other valuable consideration. By encompassing transactions with commercial intent, Vermont's definition potentially captures a wider range of data transfers under its regulations.

This expanded definition implies that more data exchanges may fall under the law's restrictions on selling data, meaning businesses will need to reevaluate their data sharing practices and how they structure agreements with third parties. The broader scope could lead to an increase in transactions requiring consumer consent and may limit data exchanges deemed permissible under other states' regulations.

Enhanced protections for minors

The Vermont Data Privacy Act enhances protections for minors by requiring robust privacy measures, such as a duty for data controllers to mitigate heightened risks to minors, restrictions on selling their data, and additional risk assessment requirements.

The VDPA takes a dual approach to protecting children online, combining comprehensive data protection under the VDPA with a streamlined version of California’s Age-Appropriate Design Code (AADC). This integration includes broad prohibitions against dark patterns and specific restrictions against addictive design features, such as endless scrolling.

By establishing separate duties of care within both the privacy and AADC sections, Vermont’s law offers a more layered and holistic approach to safeguarding minors' online experiences compared to other state privacy regulations.

In addition to these key differences, the VDPA also sports:

  • An expanded definition of targeted advertising: The Vermont Data Privacy Act takes a more expansive view of what constitutes targeted advertising, including the sharing of first-party data between distinctly branded websites operated by the same controller.
  • Strong anti-discrimination provisions: Unlike other state laws that prohibit only unlawful discrimination in data processing, Vermont's law goes further by prohibiting any discriminatory data processing that restricts access to goods and services based on protected classes.
  • Geolocation data limitations: The VDPA also imposes specific restrictions on how companies can use geolocation data, a provision not universally seen in other state privacy frameworks.

While Vermont's law shares some common elements with other state privacy laws, these unique features make it one of the most comprehensive and stringent in the country.

Ensuring compliance with Vermont's privacy law

For businesses operating in or targeting Vermont residents, compliance with the Vermont Data Privacy Act is essential. Here's a step-by-step checklist to help navigate the law's requirements:

1. Conduct a compliance assessment

Begin by thoroughly reviewing your company's data practices to determine if you fall under the scope of the Vermont Data Privacy Act. Assess whether you meet the applicability thresholds outlined in the legislation, which are based on the number of Vermont consumers whose personal data you control or process.

2. Establish a data inventory

Creating a comprehensive inventory of the personal data your business collects, processes, and stores is a crucial early step. Identify the types of data involved, the processing activities, and the legal basis for each. This will help you conduct a gap analysis to assess your compliance risk.

3. Implement consumer rights mechanisms

Develop robust processes to fulfill consumers' requests for data access, correction, deletion, and transfer. Ensure these processes include effective verification of consumer identity and prompt response times.

4. Deploy a consent management platform

Implement a consent management platform across all your digital interfaces, including websites, web apps, mobile apps, and backend data stores. This will enable you to consistently enforce consumer consent preferences and honor browser-based signals like the Global Privacy Control (GPC) and "Do Not Sell" requests.
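As an added illustration (not code from the original article or from any vendor's platform), the following Python sketch shows the server-side check a site needs in order to honor the GPC signal for the three opt-out categories the VDPA names. The header name `Sec-GPC` and the value `1` come from the GPC specification; the request-header dictionary, the `ConsentRecord` shape, and the choice to persist a received signal into the consumer's stored preferences are simplifying assumptions of this example.

```python
"""Honoring the Global Privacy Control (GPC) signal on the server side.

Constructed example. Header name/value follow the GPC spec; the request and
consent-record shapes are stand-ins, not any real framework's API.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional

# The three opt-out categories the VDPA requires universal signals to cover.
OPT_OUT_CATEGORIES = ("targeted_advertising", "sale", "profiling")


@dataclass
class ConsentRecord:
    # Preferences previously stored for a verified consumer; True = opted out.
    opt_outs: Dict[str, bool] = field(default_factory=dict)


def gpc_signal_present(headers: Dict[str, str]) -> bool:
    """True only when the request carries 'Sec-GPC: 1' (header name is
    case-insensitive). Per the GPC spec, any other value or an absent header
    means no opt-out signal was sent."""
    for name, value in headers.items():
        if name.lower() == "sec-gpc":
            return value.strip() == "1"
    return False


def effective_opt_outs(headers: Dict[str, str],
                       record: Optional[ConsentRecord]) -> Dict[str, bool]:
    """Merge stored preferences with the live GPC signal.

    The signal can only ADD opt-outs: a previously stored 'consent' never
    overrides a live opt-out signal. Assumed policy: a received signal is
    written back to the record so the opt-out persists across sessions."""
    result = {cat: False for cat in OPT_OUT_CATEGORIES}
    if record is not None:
        for cat in OPT_OUT_CATEGORIES:
            result[cat] = bool(record.opt_outs.get(cat, False))
    if gpc_signal_present(headers):
        for cat in OPT_OUT_CATEGORIES:
            result[cat] = True
        if record is not None:
            record.opt_outs.update(result)
    return result


def may_process(headers: Dict[str, str], record: Optional[ConsentRecord],
                purpose: str) -> bool:
    """Gate a processing purpose (e.g. 'sale') on the effective opt-out state."""
    return not effective_opt_outs(headers, record).get(purpose, False)
```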

5. Conduct data protection assessments

Before engaging in high-risk data processing activities, such as selling personal data, targeted advertising, or profiling, you must conduct data protection impact assessments. Make sure to document the assessment outcomes, including risk analysis and mitigation strategies.

6. Provide comprehensive privacy notices

Develop clear and concise privacy notices that inform Vermont consumers about your data practices. Include details on the purposes of data collection, categories of data processed, and the specific rights granted to consumers under the VDPA.

7. Respect universal opt-out signals

Prepare your systems and processes to acknowledge and respect universal opt-out signals for targeted advertising, data sales, and profiling activities. Ensure your procedures seamlessly integrate these opt-out preferences to comply with Vermont's regulatory requirements.

8. Comply with sensitive data restrictions

The Vermont Data Privacy Act imposes strict limitations on the use of sensitive data, including prohibiting the sale of such information, even with consumer consent. Carefully review your data processing activities to ensure you are adhering to these heightened protections.

9. Prioritize minors' data protection

Vermont’s privacy law includes enhanced safeguards and duties of care related to the processing of personal data belonging to minors. Ensure your compliance efforts address these specialized requirements, including obtaining parental consent for certain data processing activities.

By following this comprehensive compliance checklist, businesses can effectively navigate the complexities of the Vermont Data Privacy Act, safeguarding consumer data and upholding the state's rigorous regulatory standards.

