Light bulb Limited Spots Available: Secure Your Lifetime Subscription on Gumroad!

Jul 07, 2026 · 6 min read

Vermont's New Privacy Law: What S.71 Requires in 2028

On June 16, 2026, Vermont's Governor signed S.71, the Vermont Data Privacy and Online Surveillance Act, making Vermont the 24th U.S. state to enact a comprehensive consumer data privacy law. It takes effect January 1, 2028, and gives residents new rights over targeted advertising, profiling, and health data.

Vermont has spent years trying to pass a comprehensive privacy law. An earlier, tougher bill with a private right of action was vetoed in 2024. This time the state took a more measured route, and it worked. On June 16, 2026, Governor signed S.71 into law, and Vermont joined the roughly two dozen states that now regulate how businesses collect, sell, and profile consumer data.

Key Takeaways

  • Vermont's S.71, the Vermont Data Privacy and Online Surveillance Act, was signed on June 16, 2026 and makes Vermont the 24th state with a comprehensive consumer privacy law.
  • The VDPSA takes effect January 1, 2028, giving businesses roughly 18 months to build compliance programs before enforcement begins.
  • S.71 applies to businesses that control or process the personal data of at least 35,000 Vermont consumers, or that meet lower thresholds tied to sensitive data or data sales.
  • The law bans selling consumer health data without consent and prohibits geofencing health care facilities within 1,850 feet for certain purposes.
  • The Vermont Attorney General holds exclusive enforcement authority, with a 60-day cure period that sunsets on June 30, 2029.

What Does the Vermont Data Privacy Act Require?

The VDPSA follows the template most recent state privacy laws share, but with a few Vermont specific twists. Businesses that fall within scope must honor a defined set of consumer rights, obtain consent before processing sensitive data, and complete formal assessments before engaging in high risk data activities.

Data protection assessments are required for high risk processing, which the law defines to include targeted advertising, the sale of personal data, and the processing of sensitive data. Consequential profiling gets its own separate impact assessment. These documents are not filed publicly, but the Attorney General can demand them during an investigation, so businesses need to actually produce and retain them rather than treat them as a formality.

For a sense of how Vermont fits alongside its neighbors, the recent Connecticut CTDPA overhaul that took effect July 1 shows how quickly these frameworks are converging on similar obligations.

Who Has to Comply?

The VDPSA applies to any entity that does business in Vermont or targets Vermont residents and meets at least one of three thresholds:

  • Controls or processes the personal data of at least 35,000 consumers
  • Controls or processes the sensitive data of at least 3,000 consumers
  • Sells the personal data of at least 3,000 consumers

The 35,000-consumer floor is lower than the 100,000 threshold many first generation laws used, which pulls smaller businesses into scope. The separate sensitive data and data sale thresholds mean a company handling health, biometric, or precise location data can be covered even with a modest Vermont footprint. As the Mayer Brown analysis of the VDPSA notes, the tiered thresholds are designed to catch data brokers and adtech intermediaries who might otherwise slip below a single high consumer count.

What Rights Do Vermont Residents Get?

Consumers gain the familiar bundle of rights: to access their data, correct inaccuracies, delete it, and obtain a portable copy. On top of that, they can opt out of three specific activities: targeted advertising, the sale of their personal data, and profiling used to make automated decisions that produce legal or similarly significant effects.

The profiling provisions go further than opt out alone. A resident who is subject to a consequential automated decision can question the result, be told why the decision was reached, and review the personal data that fed into it. That transparency requirement matters for anyone building profiles from behavioral signals, including the open and click data that email marketing platforms collect. If those profiles drive decisions with significant effects on Vermont residents, the residents now have standing to interrogate them.

Sensitive data requires opt in consent before processing, and selling sensitive data likewise requires consent. Health data gets special treatment: the law bans selling consumer health data without consent, and it prohibits geofencing around health care facilities within 1,850 feet for certain purposes, a provision aimed squarely at location based advertising near clinics.

How Is It Enforced?

Enforcement rests exclusively with the Vermont Attorney General, who treats a VDPSA violation as a violation of the state's Consumer Protection Act. There is no private right of action, which is the compromise that got this version of the bill signed after the 2024 veto. A 60-day cure period lets businesses fix violations before the Attorney General acts, but that grace window sunsets on June 30, 2029. After that date, enforcement can proceed without a warning.

The absence of a private right of action makes this a more business friendly law than the vetoed 2024 proposal, but the delayed effective date and the sunsetting cure period signal that Vermont intends to enforce it seriously once companies have had time to prepare. The Koley Jessen breakdown of S.71 details how the Consumer Protection Act framing shapes the penalties available to the Attorney General.

The Vermont State House with its gold dome in Montpelier against the green mountains, representing the state's new consumer data privacy law

How Does Vermont Fit Into the State Privacy Patchwork?

Vermont is one of several states that enacted privacy laws in 2026, alongside Oklahoma's SB 546 and a new law in Alabama. With roughly 24 comprehensive state privacy laws now on the books, the United States has assembled a de facto national standard through repetition rather than through a single federal statute. Each new law nudges the baseline that a business operating nationally has to meet.

That patchwork is exactly why compliance teams increasingly build to the strictest common denominator. When Connecticut, Vermont, and a dozen other states all require opt out of targeted advertising and profiling, honoring those rights everywhere is simpler than segmenting by state. For a wider view of how several states stacked their effective dates this summer, see our roundup of the three state privacy laws that took effect July 1, 2026.

What to Do Before January 1, 2028

Vermont businesses have roughly 18 months, which is enough time to do this properly rather than in a scramble. The immediate priorities are to run a threshold analysis against all three coverage tests, inventory any sensitive and health data flows, and stand up consent mechanisms where none exist. Companies engaged in targeted advertising, data sales, or consequential profiling should begin drafting the required data protection and profiling impact assessments now, because those documents take time to do well.

For Vermont residents, the practical takeaway is that starting in 2028 you will be able to opt out of having your data sold or used to profile you, ask companies what they know about you, and demand an explanation when an automated system makes a consequential decision about your life. The law does not arrive for another year and a half, but it moves Vermont from a state with almost no consumer privacy protections to one whose residents can push back against the data economy in concrete ways.

Stop Email Tracking in Gmail

Spy pixels track when you open emails, where you are, and what device you use. Gblock blocks them automatically.

Try Gblock Free for 30 Days

No credit card required. Works with Chrome, Edge, Brave, and Arc.