On June 16, 2026, Governor Scott signed into law Senate Bill 71, the “Vermont Data Privacy and Online Surveillance Act,” making Vermont the 23rd state to enact a comprehensive consumer data privacy law, following California, Virginia, Colorado, Utah, Connecticut, Iowa, Indiana, Tennessee, Montana, Texas, Oregon, Delaware, New Jersey, New Hampshire, Kentucky, Nebraska, Maryland, Minnesota, Rhode Island, Oklahoma, Alabama, and Louisiana. The Act will go into effect January 1, 2028.

Applicability

The Act applies to a person that conducts business in Vermont or a person that produces products or services that are targeted to residents of Vermont and that during the preceding calendar year:

  1. controlled or processed the personal data of not fewer than 35,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction;
  2. controlled or processed the sensitive data of not fewer than 3,000 consumers, excluding personal data controlled or processed solely for the purposes of completing a payment transaction; or
  3. offered for sale in trade or commerce the personal data of not fewer than 3,000 consumers.

Exemptions

Exemptions include, in part:

  1. data subject to Title V of the Gramm-Leach-Bliley Act, Pub. L. No. 106-102, and regulations adopted to implement that act;
  2. a state- or federally chartered bank or credit union, or an affiliate or subsidiary that is principally engaged in financial activities, as described in 12 U.S.C. § 1843(k);
  3. any activity that involves collecting, maintaining, disclosing, selling, communicating, or using information for the purpose of evaluating a consumer’s creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living if done strictly in accordance with the provisions of the Fair Credit Reporting Act, 15 U.S.C. §§ 1681–1681x;
  4. in the ordinary course of its operation, a federal, state, tribal, or local government entity or an instrumentality of the State;
  5. an agent, broker-dealer, investment adviser, or investment adviser representative, as those terms are defined in 9 V.S.A. § 5102, who is regulated by the Department of Financial Regulation or the Securities and Exchange Commission;
  6. health care providers and health care facilities, as those terms are defined in 18 V.S.A. § 9402, provided such providers and facilities maintain all protected health information in accordance with the requirements of 18 V.S.A. § 1881 and HIPAA, regardless of whether such providers or facilities are covered entities under 45 C.F.R. § 160.103;
  7. protected health information under HIPAA; and
  8. data processed or maintained in the course of an individual applying to, employed by, or acting as an agent or independent contractor of a controller, processor, consumer health data controller, or third party, to the extent that the data is collected and used within the context of that role.

Consumer Rights

Consumers have the right to:

  1. confirm whether a controller is processing the consumer’s personal data and access such personal data, including any inferences about the consumer derived from such personal data and whether a controller or processor is processing a consumer’s personal data for the purposes of profiling to make a decision that produces any legal or similarly significant effect concerning a consumer;
  2. correct inaccuracies in the consumer’s personal data, taking into account the nature of the personal data and the purposes of the processing of the consumer’s personal data;
  3. delete personal data provided by, or obtained about, the consumer;
  4. obtain a copy of the consumer’s personal data processed by the controller, in a portable and, to the extent technically feasible, readily usable format;
  5. opt out of the processing of the personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of a decision that produces a legal or similarly significant effect concerning the consumer.

Sensitive Data

A controller must:

  1. not process sensitive data unless the consumer has provided consent, and then only where the processing is reasonably necessary in relation to the purposes for which the sensitive data were collected;
  2. not sell sensitive data unless the consumer has provided consent;
  3. if the controller has actual knowledge, or willfully disregards, that the consumer is a child, process the sensitive data in accordance with the Children’s Online Privacy Protection Act of 1998, 15 U.S.C. § 6501 et seq.; and
  4. not process personal data in violation of state or federal laws that prohibit unlawful discrimination.

“Sensitive data” is personal data that includes:

  1. racial or ethnic origin, religious beliefs, sex life, sexual orientation, status as nonbinary or transgender, or citizenship or immigration status, or a mental or physical health condition, diagnosis, disability, or treatment;
  2. consumer health data;
  3. genetic or biometric data or information derived therefrom;
  4. personal data collected from an individual the controller has actual knowledge, or willfully disregards, is a child;
  5. precise geolocation data;
  6. neural data;
  7. a consumer’s financial account number, financial account login information, or credit card or debit card number that, in combination with any required access or security code, password, or credential, would allow access to a consumer’s financial account; or
  8. a government-issued identification number, including, but not limited to, Social Security number, passport number, State identification card number, or driver’s license number, that applicable law does not require to be publicly displayed.

Contract Requirements

A contract between a controller and a processor must govern the processor’s data processing and require that the processor:

  1. ensure that each person processing personal data is subject to a duty of confidentiality with respect to the data;
  2. at the controller’s direction, delete or return all personal data to the controller as requested at the end of the provision of services;
  3. upon the reasonable request of the controller, make available to the controller all information in its possession necessary to demonstrate the processor’s compliance with the obligations in the law; and
  4. after providing the controller an opportunity to object, engage any subcontractor pursuant to a written contract that requires the subcontractor to meet the obligations of the processor with respect to the personal data.

Data Protection Assessments

A controller must conduct and document a data protection assessment for each of the controller’s processing activities that presents a heightened risk of harm to a consumer, which includes:

  1. the processing of personal data for the purposes of targeted advertising;
  2. the sale of personal data; and
  3. the processing of personal data for the purposes of certain profiling.

Enforcement

The Attorney General has exclusive authority to enforce the Act under the Vermont Consumer Protection Act and must provide and update, as necessary, guidance to controllers and processors for compliance with the terms of the Act.

For a chart comparing the state comprehensive data privacy laws, visit RMAI’s Privacy and Data Security Resource Center (login required).

RMAI strongly recommends that its members share this Member Alert with those in their organization who are responsible for their operations, compliance, and legal matters.

This Member Alert is intended for members of the Receivables Management Association International, is for informational purposes only, and is in no way intended to provide legal advice. Members are encouraged to consult with an attorney of their choice for legal advice concerning this matter.