On June 16, 2026, Governor Phil Scott signed Vermont H.211, amending the state's data broker registration law. When Vermont enacted its original law in 2018, it was the first of what has since become a growing trend of state data broker statutes – five enacted to date, overlapping in some ways and diverging in others. This recent amendment stops short of establishing a deletion right mechanism like have California and Connecticut laws, but adds major substance and teeth to what was previously a fairly modest registration regime. The amended law takes effect January 1, 2027. 

New Definition, New Scope

The basic framework remains the same: a business that knowingly collects and sells or licenses personal information about consumers with whom it has no direct relationship must register with the Secretary of State. But Vermont has now tightened its definition of “direct relationship” such that a consumer must intentionally interact with a business for purpose of accessing, purchasing, using, requesting, or obtaining information about its product or service. Simply collecting information directly from a consumer is not enough, the consumer must have actually meant to engage with that business. 

This raises real questions for businesses that operate in the background of a consumer transaction, or jointly with a more public-facing brand. Businesses that operate behind another business's consumer relationship – e.g., payment processors, loyalty program vendors, or white-label platform providers – should think carefully about whether they can establish the requisite consumer intent before concluding they're exempt. 

The definition of “brokered personal information” has similarly expanded. The prior law enumerated specific triggering data types: name, address, Social Security number, and so on. The amendment replaces that with a broader, modernized standard aligned with definitions in state privacy laws: any information that is linked or reasonably linkable to an identified or identifiable individual or to a household device, including derived data and unique identifiers. 

KYC Obligations

H.211 imposes affirmative due diligence obligations on data brokers before disclosing brokered personal information. A data broker must identify recipients and their purpose for receiving the data and obtain certification that the data will not be used for any other purpose. If a broker has reasonable grounds to believe the data will be used for other purposes or unlawfully, they must decline the transaction.

As we've seen at the federal level with the Bulk Sensitive Data Rule, this is effectively a know-your-customer requirement. It deputizes data brokers to actively screen who they sell to and why.

A Costlier Registration

The annual registration fee is increasing from $100 to $900. While that still pales in comparison to California's $6,000 annual fee, it's an ample step up. For data brokers registering across all five states, the total annual tab is now approximately $9,800, plus payment processing fees. That number will continue to rise as more states enact their own regimes and existing states raise fees to fund consumer-facing infrastructure.  

Vermont also introduces a first-of-its-kind requirement: a $20,000 surety bond, running to the state for any liability arising under the law. This addition may reflect Vermont's observation that, for the often risk-tolerant data broker industry, there may be little left to collect by the time enforcement comes. National Public Data's bankruptcy in the wake of its massive data breach illustrates the risk: California's enforcement action likely had little remaining to satisfy it. 

Enforcement Teeth

Penalties, too, have become stiffer. Failure to register now carries a fine of $200 per day, and incomplete registration not remedied within 30 days exposes a data broker to penalties of $1,000 per day. Strikingly, filing materially incorrect information carries a flat $25,000 penalty, plus $1,000 per day for each day after the 30-day correction window closes that the information remains uncorrected.

To date, Vermont has publicly enforced its law once: in 2020, against facial recognition technology company Clearview AI, which was dismissed on peculiar jurisdictional grounds. Whether Vermont will pursue less high-profile violators with the same tenacity, and whether the new penalty structure gives it more leverage to do so, remains to be seen.

Is a Vermont DROP Coming? Maybe?  

Although the amendment does not create Vermont's own deletion request platform, it does direct the Secretary of State to study the feasibility of one, with a final report with proposed legislation due December 2028. For now, Vermont has opted to buy time to watch what happens in other states like California and Connecticut before committing.