Technology Law

Vermont Enacts Comprehensive Privacy Law

After years of false starts, Vermont has become the 23rd state to enact a comprehensive privacy law. In 2024, the legislature was unable to override Governor Scott's veto of a bill that included a private right of action. This time, lawmakers successfully advanced S.71 across the finish line. 

Although the law stops short of enabling private litigation, it includes several provisions that will require fine-tuning privacy programs. The product of extensive negotiation and compromise, Vermont's new law largely follows the familiar state privacy law framework while incorporating a few key deviations deserving of privacy pros' attention:

  • AI training disclosure. Controllers must disclose in their privacy notices whether they collect, use, or sell personal data to train large language models. Vermont is the second state to require such a disclosure, following Connecticut's amended privacy law (which takes effect July 1, 2026). As state legislatures increasingly focus on AI transparency, businesses should expect questions about AI training practices to become standard.
  • Consumer health data protections, with no applicability threshold. Vermont prohibits the sale of consumer health data without consent and restricts the use of geofencing around health care facilities, provisions familiar from consumer health privacy frameworks adopted in Washington, Nevada, and Connecticut. The restrictions are applicable to any business operating in the state, with no minimum consumer count or revenue threshold. Businesses that fall outside the general law's scope may nevertheless be subject to its consumer health data requirements.
  • Expanded sensitive data categories. Vermont has expanded its definition of sensitive data to now include neural data, gender-affirming health data, and reproductive or sexual health data. As processing of these categories generally requires opt-in consent, businesses should audit their sensitive data inventories against Vermont's broader list.
  • Restricted access request responses. Vermont prohibits controllers from providing certain categories of data in response to consumer access requests. Unlike most states, which simply require controllers to give consumers access to their data, Vermont specifies that controllers must not disclose, and instead must only confirm the existence of, Social Security numbers, government ID numbers, financial account numbers, health insurance or medical identification numbers, passwords or security questions, and biometric data. Controllers with automated access request workflows will need to build in filters for these data types.
  • Profiling rights. Like Minnesota, Vermont gives consumers specific rights with respect to profiling in furtherance of automated decisions that produce any legal or similarly significant effect — including the right to question the result, be informed of the reason, review the data used, and in the context of housing decisions, have incorrect data corrected and the profiling decision reevaluated. Businesses using automated decision-making in covered contexts should assess whether their processes trigger these requirements.
  • Protections for minors under 18. The law prohibits controllers with actual knowledge that a consumer is between the ages of 13 and 17 from processing their personal data for targeted advertising or selling their personal data. Most state privacy laws draw the line at 13 or 16, often permitting such processing with teen or parental consent. Maryland is the only other state to extend such a blanket prohibition to consumers up to 18. Businesses with teen users will need to ensure their targeted advertising and sale practices account for this broader range. 

The law takes effect January 1, 2028, and provides for a 60-day cure period that sunsets June 30, 2029.
