Laws & Regulations

State Privacy Laws: Vermont

A summary of privacy laws in Vermont.

Overview

The Vermont Data Privacy and Online Surveillance Act (VDPOSA) is the most expansive of the comprehensive state privacy laws enacted in 2026. Modeled on Connecticut's framework, widely regarded as one of the stronger state privacy statutes, Vermont's law pushes meaningfully beyond the current norm with several distinctive provisions: it requires businesses to disclose whether personal data is used to train large language models (LLMs), gives consumers the right to question the results of profiling decisions, restricts the sale of consumer health data, and prohibits geofencing near health care facilities. Because it takes effect on January 1, 2028, businesses have a comparatively long runway to prepare.

Key Dates

  • Signed into law: June 16, 2026
  • Effective date: January 1, 2028

Thresholds

The VDPOSA applies to entities that conduct business in Vermont, or produce products or services targeted to Vermont residents, and during a calendar year meet at least one of the following:

  • control or process the personal data of at least 35,000 consumers (excluding data processed solely to complete a payment transaction); or
  • control or process the sensitive data of at least 3,000 consumers; or
  • offer for sale the personal data of at least 3,000 consumers.

The law does not include a revenue-based threshold. Its consumer health data provisions apply to any entity doing business in Vermont, with no threshold.

Consumer Rights

  • The right to confirm whether a controller is processing their personal data and to access that data.
  • The right to correct inaccuracies in their personal data.
  • The right to delete their personal data.
  • The right to obtain a portable copy of their personal data.
  • The right to opt out of the processing of their personal data for the purposes of targeted advertising, the sale of their personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects.
  • The right to question the result of profiling, learn the reason for a profiling decision, and review and correct the data used.
  • The right to obtain a list of the third parties to whom their personal data has been sold.
  • The right to appeal a controller's refusal to act on a request.

Sensitive Data

The law defines sensitive data broadly to include data revealing:

  • Racial or ethnic origin
  • Religious beliefs
  • A mental or physical health condition or diagnosis
  • Sex life, sexual orientation, or transgender or nonbinary status
  • Citizenship or immigration status
  • Genetic or biometric data
  • Neural data
  • Precise geolocation data
  • Personal data collected from a known child (under 13 years of age)

Penalties

Violations are enforced exclusively by the Vermont Attorney General as violations of the Vermont Consumer Protection Act, with civil penalties of up to $10,000 per violation. There is no private right of action. A 60-day right to cure is available through June 30, 2029, after which the opportunity to cure becomes discretionary.

Regions are used to customize the behavior and experience based on an individual user’s location. As an example, this allows you to provide different experiences to users based on regional differences (like GDPR in the EU vs. VDPOSA in Vermont). When a user visits your site, we will automatically determine their location and will match them to the most granular region rule that you have setup in Concord. This can go down to the state/province level, which allows for different experiences for different laws (like VDPOSA in Vermont).

Based on the current laws, we recommend the following regional settings:

  • Consent Mode: Implied
  • Blocking Mode: Strict
  • Google Consent Mode V2: Advanced
  • Consent Duration: 12 months
  • Enable Limit Sensitive Information: Enabled
  • Enable Do Not Sell Consent: Enabled
  • Enable Global Privacy Control: Enabled

For step-by-step instruction on how to configure your consent banner for different geographical regions within the Concord app, see our help document Configure Your Consent Banner for Different Geographical Regions.

While you can get as granular as you want, we typically recommend a single global policy that meets the strictest guidelines across regions, or higher splits (like separate GDPR and United States regions, only adding additional regions for stricter states like California if needed). If you have any questions on how and why to configure your regions in certain ways, please reach out to our support team.