Vermont Enacts Comprehensive Privacy Law, Andrew Folks
https://technologylaw.fkks.com/post/102n4us/vermont-enacts-comprehensive-privacy-law
Publish Date: 2026-06-24 00:23:00
Source Domain: technologylaw.fkks.com
After years of false starts, Vermont has become the 23rd state to enact a comprehensive privacy law. In 2024, the legislature was unable to override Governor Scott’s veto of a bill that included a private right of action. This time, lawmakers successfully advanced S.71 across the finish line.
Although the law stops short of enabling private litigation, it includes several provisions that will require fine-tuning privacy programs. The product of extensive negotiation and compromise, Vermont’s new law largely follows the familiar state privacy law framework while incorporating a few key deviations deserving of privacy pros’ attention:
- AI training disclosure. Controllers must disclose in their privacy notices whether they collect, use, or sell personal data to train large language models. Vermont is the second state to require such a disclosure, following Connecticut’s amended privacy law (which takes effect July 1, 2026). As state legislatures increasingly focus on AI transparency, businesses should expect questions about AI training practices to become standard.
- Consumer health data protections, with no applicability threshold. Vermont prohibits the sale of consumer health data without consent and restricts the use of geofencing around health care facilities, provisions familiar from consumer health privacy frameworks adopted in Washington, Nevada, and Connecticut. The restrictions are applicable to any business operating in the state, with no minimum consumer count or revenue threshold. Businesses that fall outside the general law’s scope may nevertheless be subject to its consumer health data requirements.
- Expanded sensitive data categories. Vermont has expanded its definition of sensitive data to now include neural data, gender-affirming health data, and reproductive or sexual health data. As processing of these categories generally requires opt-in consent, businesses should audit their sensitive data inventories…