What's Happening?
Vermont has passed a comprehensive consumer privacy law, signed by Governor Scott, which will take effect on January 1, 2028. The Vermont Data Privacy and Online Surveillance Act applies to companies that do business in the state or target Vermont residents,
meeting specific thresholds. The law mandates businesses to provide clear privacy notices, detailing the types of personal data processed, the reasons for processing, and the third parties involved. It also imposes data security obligations, particularly for health data, and prohibits geofencing near healthcare facilities. The law grants Vermont residents rights similar to those in other states, including access, deletion, and correction of their data, and the ability to opt out of targeted advertising and data sales.
Why It's Important?
The enactment of Vermont's privacy law is significant as it sets one of the lowest thresholds for applicability, impacting a wide range of businesses. This law enhances consumer protection by ensuring transparency in data handling and imposing strict data security measures, especially for sensitive health data. It reflects a growing trend of states enacting privacy laws, which could influence national standards and practices. Businesses operating in Vermont or targeting its residents must adapt to these regulations, potentially affecting their data management strategies and operational costs. Consumers gain more control over their personal data, aligning with increasing public demand for privacy rights.
What's Next?
As the law takes effect in 2028, businesses will need to prepare by reviewing and possibly overhauling their data privacy practices to comply with Vermont's requirements. The Attorney General will have exclusive enforcement authority, with a right to cure period for businesses until mid-2029. Companies must ensure they have the necessary data protection assessments and contractual measures in place, particularly concerning health data. The law's implementation may prompt other states to adopt similar measures, potentially leading to a more unified approach to data privacy across the U.S.
