Vermont Data Privacy and Surveillance Act: What It Means in 2028

Vermont's Governor signed S.71, the Vermont Data Privacy and Online Surveillance Act, into law on June 16, 2026, making Vermont one of the strictest states in the country on consumer data protection. The law doesn't take effect until January 1, 2028, but the countdown has already started for companies to get their practices in order. For consumers, the law's surveillance provisions represent one of the most ambitious attempts yet by a US state to rein in how businesses collect, use, and share personal information.

What the Vermont Data Privacy and Online Surveillance Act Actually Requires

At its core, the law gives Vermont residents meaningful control over their personal data. It requires businesses to obtain opt-in consent before processing sensitive categories of information, including precise geolocation, health data, financial data, and data about minors. That opt-in standard is notably stricter than the opt-out frameworks found in many other state laws.

Businesses must also provide clear, accessible privacy notices, conduct data protection assessments for higher-risk processing activities, and honor consumer requests to access, correct, delete, and port their data. The law includes a private right of action for certain violations, which gives individual consumers legal standing to sue, not just state regulators. That feature alone sets Vermont apart from the majority of US state privacy frameworks, where enforcement is left entirely to attorneys general.

The "online surveillance" portion of the law is particularly notable. It places specific restrictions on the use of personal data for targeted advertising to consumers and limits how companies can build behavioral profiles without explicit consent.

Who Is Covered, and the Broad Net That Catches More Companies Than You'd Expect

Many state privacy laws include revenue or data volume thresholds that leave smaller companies off the hook. Vermont's thresholds are comparatively low. The law applies to businesses that control or process the personal data of 25,000 or more Vermont consumers annually, or those that derive 25 percent or more of their gross revenue from selling personal data and process the data of at least 12,500 consumers.

Vermont has a population of roughly 650,000. That means the 25,000-consumer threshold represents only about four percent of the state's residents. Companies that operate nationally and have even modest Vermont user bases could easily cross that line. Data brokers in particular face heightened obligations under the law, including stricter limits on selling sensitive data and a requirement to register with the state.

The "online surveillance" framing in the law's title signals its ambitions clearly. Platforms and advertising technology companies that rely on pervasive tracking to build consumer profiles are squarely in scope.

How Vermont's Law Compares to Other US State Privacy Legislation

Vermont is now among roughly two dozen states with comprehensive consumer privacy legislation, but its law sits at the stricter end of the spectrum. California's CPRA is often cited as the US gold standard, but Vermont's opt-in requirement for sensitive data processing and its private right of action go further than what California currently requires.

States like Texas and Florida have enacted laws with broader business exemptions and no private rights of action, leaving enforcement largely toothless in practice. Vermont's approach is closer in spirit to European data protection principles, without copying the GDPR directly. The combination of low applicability thresholds, an opt-in default for sensitive data, and individual lawsuit rights creates real accountability pressure on businesses.

The law also draws a tighter circle around data broker activity than most state frameworks, which is significant given how much of the commercial surveillance economy runs through data brokers rather than the companies consumers interact with directly.

What This Means for Your Data Rights Even If You Don't Live in Vermont

State privacy laws have a well-documented tendency to produce national policy shifts. When companies update their data practices to comply with a strict state law, they often apply those changes broadly rather than maintaining separate systems for different states. California's privacy law produced exactly this effect, with companies rolling out new consent flows and data deletion tools to all US users, not just Californians.

Vermont's law could trigger a similar dynamic, particularly around data brokers. If businesses must offer Vermont residents the right to opt out of their data being sold, many will find it operationally simpler to extend that option everywhere. For consumers outside Vermont, that represents a meaningful gain in data rights they wouldn't otherwise have.

The surveillance-specific provisions are also worth watching in a broader context. Legislation that targets behavioral tracking and online surveillance is increasingly part of the policy conversation at the federal level as well. Vermont's approach could inform how federal lawmakers frame future proposals.

Of course, legal protections only go so far. Laws set floors, not ceilings, and enforcement takes time. Using technical privacy tools alongside legal rights gives consumers more complete protection. A VPN, for instance, limits what third parties can observe about your browsing activity at the network level, complementing whatever rights a state law provides on the data storage and sharing side.

Actionable Takeaways

  • If you run a business: Start reviewing your data inventory now. January 2028 may feel distant, but building compliant consent flows, assessment processes, and data subject request pipelines takes time.
  • If you're a Vermont resident: Your rights under this law will be enforceable starting January 1, 2028. Keep records of data requests you submit and responses you receive.
  • If you live outside Vermont: Watch how national companies respond to this law. New opt-out tools or consent options rolled out for Vermont users may become available to you as well.
  • For everyone: Legal protections and technical privacy practices work best together. Staying informed about state and federal surveillance legislation is a first step toward understanding what rights you actually hold.

Vermont's law is a significant marker in the ongoing effort to bring US privacy standards closer to what consumers in other parts of the world already expect. Whether it produces a national ripple effect will depend on how aggressively it is enforced and how willing companies are to build truly compliant data practices rather than minimal workarounds.