
Vermont’s Greenlit Privacy Law Makes Modular Compliance Better Than State Checklists
Key Takeaways
- Put January 1, 2028 on the roadmap and start mapping Vermont data flows now.
- Treat health and sensitive data as separate modules, not footnotes to general privacy scope.
- Build reusable privacy controls that can absorb new state thresholds, notices, and rights workflows.
The new VDPOSA adds another state privacy regime, and another reason to stop treating compliance as fifty separate spreadsheets.
The tell is not the signing ceremony. It is the product manager asking whether Vermont needs its own toggle, its own deletion queue, its own vendor addendum, and its own notice copy. Vermont has now put another comprehensive privacy law onto the U.S. map, and the practical lesson is not that everyone needs a fresh checklist. The lesson is that state privacy compliance has become a control system problem.
The new date on the compliance calendar
Hunton Andrews Kurth reports that Vermont Governor Phil Scott signed Senate Bill S.71, the Vermont Data Privacy and Online Surveillance Act, on June 16, 2026. Hunton describes Vermont as the 23rd state with a comprehensive consumer privacy law, while Koley Jessen describes it as the 24th state to enact one. That mismatch is a useful reminder that privacy-law counting is not where builders should spend their limited compliance time. The date that matters is less debatable: Hunton and Koley Jessen both report that the law takes effect on January 1, 2028. Koley Jessen adds one politically relevant footnote: Governor Scott previously vetoed a stricter version in June 2024. Troutman Pepper says the enacted version also departed from an earlier tiered applicability structure and replaced it with a single, uniform threshold. Translation: the final law is not merely a rerun of the prior proposal with a new signature page. If your privacy roadmap still says "monitor Vermont," that item can now move into implementation planning.
Who is in scope, and who should not relax too much
Pearl Cohen summarizes the core scope test this way: the Act applies to a person that conducts business in Vermont, or produces products or services targeted to Vermont residents, and met one of three thresholds in the preceding calendar year. Those thresholds are controlling or processing personal data of at least 35,000 consumers, controlling or processing sensitive data of at least 3,000 consumers, or offering for sale personal data of at least 3,000 consumers, with data processed solely to complete a payment transaction excluded in each case. That is a question your data inventory has to answer, not your brand team. Pearl Cohen also notes the important exception to the comfort blanket: the consumer health data provisions apply without regard to those thresholds. Covington's Global Policy Watch separately reports that Vermont enacted two privacy bills to regulate health-related information, including H.639, a genetic privacy bill regulating direct-to-consumer genetic testing companies. For builders, this means health-adjacent product surfaces deserve their own review even when the general consumer count looks small. A wellness feature, symptom questionnaire, fertility tracker integration, or genetic data workflow should not wait for someone to declare the company large enough to care.
The obligations look familiar, until they do not
Hunton says VDPOSA follows the familiar controller, processor, and consumer rights framework seen in many state comprehensive consumer data privacy laws, with certain distinctions. In plain English, that means the reusable parts of your privacy program still matter: know what data you collect, know why, know who receives it, assign controller and processor roles, and route consumer rights requests without hand-sorting every mailbox. If that sounds boring, congratulations: it is the part that tends to survive contact with auditors. The distinctions are where modular design pays for itself. Pearl Cohen says personal data is defined broadly to include derived data and unique identifiers reasonably linkable to an identified or identifiable individual or to a device. Pearl Cohen also says sensitive data includes consumer health data, genetic and biometric data, precise geolocation, neural data, and data revealing race or ethnicity, religious beliefs, and other categories. Koley Jessen flags distinctive features including broad consumer health data provisions, an AI training disclaimer requirement, and an expanded definition of sensitive personal information. None of this is exotic, but the contract and product work has the same flavor: notices, data classification, vendor instructions, and exception handling need to be configurable rather than hard-coded per state.
The checklist trap
Troutman Pepper's account of the abandoned tiered structure is the part compliance teams should tape to the monitor. If a state can change the scope architecture between proposal and enactment, a static Vermont checklist is already the wrong artifact. The better artifact is a rules layer over common controls: eligibility thresholds, sensitive data handling, consumer rights intake, sale or sharing flags, health data flags, processor terms, and disclosure modules. That approach also handles the 23rd-versus-24th-state discrepancy without drama. Whether Vermont is counted one way by Hunton and Troutman Pepper or another way by Koley Jessen, the operational reality is the same: U.S. privacy law is cumulative. Each new state adds variations, but not a wholly new privacy universe.
The companies that cope best will not be the ones with the thickest binder for Vermont. They will be the ones that can change a threshold, add a notice, tag a data category, and update a vendor workflow without rebuilding the program. The next useful step is not panic, and it is not a celebratory post about how much certainty has arrived. It is a gap review against January 1, 2028, with special attention to consumer health data, sensitive data definitions, AI training disclosures, and whether your rights workflow can absorb one more jurisdiction. Vermont is another state law. Treat it as another module, not another monument.
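One way to make the "rules layer over common controls" concrete, as an added example that is not code from the article or from any of the law firms it cites: each jurisdiction is a data entry describing its applicability thresholds and whether its health-data provisions apply regardless of those thresholds, and a single evaluator decides which control modules a product must switch on. The Vermont numbers follow the article's summary of VDPOSA; the "XX" entry, the module names, and the `Inventory` fields are hypothetical assumptions for illustration, and the counts are assumed to already exclude data processed solely to complete a payment transaction.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Thresholds:
    """Applicability thresholds for one jurisdiction, measured over the preceding calendar year."""
    personal_data_consumers: Optional[int]   # controls or processes personal data of at least N consumers
    sensitive_data_consumers: Optional[int]  # controls or processes sensitive data of at least N consumers
    sold_data_consumers: Optional[int]       # offers for sale personal data of at least N consumers
    health_data_regardless: bool = False     # consumer health data rules apply without regard to thresholds

@dataclass(frozen=True)
class Inventory:
    """Data-inventory facts for one jurisdiction (hypothetical schema).
    Counts must already exclude data processed solely to complete a payment transaction."""
    state: str
    conducts_business: bool
    targets_residents: bool
    consumers_personal: int
    consumers_sensitive: int
    consumers_sold: int
    processes_consumer_health_data: bool

RULES = {
    # Vermont numbers as summarized in the article (35,000 / 3,000 / 3,000; health data regardless).
    "VT": Thresholds(35_000, 3_000, 3_000, health_data_regardless=True),
    # Hypothetical placeholder, not a real statute: adding a state is a new entry, not a new code path.
    "XX": Thresholds(100_000, 25_000, None),
}

# Hypothetical names for reusable control modules shared across jurisdictions.
MODULES_GENERAL = frozenset({"privacy_notice", "rights_intake", "processor_terms",
                             "sensitive_data_handling", "sale_flag"})
MODULES_HEALTH = frozenset({"consumer_health_data"})

def evaluate(inv: Inventory, rules: dict = RULES) -> dict:
    """Return which scope tests fire and which control modules to enable for inv.state."""
    t = rules[inv.state]
    # Nexus: conducts business in the state or targets its residents.
    nexus = inv.conducts_business or inv.targets_residents
    triggers = []
    for name, count, limit in (
        ("personal_data", inv.consumers_personal, t.personal_data_consumers),
        ("sensitive_data", inv.consumers_sensitive, t.sensitive_data_consumers),
        ("sale", inv.consumers_sold, t.sold_data_consumers),
    ):
        if limit is not None and count >= limit:
            triggers.append(name)
    general = nexus and bool(triggers)
    # The edge case the article stresses: health-data obligations can attach even when
    # every general threshold is missed.
    health = nexus and inv.processes_consumer_health_data and (general or t.health_data_regardless)
    modules = set()
    if general:
        modules |= MODULES_GENERAL
    if health:
        modules |= MODULES_HEALTH
    return {"general_scope": general, "health_module": health,
            "triggers": triggers, "modules": modules}

if __name__ == "__main__":
    # Constructed inventory: a small wellness feature with Vermont users, below every general threshold.
    small_wellness = Inventory("VT", True, True, 10_000, 500, 0, processes_consumer_health_data=True)
    print(evaluate(small_wellness))
```

Because the evaluator reads thresholds from data, a change like Vermont's move from a tiered structure to a single uniform threshold is an edit to one `Thresholds` entry, and the rights-intake, notice, and processor-terms modules it switches on stay shared with every other state.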