Governor Scott signed S.71, the Vermont Data Privacy and Online Surveillance Act, on June 16, making Vermont the 23rd state with a comprehensive consumer privacy law.
Two years ago, Scott was the first governor in the country to veto a comprehensive consumer privacy bill. That bill, H.121, included Maryland-style data minimization and a limited private right of action. The legislature couldn’t override the veto. It kept drafting.
The version Scott signed resembles Connecticut’s 2025 CTDPA, not H.121. It dropped the private right of action and uses Connecticut’s “reasonably necessary and proportionate” data minimization language rather than the standard Washington Privacy Act formulation.
Thresholds are low: 35,000 consumers for general personal data, 3,000 for sensitive data or personal data for sale. Sensitive data includes neural data, nonbinary and transgender status, and genetic or biometric-derived information. Consumer health data protections run broader — geofencing within 1,850 feet of healthcare facilities is prohibited regardless. Effective date: January 1, 2028. AG-only enforcement with a 60-day cure period through June 30, 2029.
The enforcement provision at Section 1, § 2415j is the structural signal worth reading. The legislature declared that if the AG doesn’t receive sufficient appropriations and resources, it will consider adding a private right of action. That’s a conditional PRA baked into statute: underfund enforcement and you hand the business community a liability it negotiated away. I haven’t seen another state frame it this way.
Vermont also passed a neural privacy right (H.814) and updated its data broker registry (H.211, effective January 1, 2027, with a $20,000 bond). The genetic testing law takes effect July 1, 2026.
Rebecca Lauren