Vermont Data Privacy Laws: Data Broker Registry & Consumer Rights (2026)

Vermont has earned a reputation as a national leader in one specific area of data privacy: regulating data brokers. In 2018, Vermont became the first state in the country to require data brokers to register with the government, creating a public registry that gives consumers visibility into which companies buy and sell their personal information.
However, Vermont does not have a comprehensive consumer data privacy law. A sweeping privacy bill passed the legislature in 2024 but was vetoed by the Governor. That means Vermont residents do not currently have broad statutory rights to access, delete, or opt out of the sale of their personal data the way consumers in California, Colorado, or Connecticut do.
What Vermont does have is a patchwork of targeted protections: a data breach notification law with strict timelines, the pioneering data broker registry, student privacy protections, and Social Security number safeguards. This guide covers every major Vermont data privacy statute, how the laws protect you, what businesses must do to comply, and where the state's privacy framework may be headed.
Vermont's Data Broker Registration Law (9 V.S.A. 2446-2447)
Vermont made history on May 22, 2018, when Act 171 (H.764) took effect. The law created the nation's first mandatory registration requirement for data brokers, codified at 9 V.S.A. 2446.

Before Vermont acted, data brokers operated in a regulatory blind spot. These companies collected and sold personal information about millions of consumers, but no state required them to identify themselves publicly. Vermont changed that.
What Is a Data Broker Under Vermont Law?
Vermont defines a data broker as a business that "knowingly collects and sells or licenses to third parties the brokered personal information of a consumer with whom the business does not have a direct relationship," according to 9 V.S.A. 2430.
The key phrase is "no direct relationship." If you buy something from a retailer and that retailer shares your data with a marketing partner, the retailer is not a data broker under Vermont law because you have a direct relationship with them. A data broker is a company that gathers your information from public records, online tracking, purchased datasets, and other indirect sources without ever interacting with you.
"Brokered personal information" includes computerized data elements organized for dissemination to third parties, such as your name, address, date of birth, Social Security number, and biometric data.
Registration Requirements
Every data broker that meets the statutory definition must register annually with the Vermont Secretary of State by January 31 of each year. The registration costs $100 per year.
Data brokers must disclose the following information in their registration:
- Business name, physical address, email address, and website URL
- A description of opt-out methods available to consumers, if any
- Which data collection or sales activities consumers cannot opt out of
- Whether the broker uses purchaser credentialing (verifying who buys data)
- The number of data security breaches experienced in the prior year
- The total number of consumers affected by those breaches
- Whether the broker collects data on minors, and if so, the collection and opt-out practices for that data
This information becomes part of a public registry, giving Vermont consumers and regulators visibility into the data broker industry for the first time.
Penalties for Failing to Register
A data broker that fails to register faces a civil penalty of $50 per day, capped at $10,000 for each year of noncompliance, and must also pay all back registration fees owed for the period of noncompliance. The Vermont Attorney General may pursue additional civil enforcement and injunctive relief.
Security Requirements for Data Brokers (9 V.S.A. 2447)
Beyond registration, Vermont imposes detailed security obligations on data brokers. Under 9 V.S.A. 2447, every data broker must "develop, implement, and maintain a comprehensive information security program" with safeguards appropriate to the business's size, resources, data volume, and the sensitivity of the information stored.
The law specifies ten minimum program requirements:
- Designate one or more employees responsible for maintaining the security program
- Conduct risk assessments that identify internal and external threats
- Establish employee policies for storing and transporting records outside business premises
- Implement disciplinary procedures for security policy violations
- Prevent terminated employees from accessing personal data
- Select third-party service providers capable of maintaining adequate safeguards and require contractual security obligations
- Maintain physical security controls, including locked storage for records
- Conduct regular monitoring to ensure program effectiveness
- Perform annual reviews of the security program scope
- Document all breach responses and conduct post-incident reviews
The law also mandates specific technical protections:
- Secure authentication protocols (unique IDs, strong passwords, or biometrics)
- Access controls that limit data access to employees who need it
- Encryption for all data transmitted over external networks and stored on portable devices
- Firewall protection and current security patches for operating systems
- Malware detection software with updated virus definitions
- Employee training on information security practices
Violations of these security requirements constitute "unfair and deceptive acts" under Vermont consumer protection law, enforceable by the Attorney General.
Why Vermont's Data Broker Law Matters Nationally
Vermont's registry exposed the sheer scale of the data broker industry. Hundreds of companies registered in the first year, many of them unknown to the public. The registry gave journalists, researchers, and policymakers concrete data about who was buying and selling personal information and how.
Several states have since followed Vermont's lead with their own data broker legislation, but Vermont remains the original model for this type of transparency requirement.
Vermont's Security Breach Notice Act (9 V.S.A. 2430, 2435)
Vermont's data breach notification law is codified at 9 V.S.A. 2435. The law applies to any "data collector," which the statute defines broadly as any person or entity that handles, collects, or disseminates personally identifiable information, including businesses, government agencies, universities, and retailers.
What Triggers a Notification
A notification is required when there is a "security breach," defined under 9 V.S.A. 2430 as the unauthorized acquisition of electronic data that compromises the security, confidentiality, or integrity of a consumer's personally identifiable information.
"Personally identifiable information" under Vermont law means a consumer's first name or initial combined with their last name, plus one or more of the following digital data elements:
- Social Security number
- Driver's license or state ID number
- Financial account number, credit card number, or debit card number (combined with any security code or password needed to access the account)
- Passwords or personal identification numbers for financial accounts
- Biometric data (fingerprint, retina scan, or similar identifier)
- Health records or wellness program records
- Individual taxpayer identification number
Login credentials (username combined with password or security question) are also covered, though the notification requirements are slightly different.
Notification Timeline
Vermont requires notification "in the most expedient time possible and without unreasonable delay, but not later than 45 days after the discovery or notification" of the breach.
The data collector must also notify the Vermont Attorney General (or the Department of Financial Regulation for regulated financial institutions) within 14 business days of discovering the breach. This preliminary notice must include a description of the breach.
If the breach affects more than 1,000 consumers, the data collector must also notify consumer reporting agencies.
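As an added example (not from the original article or any Vermont state tool), the following Python helper applies the triggers and deadlines described above to a constructed breach record set. The field labels, function names and the weekday-only business-day count are assumptions; state holidays are not modeled.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Data elements that, paired with a consumer's first name or initial plus last
# name, make a record "personally identifiable information" under 9 V.S.A. 2430.
# The field labels are constructed for this example, not statutory terms.
PII_ELEMENTS = {"ssn", "drivers_license", "financial_password", "biometric",
                "health_record", "itin"}


@dataclass
class BreachAssessment:
    notifiable: bool
    login_credentials_involved: bool       # covered, but separate notice rules apply
    ag_notice_due: Optional[date]          # 14 business days after discovery
    consumer_notice_due: Optional[date]    # no later than 45 days after discovery
    credit_agency_notice_required: bool    # more than 1,000 consumers affected
    substitute_notice_allowed: bool        # direct notice cost > $10,000 or no contact info


def add_business_days(start: date, n: int) -> date:
    """Advance n weekdays. Assumption: Vermont state holidays are not modeled."""
    d = start
    while n > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:
            n -= 1
    return d


def assess_breach(fields: set, discovered: date, affected: int,
                  direct_notice_cost: float,
                  contact_info_available: bool = True) -> BreachAssessment:
    has_name = ("first_name" in fields or "first_initial" in fields) and "last_name" in fields
    elements = fields & PII_ELEMENTS
    # An account number counts only together with the code/password needed to use it.
    if "financial_account" in fields and "account_access_code" in fields:
        elements.add("financial_account")
    creds = "username" in fields and ("password" in fields or "security_question" in fields)
    notifiable = (has_name and bool(elements)) or creds
    if not notifiable:
        return BreachAssessment(False, False, None, None, False, False)
    return BreachAssessment(
        notifiable=True,
        login_credentials_involved=creds,
        ag_notice_due=add_business_days(discovered, 14),
        consumer_notice_due=discovered + timedelta(days=45),
        credit_agency_notice_required=affected > 1000,
        substitute_notice_allowed=direct_notice_cost > 10_000 or not contact_info_available,
    )
```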
What the Notice Must Include
Breach notifications must be "clear and conspicuous" and include:
- A general description of the security incident
- The types of personal information that were compromised
- The protective measures the company has implemented in response
- A toll-free contact number for consumer inquiries
- Advice about monitoring accounts and credit reports
- The approximate date of the breach
How Notice Can Be Delivered
Data collectors may provide notice through direct methods: written mail, email (with certain conditions), or telephone. If the cost of direct notice would exceed $10,000, or if affected consumers' contact information is unavailable, the data collector may use substitute notice, which requires both posting the notice prominently on the company's website and notifying major statewide media.
Exemptions
HIPAA-covered entities that comply with federal health privacy breach notification rules are deemed compliant with Vermont's law. Entities that can demonstrate to the Attorney General that misuse of the compromised information is "not reasonably possible" may also avoid consumer notification, though they must still notify authorities.
Breaches limited to login credentials that were not directly obtained from the data collector have reduced notification requirements.
Enforcement
The Vermont Attorney General and State's Attorneys enforce the breach notification law. The Department of Financial Regulation handles enforcement for regulated financial institutions.
Brokered Personal Information Prohibitions (9 V.S.A. 2431)
Separate from the data broker registry, Vermont law under 9 V.S.A. 2431 prohibits specific harmful uses of brokered personal information.
It is illegal in Vermont to:
- Acquire brokered personal information through fraudulent means
- Use brokered personal information for stalking, harassment, fraud, or unlawful discrimination
Violations are treated as unfair and deceptive trade practices, enforceable by the Attorney General under Vermont's Consumer Protection Act (Chapter 63 of Title 9).
Social Security Number Protection (9 V.S.A. 2440)
Vermont's Social Security Number Protection Act under 9 V.S.A. 2440 restricts how businesses and state agencies can handle Social Security numbers.
Business Restrictions
Businesses operating in Vermont may not:
- Intentionally make an individual's Social Security number available to the general public
- Print Social Security numbers on access cards or identification cards
- Require transmission of a Social Security number over an unsecured internet connection without encryption
- Require a Social Security number as the sole login credential for online access without additional authentication
- Print Social Security numbers on mailed materials unless legally required, and they may never appear on postcards or through visible envelope windows
- Sell or disclose Social Security numbers to third parties without written consent, unless the disclosure serves a legitimate business purpose
State Agency Restrictions
State government entities face similar prohibitions on collecting, displaying, transmitting, and publicly disclosing Social Security numbers. State agencies must provide disclosure statements explaining why they collect SSNs and must segregate SSN information in their records.
Exemptions
The restrictions do not apply when Social Security numbers are part of enrollment documentation, used for administrative verification or fraud investigation, required for credit reporting under federal law, ordered by a court or law enforcement, obtained from public records, or used under grandfathered arrangements that have been continuous since before January 1, 2007.
Student Privacy Protections (9 V.S.A. 2443-2443a)
Vermont added student privacy protections in 2019, codified at 9 V.S.A. 2443 (definitions) and 9 V.S.A. 2443a (operator prohibitions).
Who the Law Covers
The law applies to "operators," defined as entities running websites, online services, or applications with actual knowledge that their product is used primarily for PreK-12 school purposes and was designed and marketed for PreK-12 school purposes.
What "Covered Information" Includes
Covered information is broadly defined and includes personal data in any format that is either non-public or disclosed under the Family Educational Rights and Privacy Act (FERPA). Specifically, it encompasses discipline records, test results, special education data, juvenile dependency records, grades, evaluations, criminal records, medical records, health records, Social Security numbers, biometric information, disability status, socioeconomic information, food purchases, political affiliations, and religious information.
Prohibited Activities
Education technology operators may not:
- Engage in targeted advertising based on information acquired through PreK-12 school use of their platform
- Build student profiles using persistent identifiers or gathered data outside of educational purposes
- Sell, barter, or rent a student's covered information
- Disclose covered information except for specific authorized purposes
Permitted Disclosures
Operators may share covered information only for:
- Furthering educational purposes, with restrictions on how recipients can use the data
- Complying with legal or regulatory requirements
- Responding to judicial process
- Protecting user safety and security
- School or educational purposes requested by the student or parent
- Services provided by third parties under strict confidentiality contracts
Operators may freely use information for "maintaining, developing, supporting, improving, or diagnosing" their own platform.
Federal Privacy Framework in Vermont
Because Vermont lacks a comprehensive state consumer privacy law, several federal statutes provide important baseline protections for Vermont residents.
HIPAA (Health Insurance Portability and Accountability Act)
HIPAA protects health information held by covered entities such as hospitals, insurers, and healthcare providers. Vermont's breach notification law explicitly recognizes HIPAA compliance as sufficient to meet state requirements for healthcare data breaches.
FERPA (Family Educational Rights and Privacy Act)
FERPA protects student education records at institutions receiving federal funding. Vermont's student privacy law (9 V.S.A. 2443) references FERPA and extends protections to education technology operators that FERPA does not directly regulate.
COPPA (Children's Online Privacy Protection Act)
COPPA requires websites and online services to obtain verifiable parental consent before collecting personal information from children under 13. This federal law applies in Vermont and complements the state's student privacy protections.
Gramm-Leach-Bliley Act (GLBA)
GLBA requires financial institutions to explain their information-sharing practices and to safeguard sensitive data. Vermont's breach notification law coordinates with GLBA by routing financial institution breach reports through the Department of Financial Regulation rather than the Attorney General.
FTC Act Section 5
The Federal Trade Commission enforces prohibitions against unfair or deceptive practices, including data privacy violations. The FTC has increasingly pursued enforcement actions against companies that mishandle consumer data, providing a federal backstop in states like Vermont that lack comprehensive privacy statutes.
The Vetoed Comprehensive Privacy Bill (H.121, 2024)
In 2024, the Vermont legislature passed H.121, a comprehensive consumer privacy bill titled "An act relating to enhancing consumer privacy and the age-appropriate design code." The bill would have created broad consumer data rights similar to those in California, Colorado, and Connecticut.
The Governor vetoed H.121 on June 17, 2024, and the Senate sustained the veto. As a result, Vermont still does not have a comprehensive consumer data privacy law granting residents rights to access, correct, delete, or opt out of the sale of their personal data.
The bill underwent extensive committee review with testimony from the Attorney General's Office, financial regulators, healthcare organizations, privacy advocacy groups like the Electronic Privacy Information Center (EPIC) and the Future of Privacy Forum, technology industry representatives, and consumer protection organizations.
Whether Vermont will pursue similar legislation in future sessions remains an open question. As of March 2026, no replacement comprehensive privacy bill has advanced in the current legislative session.
How Vermont Compares to Other States
Vermont occupies an unusual position in the national data privacy landscape. It was a genuine pioneer with the data broker registry, but it lacks the comprehensive consumer rights framework that many other states have adopted.
Strengths of Vermont's approach:
- First state to require data broker registration, creating public transparency
- Strong security requirements for data brokers with detailed technical standards
- Relatively strict 45-day breach notification deadline
- Student privacy protections that extend beyond federal FERPA requirements
- Social Security number protections with specific use restrictions
Gaps in Vermont's framework:
- No comprehensive consumer data privacy law (no right to access, delete, correct, or port personal data)
- No universal opt-out right for the sale of personal information
- No private right of action for data privacy violations (only AG enforcement)
- Data broker registration penalties are modest ($50/day, capped at $10,000/year)
- No specific protections for biometric data beyond the breach notification context
This article is for informational purposes only and does not constitute legal advice. Data privacy laws change frequently, and enforcement interpretations evolve over time. Consult a licensed attorney in Vermont for advice about your specific situation. Last reviewed: March 2026.
Sources and References
- 9 V.S.A. Chapter 62: Protection of Personal Information (full chapter), legislature.vermont.gov
- 9 V.S.A. 2430: Definitions for Protection of Personal Information, legislature.vermont.gov
- 9 V.S.A. 2435: Notice of Security Breaches, legislature.vermont.gov
- 9 V.S.A. 2446: Data Broker Annual Registration, legislature.vermont.gov
- 9 V.S.A. 2447: Data Broker Duty to Protect Information, legislature.vermont.gov
- 9 V.S.A. 2440: Social Security Number Protection, legislature.vermont.gov
- 9 V.S.A. 2443: Student Privacy Definitions, legislature.vermont.gov
- 9 V.S.A. 2443a: Student Privacy Operator Prohibitions, legislature.vermont.gov
- 9 V.S.A. 2431: Brokered Personal Information Prohibitions, legislature.vermont.gov
- H.764 (Act 171, 2018): Data Broker Registration Law, legislature.vermont.gov
- H.121 (2024): Consumer Privacy and Age-Appropriate Design Code (vetoed), legislature.vermont.gov