Vermont Data Privacy Laws: Data Broker Registry & Consumer Rights (2026)

Vermont requires all data brokers to register annually with the Secretary of State under 9 V.S.A. 2446, making it the first state in the nation to mandate this transparency when Act 171 took effect in 2018. Vermont does not yet have a comprehensive consumer data privacy law; its current framework covers data broker registration, breach notification, student privacy, and Social Security number protections.
Vermont has earned a national reputation in one specific area of data privacy: regulating data brokers. In 2018, Vermont became the first state in the country to require data brokers to register with the government, creating a public registry that gives consumers visibility into which companies buy and sell their personal information.
Vermont does not yet have a comprehensive consumer data privacy law. A sweeping privacy bill (H.121) passed the legislature in 2024 but was vetoed by Governor Phil Scott. The legislature revived the effort with S.71 in the 2025-2026 session, a bill that passed the Senate in March 2025 and was under active House committee review in spring 2026. As of May 2026, S.71 had not been signed into law.
What Vermont does have is a growing patchwork of targeted protections: a data breach notification law with strict timelines, the pioneering data broker registry, new minors-focused design code requirements, student privacy protections, and Social Security number safeguards. This guide covers every major Vermont data privacy statute currently in force, the key bills pending in 2026, and what businesses and consumers need to know.

Vermont's Data Broker Registration Law (9 V.S.A. 2446-2447)
Vermont made history on May 22, 2018, when Act 171 (H.764) took effect. The law created the nation's first mandatory registration requirement for data brokers, codified at 9 V.S.A. 2446. As of the 2025-2026 registration cycle, 283 data broker companies are on the public registry. A June 2025 review by the Privacy Rights Clearinghouse identified approximately 309 additional companies registered as data brokers in other states that had not registered in Vermont, flagging a compliance gap that Attorney General Charity Clark is positioned to address.
Before Vermont acted, data brokers operated in a regulatory blind spot. These companies collected and sold personal information about millions of consumers, but no state required them to identify themselves publicly. Vermont changed that.
What Is a Data Broker Under Vermont Law?
Vermont defines a data broker as a business that "knowingly collects and sells or licenses to third parties the brokered personal information of a consumer with whom the business does not have a direct relationship," according to 9 V.S.A. 2430.
The key phrase is "no direct relationship." If you buy something from a retailer and that retailer shares your data with a marketing partner, the retailer is not a data broker under Vermont law because you have a direct relationship with them. A data broker is a company that gathers your information from public records, online tracking, purchased datasets, and other indirect sources without ever interacting with you directly.
"Brokered personal information" includes computerized data elements organized for dissemination to third parties, such as name, address, date of birth, Social Security number, and biometric data.
Registration Requirements
Every data broker that meets the statutory definition must register annually with the Vermont Secretary of State by January 31 of each year. The current registration fee is $100 per year.
Data brokers must disclose the following in their registration:
- Business name, physical address, email address, and website URL
- A description of opt-out methods available to consumers, if any
- Which data collection or sales activities consumers cannot opt out of
- Whether the broker uses purchaser credentialing (verifying who buys data)
- The number of data security breaches experienced in the prior year
- The total number of consumers affected by those breaches
- Whether the broker collects data on minors, and if so, the collection and opt-out practices for that data
This information becomes part of a public registry maintained by the Vermont Secretary of State.
Penalties for Failing to Register
A data broker that fails to register faces a civil penalty of $50 per day, capped at $10,000 annually for each year of noncompliance. The broker must also pay all back registration fees owed during the period of noncompliance. The Vermont Attorney General may pursue additional civil enforcement and injunctive relief.
Security Requirements for Data Brokers (9 V.S.A. 2447)
Beyond registration, Vermont imposes detailed security obligations on data brokers. Under 9 V.S.A. 2447, every data broker must "develop, implement, and maintain a comprehensive information security program" with safeguards appropriate to the business's size, resources, data volume, and the sensitivity of the information stored.
The law specifies ten minimum program requirements:
- Designate one or more employees responsible for maintaining the security program
- Conduct risk assessments that identify internal and external threats
- Establish employee policies for storing and transporting records outside business premises
- Implement disciplinary procedures for security policy violations
- Prevent terminated employees from accessing personal data
- Select third-party service providers capable of maintaining adequate safeguards and require contractual security obligations
- Maintain physical security controls, including locked storage for records
- Conduct regular monitoring to ensure program effectiveness
- Perform annual reviews of the security program scope
- Document all breach responses and conduct post-incident reviews
The law also mandates specific technical protections: secure authentication protocols, access controls limiting data to employees who need it, encryption for all data transmitted over external networks and stored on portable devices, firewall protection and current security patches, malware detection software, and employee training.
Violations of these security requirements constitute "unfair and deceptive acts" under Vermont consumer protection law, enforceable by the Attorney General.
H.211: The Vermont Delete Act (Pending as of May 2026)
In March 2026, the Vermont House of Representatives passed H.211, modeled after California's 2023 Delete Act. H.211 passed the House on March 25, 2026, and was referred to the Senate Committee on Economic Development, Housing and General Affairs. As of May 2026, it had not been signed into law.
If enacted, H.211 would:
- Require data brokers to honor consumer deletion requests, removing personal information upon request
- Raise the annual registration fee from $100 to $900 to fund administrative costs
- Appropriate $50,000 in fiscal year 2027 for the Secretary of State to study the feasibility of a centralized opt-out portal where consumers could submit a single deletion request covering all registered brokers
- Require data brokers to certify that the information they collect is used for legitimate purposes and to provide breach notification consistent with existing Vermont law
The centralized deletion portal, if funded and built, would be the most significant expansion of Vermont data broker law since 2018.

Vermont's Security Breach Notice Act (9 V.S.A. 2430, 2435)
Vermont's data breach notification law is codified at 9 V.S.A. 2435. The law applies to any "data collector," which the statute defines broadly as any person or entity that handles, collects, or disseminates personally identifiable information, including businesses, government agencies, universities, and retailers.
What Triggers a Notification
A notification is required when there is a "security breach," defined under 9 V.S.A. 2430 as the unauthorized acquisition of electronic data that compromises the security, confidentiality, or integrity of a consumer's personally identifiable information.
"Personally identifiable information" under Vermont law means a consumer's first name or initial combined with their last name, plus one or more of the following data elements:
- Social Security number
- Driver's license or state ID number
- Financial account number, credit card number, or debit card number (combined with any security code or password needed to access the account)
- Passwords or personal identification numbers for financial accounts
- Biometric data (fingerprint, retina scan, or similar identifier)
- Health records or wellness program records
- Individual taxpayer identification number
Login credentials (username combined with password or security question) are also covered, though the notification requirements are slightly different.
Notification Timeline
Vermont requires notification "in the most expedient time possible and without unreasonable delay, but not later than 45 days after the discovery or notification" of the breach.
The data collector must also notify the Vermont Attorney General (or the Department of Financial Regulation for regulated financial institutions) within 14 business days of discovering the breach. This preliminary notice must include a description of the breach.
If the breach affects more than 1,000 consumers, the data collector must also notify consumer reporting agencies.
What the Notice Must Include
Breach notifications must be "clear and conspicuous" and include:
- A general description of the security incident
- The types of personal information that were compromised
- The protective measures the company has implemented in response
- A toll-free contact number for consumer inquiries
- Advice about monitoring accounts and credit reports
- The approximate date of the breach
How Notice Can Be Delivered
Data collectors may provide notice through direct methods: written mail, email (with certain conditions), or telephone. If the cost of direct notice would exceed $10,000, or if affected consumers' contact information is unavailable, the data collector may use substitute notice through prominent posting on the company's website and notification of major statewide media.
Exemptions
HIPAA-covered entities that comply with federal health privacy breach notification rules are deemed compliant with Vermont's law. Entities that can demonstrate to the Attorney General that misuse of the compromised information is "not reasonably possible" may also avoid consumer notification, though they must still notify authorities.
Enforcement
The Vermont Attorney General and State's Attorneys enforce the breach notification law. The Department of Financial Regulation handles enforcement for regulated financial institutions.
Brokered Personal Information Prohibitions (9 V.S.A. 2431)
Separate from the data broker registry, Vermont law under 9 V.S.A. 2431 prohibits specific harmful uses of brokered personal information.
It is illegal in Vermont to:
- Acquire brokered personal information through fraudulent means
- Use brokered personal information for stalking, harassment, fraud, or unlawful discrimination
Violations are treated as unfair and deceptive trade practices, enforceable by the Attorney General under Vermont's Consumer Protection Act (Chapter 63 of Title 9).
Social Security Number Protection (9 V.S.A. 2440)
Vermont's Social Security Number Protection Act under 9 V.S.A. 2440 restricts how businesses and state agencies can handle Social Security numbers.
Business Restrictions
Businesses operating in Vermont may not:
- Intentionally make an individual's Social Security number available to the general public
- Print Social Security numbers on access cards or identification cards
- Require transmission of a Social Security number over an unsecured internet connection without encryption
- Require a Social Security number as the sole login credential for online access without additional authentication
- Print Social Security numbers on mailed materials unless legally required; the numbers may never appear on postcards or be visible through envelope windows
- Sell or disclose Social Security numbers to third parties without written consent, unless the disclosure serves a legitimate business purpose
State Agency Restrictions
State government entities face similar prohibitions on collecting, displaying, transmitting, and publicly disclosing Social Security numbers. State agencies must provide disclosure statements explaining why they collect SSNs and must segregate SSN information in their records.
Exemptions
The restrictions do not apply when Social Security numbers are part of enrollment documentation, used for administrative verification or fraud investigation, required for credit reporting under federal law, ordered by a court or law enforcement, obtained from public records, or used under grandfathered arrangements continuous since before January 1, 2007.
Vermont Age-Appropriate Design Code Act (S.69, Act 63)

Governor Phil Scott signed the Vermont Age-Appropriate Design Code Act (S.69) into law on June 12, 2025, as Act 63. The law takes effect January 1, 2027. The Vermont Attorney General's Office is conducting formal rulemaking in spring 2026 to develop implementing regulations.
Who the Law Covers
The AADC applies to "covered businesses" that operate online platforms, products, or services that are likely to be accessed by minors. It mirrors similar laws enacted in California and other states while reflecting Vermont-specific enforcement priorities.
Core Requirements
Covered businesses must:
- Default all privacy settings to the highest level of privacy available when the user is or is likely to be a minor
- Refrain from collecting or sharing a minor's personal data beyond what is strictly necessary to provide the requested service
- Avoid using design features that encourage minors to spend excessive time on the platform or to share more personal data than necessary
- Conduct data protection impact assessments for products and services likely to be accessed by minors before launching or significantly changing them
Enforcement
The Vermont Attorney General enforces the AADC. Violations are subject to civil penalties under Vermont consumer protection law. Because rulemaking is ongoing as of spring 2026, businesses have time to assess their compliance obligations before the January 1, 2027, effective date.
Student Privacy Protections (9 V.S.A. 2443-2443a)
Vermont added student privacy protections in 2019, codified at 9 V.S.A. 2443 (definitions) and 9 V.S.A. 2443a (operator prohibitions). These protections apply to PreK-12 education technology operators and complement the broader AADC requirements for minors online.
Who the Law Covers
The law applies to "operators," defined as entities running websites, online services, or applications with actual knowledge that their product is used primarily for PreK-12 school purposes and was designed and marketed for PreK-12 school purposes.
What "Covered Information" Includes
Covered information is broadly defined and includes personal data in any format that is either non-public or disclosed under FERPA. It encompasses discipline records, test results, special education data, juvenile dependency records, grades, evaluations, criminal records, medical records, health records, Social Security numbers, biometric information, disability status, socioeconomic information, food purchases, political affiliations, and religious information.
Prohibited Activities
Education technology operators may not:
- Engage in targeted advertising based on information acquired through PreK-12 school use of their platform
- Build student profiles using persistent identifiers or gathered data outside of educational purposes
- Sell, barter, or rent a student's covered information
- Disclose covered information except for specific authorized purposes
Permitted Disclosures
Operators may share covered information only for: furthering educational purposes (with restrictions on how recipients can use the data), complying with legal or regulatory requirements, responding to judicial process, protecting user safety and security, or purposes requested by the student or parent. Operators may freely use information for "maintaining, developing, supporting, improving, or diagnosing" their own platform.
Federal Privacy Framework in Vermont
Because Vermont lacks a comprehensive state consumer privacy law, several federal statutes provide important baseline protections for Vermont residents.

TAKE IT DOWN Act (Pub. L. 119-12, 2025)
President Trump signed the TAKE IT DOWN Act into law on May 19, 2025. The law creates federal criminal prohibitions on publishing nonconsensual intimate images (NCII), including AI-generated deepfakes. Criminal penalties took effect immediately upon signing. Platform obligations (covered platforms must establish a notice-and-removal process and remove flagged NCII within 48 hours of receiving a valid notice) became effective May 19, 2026, and are enforced by the Federal Trade Commission. Vermont residents who are victims of NCII can request removal from covered platforms under this federal framework regardless of the absence of a comprehensive state privacy law.
HIPAA (Health Insurance Portability and Accountability Act)
HIPAA protects health information held by covered entities such as hospitals, insurers, and healthcare providers. Vermont's breach notification law explicitly recognizes HIPAA compliance as sufficient to meet state requirements for healthcare data breaches.
FERPA (Family Educational Rights and Privacy Act)
FERPA protects student education records at institutions receiving federal funding. Vermont's student privacy law (9 V.S.A. 2443) references FERPA and extends protections to education technology operators that FERPA does not directly regulate.
COPPA (Children's Online Privacy Protection Act)
COPPA requires websites and online services to obtain verifiable parental consent before collecting personal information from children under 13. This federal law applies in Vermont and complements the state's student privacy protections and the new AADC.
Gramm-Leach-Bliley Act (GLBA)
GLBA requires financial institutions to explain their information-sharing practices and to safeguard sensitive data. Vermont's breach notification law coordinates with GLBA by routing financial institution breach reports through the Department of Financial Regulation rather than the Attorney General.
FTC Act Section 5
The Federal Trade Commission enforces prohibitions against unfair or deceptive practices, including data privacy violations. The FTC has pursued enforcement actions against companies that mishandle consumer data, providing a federal backstop in states like Vermont that lack comprehensive privacy statutes.
Pending Comprehensive Consumer Privacy Legislation
Vermont's most significant unfinished privacy business is enacting a comprehensive consumer data privacy law. Two legislative cycles have brought the state close.
H.121 (2024): Vetoed. The Vermont legislature passed H.121 in 2024, a bill titled "An act relating to enhancing consumer privacy and the age-appropriate design code." Governor Phil Scott vetoed it on June 17, 2024, primarily objecting to its private right of action provision. The Senate sustained the veto.
S.71 (2025-2026 session): Pending. The legislature revived comprehensive consumer privacy legislation as S.71, titled "An act relating to consumer data privacy and online surveillance." The Senate unanimously passed an amended version in March 2025 after stripping the private right of action that doomed H.121. The bill would grant Vermont residents rights to access, correct, and delete their personal data, and to opt out of certain data processing activities. The Vermont House Commerce and Economic Development Committee was reviewing S.71 in spring 2026. As of May 2026, S.71 had not passed the House or been signed by the governor. Vermont residents do not currently have comprehensive statutory data rights under state law.
Note on H.342: H.342 in the 2025-2026 session is a narrower bill addressing the personal information of certain public servants, not a comprehensive consumer privacy measure.
How Vermont Compares to Other States
Vermont occupies an unusual position in the national data privacy landscape. It was a genuine pioneer with the data broker registry and the AADC, but it still lacks the comprehensive consumer rights framework that many other states have adopted.

Strengths of Vermont's approach:
- First state to require data broker registration, creating public transparency since 2018
- Strong security requirements for data brokers with detailed technical standards under 9 V.S.A. 2447
- Relatively strict 45-day breach notification deadline with a 14-business-day AG notification requirement
- Student privacy protections that extend beyond federal FERPA requirements
- Social Security number protections with specific use restrictions
- Age-Appropriate Design Code (Act 63) enacted June 2025, effective January 2027
- H.211 Delete Act (if signed) would add consumer deletion rights for brokered data
Gaps in Vermont's framework:
- No comprehensive consumer data privacy law in force (S.71 pending as of May 2026)
- No universal opt-out right for the sale of personal information currently in force
- No private right of action for data privacy violations (only AG enforcement)
- Data broker registration penalties are modest ($50/day, capped at $10,000/year)
- No specific biometric privacy statute beyond the breach notification and AADC contexts
This article is for informational purposes only and does not constitute legal advice. Data privacy laws change frequently, and enforcement interpretations evolve over time. Consult a licensed attorney in Vermont for advice about your specific situation. Last reviewed: May 2026.
Frequently Asked Questions
Does Vermont have a comprehensive consumer data privacy law?
No. As of May 2026, Vermont does not have a comprehensive consumer data privacy law in force. H.121 was vetoed in 2024. S.71, which would create broad consumer rights to access, correct, and delete personal data and to opt out of certain processing, passed the Vermont Senate in 2025 and was under House committee review in spring 2026, but had not been signed into law. Vermont residents do not currently have statutory rights to access or delete their personal data held by most private companies. Vermont's in-force privacy protections are targeted: data broker registration, breach notification, student privacy, Social Security number safeguards, and the Age-Appropriate Design Code.
What is Vermont's data broker registry and why is it significant?
Vermont's data broker registry, created by Act 171 in 2018 and codified at 9 V.S.A. 2446, requires any business that knowingly collects and sells personal information about consumers it has no direct relationship with to register annually with the Vermont Secretary of State. Registration costs $100 per year and requires disclosure of opt-out policies, breach history, and practices regarding minors' data. Vermont was the first state in the nation to create this requirement. As of 2025-2026, 283 data brokers are registered. A June 2025 review identified approximately 309 additional companies that had registered in other states but not in Vermont, flagging a compliance enforcement opportunity.
How quickly must a business notify me of a data breach in Vermont?
Under 9 V.S.A. 2435, a business must notify affected Vermont consumers in the most expedient time possible and without unreasonable delay, but no later than 45 days after discovering the breach. The business must also notify the Vermont Attorney General within 14 business days with a preliminary description of the breach. If the breach affects more than 1,000 consumers, the business must additionally notify consumer reporting agencies.
What is the Vermont Age-Appropriate Design Code Act?
The Vermont Age-Appropriate Design Code Act (S.69, Act 63) was signed by Governor Phil Scott on June 12, 2025, and takes effect January 1, 2027. It requires covered online platforms likely to be accessed by minors to default to the highest available privacy settings, to collect only the personal data necessary to provide the requested service, and to avoid design features that encourage excessive data sharing or time on the platform. The Vermont Attorney General is conducting rulemaking in 2026 to develop implementing regulations. Businesses that operate platforms likely used by minors should monitor the rulemaking process.
What is H.211 and how would it change Vermont's data broker law?
H.211, known informally as the Vermont Delete Act, passed the Vermont House of Representatives on March 25, 2026, and was in the Senate as of May 2026. If signed into law, it would require registered data brokers to honor consumer requests to delete their personal information, raise the annual registration fee from $100 to $900, and fund a study into building a centralized portal where Vermont residents could submit a single deletion request to all registered brokers at once. It has not yet been signed by Governor Scott.
Are there penalties for data brokers that do not register in Vermont?
Yes. Under 9 V.S.A. 2446, a data broker that fails to register faces a civil penalty of $50 per day of noncompliance, capped at $10,000 per year. The broker must also pay all unpaid registration fees for the period of noncompliance. The Vermont Attorney General may pursue additional civil enforcement and seek injunctive relief. Violations of the data broker security requirements under 9 V.S.A. 2447 are treated as unfair and deceptive trade practices, which carry additional penalties.
How does Vermont protect student data privacy?
Vermont protects student data under 9 V.S.A. 2443 and 2443a, enacted in 2019. The law applies to education technology operators whose products are used primarily for PreK-12 school purposes. These operators are prohibited from using student data for targeted advertising, building non-educational profiles using student information, selling or renting student data, and disclosing covered information except for specific authorized purposes. Covered information includes grades, test results, disciplinary records, health records, biometric data, and Social Security numbers. The 2025 Age-Appropriate Design Code Act (Act 63) adds an additional layer for online platforms used by minors more broadly.
Does the federal TAKE IT DOWN Act protect Vermont residents?
Yes. The TAKE IT DOWN Act (Pub. L. 119-12), signed May 19, 2025, applies nationwide, including Vermont. It creates federal criminal liability for publishing nonconsensual intimate images, including AI-generated deepfakes. Beginning May 19, 2026, covered online platforms must also maintain a notice-and-removal process and remove flagged images within 48 hours of receiving a valid request. The Federal Trade Commission enforces the platform obligations. Vermont residents who are victims of nonconsensual intimate image sharing can use this federal framework regardless of the state's lack of a comprehensive privacy law.
Sources and References
- 9 V.S.A. Chapter 62: Protection of Personal Information (Full Chapter) (legislature.vermont.gov)
- 9 V.S.A. 2430: Definitions for Protection of Personal Information (legislature.vermont.gov)
- 9 V.S.A. 2431: Brokered Personal Information Prohibitions (legislature.vermont.gov)
- 9 V.S.A. 2435: Notice of Security Breaches (legislature.vermont.gov)
- 9 V.S.A. 2440: Social Security Number Protection (legislature.vermont.gov)
- 9 V.S.A. 2443: Student Privacy Definitions (legislature.vermont.gov)
- 9 V.S.A. 2443a: Student Privacy Operator Prohibitions (legislature.vermont.gov)
- 9 V.S.A. 2446: Data Broker Annual Registration (legislature.vermont.gov)
- 9 V.S.A. 2447: Data Broker Duty to Protect Information (legislature.vermont.gov)
- H.764 (Act 171, 2018): Data Broker Registration Law (legislature.vermont.gov)
- H.121 (2024): Consumer Privacy and Age-Appropriate Design Code (Vetoed) (legislature.vermont.gov)
- S.71 (2025-2026): Vermont Data Privacy and Online Surveillance Act (Pending) (legislature.vermont.gov)
- H.211 (2026): An Act Relating to Data Brokers and Personal Information (Delete Act, Pending) (legislature.vermont.gov)
- S.69 (Act 63, 2025): Vermont Age-Appropriate Design Code Act (legislature.vermont.gov)
- Act 63 As Enacted: Vermont Age-Appropriate Design Code (legislature.vermont.gov)
- Vermont AG Office: Age-Appropriate Design Code Rulemaking (ago.vermont.gov)
- TAKE IT DOWN Act, Pub. L. 119-12 (S.146, 119th Congress) (congress.gov)