Vermont Biometric Privacy Laws: Collection, Consent & Penalties (2026)
Vermont occupies a unique position in the national biometric privacy landscape. The state came closer than almost any other to enacting one of the strongest comprehensive data privacy laws in the country, with robust biometric data protections and a private right of action. Governor Phil Scott's veto of H.121 in June 2024 stopped that effort, and the legislature failed to override the veto by a single Senate vote.
Despite that setback, Vermont is not without biometric data protections. The state's breach notification law explicitly covers biometric data, and Vermont's first-in-the-nation data broker registration law addresses biometric data collection and sale by data brokers. These protections, however, fall far short of the comprehensive framework that H.121 would have established.
For a broader overview of privacy protections in the state, see the parent guide to Vermont Data Privacy Laws.
The Vetoed Vermont Data Privacy Act (H.121)
Understanding what H.121 would have done is essential context for Vermont's current biometric privacy landscape. The bill passed the Vermont House with near-unanimous support and cleared the Senate before Governor Scott vetoed it on June 13, 2024.
What H.121 Would Have Done for Biometric Data
The bill as passed by both chambers would have:
- Classified biometric data as sensitive personal data requiring opt-in consent before processing
- Created a private right of action allowing individuals to sue for actual damages when companies mishandled sensitive data including biometric identifiers
- Required data minimization, limiting businesses to collecting only the biometric data necessary for a stated purpose
- Established purpose limitations preventing the use of biometric data beyond its original collection purpose
- Required businesses to conduct data protection assessments before processing biometric data
Why the Governor Vetoed It
In his veto letter, Governor Scott cited several concerns. He called the private right of action a provision that would make Vermont "a national outlier, and more hostile than any other state to many businesses and non-profits." He recommended Vermont instead adopt a framework similar to Connecticut's data privacy law, which does not include a private right of action.
The House voted 128-17 to override the veto, but the Senate fell short at 14-15, well below the 20 votes needed for a two-thirds override.
Vermont Attorney General Charity Clark issued a statement expressing disappointment with the veto and reaffirming her office's commitment to pursuing biometric data protections through other channels.
Current Biometric Data Protections
Without a comprehensive privacy law, Vermont's biometric data protections come from two existing statutes: the breach notification law and the data broker registration law.
Breach Notification Law (9 V.S.A. 2435)
Vermont's Security Breach Notice Act was expanded through Act 89 of 2020 to explicitly include biometric data within the definition of personally identifiable information (PII).
Under the law, biometric data means unique biometric data generated from measurements or technical analysis of human body characteristics used to identify or authenticate a consumer. Examples include:
- Fingerprints
- Retina or iris images
- Other unique physical or digital representations of biometric data
When a security breach exposes biometric data, the law triggers several requirements:
Consumer Notification: The data collector must notify affected Vermont residents within 45 days of discovering or being notified of the breach.
Regulator Notification: Entities regulated by the Vermont Department of Financial Regulation must notify the department within 14 business days of discovering a breach affecting even one Vermont resident.
Attorney General Notification: Breaches affecting a significant number of Vermonters must be reported to the Attorney General's office.
Credit Monitoring: For breaches involving Social Security numbers or financial account information, the data collector must offer free credit monitoring. This requirement does not specifically extend to biometric-only breaches.
Data Broker Registration Law (9 V.S.A. 2430)
Vermont's data broker law, enacted in 2018 as Act 171, was the first state law in the nation requiring data brokers to register with the government. The law is relevant to biometric privacy because data brokers that collect and sell biometric data must comply with its requirements.
Under the statute, "brokered personal information" includes unique biometric data generated from measurements or technical analysis of human body characteristics used to identify or authenticate a consumer, such as fingerprints, retina or iris images, or other unique physical or digital representations.
Data brokers must:
- Register annually with the Vermont Secretary of State and pay a $100 registration fee
- Disclose whether they collect biometric data
- Describe their data collection, sale, and licensing practices
- Develop comprehensive written information security programs
- Provide consumers a way to opt out of data collection
As of early 2026, approximately 283 data broker companies are registered with the Secretary of State.
What Vermont Law Does Not Cover
The gaps in Vermont's biometric privacy framework remain substantial.
No Collection Consent Requirements
Vermont has no law requiring businesses to obtain consent before collecting biometric data from consumers or employees. A company can implement fingerprint scanners, facial recognition systems, or voice authentication without prior notice or permission.
No Retention or Destruction Requirements
No Vermont law requires organizations to set retention schedules for biometric data or to destroy it when the purpose for collection has ended.
No Private Right of Action
Individuals cannot sue companies in Vermont for collecting, using, or selling their biometric data without consent. This was the most contentious provision in H.121 and the primary reason the governor vetoed the bill.
No Purpose Limitation
Businesses that collect biometric data in Vermont face no restrictions on how they use it, beyond the data broker registration requirements.
Enforcement
The Vermont Attorney General enforces biometric data protections primarily through the Vermont Consumer Protection Act (9 V.S.A. Chapter 63). The failure to maintain reasonable data security practices is considered an unfair or deceptive act under the Consumer Protection Act, and the AG can bring enforcement actions accordingly.
For breach notification violations, the Attorney General can seek injunctive relief and civil penalties. The Department of Financial Regulation also has enforcement authority over regulated financial entities.
Ongoing Legislative Efforts (2025-2026)
The veto of H.121 did not end the push for comprehensive privacy legislation in Vermont. Lawmakers broke the privacy agenda into separate bills for the 2025-2026 session.
S.71 passed the Vermont Senate unanimously in March 2025. It provides a comprehensive privacy framework but omits the private right of action to address Governor Scott's objection. The bill classifies biometric data as sensitive and requires consent for processing.
H.211 passed the Vermont House on March 25, 2025. It specifically targets the approximately 283 data broker companies registered with the Secretary of State that collect and sell personal information including biometric data.
As of early 2026, both bills remain in committee, stuck on the question of how to handle sensitive data categories including biometric information. Whether a comprehensive framework will reach the governor's desk during the current session remains uncertain.
Residents and businesses should monitor the Vermont Legislature website for updates on these and other privacy-related bills.
More Vermont Laws
- Vermont Recording Laws
- Vermont Recording Laws
- Vermont Recording Laws
- Vermont Recording Laws
- Vermont Data Privacy Laws
- Vermont Recording Laws
- Vermont Recording Laws
- Vermont Recording Laws
Sources and References
This article references Vermont statutes available through the Vermont Legislature website. For information about the H.121 veto, see the Governor's veto letter and the Attorney General's statement. For consumer complaints, contact the Vermont Attorney General's Privacy and Data Security division. For data breach information, visit the Vermont Department of Financial Regulation.
This article provides general legal information about Vermont biometric privacy laws. It is not legal advice. Consult a qualified attorney for guidance on your specific situation. Laws and regulations change frequently. Verify current requirements through official Vermont government sources.
Sources and References
- H.121 - Vermont Data Privacy Act (Bill Status)(legislature.vermont.gov).gov
- Governor Scott Veto Letter - H.121(governor.vermont.gov).gov
- AG Clark Statement on H.121 Veto(ago.vermont.gov).gov
- 9 V.S.A. 2435 - Security Breach Notice Act(legislature.vermont.gov).gov
- 9 V.S.A. 2430 - Data Broker Definitions(legislature.vermont.gov).gov
- Act 89 of 2020 - Breach Notification Expansion(legislature.vermont.gov).gov
- Vermont DFR - Data Breach Notifications(dfr.vermont.gov).gov
- Vermont AG - Privacy and Data Security(ago.vermont.gov).gov
- Vermont DFR - Security Breach Notice Act Bulletin(dfr.vermont.gov).gov
- H.121 As Passed by Both Chambers(legislature.vermont.gov).gov