Key takeaways
- Vermont Governor Phil Scott signed the Vermont Data Privacy and Online Surveillance Act into law on June 16, 2026.
- The legislation makes Vermont the 23rd U.S. state to enact a comprehensive consumer privacy framework.
- The new statutory requirements will officially take effect on January 1, 2027.
- This marks the fourth comprehensive data privacy law passed by a state legislature in 2026.
The Enactment
On June 16, 2026, Vermont Governor Phil Scott signed the Vermont Data Privacy and Online Surveillance Act into law, fundamentally altering the regulatory requirements for companies handling consumer information within the state. The legislative process reached its conclusion when the Vermont legislature passed the bill on May 29, 2026. Shortly thereafter, the development was first reported in legal media on or about June 4, 2026, signaling to the legal community that a major regulatory shift was imminent. The legislation, identified as S71, establishes comprehensive rules governing how corporate entities collect, use, and protect consumer data. The statutory requirements are scheduled to take effect on January 1, 2027, giving businesses a defined window to overhaul their data practices.
Why It Matters
The enactment positions Vermont as the 23rd state in the United States to adopt a comprehensive consumer privacy law. Furthermore, it represents the fourth comprehensive data privacy law passed by a state legislature in 2026 alone. This volume of legislative activity in a single calendar year demonstrates that data privacy remains a top priority for state lawmakers across the political spectrum. The addition of Vermont to this growing list means that nearly half of the country now operates under a comprehensive state privacy framework.
This rapid succession of state-level privacy legislation creates an increasingly difficult compliance environment for companies operating on a national scale. Without a preemptive federal standard to harmonize these rules, businesses must adapt to a fragmented regulatory system. The passage of the Vermont Data Privacy and Online Surveillance Act confirms that state legislatures are aggressively filling the regulatory void. Each new state law adds distinct obligations regarding data management, consumer rights, and online surveillance boundaries. For multi-state operators, the addition of a 23rd distinct legal framework multiplies the friction of regulatory compliance, forcing companies to either adopt a highest-common-denominator approach to privacy or build highly localized compliance mechanisms.
Who Should Care
For lawyers
Corporate counsel and privacy attorneys must immediately begin assessing their clients' data collection practices against the new Vermont standards. Because the law takes effect on January 1, 2027, practitioners have a specific, limited window to update privacy policies, revise vendor contracts, and implement technical mechanisms for consumers to exercise their newly granted data rights. Lawyers must guide their corporate clients through comprehensive data audits to prepare for the effective date. This involves identifying all data collection points, evaluating third-party sharing agreements, and drafting new public-facing privacy notices that comply with Vermont's specific statutory phrasing. Attorneys advising multi-state operators will need to map Vermont's specific provisions against the 22 other existing state frameworks to identify overlapping obligations and unique state-specific requirements.
For consumers
Vermont residents will gain new legal rights over their personal information. Once the law becomes active, individuals will have statutory mechanisms to access, correct, or delete the data that companies hold about them. The legislation also places boundaries on online surveillance, giving residents greater control over how their digital footprints are tracked and monetized by third parties. This shifts the balance of power, providing everyday citizens with actionable tools to protect their privacy in the digital economy.
Legal Background
Prior to this enactment, Vermont lacked a unified, comprehensive statutory framework for consumer data privacy. The state historically relied on targeted statutes covering specific sectors, such as its first-in-the-nation data broker registration law, rather than a broad consumer protection mandate. At the federal level, Congress has repeatedly debated but failed to pass a national standard. The absence of a unified federal privacy law has forced states to act as laboratories of democracy, though this has resulted in a fragmented legal system. While federal bills like S. 71 (U.S. Congress) are occasionally introduced to propose a nationwide standard, they have consistently stalled in committee or failed to secure floor votes. Consequently, states like Vermont have determined that they cannot wait for congressional action to protect their residents' digital privacy.
This persistent federal inaction left individual states to develop their own rules. Starting with California several years ago, the movement has steadily expanded. The trend has accelerated significantly, leading to the current environment where nearly half the states have established their own comprehensive regimes. Vermont's entry into this group highlights the continuing momentum of state-driven consumer protection initiatives.
What the Legislature Did
By passing the Vermont Data Privacy and Online Surveillance Act on May 29, 2026, state lawmakers established a broad regulatory structure for data controllers and processors. Governor Scott's signature on June 16, 2026, formalized these requirements into law. The legislature designed the statute to grant consumers affirmative rights over their personal data while imposing strict operational boundaries on the entities that process that information.
The legislative action codifies rules against unchecked online surveillance and mandates transparency in data practices. The legislature shifted the default rules of data collection in the state. By passing the bill, lawmakers signaled that the era of unregulated digital tracking in Vermont was ending. The statute requires businesses to implement reasonable security practices to protect the confidentiality of consumer data. Lawmakers structured the act to ensure that companies cannot indefinitely collect and monetize consumer data without providing clear disclosures and offering consumers a mechanism to opt out. The swift passage of the bill reflects a clear legislative intent to rein in unregulated data brokering and digital tracking within the state's borders.
How It May Be Applied
As the January 1, 2027, effective date approaches, regulatory attention will shift to compliance and enforcement. Open questions remain regarding how the Vermont Attorney General will interpret specific provisions of the law, particularly those concerning the exact boundaries of online surveillance. Companies will likely spend the latter half of 2026 testing their compliance infrastructure, conducting data protection assessments, and training staff on how to handle consumer rights requests.
Courts may eventually be asked to clarify the scope of the law's definitions and the extent of its jurisdictional reach over out-of-state entities processing Vermont residents' data. Enforcement actions following the effective date will serve as the primary indicator of how strictly the state intends to police minor technical violations versus systemic privacy failures.
Regulatory Shift at a Glance
| Feature | Prior Vermont Law | New Vermont Law (S.71) |
|---|---|---|
| Framework Type | Sector-specific statutes | Comprehensive consumer privacy |
| Consumer Rights | Limited to specific industries | Broad rights to access, correct, and delete data |
| Online Surveillance | Largely unregulated | Subject to new statutory boundaries |
| Effective Date | N/A | January 1, 2027 |
The Bottom Line
Vermont's decision to enact the Vermont Data Privacy and Online Surveillance Act adds another necessary layer of compliance for companies handling consumer data. By becoming the 23rd state to pass comprehensive privacy legislation, Vermont continues the national trend of state-led data protection. Businesses have until January 1, 2027, to align their operations with the new statutory mandates or face potential enforcement actions.
This article is general legal information and commentary about legal developments. It is not legal advice, does not address your specific situation, and is not a substitute for advice from a licensed attorney. Reading this article and contacting us through this website do not create an attorney-client relationship.
Sources & authorities
Further reading
Additional perspectives (a link is not an endorsement):