Vermont Passes Data Privacy Law: Vermont Data Privacy Act | Secure Privacy Blog | Secure Privacy Blog

What is the Vermont Data Privacy Act?

The Vermont Data Privacy Act is Vermont's comprehensive privacy legislation, set to take effect on July 1, 2025. This act aims to enhance data protection and privacy rights for Vermont residents. Notably, it grants individuals a private right of action starting from January 1, 2027, allowing them to seek legal recourse for violations of their data privacy rights.

Does the VDPA apply to my business?

The Vermont Data Protection Act (VDPA) applies to persons conducting business in Vermont or producing products or services targeted to Vermont residents, who during the preceding calendar year:

Controlled or processed the personal data of at least 25,000 consumers, excluding data processed solely for payment transactions.

Controlled or processed the personal data of at least 12,500 consumers and derived more than 25% of their gross revenue from the sale of personal data.

The health data provisions apply to all persons conducting business in Vermont or producing products or services targeted to Vermont residents, regardless of the number of consumers' data controlled or processed.

What is personal data under the Vermont comprehensive data privacy legislation?

Personal data is any information that could identify an individual, directly or indirectly.

The VDPA goes further to define what sensitive data is. The definition is necessary because the law gives it a special regime.

The following categories of data are considered sensitive:

According to the VDPA, "sensitive data" includes personal data that:

Reveals a consumer’s government-issued identifier, such as a Social Security number, passport number, state identification card, or driver’s license number, that is not required by law to be publicly displayed.

Reveals a consumer’s racial or ethnic origin, national origin, citizenship or immigration status, religious or philosophical beliefs, or union membership.

Reveals a consumer’s sexual orientation, sex life, sexuality, or status as transgender or nonbinary.

Reveals a consumer’s status as a victim of a crime.

Is financial information, including a consumer’s tax return and account number, financial account log-in, financial account, debit card number, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account.

Is consumer health data.

Is personal data collected and analyzed concerning consumer health data or personal data that describes or reveals a past, present, or future mental or physical health condition, treatment, disability, or diagnosis, including pregnancy, to the extent the personal data is not used by the controller to identify a specific consumer’s physical or mental health condition or diagnosis.

Is biometric or genetic data.

Is personal data collected from a known minor.

Is precise geolocation data.

Do we need a privacy policy?

A controller must provide a privacy policy that is reasonably accessible, clear, and meaningful, containing the following information:

Categories of personal data processed

Purposes of processing

Consumer rights and how to exercise them

List all categories of personal data, including sensitive data, that the controller shares with third parties.

All categories of third parties with which the controller shares personal data at a level of detail that enables the consumer to understand what type of entity each third party is and, to the extent possible, how each third party may process personal data.

Contact Information

Controller Identification

A clear and conspicuous description of any processing of personal data for targeted advertising, sale of personal data to third parties, or profiling the consumer in furtherance of decisions that produce legal or similarly significant effects concerning the consumer, and a procedure by which the consumer may opt out of this type of processing.

What are the VDPA consumer rights?

Consumers in Vermont have the right to:

Know about the processing

Access their information

Delete their data

Correct their data

Opt-out oif the sale of personal data and targeted advertising

Consumers can submit consumer requests and you'll be abliged to respond within 45 days.

What are the VDPA opt-out requirements?

The Vermont Data Privacy Act requires businesses to provide clear opt-out mechanisms for consumers. Specifically, businesses must offer a conspicuous link on their website that allows consumers to opt out of the sale of their personal data. This link should be easily accessible and prominently displayed, ensuring that consumers can exercise their opt-out rights without difficulty.

In addition to the direct opt-out link, businesses are also required to recognize universal opt-out mechanisms. This means that businesses must comply with signals sent by consumers through browser settings or other automated tools indicating their preference to opt out of data sales.

What are the duties of controllers and processors?

Controllers, i.e. the companies who decide to process data, have the following general duties:

Limit the processing to the purpose the data has been coillected

Process only the minimum amount of data needed for the purposes

Not sell sensitive daat

Not discriminate

Implement technical and organizations measures for data security

Honor consumer requests

Have written contracts with data processors

Conduct data protection assessments where required

Processors, the companies you hire to process data on your behalf, have the following duties:

Follow controllers instructions about the processing

Enable the controller to respond to consumer requests

Ensure data security

Help the controller in conducting data protection assessment

Do we need to conduct a privacy impact assessment?

Controllers are required to conduct and document a data protection assessment for processing activities that present a heightened risk of harm to a consumer. This general requirement ensures that controllers thoroughly evaluate and mitigate potential risks associated with their data processing activities.

Specific situations requiring a data protection assessment include processing personal data for targeted advertising, selling personal data, and profiling that poses a reasonably foreseeable risk of unfair or deceptive treatment, financial, physical, or reputational injury, or significant intrusion into consumers' private affairs. Additionally, processing sensitive data necessitates an assessment to ensure appropriate safeguards are in place.

Controllers must retain data protection assessments for at least five years. The Attorney General can request disclosure of these assessments during investigations, but such disclosures do not waive attorney-client privilege or work product protection and remain confidential under the Public Records Act.

Vermont Passes Data Privacy Law: Vermont Data Privacy Act

Continue Reading

CCPA vs. GDPR: What Businesses Need to Know

HIPAA Privacy Policy: Essential Website Compliance for Healthcare Organizations

Iowa Consumer Data Protection Act (ICDPA): Comprehensive Data Privacy Law Overview for Iowa Businesses