Vermont VTDPOSA Cookie Consent and Compliance

Prepare for Vermont’s Data Privacy and Online Surveillance Act with clear cookie consent, opt-out controls, and online tracking compliance tools. Are you ready to comply?

What your business needs to know about the Vermont Data Privacy and Online Surveillance Act

The Vermont Data Privacy and Online Surveillance Act, enacted as S.71 / Act 145, is Vermont’s comprehensive consumer privacy law. Signed on June 16, 2026, the law takes effect on January 1, 2028.

The Act applies to businesses that conduct business in Vermont or offer products or services targeted to Vermont residents and meet certain data processing thresholds. It gives consumers more control over their personal data and requires organizations to provide transparency, limit unnecessary data collection, protect sensitive data, and honor consumer opt-out requests.

For websites and digital services, the Act is particularly relevant where cookies, tracking technologies, analytics tools, advertising pixels, or third-party scripts collect or process personal data from Vermont residents.

What does Vermont Data Privacy compliance require?

To prepare for Vermont Data Privacy compliance, organizations should review how they collect, use, disclose, and sell personal data, including through cookies and other online tracking technologies.

Key compliance steps include:

Update privacy notices: Provide a clear and accessible privacy notice explaining what personal data is processed, why it is processed, how consumers can exercise their rights, what categories of third parties receive data, and whether personal data is used, collected, or sold for training large language models.

Implement consent management: Use cookie banners and preference centers to collect clear affirmative consent where required, especially when processing sensitive data or selling sensitive data.

Provide opt-out mechanisms: Allow consumers to opt out of targeted advertising, the sale of personal data, and profiling that produces legal or similarly significant effects.

Respect universal opt-out signals: Support opt-out requests submitted through authorized agents or technologies such as browser settings, browser extensions, global device settings, or internet links, where applicable.

Conduct assessments: Carry out data protection assessments for higher-risk processing, including targeted advertising, sale of personal data, profiling with significant effects, and processing of sensitive data.

Manage vendors and processors: Use appropriate contracts with processors and ensure third-party data sharing supports compliance with the Act.

Who needs to comply with the Vermont Data Privacy and Online Surveillance Act?

The Vermont Data Privacy and Online Surveillance Act applies to persons or businesses that conduct business in Vermont or produce products or services targeted to Vermont residents and, during the preceding calendar year, meet at least one of the following thresholds:

Process the personal data of at least 35,000 Vermont consumers, excluding personal data processed solely to complete payment transactions.

Process the sensitive data of at least 3,000 Vermont consumers, excluding data processed solely to complete payment transactions.

Offer to sell the personal data of at least 3,000 Vermont consumers.

The Act also includes separate consumer health data provisions that apply more broadly to persons doing business in Vermont or targeting Vermont residents with products or services.

Certain entities and data types are exempt, including government entities, some HIPAA-regulated entities and data, certain GLBA-regulated entities and data, employment-related data, and other categories already governed by specific federal or state laws.

Consumer rights under the Vermont Data Privacy and Online Surveillance Act

Vermont residents have several rights over their personal data, including:

Controllers must generally respond to consumer requests within 45 days, with a possible 45-day extension where reasonably necessary. Consumers must also be provided with an appeal process if a request is denied.

Why cookies are part of Vermont Data Privacy compliance

Cookies and similar tracking technologies can collect personal data such as unique identifiers, device information, browsing behavior, location signals, and data used for analytics, personalization, targeted advertising, or profiling.

Under the Vermont Data Privacy and Online Surveillance Act, businesses should evaluate whether their cookies and third-party scripts process personal data, sensitive data, or data used for targeted advertising or sale. Sensitive data processing requires consent, and consumers must be able to opt out of targeted advertising, sale of personal data, and certain profiling activities.

A compliant cookie consent setup should make cookie purposes clear, avoid dark patterns, provide granular choices, support withdrawal of consent, and maintain records of consent and opt-out preferences.

Penalties for Vermont Data Privacy non-compliance

The Vermont Attorney General has enforcement authority under the Vermont Data Privacy and Online Surveillance Act. A violation of the Act is treated as a violation of the Vermont Consumer Protection Act.

The law does not provide a private right of action for consumers. During the period from January 1, 2028, through June 30, 2029, the Attorney General must provide a notice of violation and a 60-day cure period if the Attorney General determines that the violation can be cured.

Organizations that fail to comply may face enforcement action, civil penalties, injunctions, and other remedies available under Vermont consumer protection law.

How to comply with the Vermont Data Privacy and Online Surveillance Act

To prepare for the Vermont Data Privacy and Online Surveillance Act, organizations should:

Audit: Identify all cookies, pixels, trackers, SDKs, and third-party scripts used across websites and apps.

Categorize: Classify cookies and trackers by purpose, such as necessary, preferences, analytics, marketing, targeted advertising, sale, or sensitive data processing.

Review sensitive data: Check whether cookies or digital services collect sensitive data, such as precise geolocation, biometric data, consumer health data, children’s data, neural data, or other protected categories.

Implement consent management: Deploy a cookie banner and preference center that support clear choices, opt-outs, consent withdrawal, and consent logging.

Update privacy notices: Ensure privacy notices describe data categories, purposes, consumer rights, third-party sharing, opt-out options, and whether personal data is used for training large language models.

Review third-party contracts: Make sure processors and vendors support Vermont privacy obligations, including consumer rights requests, data security, and appropriate processing restrictions.

How CookieHub can help with Vermont Data Privacy compliance

CookieHub helps businesses manage cookie consent and online tracking in a way that supports privacy compliance across multiple jurisdictions, including U.S. state privacy laws such as the Vermont Data Privacy and Online Surveillance Act.

Frequently Asked Questions

The Vermont Data Privacy and Online Surveillance Act is Vermont’s comprehensive consumer privacy law. It establishes consumer privacy rights and obligations for businesses that collect, process, sell, or use personal data from Vermont residents.

The Act takes effect on January 1, 2028.

The Act applies to businesses that conduct business in Vermont or target Vermont residents and meet certain thresholds, including processing personal data of at least 35,000 consumers, processing sensitive data of at least 3,000 consumers, or offering to sell personal data of at least 3,000 consumers.

Personal data means information, including derived data and unique identifiers, that is linked or reasonably linkable to an identified or identifiable individual or to a device linked to one or more individuals.

Sensitive data includes categories such as racial or ethnic origin, religious beliefs, sex life, sexual orientation, transgender or nonbinary status, citizenship or immigration status, health data, genetic or biometric data, children’s data, precise geolocation data, neural data, certain financial account information, and government-issued identification numbers.

The Act does not treat all cookies the same way. However, cookies that process sensitive data may require consent, and cookies used for targeted advertising, sale of personal data, or certain profiling activities must be covered by opt-out mechanisms. A cookie consent platform helps businesses provide transparency, manage preferences, and document consent and opt-outs.

The Vermont Attorney General enforces the Act. The law does not create a private right of action for consumers.

More information can be found in Vermont S.71 / Act 145 and future guidance from the Vermont Attorney General.

Disclaimer

The information provided on this page is for general reference purposes only and is not intended to constitute legal or regulatory advice. Data privacy regulations are complex and subject to frequent updates, interpretations, and jurisdictional variations. While efforts are made to keep the material accurate and up to date, we cannot guarantee its completeness or applicability to your specific circumstances.

For guidance on compliance or legal obligations, please consult qualified legal professionals or the appropriate regulatory authorities.