On May 29, 2026, the Vermont legislature passed S.71, the Vermont Data Privacy and Online Surveillance Act, and sent it to Governor Phil Scott for signature. The vote closes a multi-year effort that began when Scott vetoed an earlier, more aggressive privacy bill in 2024 — a veto driven largely by concerns over a private right of action that the business community warned would invite litigation. S.71 is the legislature’s second serious attempt in three years, and this version arrived rebalanced to survive the governor’s desk.

If signed, Vermont becomes the twentieth U.S. state with a comprehensive consumer privacy law. For compliance teams that have spent the past four years building multi-state privacy programs, the headline question is whether Vermont adds genuinely new obligations or simply extends an existing playbook to another jurisdiction. The answer is some of both. Much of S.71 tracks the now-familiar Connecticut-derived model. But its online-surveillance provisions and its data-minimization posture reflect a more protective drafting philosophy that deserves attention.

What S.71 Does

At its core, S.71 establishes the rights and obligations that now define the American state privacy baseline. Vermont consumers gain the right to access the personal data a controller holds about them, to correct inaccuracies, to delete their data in most circumstances, to obtain a portable copy, and to opt out of three specific processing activities: targeted advertising, the sale of personal data, and certain profiling that produces legal or similarly significant effects.

Controllers must honor universal opt-out mechanisms — browser-level signals such as Global Privacy Control — so that a consumer can express a single opt-out preference without navigating each company’s settings individually. This requirement has become standard in newer state laws, and any program already configured for Colorado, Connecticut, or California’s GPC obligations will be most of the way to compliance here.

The law applies to entities that conduct business in Vermont or target Vermont residents and that meet defined processing thresholds tied to the number of consumers whose data they control or process. As with peer statutes, the thresholds are designed to capture meaningful data operations while exempting the smallest businesses, and they include a lower trigger where the sale of personal data is involved.

Where Vermont Diverges From the Standard Model

Three features distinguish S.71 from the median state privacy law and warrant specific review.

Online surveillance and data minimization. The statute’s title is not incidental. S.71 frames itself around limiting online surveillance, and it carries a data-minimization orientation that pushes controllers to tie collection and processing to what is reasonably necessary for the specific purposes disclosed to the consumer. This echoes the theory California advanced in its landmark enforcement action against General Motors earlier this month, where the state secured a $12.75 million settlement built explicitly on data-minimization principles rather than a simple notice failure. The regulatory center of gravity is shifting from “did you disclose it” to “did you actually need it,” and Vermont’s framing aligns with that trajectory.

Sensitive data and consent. Like its peers, S.71 requires opt-in consent before processing sensitive categories of personal data — information revealing health conditions, precise geolocation, racial or ethnic origin, sexual orientation, immigration status, and similar categories. Compliance teams should confirm that consent flows, not merely opt-out flows, are in place for these data types, because the failure mode here is structurally different: there is no cure for processing sensitive data you never had permission to touch.

Minors and targeted advertising. S.71 includes heightened protections for the data of known minors, restricting targeted advertising and data sales involving consumers the controller knows to be under a specified age. This continues the national trend, visible in the recent New York Safe by Design Act and Connecticut’s SB 4 amendments, of layering child-specific obligations on top of the general framework. Organizations that serve mixed-age audiences should revisit age-signal handling and the downstream advertising logic that consumes it.

Enforcement Architecture

S.71 is enforced by the Vermont Attorney General. Consistent with the compromise that made passage possible, the bill does not carry the broad private right of action that doomed the 2024 effort. This is the single most important structural fact for risk modeling: enforcement risk flows through a state regulator with finite resources and a cure-and-notice posture, not through the plaintiffs’ bar.

That distinction matters, but it should not breed complacency. The pattern across the state-privacy landscape in 2026 has been one of intensifying public enforcement. The California Privacy Protection Agency set a record in February 2026 with a $2.75 million settlement against a streaming service for opt-out failures, and Texas, Connecticut, and California attorneys general have all signaled that the early grace period is over. A right-sized AG enforcement regime in a small state is still an enforcement regime, and the conduct it targets — broken opt-outs, undisclosed sales, retention without purpose — is precisely the conduct that automated tools and consumer complaints surface most readily.

The Effective Date and the Compliance Runway

S.71’s obligations take effect on a delayed timeline, giving controllers a meaningful runway before enforcement begins. That runway is an asset, not a reason to defer. The work that actually consumes calendar time — mapping data flows, standing up consent management for sensitive categories, wiring universal opt-out signals into ad-tech and analytics, and rationalizing retention schedules — is the same work every recent state law demands. Teams that treat Vermont as a discrete project will overspend; teams that fold it into a harmonized, highest-common-denominator program will absorb it at the margin.

What To Do Now

For organizations already operating a mature multi-state privacy program, Vermont is an incremental extension. The practical checklist is short but specific:

  • Confirm Vermont scoping. Determine whether your processing volumes cross S.71’s thresholds for Vermont residents. Do not assume a small state means a small obligation — the sale-of-data trigger is lower than the general one.
  • Audit data minimization, not just notice. Re-examine whether the data you collect maps to a stated, necessary purpose. The GM settlement and S.71’s surveillance framing both signal that excess collection is now an independent liability, separate from any disclosure defect.
  • Verify universal opt-out handling. Ensure GPC and equivalent browser signals are honored end-to-end, including in downstream advertising and measurement pipelines where opt-outs are most often dropped.
  • Pressure-test sensitive-data consent. Confirm opt-in consent exists for health, precise geolocation, and other sensitive categories — and that the consent record is auditable.
  • Revisit minor-data logic. Review how age is detected and how that signal restricts targeted advertising and sales for known minors.
  • Update your privacy notice and data-subject-request workflow to reflect Vermont residents and the law’s specific rights.

The Bigger Picture

Vermont’s passage of S.71 underscores a reality compliance teams have been managing for years: in the continued absence of a federal comprehensive privacy law, the states are filling the vacuum one statute at a time, and the newer entrants are drafting toward a more protective standard than the early movers. The proposed federal SECURE Data Act, with its sweeping preemption provision, would in theory collapse this patchwork — but it remains a discussion draft, and Vermont’s legislature did not wait for it.

The operational lesson is the one this site has returned to repeatedly: build to the most protective standard, harmonize across jurisdictions, and treat each new state law as a confirmation of the trajectory rather than a surprise. Vermont does not change the direction of travel. It confirms it.

This article is provided for informational purposes only and does not constitute legal advice.