Practice Intelligence
current as of Jun 26, 2026
Olender Feldman LLP

Practice: Data Privacy

Vermont Data Privacy and Online Surveillance Act (S.71) — 23rd State Comprehensive Privacy Law

us-vt Jan 1, 2028 Tracker lead

What just shifted

What this adds: Vermont's VDPOSA creates a comprehensive consumer privacy regime effective January 1, 2028 — the 23rd state to enact one — and adds two provisions not found in any prior state law: an explicit requirement to disclose when personal data is being used to train large language models, and a conflict-of-laws rule that defaults to whichever regulation provides the greatest privacy protection.

What this puts in question: Whether your data practices — and particularly any AI or LLM training pipelines that process personal data — can be disclosed to Vermont residents as required, and whether your privacy notice infrastructure can flag LLM-training use cases as a separate data-processing purpose by January 2028.

What clients should weigh

· If you process personal data of 35,000 or more Vermont residents — even incidentally, through a SaaS product or data analytics service — does your legal team know you are covered? Vermont's thresholds are lower than many states, and the law takes effect in January 2028.
· The LLM-training disclosure requirement is the provision most likely to create a compliance gap you don't know you have: if any vendor or internal team is using customer or user data to fine-tune a model, that purpose must be disclosed to Vermont residents. Is your current privacy notice capable of making that disclosure?
· Vermont's conflict-of-laws rule — apply whichever regulation gives the most protection — is an enforcement posture signal, not just a drafting choice. It suggests Vermont AG enforcement will lean toward the consumer on ambiguous compliance questions. How does your privacy compliance program account for jurisdictions that take that posture?
· This addresses the Vermont VDPOSA. It does not reach the Vermont data broker amendments (H.211, also signed June 16, 2026), which impose separate registration and breach notification obligations on data brokers specifically.

Ready to use

To-be-edited before sending to a client.

Client alert

Watch item — no client alert until confirmed operative.

Blog post

Watch item — no blog post until confirmed operative.