Vermont Enacts Comprehensive Privacy Law: What Auto Dealers Need to Know

On June 16, 2026, Vermont Governor Phil Scott signed Senate Bill S.71, the Vermont Data Privacy and Online Surveillance Act (VDPOSA), making Vermont the 23rd state to enact a comprehensive consumer privacy law. The law becomes effective January 1, 2028, providing businesses with time to evaluate their privacy programs and prepare for compliance.

While VDPOSA follows many of the concepts found in other state privacy laws, including consumer rights, controller and processor obligations, and data protection assessments, it contains several unique provisions that may require special attention from automotive retailers and other businesses operating in Vermont.

Who Must Comply?

Unlike many state privacy laws that focus primarily on larger organizations, Vermont adopts a relatively low applicability threshold. The law generally applies to businesses that conduct business in Vermont or target products or services to Vermont residents and, during the preceding calendar year:

  • Controlled or processed the personal data of at least 35,000 Vermont consumers (excluding data processed solely to complete a transaction);
  • Controlled or processed the sensitive data of at least 3,000 Vermont consumers (excluding data processed solely to complete a transaction); or
  • Offered the sale of the personal data of at least 3,000 Vermont consumers for monetary or other valuable consideration.

“Sale” of personal data is broadly defined as an exchange for monetary or other valuable consideration. Like many state privacy laws, VDPOSA contains both entity-level and data-level exemptions.

There is no entity-level exemption for GLBA entities, but there are data-level exemptions for:

  • Protected health information regulated by HIPAA;
  • Information subject to the Gramm-Leach-Bliley Act (GLBA);
  • Fair Credit Reporting Act (FCRA) regulated information;
  • Employment-related information; and
  • Certain other federally regulated data.

This distinction is particularly important for automotive retailers. Unlike some exempt entities, dealerships are not categorically excluded from the law simply because they engage in vehicle financing activities. Instead, the GLBA exemption generally applies narrowly to GLBA-covered information, not to all data collected by a dealership. As a result, information collected through dealership websites, marketing technologies, analytics tools, chat functions, digital retailing platforms, service and parts departments, and other non-GLBA contexts will be subject to the VDPOSA.

Most dealers will therefore be subject to the new law and should begin exploring ways to comply by the deadline.

Enhanced Privacy Notice Requirements

VDPOSA requires businesses to provide consumers with a clear and accessible privacy notice describing how personal information is collected, used, shared, and sold. Notably, the law requires businesses to disclose whether personal data is used to train or support large language models (LLMs) or other artificial intelligence systems. Vermont also requires businesses to notify consumers of material retroactive changes to their privacy practices and provide an opportunity to withdraw consent before previously collected data is used in a materially different manner.

Data Minimization and Purpose Limitation

VDPOSA adopts a strict data minimization standard. Businesses may collect and process only the personal data that is reasonably necessary and proportionate for disclosed purposes. Personal data may not be used for materially different purposes unless appropriate consent is obtained.

For dealerships, this requirement reinforces the importance of maintaining accurate data inventories and ensuring that data collected through websites, lead forms, digital retailing platforms, and marketing programs is used consistently with disclosed purposes.

Consumer Rights

Vermont residents receive a broad set of privacy rights, including the ability to:

  • Confirm whether a business is processing their personal data;
  • Access personal data and certain inferences derived from that data;
  • Correct inaccurate information;
  • Delete personal data;
  • Obtain a portable copy of personal data;
  • Opt out of:
    • Targeted advertising;
    • The sale of personal data; and
    • Profiling that produces legal or similarly significant effects;
  • Obtain information regarding profiling decisions;
  • Receive a list of third parties to whom personal data has been sold; and
  • Appeal the denial of a privacy rights request.

Businesses generally must respond to consumer requests within 45 days, with a possible 45-day extension when reasonably necessary.

Enforcement

The Vermont Attorney General has exclusive enforcement authority. Violations of VDPOSA constitute violations of the Vermont Consumer Protection Act and may result in enforcement actions by the Attorney General.

The law includes a temporary 60-day cure period from January 1, 2028, through June 30, 2029. After that date, businesses should not expect an automatic opportunity to cure violations before enforcement action is initiated.

What Dealers Should Do Now

Although the law does not take effect until 2028, dealerships should begin evaluating their privacy programs now, particularly in the areas of website tracking technologies, targeted advertising, consent management, vendor contracts, and consumer rights response processes.

As state privacy requirements continue to expand and become more complex, maintaining a comprehensive privacy compliance program remains one of the most effective ways for dealerships to reduce regulatory risk and instill consumer trust.

At ComplyAuto, this is what we do. We are the experts, and we will ensure that your dealership can comply with all of these complicated requirements. We automate the process for you and handle all the heavy lifting. ComplyAuto Privacy can help dealerships manage privacy notices, consumer requests, consent requirements, and evolving state privacy law obligations through a centralized compliance platform. Schedule a demo to learn more.
