The Vermont House of Representatives has approved an amended version of Senate Bill 71, a comprehensive consumer privacy bill that could make Vermont the latest state to enact a broad privacy law if signed by Gov. Phil Scott.
The bill, titled “An act relating to consumer data privacy and online surveillance,” would create Vermont’s first comprehensive consumer privacy framework. The House approved its amendment by a wide margin, and the legislation now moves through the final stage of the process before potentially becoming law.
The amended version reflects a significant compromise from prior Vermont privacy proposals. Most notably, lawmakers removed the private right of action provision, included nonprofits within the scope of the bill, aligned certain definitions with Vermont’s Age-Appropriate Design Code Act, and added rights related to automated decision-making technology systems. The enforcement date is set for Jan. 1, 2028.
What Changed in the Amended Vermont Privacy Bill
Vermont has been one of the most closely watched states in the privacy law debate. In 2024, Gov. Phil Scott vetoed a prior comprehensive privacy bill, citing concerns over its private right of action and potential impact on businesses. The latest version of S.71 appears designed to preserve strong consumer privacy protections while reducing some of the litigation concerns that complicated the earlier bill.
The removal of the private right of action is the most commercially significant change. A private right of action would have allowed consumers to sue directly for certain violations. Without it, enforcement would likely remain primarily in the hands of state regulators. For businesses, that reduces class-action exposure, although it does not eliminate regulatory risk.
The bill also includes nonprofits within its scope. That is important because many state privacy laws exclude nonprofits or treat them differently. Vermont’s inclusion of nonprofits would broaden compliance obligations beyond traditional for-profit companies and could affect charities, associations, advocacy organizations, educational groups and other mission-driven entities that collect consumer data.
Another notable change is the alignment of key definitions with the state’s Age-Appropriate Design Code Act. That signals Vermont’s continued focus on children’s privacy, youth data protection and online design practices affecting minors.
Automated Decision-Making Rights Stand Out
One of the more forward-looking features of the amended bill is its treatment of automated decision-making technology. The bill would give consumers the ability to question decisions rendered by automated decision-making systems.
That provision reflects a broader national and international trend. Privacy laws are increasingly moving beyond basic notice-and-choice requirements and into algorithmic accountability. Regulators are asking whether consumers can understand, challenge or seek review of important decisions made by automated systems.
For businesses, this matters because automated decision-making is no longer limited to large technology companies. Companies use automated tools for advertising, fraud detection, employment screening, pricing, eligibility, personalization, lending, insurance, customer support and risk scoring. A consumer right to question automated decisions may require new workflows, documentation, human review procedures and vendor oversight.
Why the Jan. 1, 2028 Enforcement Date Matters
The amended bill’s Jan. 1, 2028 enforcement date gives businesses time to prepare, but companies should not treat that timeline as a reason to wait. Privacy compliance programs often take longer to operationalize than executives expect.
Businesses may need to update privacy notices, map data flows, classify sensitive data, review vendor contracts, build consumer rights workflows, evaluate targeted advertising practices, assess automated decision-making systems, and implement consent and opt-out mechanisms. Nonprofits that have not previously been subject to comprehensive state privacy laws may need even more lead time.
The long runway also creates an opportunity. Companies operating nationally can use the Vermont bill as part of a broader state privacy compliance roadmap rather than treating Vermont as a one-off jurisdiction.
What Businesses Should Do Now
If S.71 is signed into law, Vermont will join the growing list of states with comprehensive consumer privacy requirements. Companies should begin by determining whether they fall within the bill’s scope and whether they process Vermont consumer data.
Practical preparation steps include reviewing consumer data collection practices, identifying sensitive data, documenting data-sharing with vendors, evaluating targeted advertising and profiling activities, and assessing whether automated decision-making tools affect consumers in ways that may trigger explanation or review obligations.
Companies should also review their website tracking practices. State privacy laws increasingly focus on targeted advertising, opt-out rights, consent for sensitive data and universal opt-out mechanisms. A business that does not know which cookies, pixels, scripts and tracking vendors operate on its website will struggle to comply with modern privacy laws.
Vermont Privacy Bill
The amended Vermont privacy bill shows the direction of state privacy law: broader coverage, more attention to children’s data, stronger scrutiny of automated decisions, and continued pressure on companies to explain how they collect, use and share personal information.
Even without a private right of action, businesses should take the bill seriously. Regulatory enforcement, consumer complaints, attorney general scrutiny and reputational risk can still create meaningful exposure.
Captain Compliance helps businesses prepare for evolving state privacy laws by supporting website scanning, consent management, privacy notice automation, opt-out workflows and documentation of data practices across jurisdictions.
