The concerns over protecting users’ data and privacy have become increasingly critical in today’s digital era. Many states across the US have enacted comprehensive data protection and privacy laws to govern the collection, processing, sharing, and selling of users’ data while granting users more rights and control over their data. However, Vermont has not yet enacted a comprehensive consumer data privacy statute. To stay updated on new state developments, visit our US State Privacy Laws Tracker.
However, even in the absence of a comprehensive data privacy legal framework in Vermont, businesses operating in the state must abide by several sectoral and topic-specific privacy laws while maintaining strict privacy operations. This ensures compliance with existing state and federal laws while also leaving the business well positioned to adapt to future changes in the privacy landscape.
The following guide provides an overview of the state’s current data protection laws and the primary considerations for businesses.
The Current State of Vermont Data Protection Laws
Vermont has a well-developed framework of targeted privacy and security laws:
- Security Breach Notice Act (9 V.S.A. § 2435): Businesses must notify affected consumers of a data breach “in the most expedient time possible and without unreasonable delay,” and no later than 45 days after discovery, with required notice to the Attorney General or Department of Financial Regulation generally within 14 business days. If more than 1,000 consumers are notified, consumer reporting agencies must also be informed.
- Document Safe Destruction Act (9 V.S.A. § 2445): Businesses must take reasonable measures (e.g., shredding, erasure) to securely dispose of documents containing personal information to prevent unauthorized access or use.
- Insurance Data Security Law (8 V.S.A. § 4728): Insurance “licensees” must implement a comprehensive information security program, conduct risk assessments, oversee third parties, and investigate cybersecurity events, aligning Vermont with the National Association of Insurance Commissioners (NAIC) Model 668 framework.
- General Consumer Protection (9 V.S.A. § 2453): Many violations of Chapter 62 (Protection of Personal Information) are expressly deemed unfair or deceptive acts under Vermont’s Consumer Protection Act, enabling enforcement by the Attorney General.
Applicable Federal Laws
As in every state, organizations handling regulated data must also comply with applicable federal laws, including the Health Insurance Portability and Accountability Act (HIPAA), Children's Online Privacy Protection Act (COPPA), Gramm-Leach-Bliley Act (GLBA), and Family Educational Rights and Privacy Act (FERPA).
Best Practices for Businesses
Businesses operating in Vermont are encouraged to implement certain measures to ensure that the security of their consumers’ personal data remains a top priority. Some best practices that businesses should consider are as follows:
- Data mapping automation to visualize data flows, lineage, and processing purposes, and to ensure adherence to breach response timelines.
- Implementing a risk-based security program that ensures technical, physical, and administrative safeguards.
- Adopting a privacy-by-design approach to minimize collection, limit usage, and avoid secondary uses.
- Strengthening breach readiness through incident playbooks, detection and response SLAs, notification templates for the Attorney General and the Department of Financial Regulation, and notification workflows for consumer reporting agencies.
- Operationalizing practices that ensure secure disposal of records containing personal information and verifying vendor destruction practices.
Conclusion
Although Vermont currently has no comprehensive consumer privacy law, its breach notification, safe destruction, and insurance data security statutes create meaningful obligations. By implementing robust privacy governance and security controls now, organizations can comply with Vermont’s existing framework and be well-prepared for any future comprehensive law.