What Vermont's New Privacy Law Means for Ecommerce Brands

Here's why Vermont matters even if it never applies to your business.

Privacy laws have been moving quickly this year. Vermont became the fourth state in 2026 to pass a comprehensive privacy law, joining Oklahoma, Alabama, and Louisiana.

At first glance, it's easy to dismiss Vermont as a small state with a limited customer base. But that's not really why this law matters.

The Vermont Data Privacy and Online Surveillance Act (VDPOSA) doesn't introduce many entirely new ideas. Instead, it pulls together many of the stricter requirements other states have added over the past few years, particularly Connecticut. That makes it less interesting as a standalone law and more useful as a preview of where state privacy laws are heading.

First, does it even apply to you?

Like every state privacy law, the VDPOSA only kicks in once you cross certain thresholds. You need to be doing business in Vermont and meet at least one of these in a year:

  • Process the personal data of 35,000 Vermont residents. Each unique Vermont website visitor likely counts, so this is about traffic as much as it is orders.
  • Process the sensitive data of 3,000 Vermont residents. This threshold is low enough that many ecommerce brands will meet it without realizing it. Sensitive data includes precise geolocation, health-related data, biometric data, and data from children under 13.
  • Offer the personal data of 3,000 Vermont residents "for sale in trade or commerce."

That last one is fuzzy, and Vermont didn't clarify it. "Sale" means exchanging personal data for money or "other valuable consideration," which, read broadly, can sweep in things like marketing co-ops, identity resolution vendors, and possibly even Google Analytics. The language appears aimed at data brokers, but the law doesn't explicitly say so.

One important distinction: the VDPOSA doesn't apply to employee data or B2B data. It's focused on consumer data.

The health data rules apply whether you hit those thresholds or not

This is the section most ecommerce brands should pay attention to. Unlike the rest of the law, Vermont's consumer health data rules apply to any business operating in or selling into the state, regardless of whether you meet the thresholds above.

And "health data" is broader than it sounds. It's any personal data used to identify someone's physical or mental health condition, diagnosis, or status. In practice, it reaches well beyond medical records, from workout data to shopping habits that suggest something specific, like buying patterns that imply a pregnancy.

If you sell supplements, beauty, wellness, fitness, or anything someone might buy for a health reason, assume this section is pointed at you.

Once you're processing consumer health data, Vermont requires you to:

  • Keep employees and contractors with access to consumer health data under a duty of confidentiality.
  • Share consumer health data only with processors whose contracts meet the law's requirements.
  • Not use geofencing within 1,850 feet of a healthcare facility to identify, track, collect data from, or send notifications related to someone's health data. This is especially relevant if you run location-based mobile campaigns.
  • Get consent before selling consumer health data.

For most ecommerce brands, the sale requirement is the one to pay attention to. If customer data flows into ad platforms or partners in a way that could count as a sale, and any of it could be interpreted as health-related, you'll likely need consent first.

If you have customers under 18

If you know, or should reasonably know, that a customer is under 18, you can't sell their data or use it for targeted advertising. There's no workaround built into the law. If your audience skews young, it's worth checking whether your pixels and audience settings still match those requirements.

If you use customer data to train AI

Following Connecticut's lead, Vermont requires businesses to disclose in their privacy notices whether they use consumers' personal data to train large language models. If you or one of your vendors uses customer data to train AI models, your privacy notice needs to say so.

Two more worth knowing

If you use profiling to make automated decisions that carry legal or similarly significant weight, such as decisions related to housing, lending, or education, you'll need a profiling impact assessment. It's separate from the data protection assessment most privacy laws already require, so it's an additional assessment rather than the same document under a different name.

Consumers can't sue businesses directly under the VDPOSA because it doesn't include a private right of action. However, lawmakers noted they left it out with the expectation that the attorney general would receive enough funding to enforce the law. If that doesn't happen, they've left the door open to add a private right of action later.

The bigger pattern

Here's why Vermont matters even if it never applies to your business. It's a snapshot of where state privacy laws are heading. Lower thresholds. Health data defined broadly enough to include ordinary shopping behavior. Stronger protections for minors. New disclosure requirements around AI. None of these ideas are unique to Vermont anymore. They keep showing up, state after state, and they keep getting stricter.

Most ecommerce teams don't struggle because they missed one new law. They struggle because privacy compliance doesn't stay finished. The business keeps changing, and privacy has to keep up.

Privacy requirements rarely change on their own. They move alongside your vendors, your tracking setup, and the way customer data flows through your stack. That's why gaps build quietly over time. A pixel gets added, an app connects to your store, a new audience gets built, and eventually your privacy notice and workflows no longer match how the business actually operates.

A new state law is a good reason to check where your privacy program has drifted. Review what you're collecting, where customer data goes, what might qualify as a sale, and whether your privacy notice still reflects how your business actually works today.

If you'd like help understanding how Vermont affects your privacy program, or where your privacy workflows may have drifted as your business has changed, we're here to help.

Disclaimer: This content is provided for general informational purposes only and does not constitute legal or other professional advice. Without limiting the foregoing, the content may not reflect recent developments in the law, may not be complete, and may not be accurate or relevant in an applicable jurisdiction. This content is not a substitute for obtaining legal advice from a qualified licensed attorney in the applicable jurisdiction. The content is general in nature and may not pertain to specific circumstances, so it should not be used to act or refrain from acting based on it without first obtaining advice from professional counsel qualified in the applicable subject matter and jurisdictions.