The Vermont Attorney General will enforce the statute. It applies to companies processing data on at least 35,000 Vermont residents or selling data of 3,000 residents. The law notably expands "sensitive data" to include neural data, gender-affirming health data, and reproductive or sexual health data. Vermont becomes the second state requiring companies to disclose whether they use personal data to train large language models.
The bill's passage follows a 2024 veto of a stronger privacy proposal by Governor Scott. This year's version represents a compromise. On the same day, Scott also signed H.211, which overhauls Vermont's data broker registration law—raising fees to $900, requiring surety bonds, and expanding compliance obligations. Consumer advocacy groups including Consumer Reports and EPIC praised the core rights but criticized weak definitions and inadequate enforcement compared to the 2024 proposal.
Attorneys should track this as part of the accelerating state-by-state privacy movement. The neural data and AI training disclosure provisions set a new regulatory benchmark likely to influence other states. The simultaneous strengthening of data broker rules creates a comprehensive framework covering both direct processing and secondary data trading—a gap in the national landscape. Companies with Vermont operations face a January 2028 deadline to audit data practices across both statutes.