Vermont Amends Its Data Broker Law: What Do You Need to Know?

By Odia Kagan on June 20, 2026

Table of Contents

  • Different Scope
  • New obligations
  • Expanded disclosure upon registration
  • Downstream obligations
  • Notice of Security Breaches
  • Registrations, fees and penalties
  • Takeaway

Last week, Governor Phil Scott signed Act 138, amending Vermont’s data broker law. The operative provisions go into effect January 1, 2027.

So what should companies be focusing on?

Different Scope

The law revises several core definitions that determine when companies fall in scope.

The most significant change is to “brokered personal information,” which now effectively covers all personal information, subject to a carve-out for publicly available data. Vermont has moved away from a narrow list of data elements and toward something closer to a general personal data framework. For most companies, that means more data is likely in scope.

At the same time, the definition of “direct relationship”, another key component of the definition of data broker activities, was revised and expanded to align with the very broad California definition. A direct relationship now requires intentional interaction by the consumer to access or request a service. Importantly, where such a relationship exists, a company can still be a data broker with respect to data collected outside that interaction and later sold.

This element has been a sticking point with the California DELETE Act. Many companies operate with a mix of first-party and third-party data. Under this model, having a customer relationship does not take all of your activity outside the law.

The statute also adds a new definition of “publicly available information.” This one generally aligns with the definitions in other data broker laws but specifically carves out obscene visual depictions, most genetic data and non-consensual intimate images (whether real or deepfake).

The law also revises the definition of “consumer”. It defines a consumer as an individual residing in this State, but does not include an individual acting in a commercial or employment context where their interactions with the data broker occur solely within that role. This is a different structure than other data broker laws, but it is not a broad B2B carve-out. It applies where a company is interacting directly with individuals in a business capacity. It does not apply where a data broker holds information about individuals with whom it has no interaction at all.

In practice, that means many typical data broker datasets, including information about third-party employees, will remain in scope.

Finally, the law aligns the definition of “sale” with other frameworks by adding familiar carve-outs for disclosures to processors, affiliates, to provide requested services, with consent, or in the context of corporate transactions.

New obligations

The new law adds several new obligations on data brokers. Key among them is a duty with respect to the recipients of the data, which we have not seen in data broker laws before but which is somewhat reminiscent of the requirements the FTC imposed on Kochava in its recent enforcement order.

Expanded disclosure upon registration

Data brokers will be required to disclose more information about the nature of the data collected; whether data has been shared in the past 12 months with foreign actors, government, law enforcement or developers of GenAI; and a link to a page that informs consumers of their rights.

Downstream obligations

Under the new law, data brokers are required to adopt a KYC-like duty (though not a full AML/KYC regime) with respect to the parties to whom they sell data. More specifically, data brokers are required to:

  • maintain procedures that require prospective users of the data broker’s brokered personal information to identify themselves, state the purposes for which the information is sought, and certify that the information shall be used for no other purpose;
  • make a reasonable effort to verify the identity of the prospective user of the information and review the user’s stated purposes for which the information is sought; and
  • refrain from disclosing brokered personal information to a prospective user if the data broker has reasonable grounds for believing that the information will be used to violate State or federal law or will not be used for the purposes stated by the user pursuant to this subsection.

For context, similar ideas have started to appear in enforcement. The FTC’s recent Kochava order imposed downstream accountability requirements tied to third-party use of data. Under that order, the FTC required data broker Kochava, within 30 days of discovering that a third party shared Kochava’s precise location data in violation of a contractual requirement, to report the incident to the FTC, including the date range, the types of information affected, the number of consumers impacted, and the remediation steps taken.

Notice of Security Breaches

The law also introduces an additional, data-broker-specific requirement to report data breaches, both to consumers and to the Attorney General, which operates alongside Vermont’s existing breach notification law.

Registrations, fees and penalties

In addition to obligations, the law also imposes new registration fees and higher penalties:

  • Registration fee raised from $100 to $900.
  • $20,000 surety bond required to the State.
  • Daily penalty for failure to register increased from $50/day (capped at $10k) to $200/day with no cap.
  • Daily penalty for failure to amend a data broker registration after having been notified by the regulator: $1,000/day.
  • Penalty for materially incorrect filings: $25,000.

Takeaway

If your activity falls under any of the existing data broker laws, you are likely to be in scope for the Vermont law as well. In addition to the extensive information security requirements already in place, as of January 1, 2027, companies will also need to provide expanded disclosures, implement additional data breach reporting processes, and establish procedures for identifying and vetting downstream recipients of personal data.

With the stakes now significantly higher ($200 per day for failure to register and $1,000 per day for failure to correct a deficient registration), companies would be well advised to review their Vermont data processing posture and make any necessary adjustments ahead of the effective date.

  • Posted in:
    Privacy and Cybersecurity
  • Blog:
    Privacy Compliance & Data Security
  • Organization:
    Fox Rothschild LLP