CIPA Litigation Prevention Guide

Understand why CIPA lawsuits are rising and how to minimize privacy risk on your website.

Thank you!
Please check your email to view the guide.

Vermont becomes 23rd state to pass a comprehensive consumer privacy law

July 2, 2026
5
 mins read
Robert Bateman
Robert Bateman
Senior Partner at Privacy Partnership law firm
Vermont passes privacy law

On June 16, 2026, Vermont became the 23rd US state to enact a comprehensive privacy law when Governor Phil Scott signed S.71 into law, alongside a separate data broker bill, H.211.

  • The law gives consumers the right to opt out of targeted advertising and the sale of personal data, requires controllers to honor opt-out preference signals (such as Global Privacy Control), and includes a specific disclosure requirement for the use of personal data in large language model training
  • The definition of "targeted advertising" covers cross-site behavioral advertising but explicitly excludes contextual ads, own-site or app activity, and ad measurement
  • Enforcement sits with the Attorney General only; there is no private right of action. The law takes effect on January 1, 2028, with an initial cure period running through June 30, 2029

What does the law do?

S.71 follows the Connecticut model that most recent state privacy laws have adopted. 

Consumers can access, correct, delete, and port their data. They can opt out of targeted advertising, the sale of personal data, and profiling that produces legal or similarly significant effects.

Controllers must get consent before processing sensitive data. Sensitive data includes: 

  • Health data
  • Precise geolocation
  • Biometric and genetic data
  • Data about minors
  • Neural data
  • Data revealing race, religion, sexual orientation, nonbinary or transgender status, citizenship, or immigration status

The law also creates standalone protections for consumer health data with no numerical processing threshold. 

It prohibits geofencing within 1,850 feet of a healthcare, mental health, or reproductive/sexual health facility for the purpose of identifying, tracking, or collecting health data from consumers. Selling consumer health data requires consent.

Why does this matter for advertising and adtech?

The “targeted advertising” definition is the key provision for digital advertising. 

It covers ads selected using personal data obtained or inferred from a consumer's activity over time and across nonaffiliated websites or apps

Contextual advertising, own-site/app activity, responses to consumer requests, and processing solely for ad frequency, performance, or reach measurement are all excluded. That carve-out means contextual ads and measurement are not "targeted advertising", but cross-site behavioral targeting is squarely in scope.

Controllers must support opt-out preference signals (like GPC) sent via a platform, technology, or mechanism chosen by the consumer. If a signal conflicts with a controller-specific setting or loyalty program, the controller must comply with the signal but may notify the consumer and offer a choice.

What else should privacy teams know?

Privacy notices must include a statement disclosing whether the controller collects, uses, or sells personal data for training large language models. This is a specific AI transparency obligation embedded in a general state privacy law, and it is a first among US state privacy statutes.

Data protection assessments are required for: 

  • Targeted advertising
  • The sale of personal data
  • Processing sensitive data 
  • Profiling that produces legal or similarly significant effects

Profiling assessments must cover purpose, risks, mitigations, input and output categories, performance metrics, and post-deployment monitoring.

Privado AI's agentic privacy platform automates multi-state compliance by mapping data flows, maintaining a RoPA, and tracking where each state's rules on targeted advertising, sale opt-outs, sensitive data, and opt-out preference signals diverge.

Industry insights you won’t delete. Delivered to your inbox.

Get regular updates from Privado AI

Request free website audit

Request Privado AI demo

Robert Bateman
Robert Bateman
Senior Partner at Privacy Partnership law firm

Get regular updates from Privado AI

Request free website audit

Request Privado AI demo

Continue Reading