

On June 16, 2026, Vermont became the 23rd US state to enact a comprehensive privacy law when Governor Phil Scott signed S.71 into law, alongside a separate data broker bill, H.211.
S.71 follows the Connecticut model that most recent state privacy laws have adopted.
Consumers can access, correct, delete, and port their data. They can opt out of targeted advertising, the sale of personal data, and profiling that produces legal or similarly significant effects.
Controllers must get consent before processing sensitive data. Sensitive data includes:
The law also creates standalone protections for consumer health data with no numerical processing threshold.
It prohibits geofencing within 1,850 feet of a healthcare, mental health, or reproductive/sexual health facility for the purpose of identifying, tracking, or collecting health data from consumers. Selling consumer health data requires consent.
The “targeted advertising” definition is the key provision for digital advertising.
It covers ads selected using personal data obtained or inferred from a consumer's activity over time and across nonaffiliated websites or apps.
Contextual advertising, own-site/app activity, responses to consumer requests, and processing solely for ad frequency, performance, or reach measurement are all excluded. That carve-out means contextual ads and measurement are not "targeted advertising", but cross-site behavioral targeting is squarely in scope.
Controllers must support opt-out preference signals (like GPC) sent via a platform, technology, or mechanism chosen by the consumer. If a signal conflicts with a controller-specific setting or loyalty program, the controller must comply with the signal but may notify the consumer and offer a choice.
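The signal-precedence rule and the targeted-advertising carve-out described above can be sketched as server-side logic. This is an added example, not code from the statute or from any vendor. It assumes GPC arrives as the `Sec-GPC: 1` request header and that the signal opts the consumer out of both targeted advertising and sale; the purpose labels, `storedChoice` values and function names are hypothetical.

```javascript
// Purposes the page lists as outside "targeted advertising" (hypothetical labels).
const EXCLUDED_PURPOSES = new Set([
  'contextual_ad',
  'first_party_activity',
  'consumer_request',
  'ad_measurement', // frequency, performance, or reach only
]);

// Sec-GPC is the request header from the Global Privacy Control proposal;
// "1" is the only meaningful value. Keys are lowercased, as Node delivers them.
function hasGpcSignal(headers) {
  const raw = headers['sec-gpc'];
  const value = Array.isArray(raw) ? raw[0] : raw;
  return typeof value === 'string' && value.trim() === '1';
}

// storedChoice: 'opt_in' | 'opt_out' | null. This is the controller-specific
// setting, for example a loyalty-program consent (hypothetical field).
function resolveOptOut(headers, storedChoice) {
  const gpc = hasGpcSignal(headers);
  return {
    optedOut: gpc || storedChoice === 'opt_out',
    source: gpc ? 'gpc' : storedChoice === 'opt_out' ? 'account' : 'none',
    // The signal wins over a conflicting stored opt-in. The controller may
    // notify the consumer and offer a choice, so expose the conflict to the UI.
    notifyConflict: gpc && storedChoice === 'opt_in',
  };
}

// Gate a processing purpose. Anything not on the excluded list (for example
// 'cross_site_targeting' or 'sale') is treated as in scope of the opt-out.
function mayProcess(purpose, decision) {
  return EXCLUDED_PURPOSES.has(purpose) || !decision.optedOut;
}

// Constructed sample: a loyalty member who opted in, browsing with GPC enabled.
const decision = resolveOptOut({ 'sec-gpc': '1' }, 'opt_in');
console.log(decision);
console.log('cross-site targeting allowed:', mayProcess('cross_site_targeting', decision));
console.log('contextual ad allowed:', mayProcess('contextual_ad', decision));
```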
Privacy notices must include a statement disclosing whether the controller collects, uses, or sells personal data for training large language models. This is a specific AI transparency obligation embedded in a general state privacy law, and it is a first among US state privacy statutes.
Data protection assessments are required for:
Profiling assessments must cover purpose, risks, mitigations, input and output categories, performance metrics, and post-deployment monitoring.
Privado AI's agentic privacy platform automates multi-state compliance by mapping data flows, maintaining a RoPA, and tracking where each state's rules on targeted advertising, sale opt-outs, sensitive data, and opt-out preference signals diverge.