Wooden judges gavel resting on its sound block on a desk

TL;DR: Vermont’s legislature passed S.71 on May 26, 2026, creating the state’s first comprehensive data privacy law. The standout provision: a ban on geofencing within 1,850 feet of any health facility, meaning data brokers and ad networks can’t track who walks into a clinic, hospital, or rehab center. The law also requires companies to honor Global Privacy Control browser signals, limits data collection to what’s “reasonably necessary,” and covers sensitive categories including biometrics, precise geolocation, and health data. Most provisions take effect January 1, 2028. But on June 3, the House Energy & Commerce Committee holds its first hearing on the SECURE Data Act, a federal bill that would preempt every state privacy law, including this one.

Two Years to Get Here

Vermont tried this before. In June 2024, Governor Phil Scott vetoed H.121, a sweeping privacy bill that would have made Vermont the first state to give residents the right to sue companies for privacy violations, a private right of action [1]. The House overrode Scott’s veto 128-17. The Senate voted 14-15, six votes short of the 20 needed for a two-thirds override [2].

The kill shot? Scott objected to the private right of action, calling it too risky for Vermont businesses. He wanted Connecticut’s model instead: the Attorney General enforces, consumers don’t sue [1].

So the legislature gave him what he wanted. Senator Robert Plunkett stripped the private right of action from S.71. The bill passed the Senate 29-0 in March 2025, sat in the House Commerce Committee through 2025, and finally cleared the House 129-3 on May 26, 2026 [3]. The Senate concurred with House amendments the same day.

Consumer Reports analyst Matt Schwartz called the final version a product of “the brute power of the Big Tech lobby” [4]. The Vermont Chamber of Commerce said it “strikes the right balance.” The truth is somewhere uglier: Vermont got a privacy law by surrendering the one provision that would have given it real teeth.

The Geofencing Ban: Why It Matters

The strongest provision in S.71 has nothing to do with browser settings or opt-out buttons. It’s the health data geofencing ban.

Under S.71, no one can deploy a geofence within 1,850 feet of any healthcare facility to identify, track, collect data from, or send notifications to a consumer about their health data [5]. The definition of “geofence” is broad: GPS coordinates, cell tower connectivity, cellular data, RFID, WiFi, or any combination of location-detection technologies.

Why 1,850 feet? That’s roughly a third of a mile. Far enough that someone driving past a clinic won’t trigger the fence. Close enough that anyone entering the parking lot, walking through the doors, or sitting in the waiting room is protected.

This isn’t theoretical. After Dobbs v. Jackson Women’s Health Organization in 2022, location data brokers were caught selling visit logs from reproductive health clinics. Anti-abortion groups purchased geofence-targeted ads aimed at people inside abortion clinics [6]. Data brokers offered bulk location histories showing which phones had visited Planned Parenthood locations across multiple states.

Vermont’s ban doesn’t just cover reproductive health. It covers every healthcare facility: mental health clinics, addiction treatment centers, HIV testing sites, oncology practices. And unlike the general privacy provisions, the health data section has no business-size threshold. It applies to any person or entity that conducts business in Vermont or targets Vermont residents [5].

What Else S.71 Does

The rest of the law follows a familiar template (Vermont is now the 23rd state with a comprehensive privacy law) but a few provisions stand out:

  • Global Privacy Control: Companies must honor opt-out signals sent through browser extensions and privacy settings like GPC. No more burying the opt-out three menus deep [4].
  • Data minimization: Businesses can only collect data that’s “reasonably necessary” for the purpose they disclosed. Hoovering up everything because you might use it later doesn’t qualify [3].
  • Sensitive data consent: Explicit consent required before processing race, religion, sexual orientation, health conditions, biometrics, or precise geolocation (defined as within a 1,750-foot radius) [4].
  • Consumer rights: Access, correct, delete, and obtain copies of personal data. Opt out of targeted advertising, data sales, and automated profiling [3].
  • Targeted ad opt-out: Consumers can reject ads based on cross-site behavioral tracking. Contextual ads (ads matched to the page you’re reading, not your browsing history) are still allowed [4].

The law applies to businesses that process data of at least 35,000 Vermont consumers, handle sensitive data on 3,000 or more consumers, or sell data on 3,000 or more consumers [3].

The Enforcement Problem

Here’s what Vermont gave up to get this law past the governor’s desk: you can’t sue.

The AG’s office is the sole enforcer. There’s a 60-day cure period (sunsets June 30, 2029) during which businesses that violate the law get a chance to fix the problem before facing penalties [3]. A small state AG office with limited staff and budget is supposed to police every data broker, ad network, and tech company doing business in Vermont.

For comparison: California’s CCPA started with AG-only enforcement and immediately ran into capacity problems. California had to create an entirely new agency (the California Privacy Protection Agency, with a $10 million budget) just to keep up. Vermont’s AG office doesn’t have that kind of funding.

The original H.121 would have let Vermonters take companies to court themselves. That’s 640,000 potential enforcers instead of one understaffed office. Scott killed it. Now the question is whether the AG can make the law mean anything on its own.

The Federal Threat: June 3

Two days from now, the House Energy & Commerce Subcommittee holds its first hearing on the SECURE Data Act (HR 8413). If that bill becomes law, Vermont’s geofencing ban, its Global Privacy Control requirement, its health data protections: all of it gets preempted by a single federal standard [7].

The SECURE Data Act’s preemption language is broad. It wouldn’t just override Vermont. It would override California’s CCPA, Illinois’s BIPA, and every other state privacy law on the books. The EFF called it “not a serious piece of privacy legislation” [7].

Vermont’s timing is brutal. The legislature spent two years negotiating, compromising, and stripping provisions to get S.71 past a skeptical governor. The law takes effect January 1, 2028. And Congress might erase it before Vermonters ever get to use it.

This is the core tension in American privacy law right now. States are building protections one by one, 22 and counting. Congress wants to replace all of them with a single, weaker standard. The geofencing ban is the perfect example: it exists because Vermont legislators responded to a specific, documented threat to their residents. A federal one-size-fits-all law wouldn’t have that provision. The people who sell location data from clinic parking lots would keep selling it.

What You Can Do

  • If you’re in Vermont: S.71 takes effect January 1, 2028. Once it does, you can opt out of targeted advertising, request data deletion, and exercise your privacy rights with any covered business. Install Global Privacy Control in your browser now. Companies will be legally required to honor it once the law kicks in.
  • If you’re not in Vermont: Check whether your state has a comprehensive privacy law. 22 states now do. If yours doesn’t, contact your state representative. Vermont’s path shows it can take two years and a veto, but it can happen.
  • Either way: Watch the June 3 SECURE Data Act hearing. If federal preemption passes, none of these state laws matter. The EFF has a call-to-action page. Use it.

Sources

  1. StateScoop: “Vermont Gov. Phil Scott Vetoes Intensive Data Privacy Bill, Citing High ‘Level of Risk’” (June 2024)
  2. EPIC: “Vermont Senate Fails to Override Vermont Data Privacy Act Veto” (June 2024)
  3. Vermont Business Magazine: “Legislature Passes Data Privacy Bill, S.71” (May 27, 2026)
  4. MediaPost: “Vermont Passes Opt-Out Privacy Bill” (June 1, 2026)
  5. Vermont Legislature: “Bill Status S.71” (2026)
  6. IAPP: “Why the Vermont Veto Is a Step Backward for Privacy” (2024)
  7. IAPP: “SECURE Data Act Analysis of the New Federal Privacy Bill” (2026)