Data Privacy Regulations

Terms of Use

This summary of regulations is provided for information purposes only.
No action based on this summary alone should be undertaken.
Each individual or entity must obtain appropriate guidance for its specific circumstances.


Did You Know?

  • Comprehensive provisions for notifications and 45 day deadline
  • Limited methods of notification delivery
  • Report to VT Attorney General (w/in 14 days) or Dept. of Financial Reg., as applicable
  • Notify consumer reporting agencies if greater than 1,000 consumers
  • Data collectors are responsible for breach reporting and notifications
  • AG may investigate, prosecute, penalize, order restitution, etc. for violations
  • Laws also cover data protection and destruction
  • Other state, federal, industry regulations, and/or out-of-country laws may apply

Who Me?


Vermont breach and notification laws may apply if you:

  • Are a data collector that owns or licenses computerized data containing PII
  • Maintain or possess computerized data containing PII they do not own or license
  • Are a data collector that acts or conducts business in VT that maintains or possess computerized data containing PII they do not own or license 

 There are exemptions.

What is PII?


PII relevant to a breach in Vermont include a person's name plus one of the following:

  • Social Security Number
  • Driver license or identification number or non-driver identification card number
  • Financial account number or credit  or debit card number in combination any security code, access code or password, etc. permitting access to the person's account
  • Account passwords or personal identification numbers or other access codes for a financial account



A few of these laws include, but are not limited to:

Title 9 – Commerce and Trade

Chapter 62 - Protection of Personal Information, Subchapters 1 and 2

Chapter 63 – Consumer Protection, Subchapter 1


A few of these laws include, but are not limited to:

Title 9 – Commerce and Trade

Chapter 62 - Protection of Personal Information

Subchapter 3 - Social Security Number Protection

Subchapter 4 - Document Safe Destruction Act



The Attorney General and the State's Attorney (as designated through VT Dept. of State’s Attorneys and Sheriffs) have sole authority to investigate potential violations and to enforce, prosecute, obtain, and impose remedies under Title 9, Chapter 62 “Protection of Personal Information”, and under Chapter 63 “Consumer Protection” which stipulates they may bring an action in the name of the State, impose up to $10,000 in penalty for each violation, order restitution of cash or goods or reimbursement of state services, etc.



When considering reporting requirements, it would include, but not limited to:

  • The combination of personal information breached;
  • If the PII was, or may have been, acquired without valid authorization;
  • The combination of personal information breached;
  • If the data was computerized;
  • Whether the data was encrypted or secured;
  • If misuse of the PII is reasonably possible.


Notification with required information must be made to the Vermont Attorney General or to the Department of Financial Regulation, as appl., within 14 days. The notification may be delayed if law enforcement advises the covered entity, in writing, that it will interfere with an investigation for a specified period, otherwise must be made in the most expedient manner possible and without unreasonable delay, but within 45 days. Notification may be required to the consumer reporting agencies.


Requires detailed information and potential provision of services

Detailed information must be included in the notification. Delivery methods of the notifications are specific. A substitute notice, with specific requirements, may be sent if the business demonstrates that the cost will exceed $5,000 or the persons to be notified exceed 5,000, or they do not have sufficient contact information.

Contact the Privacy Experts at CSR