New Privacy Law Brings Additional Health Data Protections

June 24, 2026

Vermont’s new privacy law comes with broad consumer health data requirements

By Paul Rothermel

New Vermont Privacy Law Puts Health Data at the Forefront

Vermont’s new privacy law adds another layer of regulation for health-related data that may fall outside HIPAA. Effective January 1, 2028, the Vermont Data Privacy and Online Surveillance Act (“VDPOSA”) will require covered businesses to provide privacy notices, honor consumer rights, limit unnecessary data collection, protect personal data, complete assessments for higher-risk processing, and impose contractual requirements on processors. For companies in the FDA-regulated space, a notable feature is the law’s separate treatment of consumer health data, which may reach common commercial and digital activities such as product websites, mobile apps, patient support programs, and connected-device tools.

Who does the VDPOSA apply to?

The VDPOSA generally applies to businesses that conduct business in Vermont or target products or services to Vermont residents and meet one of three thresholds: processing personal data of at least 35,000 Vermont consumers, processing sensitive data of at least 3,000 Vermont consumers, or selling personal data of at least 3,000 Vermont consumers in the preceding calendar year. The consumer health data provisions are particularly important for FDA-regulated companies because they are not tied to the numerical thresholds and may apply to any person doing business in Vermont or targeting Vermont residents with products or services.

What are the key requirements relevant to FDA-regulated companies?

The VDPOSA should be viewed as part of the broader state-law trend addressing health-related information that sits outside the Health Insurance Portability and Accountability Act (“HIPAA”). It requires privacy notices, consumer rights processes, consent for sensitive-data processing, data minimization, reasonable security safeguards, processor contracts, opt-out mechanisms, and data protection assessments for higher-risk processing. In practice, those obligations may arise in connection with product education sites, digital health tools, patient support programs, reimbursement support, adverse event intake, post-market surveillance, targeted advertising, analytics, profiling, or AI-related uses of personal data.

How is the VDPOSA enforced?

The Vermont Attorney General has exclusive enforcement authority. The law does not include a private right of action, but violations may still create meaningful regulatory risk, especially where the same conduct also raises FTC, HIPAA, state consumer protection, cybersecurity, or advertising concerns. The temporary cure period is also scheduled to sunset after the initial implementation period, so companies should not treat post-notice remediation as a long-term strategy.

What practical steps should FDA-regulated companies take?

Companies should start by identifying where consumer health data or other relevant personal data are collected and how that data is used and disclosed. They should then evaluate existing privacy notices, consent flows, opt-out mechanisms, vendor agreements, and data protection assessment processes against the VDPOSA. Common sources of personal data include website analytics, consumer interest forms, symptom questionnaires, connected-device telemetry, and other data that may reveal or suggest a consumer’s health status, treatment interests, or use of an FDA-regulated product.

Key Takeaways for FDA-Regulated Companies

The VDPOSA takes a different approach to protecting consumer data than Washington’s My Health My Data Act, but the two laws address a similar concern: health-related data collected outside HIPAA can be highly sensitive and may need special notice, consent, and governance controls. Washington’s law is more directly focused on consumer health data, including health data privacy notices, consent for certain sharing, and location-based restrictions near health care facilities. Vermont uses a different model by placing consumer health data protections inside a broader comprehensive privacy law, while also using a sensitive-data threshold and applying its consumer health data provisions without the general numerical thresholds.

The HIPAA interaction is important. While HIPAA-covered entities, business associates, and protected health information regulated by HIPAA may be exempt in many cases, it is also critical to note that HIPAA compliance does not by itself satisfy VDPOSA obligations. Health-related data collected directly through consumer-facing digital tools, product websites, advertising technologies, connected-device ecosystems, or patient engagement programs is likely to fall outside HIPAA, instead qualifying as consumer health data or sensitive data under state privacy laws.

The practical point is that HIPAA status does not end the analysis. Vermont’s law, like Washington’s My Health My Data Act, requires companies to look closely at health-related data collected through consumer-facing and digital channels that may sit outside traditional PHI workflows.

Paul Rothermel, Managing Attorney

How Gardner Law Can Help

Gardner Law helps FDA-regulated companies assess how new state privacy laws apply to their products, data flows, and commercialization activities. We can assist with VDPOSA and Washington My Health My Data applicability assessments, HIPAA and non-HIPAA data flow reviews, privacy notice updates, consent and opt-out workflows, vendor contracting, data protection assessments, and practical compliance roadmaps for medical device, pharmaceutical, biotechnology, and digital health companies.