U.S. privacy patchwork keeps expanding
- Katarzyna Celińska

- 16 hours ago
- 2 min read
I have written before about the growing legal patchwork around AI.
The same is happening in privacy, in the U.S. and globally.
✅ Vermont has now become the 23rd U.S. state to enact a comprehensive consumer privacy law. Governor Phil Scott signed the Vermont Data Privacy and Online Surveillance Act on 16 June 2026, and the law will enter into force on 1 January 2028. Vermont also adopted a data broker registration law and a separate genetic data privacy law.

✅ The U.S. still does not have one federal, comprehensive privacy law equivalent to the GDPR. Instead, organizations face a growing number of state-level privacy laws, each with its own scope, thresholds, definitions, opt-out rules, sensitive data requirements, enforcement mechanisms and implementation timelines.
✅ The new law applies to controllers or processors handling the personal data of more than 35,000 Vermont residents, processing the sensitive personal data of at least 3,000 residents, or selling the personal data of at least 3,000 residents.
The law also requires organizations to respect opt-out preference signals and authorized agent requests. An interesting AI-related element is that privacy notices must disclose whether a controller collects, uses or sells personal data to train large language models.
We should be careful with headlines such as “Vermont is the 23rd state to regulate privacy.” That is true only if we mean comprehensive consumer privacy laws. In reality, there are many more state-level privacy-related regulations in the U.S. covering specific areas such as health data, genetic data, children’s data, data brokers, biometric data, online tracking, advertising, breach notification, financial information or employee data. So the privacy patchwork is even broader than the number “23” suggests.
☑️ A mature privacy program should be built around an internal framework that includes:
✅ data mapping,
✅ legal basis assessment,
✅ transparency and notices,
✅ consent and preference management,
✅ sensitive data controls,
✅ data subject rights,
✅ vendor and data broker governance,
✅ AI training data assessment,
✅ breach response,
✅ retention and deletion,
✅ evidence of compliance.
Then each local requirement should be mapped against that framework.
Author: Sebastian Burgemejster