Introduction to Vermont Privacy Rights
Vermont has established itself as a national leader in privacy protection, consistently enacting some of the most comprehensive consumer privacy laws in the United States. The Green Mountain State has taken a proactive approach to safeguarding residents' personal information, often surpassing federal requirements and setting precedents that other states follow. Vermont's privacy landscape is characterized by robust data broker regulations, stringent data breach notification requirements, and consumer-focused protections that give residents meaningful control over their personal information.
Vermont's commitment to privacy is exemplified by its groundbreaking Data Broker Law, codified in 9 V.S.A. § 2430 et seq., which was the first of its kind in the nation when enacted in 2018. This legislation requires companies that collect and sell personal information to register with the state, maintain security programs, and report data breaches. Beyond data broker regulation, Vermont has enacted comprehensive statutes addressing financial privacy, insurance information security, student data protection, and employment privacy rights.
Compared to other states, Vermont ranks among the top tier for privacy protections. While California's Consumer Privacy Act (CCPA) receives more national attention, Vermont's Data Broker Law actually preceded California's legislation and addresses gaps that many state laws overlook. Vermont also provides stronger protections for financial information than federal law requires and has implemented rigorous standards for health information beyond HIPAA requirements. The state's approach combines transparency requirements, security mandates, and enforcement mechanisms that create a multi-layered privacy framework protecting Vermont residents from unauthorized data collection, use, and disclosure.
Vermont's State Privacy Laws
Vermont's privacy legal framework consists of multiple statutes addressing different aspects of personal information protection. The cornerstone of Vermont's privacy regime is the Data Broker Law, found in 9 V.S.A. § 2430 through § 2446. This statute defines a data broker as any business that knowingly collects and sells or licenses personal information of consumers with whom the business does not have a direct relationship. Under this law, data brokers must register annually with the Vermont Secretary of State, pay a $100 registration fee, and provide specific information about their data collection and security practices.
The Data Broker Law requires registered entities to implement and maintain comprehensive information security programs reasonably designed to protect personal information from unauthorized access, destruction, use, modification, or disclosure. These programs must include administrative, technical, and physical safeguards, and companies must conduct regular risk assessments. Violations can result in civil penalties up to $10,000 per violation, with the Vermont Attorney General having exclusive enforcement authority.
Vermont's Security Breach Notice Act, codified at 9 V.S.A. § 2430 and § 2435, establishes one of the nation's strictest data breach notification requirements. The law requires any data collector—defined as a person who, for any purpose, handles, collects, disseminates, or otherwise deals with personally identifiable information—to provide notice of a security breach to affected Vermont residents. The notification must be made in the most expedient time possible and without unreasonable delay, but not later than 45 days after discovery of the breach, unless law enforcement determines notification will impede a criminal investigation.
The statute specifies that notice must include: the date or estimated date of the breach, a description of the personal information involved, information about what the data collector has done to protect individuals, contact information for consumer reporting agencies if Social Security numbers were compromised, and information about the data collector's contact procedures. If a breach affects more than 1,000 consumers, the data collector must also notify consumer reporting agencies and the Vermont Attorney General without unreasonable delay.
Financial privacy protections in Vermont exceed federal standards. Title 8 V.S.A. § 10201 et seq. implements the Vermont Financial Privacy Law, which regulates how financial institutions collect, use, and share nonpublic personal financial information. Vermont opted for stricter standards than required by the federal Gramm-Leach-Bliley Act, requiring financial institutions to obtain affirmative consent (opt-in) rather than merely providing opt-out opportunities for certain types of information sharing. Vermont financial institutions must provide clear privacy notices and cannot share account numbers or access codes with nonaffiliated third parties for marketing purposes.
Employee privacy rights in Vermont are protected through multiple statutes. Under 21 V.S.A. § 495, employers may not require employees or applicants to provide access to personal social media accounts, though employers can request access to accounts created specifically for business purposes. Vermont law at 21 V.S.A. § 495d prohibits employers from requiring employees to have identification devices, including radio frequency identification (RFID) chips, implanted into their bodies as a condition of employment.
Vermont also protects employee health information through 21 V.S.A. § 471, which restricts genetic testing by employers and prohibits discrimination based on genetic information. The state's workers' compensation laws at 21 V.S.A. § 652 include provisions protecting the privacy of medical information obtained during claims processes, requiring written authorization before disclosure of medical records.
Freedom of Information / Open Records in Vermont
Vermont's public records law is known as the Vermont Public Records Act, codified at 1 V.S.A. § 315 through § 320. This law establishes that public records are available for public inspection unless specifically exempted by law. The statute defines public records broadly as any written or recorded information, regardless of physical form, produced or acquired in the course of public agency business. This includes documents, emails, databases, photographs, and other recorded information maintained by state and local government agencies.
Under 1 V.S.A. § 316, any person may inspect or copy public records during regular business hours. The law does not require requesters to be Vermont residents, identify themselves, or explain why they want the records, though agencies may require identification to prevent identity theft or unauthorized access to confidential information. Requests should be specific enough to allow the agency to identify and locate responsive records with reasonable effort.
Vermont public agencies must respond to records requests "as soon as reasonably possible" but no later than three business days after receiving the request. However, this three-day period is only for acknowledging the request and indicating whether the records exist and will be provided. The actual production of records may take longer, depending on the volume and complexity of the request. If an agency needs more than ten business days to provide records, it must provide a written explanation for the delay and a reasonable timeline for when records will be available.
The Public Records Act contains numerous exemptions at 1 V.S.A. § 317, protecting specific categories of information from disclosure. Key exemptions include: personnel and medical files where disclosure would constitute an invasion of privacy; trade secrets and confidential commercial or financial information; records of law enforcement investigations; attorney-client privileged communications; records related to pending litigation; preliminary drafts and notes; and personal information in government databases including Social Security numbers, unlisted telephone numbers, credit card information, and dates of birth (except year of birth).
Vermont agencies may charge fees for public records, but these must be limited to actual costs. Under 1 V.S.A. § 316(c), agencies can charge for staff time spent locating and copying records at actual hourly wages, plus the cost of copying materials. However, the first 30 minutes of staff time must be provided without charge. Agencies must provide a fee estimate if costs will exceed $25 and may require prepayment.
If a records request is denied, requesters have multiple appeal options. First, they may appeal to the head of the public agency within 30 days of denial. If that appeal is unsuccessful, requesters can file an appeal with the Vermont Civil Division of the Superior Court under 1 V.S.A. § 319. Courts may review denials de novo and can order agencies to produce records, assess costs against the agency, and impose other remedies. The statute also provides that prevailing requesters may recover reasonable attorney's fees and costs.
HIPAA and Health Privacy
The Health Insurance Portability and Accountability Act (HIPAA) establishes federal baseline protections for medical information that apply to covered entities throughout Vermont, including healthcare providers, health plans, and healthcare clearinghouses. HIPAA's Privacy Rule, codified at 45 CFR Part 160 and Part 164, gives patients rights to access their medical records, request corrections, receive an accounting of disclosures, and file complaints about privacy violations. Vermont healthcare providers must comply with these federal requirements as the minimum standard for protecting patient information.
Vermont has enacted additional state-level protections that exceed HIPAA requirements in several areas. The Vermont Health Information Privacy Law, found at 18 V.S.A. § 9351 et seq., provides enhanced protections for health information maintained by healthcare providers and insurers. This law requires written authorization for disclosure of health information beyond what HIPAA permits and includes stricter standards for marketing communications using health information.
Vermont law provides particularly strong protections for mental health records under 18 V.S.A. § 7103. Mental health treatment records maintained by mental health professionals require specific written consent before disclosure, even to other healthcare providers involved in treatment, with limited exceptions for emergencies. These records receive heightened protection beyond standard medical records, recognizing the sensitive nature of mental health information and potential for discrimination.
Vermont's HIV confidentiality statute at 12 V.S.A. § 1705 prohibits disclosure of HIV test results without specific written consent, with narrow exceptions for treatment purposes, legally required reporting to public health authorities, and court-ordered disclosure. Violations can result in civil liability for damages. Similarly, substance abuse treatment records maintained by Vermont facilities are protected by both federal regulations at 42 CFR Part 2 and Vermont law, requiring specific consent forms and limiting disclosure even in response to court orders.
Patients in Vermont can protect their medical records by understanding their rights under both HIPAA and state law. Individuals should request copies of their medical records annually to verify accuracy, submit written requests to restrict disclosures beyond what is required for treatment and payment, and file complaints with the Vermont Department of Health or the federal Office for Civil Rights if they believe their health privacy rights have been violated. Vermont residents can contact the Office of the Health Care Ombudsman at 1-800-917-7787 for assistance with health privacy concerns.
Consumer Data Privacy Rights
Vermont residents enjoy substantial rights regarding personal data collected about them, primarily through the state's Data Broker Law and various sector-specific privacy statutes. While Vermont has not yet enacted a comprehensive consumer privacy law similar to California's CCPA or Virginia's Consumer Data Protection Act, the existing framework provides meaningful protections and transparency requirements.
Under Vermont's Data Broker Law at 9 V.S.A. § 2433, consumers have the right to know which data brokers are registered in Vermont by searching the Secretary of State's online registry. This transparency allows Vermont residents to identify companies collecting and selling their information. While the law does not provide a direct opt-out right from data broker collection, the registration requirement enables consumers to contact data brokers and request removal of their information under each company's individual policies.
Vermont's Security Breach Notice Act provides consumers with the right to timely notification when their personal information is compromised. This enables individuals to take protective measures such as fraud alerts, credit freezes, and identity theft monitoring. When breaches involve Social Security numbers, financial account information, or other sensitive data, affected consumers have the right to receive information about available protective services, often including free credit monitoring provided by the breached entity.
For financial privacy, Vermont residents have enhanced opt-out rights under 8 V.S.A. § 10201 et seq. Financial institutions must provide annual privacy notices explaining their information-sharing practices and offering consumers the ability to opt out of certain types of sharing with nonaffiliated third parties. Vermont's opt-in requirement for sharing with affiliates gives consumers more control than federal law provides.
To remove personal information from data broker and people-search sites, Vermont residents should follow a systematic approach. First, identify major data brokers through Vermont's official registry at the Secretary of State's website. Contact each registered data broker using their designated privacy contact information and request removal of your personal information. For major people-search websites like Whitepages, Spokeo, BeenVerified, and Intelius, visit their individual opt-out pages and follow specific removal procedures, which typically require submitting your name, address, and email confirmation.
Under the federal Fair Credit Reporting Act (FCRA), Vermont residents have the right to obtain free annual credit reports from each of the three major credit bureaus—Equifax, Experian, and TransUnion—through AnnualCreditReport.com. Vermont consumers can dispute inaccurate information on credit reports by submitting written disputes to credit bureaus, which must investigate within 30 days. Vermont's own credit reporting regulations at 9 V.S.A. § 2480a provide additional protections, including requirements that credit bureaus maintain toll-free telephone numbers for Vermont consumers and respond to disputes within specific timeframes.
Vermont law at 9 V.S.A. § 2480h provides consumers with the right to place security freezes on their credit reports free of charge. A security freeze restricts access to credit reports, preventing identity thieves from opening new accounts. Credit bureaus must implement freezes within one business day of receiving a request and lift freezes within one hour if requested electronically or by telephone, or within three business days if requested by mail.
Employment Background Checks & Privacy
Vermont regulates employment background checks through multiple statutes that protect applicant and employee privacy while balancing employer interests in workplace safety and informed hiring decisions. The primary framework is established by the federal Fair Credit Reporting Act (FCRA), which applies to background checks conducted by third-party consumer reporting agencies, but Vermont has supplemented these protections with state-specific requirements.
Under Vermont law at 21 V.S.A. § 495i, employers must comply with specific procedures when obtaining criminal background checks. Vermont has implemented a modified "ban-the-box" law that prohibits employers from inquiring about criminal history on initial job applications for most positions. Specifically, employers cannot ask about criminal history until after an applicant has been selected for an interview or, if there is no interview, until after a conditional offer of employment has been made. This law applies to employers with five or more employees and covers both public and private sector employers.
There are exceptions to Vermont's ban-the-box law for positions where federal or state law disqualifies individuals with certain criminal convictions, positions requiring state or federal security clearances, and positions in law enforcement agencies. Additionally, employers may inquire about criminal history at any point when required by law or when necessary to comply with legal obligations regarding hiring restrictions.
Vermont law at 13 V.S.A. § 7602 governs access to criminal records for employment purposes. Employers can access conviction records through the Vermont Crime Information Center (VCIC), but the law specifies limitations on what can be considered. Significantly, Vermont has sealed records statutes that restrict access to certain criminal history information. Under 13 V.S.A. § 7602(a), records of arrests that did not result in conviction are generally sealed and not available to employers.
The state provides expungement and sealing options that affect employment background checks. Vermont law at 13 V.S.A. § 7601 allows individuals to petition for expungement of criminal records in specific circumstances, including certain qualifying crimes after waiting periods without subsequent convictions. Once expunged, these records are destroyed and do not appear in background checks. Additionally, Vermont allows sealing of certain conviction records after waiting periods, typically five years for misdemeanors and ten years for nonviolent felonies, though specific crimes may have different requirements.
Vermont employers conducting background checks through consumer reporting agencies must comply with FCRA requirements, including obtaining written authorization from applicants, providing pre-adverse action notice if considering rejecting an applicant based on background check information, and providing copies of reports and notices of rights. Vermont's Consumer Protection Act at 9 V.S.A. § 2453 provides additional enforcement mechanisms for FCRA violations affecting Vermont residents.
Individuals who discover inaccurate information on employment background checks have multiple avenues for correction. First, they should dispute errors directly with the consumer reporting agency that provided the report, which must investigate within 30 days under FCRA. Second, if inaccuracies involve criminal records, individuals can contact the Vermont Crime Information Center to request corrections. Third, for court records errors, individuals should contact the Vermont Judiciary Records Unit to request corrections to official court records.
Vermont law at 21 V.S.A. § 495 also protects employees from social media intrusion by prohibiting employers from requiring access to personal social media accounts as a condition of employment. Employers cannot request usernames, passwords, or other authentication information for personal social media accounts, nor can they compel employees to add supervisors or other company representatives to their social media contacts.
Protecting Yourself in Vermont
Vermont residents can take concrete steps to protect their privacy and control personal information. This section provides practical, actionable guidance for implementing privacy protections available under Vermont and federal law.
Opting Out of People-Search Sites
Start by identifying your presence on major people-search websites. Search for yourself on Whitepages.com, Spokeo.com, BeenVerified.com, PeopleFinder.com, and Intelius.com. Each site has its own opt-out procedure. For Whitepages, visit their opt-out page, locate your listing, and submit the removal request, which typically processes within 24-72 hours. Spokeo requires you to find your listing, copy the URL, visit their privacy page, paste the URL, and verify via email. BeenVerified requires submitting a request through their suppression form with verification.
Check Vermont's Data Broker Registry maintained by the Secretary of State at sos.vermont.gov to identify registered data brokers. Contact each broker's designated privacy contact (listed in their registration) to request removal of your information. Keep records of all opt-out requests including confirmation numbers and dates, as you may need to follow up or repeat requests periodically.
Implementing Credit Freezes
Vermont residents should implement security freezes with all three major credit bureaus. Contact Equifax at 1-800-349-9960 or equifax.com/personal/credit-report-services/credit-freeze, Experian at 1-888-397-3742 or experian.com/freeze/center.html, and TransUnion at 1-888-909-8872 or transunion.com/credit-freeze. Under 9 V.S.A. § 2480h, credit bureaus cannot charge Vermont residents for placing, lifting, or removing security freezes. The freeze must be implemented within one business day of your request.
When placing a freeze, you'll receive a PIN or password to use when you need to temporarily lift the freeze for legitimate credit applications. Store this information securely. If requested online or by phone, bureaus must lift freezes within one hour. Consider also placing freezes with secondary credit reporting agencies like Innovis and the National Consumer Telecom & Utilities Exchange (NCTUE) for comprehensive protection.
Requesting Criminal Record Sealing and Expungement
To seal or expunge criminal records in Vermont, first determine your eligibility under 13 V.S.A. § 7601 and § 7602. Generally, you may petition for expungement of certain qualifying crimes after specified waiting periods without subsequent convictions. Obtain a copy of your Vermont criminal history record from the Vermont Crime Information Center by submitting a record check request with fingerprints through an authorized agency.
File a petition for expungement or sealing in the Vermont Superior Court in the county where the conviction occurred. The petition must include specific information about the conviction, evidence of rehabilitation, and reasons supporting expungement. The court will notify the prosecutor, who may oppose the petition. A hearing may be scheduled where you can present evidence supporting your request. If granted, the court will order records sealed or expunged, and you can legally state that the incident did not occur for most purposes.
For assistance with expungement petitions, contact Vermont Legal Aid at 1-800-889-2047 or the Vermont Defender General's Office. The Vermont Judiciary website at vermontjudiciary.org provides forms and instructions for expungement petitions.
Protecting Health Information
Request copies of your medical records annually from all healthcare providers to verify accuracy. Under HIPAA and Vermont law, providers must provide copies within 30 days. Submit written requests to restrict disclosures of your health information beyond treatment, payment, and healthcare operations purposes. Vermont providers must honor reasonable restriction requests under 18 V.S.A. § 9351 et seq.
For particularly sensitive health information, such as mental health or substance abuse treatment records, understand that Vermont provides enhanced protections requiring specific written consent for disclosure. Exercise your right to request an accounting of disclosures from your healthcare providers to track who has accessed your information.
Key Vermont Privacy Contacts
Maintain contact information for key privacy-related agencies. The Vermont Attorney General's Consumer Assistance Program handles privacy complaints and data breach notifications: 802-656-3183 or ago.vermont.gov. The Vermont Secretary of State's Office maintains the Data Broker Registry: 802-828-2363 or sos.vermont.gov. The Vermont Department of Financial Regulation oversees insurance and financial privacy: 802-828-3301 or dfr.vermont.gov.
For health privacy concerns, contact the Vermont Office of the Health Care Ombudsman at 1-800-917-7787. For employment discrimination or privacy issues, contact the Vermont Human Rights Commission at 1-800-416-2010. For criminal record questions, contact the Vermont Crime Information Center at 802-244-8727.
Vermont Data Breach Notification
Vermont's Security Breach Notice Act at 9 V.S.A. § 2430 and § 2435 establishes comprehensive requirements for notifying individuals when their personal information is compromised. The law applies to any "data collector," defined as a person who, for any purpose, handles, collects, disseminates, or otherwise deals with personally identifiable information. This broad definition encompasses businesses, government agencies, nonprofits, and individuals who maintain personal information about Vermont residents.
The statute defines a "security breach" as unauthorized acquisition of electronic data, or a reasonable belief of unauthorized acquisition, that compromises the security, confidentiality, or integrity of personally identifiable information maintained by the data collector. Personally identifiable information includes an individual's first name or initial and last name in combination with Social Security number, driver's license number, financial account numbers with access codes, or medical information.
Upon discovering a security breach, data collectors must conduct a prompt investigation to determine the scope of the breach and restore security. If the investigation determines that misuse of personal information has occurred or is likely to occur, the data collector must provide notice to affected Vermont residents. Notice must be made "in the most expedient time possible and without unreasonable delay" but no later than 45 days after discovery of the breach, unless law enforcement requests a delay because notification would impede a criminal investigation.
The content of breach notifications is specifically prescribed by statute. Notices must include: the date or estimated date of the breach; a description of the personal information that was acquired or reasonably believed to have been acquired; information about what the data collector has done to protect affected individuals from further harm; the toll-free contact numbers and addresses for major consumer reporting agencies if Social Security numbers were compromised; and the data collector's own contact information so affected individuals can inquire about the breach.
Methods of notification vary based on circumstances. Direct notice must be provided by written notice to the last known postal address, telephone notice, or electronic notice if the individual has consented to electronic communications. If the cost of providing direct notice exceeds $10,000, the number of affected individuals exceeds 5,000, or the data collector does not have sufficient contact information, substitute notice is permitted through email if the data collector has email addresses, conspicuous posting on the data collector's website, and notification to major statewide media.
For breaches affecting more than 1,000 consumers, data collectors must notify all consumer reporting agencies of the timing, distribution, and content of the notices, without unreasonable delay. Additionally, data collectors must notify the Vermont Attorney General's Office without unreasonable delay. The Attorney General maintains records of reported breaches and uses this information for enforcement purposes.
Vermont's data breach law includes specific provisions for third-party data processors. If a person or business that maintains or stores personal information on behalf of a data collector becomes aware of a breach, it must notify the data collector as soon as practicable following discovery. The data collector then bears responsibility for providing required notifications to affected individuals and the Attorney General.
Violations of Vermont's breach notification requirements can result in enforcement actions by the Vermont Attorney General under the state's Consumer Protection Act, 9 V.S.A. § 2453. Civil penalties can reach up to $10,000 per violation. The Attorney General has been active in enforcing breach notification requirements, investigating companies that fail to provide timely notifications and pursuing penalties for non-compliance.
Children's Privacy in Vermont
Vermont provides multiple layers of protection for children's personal information through federal law compliance and state-specific enhancements. The federal Children's Online Privacy Protection Act (COPPA), enforced by the Federal Trade Commission, applies to websites and online services directed to children under 13 or that have actual knowledge they are collecting information from children under 13. COPPA requires verifiable parental consent before collecting, using, or disclosing personal information from children, and Vermont businesses must comply with these federal requirements.
Vermont has supplemented federal protections with state-specific laws addressing student data privacy. Vermont's Student Privacy Act, codified at 16 V.S.A. § 164, regulates how educational agencies and third-party service providers handle student personally identifiable information. The law prohibits operators of websites, online services, and mobile applications used primarily for K-12 school purposes from engaging in targeted advertising based on student data, selling student information, or creating profiles of students for commercial purposes unrelated to educational functions.
Under Vermont law, educational service providers must implement security measures to protect student data from unauthorized access, destruction, or use. They must delete student personally identifiable information within a reasonable timeframe when it is no longer needed for educational purposes, unless parents or students consent to retention. The law provides enforcement authority to the Vermont Attorney General, who can pursue violations under consumer protection statutes.
The Family Educational Rights and Privacy Act (FERPA), a federal law codified at 20 U.S.C. § 1232g, protects the privacy of student education records at schools receiving federal funding. Vermont schools must comply with FERPA requirements, which give parents rights to inspect and review their children's education records, request corrections to inaccurate information, and control disclosure of personally identifiable information from education records with certain exceptions. When students reach age 18 or attend postsecondary institutions, these rights transfer to the students themselves.
Vermont parents can access their children's education records by submitting written requests to their school's principal or records custodian. Schools must comply within 45 days of the request. If parents believe records contain inaccurate or misleading information, they can request amendments. If the school refuses, parents have the right to a hearing and can place statements in the record explaining their position.
Vermont law at 13 V.S.A. § 2821 provides criminal penalties for unauthorized disclosure of juvenile court records, ensuring confidentiality of proceedings involving minors in the justice system. These records are generally sealed and not accessible to the public, protecting children from long-term consequences of juvenile offenses. Vermont also restricts disclosure of child abuse and neglect records under 33 V.S.A. § 4913, limiting access to authorized personnel involved in child protection.
Frequently Asked Questions
How can I find out which data brokers have my information in Vermont?
Vermont maintains a public Data Broker Registry through the Secretary of State's office, accessible at sos.vermont.gov. Any business meeting the definition of a data broker under 9 V.S.A. § 2430 must register annually and provide information about their data practices. You can search this registry to identify registered data brokers, then contact each company's designated privacy representative to inquire about what information they maintain about you and request removal. While the registry includes many major data brokers, some companies may not be required to register if they don't meet Vermont's specific definition, so you should also independently search for yourself on major people-search websites.
What should I do if a company fails to notify me of a data breach involving my information?
If you discover a company suffered a data breach that affected your personal information but failed to provide required notification under 9 V.S.A. § 2435, you should file a complaint with the Vermont Attorney General's Consumer Assistance Program at 802-656-3183 or through their website at ago.vermont.gov. The Attorney General has enforcement authority for breach notification violations and can investigate companies that fail to comply with the 45-day notification requirement. Additionally, you should immediately implement protective measures including credit freezes, fraud alerts, and monitoring of financial accounts and credit reports for suspicious activity.
Can Vermont employers ask about my criminal history during a job interview?
Yes, under Vermont's ban-the-box law at 21 V.S.A. § 495i, employers can inquire about criminal history once you have been selected for an interview. They cannot ask about criminal history on initial job applications, but once you've advanced to the interview stage, employers may ask about and consider criminal convictions. However, employers must consider the nature of the offense, how long ago it occurred, and its relationship to the job duties when making employment decisions. Certain exceptions apply for positions where law requires background checks or restricts hiring of individuals with specific convictions.
How long do I have to wait before I can expunge a criminal conviction from my record in Vermont?
The waiting period for expungement in Vermont depends on the type of offense and is governed by 13 V.S.A. § 7601. For most misdemeanors, you must wait at least five years after completion of your sentence, including probation, before petitioning for expungement. For non-violent felonies, the waiting period is typically ten years. You must have no subsequent criminal convictions during the waiting period. Certain serious crimes, including violent felonies and sex offenses, may not be eligible for expungement. You should consult with an attorney or contact Vermont Legal Aid at 1-800-889-2047 to determine your specific eligibility and receive assistance with the petition process.
What are my rights if I find errors in my medical records at a Vermont hospital?
Under HIPAA and Vermont health privacy law at 18 V.S.A. § 9351 et seq., you have the right to request amendments to inaccurate or incomplete medical records. Submit a written request to the healthcare provider's medical records department explaining what information is incorrect and why. The provider must respond within 60 days (with a possible 30-day extension). If the provider agrees, they must make the amendment and notify others who received the incorrect information. If they deny your request, you can submit a written statement of disagreement that must be included with your records. You also have the right to file a complaint with the Vermont Department of Health or the federal Office for Civil Rights if you believe your privacy rights were violated.
How do I request public records from Vermont state agencies?
To request public records under Vermont's Public Records Act at 1 V.S.A. § 316, submit a written request to the custodian of records at the specific state agency that maintains the records you're seeking. Your request should describe the records with enough specificity that the agency can locate them with reasonable effort. You do not need to explain why you want the records or be a Vermont resident. The agency must acknowledge your request within three business days and indicate whether the records exist and will be provided. Actual production may take longer depending on the volume of records. If your request is denied, you can appeal to the agency head and ultimately to Vermont Superior Court.
Can I place a security freeze on my child's credit report in Vermont?
Yes, Vermont law at 9 V.S.A. § 2480h allows parents or legal guardians to place security freezes on their children's credit reports. This is an important protection because children typically have no credit history, making them attractive targets for identity thieves. Contact each of the three major credit bureaus—Equifax, Experian, and TransUnion—along with Innovis, and request a security freeze for your child. You will need to provide documentation proving your identity and your relationship to the child, such as birth certificates and identification. There is no charge for placing, lifting, or removing freezes for children in Vermont. This protection remains in place until you remove it or your child reaches adulthood and requests removal.
What penalties can companies face for violating Vermont's Data Broker Law?
Companies that violate Vermont's Data Broker Law at 9 V.S.A. § 2430 et seq. face enforcement actions by the Vermont Attorney General under the state's Consumer Protection Act. Penalties can include civil fines up to $10,000 per violation. Violations include failing to register as a data broker when required, failing to implement adequate security programs, and failing to report data breaches to the Attorney General. Each instance of non-compliance can constitute a separate violation, meaning penalties can accumulate significantly for companies with multiple violations. The Attorney General can also seek injunctive relief requiring companies to change their practices and may require companies to implement specific security measures or notification procedures as part of settlement agreements.