Vermont issues consumer privacy compliance guidance under newly effective securities regulations
On April 14, the Vermont Department of Financial Regulation (DFR) issued updated guidance on the Privacy Rule in Chapter 10 of the Vermont Securities Regulations, which took effect April 10. The new regulations codify consumer privacy requirements that were previously maintained under prior department regulations and orders. The Privacy Rule applies to any investment adviser or broker-dealer registered with the department, including federal covered investment advisers that make notice filings, as well as their representatives, agents, and employees. The rule protects nonpublic personal information (NPI), defined to include financial and health data provided by consumers to obtain products or services, as well as information an investment adviser or broker-dealer acquires about a consumer in connection with providing a product or service.
The revised bulletin, which remains substantively unchanged from its initial December 2025 publication, outlines several core obligations under the Privacy Rule. Investment advisers and broker-dealers must provide “clear and conspicuous” privacy notices to customers at the start of the relationship and at least annually thereafter. The Vermont rule differs from the federal opt-out framework by requiring consumers to affirmatively opt in before firms may share NPI with non-affiliated third parties. Under the rule, a consumer’s opt-in authorization remains in effect until the consumer revokes it, with firms obliged to provide a “reasonable” method for revocation. The rule permits limited exceptions to the opt-in and notice requirements, including disclosures necessary for processing or servicing transactions requested by consumers, disclosures to affiliates, and disclosures to service providers or for joint marketing activities under a written contract that prohibits the recipient from using or disclosing the information beyond the purpose for which it was received.