Vermont Enacts First Data Broker Law | Practical Law

Vermont has become the first state to enact a law that provides residents with more information about data brokers, their data collection practices, and consumer opt-out rights. The law also imposes information security requirements on data brokers, defined as businesses that collect and sell or license personal information about state residents with whom they do not have direct relationships.

Practical Law Legal Update w-015-0012 (Approx. 4 pages)

by Practical Law Data Privacy Advisor
Published on 30 May 2018
USA (National/Federal), Vermont
On May 22, 2018, Vermont enacted House Bill 764, a first-of-its-kind law regulating data brokers trading in personal information about Vermont residents (consumers). The Vermont Attorney General's Office also issued a press release explaining the importance of this law. The new law:
  • Establishes new registration, consumer disclosure, and data security requirements for data brokers.
  • Creates new causes of action under Vermont's Consumer Protection Act that prohibit acquiring brokered personal information:
    • fraudulently; or
    • for the purpose of committing wrongful acts such as stalking, harassment, fraud, identity theft, or discrimination.
It adopts a broad, but targeted, definition of data brokers to include any business that knowingly collects and sells or licenses:
  • Brokered personal information about a Vermont consumer with whom it does not have a direct relationship.
  • To third parties.
Businesses with a direct consumer relationship do not fall under the statute's data broker definition. Examples of a direct relationship include situations where the consumer is a past or present:
  • Customer, client, subscriber, or user of the business's goods or services.
  • Employee, contractor, agent, or investor of or donor to the business.
The law also provides exceptions for:
  • Certain business activities, including incidental brokered personal information collection and sale or licensing, that:
    • develop or maintain third-party e-commerce or application platforms;
    • provide 411 directory assistance or directory information services, including name, address, and telephone number, on behalf of or as a function of a telecommunications carrier;
    • provide publicly available information related to a consumer's business or profession; or
    • provide publicly available information via real-time or near-real-time alert services for health or safety purposes.
  • One-time or occasional business asset sales as part of a transfer of control that is not part of the business's ordinary conduct.
  • Data sales or licenses that are merely incidental to the business.
The new law only applies to commercial entities, not Vermont state agencies, political subdivisions, or vendors acting solely on Vermont's behalf or direction.
The law defines brokered personal information as computerized data elements categorized or organized for dissemination to third parties that include one or more of the following items about a Vermont consumer:
  • Name or address of either the consumer or any member of the consumer's immediate family or household.
  • Date or place of birth.
  • Mother's maiden name.
  • Unique biometric data used to identify or authenticate the consumer, such as a fingerprint, retina or iris image, or other unique physical or digital representation of biometric data.
  • Social Security or other government issued identification number.
  • Other information that, alone or in combination with the other information sold or licensed, would reasonably allow the consumer's identification with reasonable certainty.
However, the brokered personal information definition specifically excludes publicly available information that relates to a Vermont resident's business or profession.
Covered data brokers must now:
  • Register annually with the Secretary of State on or before January 31 by paying a $100 registration fee and providing:
    • the broker's name and primary physical, email, and internet addresses;
    • a statement disclosing specific details about its opt-out policies and purchaser credentialing practices;
    • the number of data broker security breaches it experienced in the prior year and, if known, the total number of affected Vermont consumers;
    • for any data about minors the broker actually knows that it possesses, a separate statement describing the data collection practices, databases, sales activities, and opt-out policies for that data; and
    • any other relevant information about its data collection practices.
  • Adopt an information security program with appropriate administrative, technical, and physical safeguards to protect personal information that meets specified minimum requirements.
The new law also:
  • Imposes civil penalties of $50 per day, not to exceed $10,000 per year, for data brokers that fail to register.
  • Gives the attorney general the authority to adopt rules to conduct civil investigations, bring civil actions, and otherwise enforce the new law, making violations an unfair and deceptive act.
  • Amends the Vermont Fair Credit Reporting Act to eliminate fees for placing or removing a credit freeze.
  • Requires the legislature to consider:
    • designating a chief privacy officer; and
    • whether to expand the new data broker requirements to businesses with direct consumer relationships.
The section relating to data brokers takes effect on January 1, 2019. All other sections of the new law took effect immediately after its passage.