The Bottom Line
- The Vermont data broker registration requirement commences on January 1, 2019, giving data brokers subject to the law some time to become familiar with its requirements and to begin compliance efforts.
- After years of talking about data brokers, the first law in the nation to broadly address this industry could open the floodgates to more privacy legislation. More than ever, those involved in the collection and use of consumer data should evaluate their practices in light of new and pending legislation.
With summer approaching, we would hope to see new flavors of ice cream coming out of Vermont. Instead, Vermont has just delivered a new law that imposes data security and privacy-related obligations on data brokers and, beginning January 1, 2019, will require them to register annually with the state. The law is the first in the United States specifically governing data brokers.
The New Law
The Vermont legislature acknowledges in the introduction to the new law that data brokers provide information that is “critical to services offered in the modern economy,” including targeted marketing and sales; credit reporting; and decisions by banks, insurers, and others as to whether to provide services.
The law then states that although data brokers offer “many benefits,” there also are “risks associated with the widespread aggregation and sale of data about consumers.” These risks, the law says, relate to consumers’ ability to know and control information held and sold about them and risks arising from the unauthorized or harmful acquisition and use of consumer information.
The Vermont legislature also indicates in the law that consumers may not be aware that data brokers exist, who the companies are, or the information they collect. These are themes that have been repeatedly echoed by the Federal Trade Commission (FTC) in workshops and guidance.
Since definitions drive all new privacy laws, the definitions in the Vermont law must be carefully examined.
The law defines a “data broker” as a business that knowingly collects and sells or licenses to third parties the brokered personal information of a consumer with whom the business does not have a direct relationship. Basically, data brokers are those without a consumer-facing presence. A business is not a data broker for purposes of the law if it collects information from its own customers, employees, users, or donors.
“Brokered personal information” is defined as one or more of the following computerized data elements about a consumer, if categorized or organized for dissemination to third parties:
- date of birth;
- place of birth;
- mother’s maiden name;
- unique biometric data generated from measurements or technical analysis of human body characteristics used by the owner or licensee of the data to identify or authenticate the consumer, such as a fingerprint, retina, or iris image;
- name or address of a member of the consumer’s immediate family or household;
- Social Security number or other government-issued identification number; or
- “other information that, alone or in combination with the other information sold or licensed, would allow a reasonable person to identify the consumer with reasonable certainty.”
“Brokered personal information” does not include publicly available information to the extent that it relates to a consumer’s business or profession.
The intent of the law is to provide consumers in the State of Vermont with transparency about data brokers, their data collection practices, and the right to opt out. Accordingly, one of the key features of the law is the requirement that data brokers register annually with the Vermont Secretary of State.
When registering, a data broker must provide information about its data collection activities, opt-out policies (in particular, whether it permits consumers to opt out of its collection of brokered personal information), and purchaser credentialing practices.
A data broker also must report the number of security breaches that it has experienced during the prior year and, if known, the total number of consumers affected by the breaches.
Moreover, where a data broker has actual knowledge that it possesses the brokered personal information of minors, it must provide the Secretary of State with a separate statement detailing the data collection practices, databases, sales activities, and opt-out policies that are applicable to the brokered personal information of minors.
Information Security Program
The new law requires that data brokers adopt an information security program with administrative, technical, and physical safeguards to protect sensitive personal information. The safeguards must be appropriate to the data broker’s size, scope, and type of business; the amount of resources available to the data broker; the amount of stored data; and the need for security and confidentiality of personally identifiable information. Again, these are common themes from other state laws regarding data security and FTC workshops and guidance, though the Vermont law enumerates specific procedures and controls that must be implemented.
There are various other significant provisions in the new Vermont law. For example, the law prohibits data brokers from acquiring personal information through fraudulent means or with the intent to commit wrongful acts. Toward that end, the law provides that the acquisition of brokered personal information through fraudulent means and the acquisition or use of brokered personal information to stalk or harass or to commit fraud or engage in unlawful discrimination is an unfair and deceptive act.