Vermont became the first state in the country to pass legislation regulating data brokers when it mandated that they register with a state regulator and establish minimum security standards.
The law broadly defines a data broker as “a business, or unit or units of a business, separately or together, that knowingly collects and sells or licenses to third parties the brokered personal information of a consumer with whom the business does not have a direct relationship.”
“Brokered personal information” includes “one or more of the following computerized data elements about a consumer, if categorized or organized for dissemination to third parties: name; address; date of birth; place of birth; mother’s maiden name; unique biometric data, including fingerprints, retina or iris images, or other unique physical or digital representations of biometric data; name or address of a member of the consumer’s immediate family or household; Social Security number or other government-issued identification number; or other information that, alone or in combination with the other information sold or licensed, would allow a reasonable person to identify the consumer with reasonable certainty.”
Covered entities must pay a $100 annual fee to register with the Vermont attorney general. In addition, on an annual basis, data brokers must disclose their practices related to the collection, storage and sale of consumers’ personal information, as well as the number of data breaches they experienced during the prior year (and, if known, the total number of consumers affected by the breaches).
All registered data brokers must also “develop, implement and maintain a written comprehensive information security program” that contains appropriate physical, technical and administrative safeguards designed to protect consumers’ personal information.
Violations of the law constitute an “unfair and deceptive act” under the state’s consumer protection law, which provides the attorney general with the power to bring an enforcement action. The new law also eliminates any charge for Vermont residents to freeze and unfreeze their credit reports.
“This new law slashes fees, helps stop fraudsters and promotes transparency,” Vermont Attorney General T.J. Donovan said in a statement. “Vermonters care about their privacy. This bill not only saves them money, but also gives them information and tools to help them keep their personal information secure.”
The law took effect immediately, with the exception of the registration and data security obligations, which take effect Jan. 1, 2019.
Why it matters: Back in 2014, the Federal Trade Commission conducted a study of nine data brokers and published a report concluding that the industry operates with a “fundamental” lack of transparency and recommending that federal legislation be enacted to regulate data brokers. For years, federal lawmakers have debated how to regulate data brokers, but efforts at the federal level repeatedly stalled. In the wake of the massive Equifax data breach, however, lawmakers in Vermont enacted the new law. Whether other states follow suit remains to be seen.