On May 22, 2018, the State of Vermont enacted the country’s first data broker law.
As set forth by the new law, a data broker is defined as “a business, or unit or units of a business, separately or together, that knowingly collects and sells or licenses to third parties the brokered personal information of a consumer with whom the business does not have a direct relationship.” In other words, and with limited exception, data brokers are those that collect data secondhand and resell it.
The policy behind the enactment is to provide consumers with more information about data brokers’ collection practices and to bolster security requirements.
The Vermont data broker law requires data brokers to:
- Register with the Secretary of State (annually)
- Implement security measures to handle personally identifiable information
- Notify authorities of security breaches
- Eliminate fees associated with initiating or lifting credit freezes
Interestingly, the new law refers to “brokered personal information,” which is broader than the definition of personally identifiable information. PII is the subject of the law’s information security program requirements.
Brokered PI includes one or more elements such as name, address, place of birth, mother’s maiden name, biometric authentication data, contact information of immediate family members, SSN or other government identification numbers, or “other information that, alone or in combination with the other information sold or licensed, should allow a reasonable person to identify the consumer with reasonable certainty.”
As part of the registration process, data brokers must disclose, without limitation, whether and what activities consumers can opt-out of with respect to the collection of brokered personal information, the method for doing so, whether a purchaser credentialing process has been implemented, information regarding past security breaches, and other information concerning data collection practices.
Notably, a data broker is not required to permit a consumer to opt-out of the collection and sale of brokered personal information. However, a data broker must inform the Vermont Secretary of State about such activities, including, without limitation, how to request an opt-out and related applicability.
Written information security programs must be developed and maintained, and should contain administrative, technical and physical safeguards.
The effective date relating to data brokers’ registration and data security obligations is January 1, 2019. The remaining provisions are immediately effective.
It is anticipated that this new law will be enforced aggressively by the Vermont Attorney General. Compliance efforts must be documented.
In a press statement, Attorney General TJ Donovan stated that “Vermonters care about their privacy” and that the new law “not only saves them money, but it gives them information and tools to help them keep their personal information secure.”
Richard B. Newman is a regulatory litigation, investigations and compliance attorney at Hinch Newman LLP focusing on advertising and digital media matters.
ADVERTISING MATERIAL. Informational purposes only. Not legal advice. Always seek the advice of an attorney. Previous case results do not guarantee similar future results. Hinch Newman LLP | 40 Wall St., 35th Floor, New York, NY 10005 | (212) 756-8777.