Vermont’s New Data Broker Law

On May 22, 2018, the State of Vermont enacted the country’s first data broker law.

As set forth by the new law, a data broker is defined as “a business, or unit or units of a business, separately or together, that knowingly collects and sells or licenses to third parties the brokered personal information of a consumer with whom the business does not have a direct relationship.”  In other words and with limited exception, those that collect data second hand and resell it.

The policy behind the enactment is to provide consumers with more information about data brokers’ collection practices and to bolster security requirements.

The Vermont data broker law requires that data brokers to:

  • Register with the Secretary of State (annually)
  • Implement security measures to handle personally identifiable information
  • Notify authorities of security breaches
  • Eliminate fees associated with initiating or lifting credit freezes

Interestingly, the new law refers to “brokered personal information” which is broader than the definition of personally identifiable information. PII is the subject of the law’s information security program requirements.

Brokered PI includes one or more elements such as name address, place of birth, mother’s maiden name, biometric authentication data, contact information of immediate family members, SSN or other government identification numbers, or “other information that, alone or in to combination with the other information sold or licensed, should allow a reasonable person to identify the consumer with reasonable certainty.”

As part of the registration process, data brokers must disclose, without limitation, whether and what activities consumers can opt-out of with respect to the collection of brokered personal information, the method for doing so, whether a purchaser credentialing process has been implemented, information regarding past security breaches, and other information concerning data collection practices.

Notably, a data broker is not required to permit a consumer to opt-out of the collection and sale of brokered personal information. However, a data broker must inform the Vermont Secretary of State about such activities, including, without limitation, how to request an opt-out and related applicability.

Written information security programs must be developed and maintained, and should contain administrative, technical and physical safeguards.

The effective date relating to data brokers’ registration and data security obligations is January 1 2019. The remaining provisions are immediately effective.

It is anticipated that this new law will be enforced aggressively by the Vermont Attorney General. Compliance efforts must be documented.

In a press statement, Attorney General TJ Donovan stated that “Vermonters care about their privacy” and that the new law “not only saves them money, but it gives them information and tools to help them keep their personal information secure.”

Contact an FTC compliance lawyer at

Richard B. Newman is a regulatory litigation, investigations and compliance attorney at Hinch Newman LLP focusing on advertising and digital media matters.

ADVERTISING MATERIAL. Informational purposes only. Not legal advice. Always seek the advice of an attorney. Previous case results do not guarantee similar future result. Hinch Newman LLP | 40 Wall St., 35th Floor, New York, NY 10005 | (212) 756-8777.

Richard B. Newman

Richard B. Newman is a nationally recognized FTC advertising compliance, CID investigation and regulatory enforcemetn attorney. He regularly provides advertising counsel and represents clients in high-profile investigations and enforcement proceedings initiated by the Federal Trade Commission, state attorneys general, departments of consumer affairs, and other federal and state agencies with jurisdiction over advertising and marketing practices. Richard is also an ecommerce lawyer and spam defense attorney. His practice additionally focuses upon false advertising defense, data privacy, cybersquatting, intellectual property law and transactional matters relating to the dissemination of national advertising campaigns, including the gamut of affiliate marketing, telemarketing, lead generation, list management and licensing agreements. Richard advises clients on how to minimize the legal risks associated with digital marketing, email marketing, telemarketing, social media influencer campaigns, endorsements and testimonials, negative option marketing models, native advertising, online promotions and comparative advertising,

To Learn More About This Topic or if You Have Questions, Contact an Experienced FTC Compliance and Defense Lawyer