On January 1st, a new Vermont statute dealing with data brokers went into effect. Data brokers are businesses that collect personal information about consumers and sell that information to other businesses. Data brokers collect information from multiple public and non-public sources such as court records, property records, voter registration information, purchase histories and web-browsing activity. Data brokers create profiles of consumers and sell the profiles to businesses that want to use them for targeted marketing purposes. Vermont is the first state in the U.S. to regulate data brokers.
In the data broker statute, the Vermont legislature noted that consumers may not be aware that data brokers are collecting information about them or that they even exist. This is in contrast to businesses with whom consumers have a direct relationship. Consumers who have a direct relationship with traditional and e-commerce businesses may have some level of knowledge and control over the businesses’ data collection practices, including the choice to use the businesses’ products or services and the ability to opt out of certain data collection practices. Given consumers’ lack of any relationship with data brokers, the Vermont law aims to provide consumers with necessary information about the data brokers, including information about their data collection activities, opt-out policies, purchaser credentialing practices, and security breaches.
Under the statute, a “data broker” is defined broadly as a business that collects and sells or licenses to third parties the “brokered personal information” of a Vermont resident with whom it does not have a direct relationship. “Brokered personal information” includes an individual’s name, address, date of birth, place of birth, mother’s maiden name, unique biometric data, identification numbers, and any other information that would allow a reasonable person to identify the consumer with reasonable certainty.
Under the statute, data brokers are required to:
- Annually register with the Secretary of State and pay a registration fee of $100.00.
- Annually disclose to the Vermont Attorney General information regarding their practices related to the collection, storage or sale of brokered personal information. Data brokers also must annually disclose their practices for allowing consumers to opt out of the collection, storage or sale of the consumers’ personal information. Further, the law requires data brokers to annually report the number of data breaches experienced during the prior year and, if known, the total number of consumers affected by the breaches. Additional disclosure requirements apply to a data broker’s practices for collecting brokered personal information as it relates to minors. Importantly, the law does not require data brokers to offer consumers the ability to opt out.
- Implement and maintain a written, comprehensive information security program that contains appropriate physical, technical and administrative safeguards designed to protect consumers’ personal information.
The law also eliminates fees associated with a consumer placing or lifting a security freeze. A violation of the law could be considered an unfair and deceptive act in commerce in violation of Vermont’s consumer protection law.
In 2014, the Federal Trade Commission (“FTC”) released the results of an in-depth inquiry into the practices of data brokers. At the conclusion of this inquiry, the FTC recommended that Congress enact legislation requiring data brokers to provide consumers access to their data in reasonable detail and the ability to control whether or not it is shared for marketing purposes. Though Congress did not enact any legislation in response to the FTC recommendation, the Equifax data breach in 2017 brought renewed attention to data brokers, leading to the Vermont legislation. Given that Congress has been slow to regulate data brokers, it is expected that other states will follow Vermont’s lead on the issue.