The Applicability of Vermont’s Data Broker Law to the Lead Generation Industry

By Richard NewmanAugust 1, 2018

There has been shortage of blog posts since May 2018 discussing Vermont’s groundbreaking data broker disclosure and security legislation. The law is the first data broker-specific legislation in the nation.

As drafted, lead aggregators and other such intermediaries appear to be within the purview of the legislation.

The legislation regulates data brokers that buy and sell personal information. The law defines “data broker” and “brokered personal information” broadly.

With regard to the former, a data broker is defined as “a business, or unit or units of a business, separately or together, that knowingly collects and sells or licenses to third-parties the brokered personal information of a consumer with whom the business does not have a direct relationship.”

“Brokered personal information” is means one or more of the following computerized data elements about a consumer, if categorized or organized for dissemination to third-parties:

  • Name;
  • Address;
  • Date of birth;
  • Place of birth;
  • Mother’s maiden name;
  • Biometric data (e.g., fingerprints, retina images, etc.);
  • Name or address of immediate family;
  • SSN; or
  • Other information that, alone or in combination with the other information sold or licensed, would allow a reasonable person to identify the consumer.

The law requires such data brokers to register annually with the Vermont Attorney General. It also obligates covered entities to disclose prior data breaches, and information pertaining to data collection, use and dissemination to third-parties. The law requires disclosure of opt-out protocols and whether data brokers utilize a purchaser/licensee credentialing process.

Additionally and not dissimilar to the recently enacted Colorado cybersecurity legislation, the Vermont law also requires data brokers to design and implement appropriate written information security programs. Employees should be trained and designated to maintain such programs. Risk assessments should be conducted regularly. There are also computer system security requirements that align with Federal Trade Commission recommendations.

The law is already effective, with the exception of the registration and data security obligations which become effective in January 2019. Importantly, the failure to comply with Vermont’s data broker legislation shall be considered an unfair and deceptive act. Investigations and enforcement actions can be initiated by the Vermont Attorney General or by a private citizen pursuant to the state’s consumer protection laws.

Vermont’s new legislation also includes provisions pertaining to credit report security freezes.

Takeaway: State-specific and international online privacy-related legislation is proliferating at a rapid pace. The federal government is presently contemplating its own data privacy legislation. Marketers in consumer data-centric businesses should become familiar with applicable cybersecurity legislation, the differing statutory definitions of key terms and whether the information that it collects triggers legal obligations. Time will tell how aggressive the Vermont Attorney General will enforce the new law and who it is enforced against. 

Richard Newman is a member of the International Association of Privacy Professionals. Contact the author at rnewman@hinchnewman.com to discuss data privacy and written information security program compliance, including Vermont’s data broker provisions.

Informational purposes only. Not legal advice. Previous case results do not guarantee similar future result.  Advertising Material

Other Stories You Might Like

How to Tackle Lead Generation: Tips From Top Agency Marketers
October 17, 2018, 8:00 am

The 4 Stages of Retargeting Emotion for Consumers
October 16, 2018, 8:00 am

FCC Seeks Public Comment On TCPA’s Autodialer Definition After Ninth Circuit Decision
October 15, 2018, 8:00 am

8 Effective Ways to Drive Ecommerce Lead Generation
October 11, 2018, 8:00 am

My Chat Bot Adventure (with Insights into Automating Lead Gen)
October 10, 2018, 8:00 am

Why 82% Of Lenders Think They’re More Innovative Than They Are
October 9, 2018, 8:00 am

How To Accelerate Revenue By Rethinking Your Lead Distribution Strategy
October 4, 2018, 8:00 am

Your Short Guide to Measuring Social Media ROI
October 2, 2018, 8:00 am

Despite Powerful Allies, Problems Persist In For-Profit Education
September 26, 2018, 8:00 am

Using Lateral Thinking in Your Marketing to Ignite Growth
September 25, 2018, 12:00 pm

© 2018 Access Intelligence, LLC – All Rights Reserved. ||