There has been shortage of blog posts since May 2018 discussing Vermont’s groundbreaking data broker disclosure and security legislation. The law is the first data broker-specific legislation in the nation.
As drafted, lead aggregators and other such intermediaries appear to be within the purview of the legislation.
The legislation regulates data brokers that buy and sell personal information. The law defines “data broker” and “brokered personal information” broadly.
With regard to the former, a data broker is defined as “a business, or unit or units of a business, separately or together, that knowingly collects and sells or licenses to third-parties the brokered personal information of a consumer with whom the business does not have a direct relationship.”
“Brokered personal information” is means one or more of the following computerized data elements about a consumer, if categorized or organized for dissemination to third-parties:
- Date of birth;
- Place of birth;
- Mother’s maiden name;
- Biometric data (e.g., fingerprints, retina images, etc.);
- Name or address of immediate family;
- SSN; or
- Other information that, alone or in combination with the other information sold or licensed, would allow a reasonable person to identify the consumer.
The law requires such data brokers to register annually with the Vermont Attorney General. It also obligates covered entities to disclose prior data breaches, and information pertaining to data collection, use and dissemination to third-parties. The law requires disclosure of opt-out protocols and whether data brokers utilize a purchaser/licensee credentialing process.
Additionally and not dissimilar to the recently enacted Colorado cybersecurity legislation, the Vermont law also requires data brokers to design and implement appropriate written information security programs. Employees should be trained and designated to maintain such programs. Risk assessments should be conducted regularly. There are also computer system security requirements that align with Federal Trade Commission recommendations.
The law is already effective, with the exception of the registration and data security obligations which become effective in January 2019. Importantly, the failure to comply with Vermont’s data broker legislation shall be considered an unfair and deceptive act. Investigations and enforcement actions can be initiated by the Vermont Attorney General or by a private citizen pursuant to the state’s consumer protection laws.
Vermont’s new legislation also includes provisions pertaining to credit report security freezes.
Takeaway: State-specific and international online privacy-related legislation is proliferating at a rapid pace. The federal government is presently contemplating its own data privacy legislation. Marketers in consumer data-centric businesses should become familiar with applicable cybersecurity legislation, the differing statutory definitions of key terms and whether the information that it collects triggers legal obligations. Time will tell how aggressive the Vermont Attorney General will enforce the new law and who it is enforced against.
Richard Newman is a member of the International Association of Privacy Professionals. Contact the author at firstname.lastname@example.org to discuss data privacy and written information security program compliance, including Vermont’s data broker provisions.
Informational purposes only. Not legal advice. Previous case results do not guarantee similar future result. Advertising Material