The Applicability of Vermont’s Data Broker Law to the Lead Generation Industry

By Richard Newman, August 1, 2018

There has been no shortage of blog posts since May 2018 discussing Vermont’s groundbreaking data broker disclosure and security legislation. The law is the first data broker-specific legislation in the nation.

As drafted, lead aggregators and other such intermediaries appear to be within the purview of the legislation.

The legislation regulates data brokers that buy and sell personal information. The law defines “data broker” and “brokered personal information” broadly.

With regard to the former, a data broker is defined as “a business, or unit or units of a business, separately or together, that knowingly collects and sells or licenses to third-parties the brokered personal information of a consumer with whom the business does not have a direct relationship.”

“Brokered personal information” means one or more of the following computerized data elements about a consumer, if categorized or organized for dissemination to third-parties:

  • Name;
  • Address;
  • Date of birth;
  • Place of birth;
  • Mother’s maiden name;
  • Biometric data (e.g., fingerprints, retina images, etc.);
  • Name or address of immediate family;
  • SSN; or
  • Other information that, alone or in combination with the other information sold or licensed, would allow a reasonable person to identify the consumer.

The law requires such data brokers to register annually with the Vermont Attorney General. It also obligates covered entities to disclose prior data breaches, and information pertaining to data collection, use and dissemination to third-parties. The law requires disclosure of opt-out protocols and whether data brokers utilize a purchaser/licensee credentialing process.

Additionally, and not unlike the recently enacted Colorado cybersecurity legislation, the Vermont law also requires data brokers to design and implement appropriate written information security programs. Employees should be trained and designated to maintain such programs. Risk assessments should be conducted regularly. There are also computer system security requirements that align with Federal Trade Commission recommendations.

The law is already effective, with the exception of the registration and data security obligations, which become effective in January 2019. Importantly, the failure to comply with Vermont’s data broker legislation shall be considered an unfair and deceptive act. Investigations and enforcement actions can be initiated by the Vermont Attorney General or by a private citizen pursuant to the state’s consumer protection laws.

Vermont’s new legislation also includes provisions pertaining to credit report security freezes.

Takeaway: State-specific and international online privacy-related legislation is proliferating at a rapid pace. The federal government is presently contemplating its own data privacy legislation. Marketers in consumer data-centric businesses should become familiar with applicable cybersecurity legislation, the differing statutory definitions of key terms and whether the information that they collect triggers legal obligations. Time will tell how aggressively the Vermont Attorney General will enforce the new law and against whom it is enforced.

Richard Newman is a member of the International Association of Privacy Professionals. Contact the author at rnewman@hinchnewman.com to discuss data privacy and written information security program compliance, including Vermont’s data broker provisions.

Informational purposes only. Not legal advice. Previous case results do not guarantee similar future results. Advertising Material.
