Vermont’s recent data broker legislation mandates that registration must take place prior to January 31, 2019.
The law defines a “data broker” as a business that “knowingly collects and sells or licenses to third parties the brokered personal information of a consumer with whom the business does not have a direct relationship.” Data brokers must maintain a record of “data broker breaches” and provide such information, as well as information about business operations, on an annual basis to the state as part of a new registration process.
Data brokers – businesses that aggregate data on individuals and sell or license it – will now have to set forth how they permit individuals to opt out of having information collected, stored or disseminated. Data brokers will also have to, without limitation, develop and maintain comprehensive information security programs, train employees on computer security, and encrypt transmitted records containing personal data sent across public networks.
Data broker breaches are defined more broadly than just “personal information.” For broker breaches, personal information also includes name, address, date of birth, place of birth, mother’s maiden name, and name or address of family members. The “broker breach” definition (i.e., when there is a duty to notify the state) imposes notice obligations when there is an unauthorized acquisition. It does, however, contain encryption and good faith exceptions.
Takeaway: Marketers must bear in mind that the law’s disclosure requirements for data brokers lay the foundation for a “deceptive act.” The law requires notifying the state about a broader category of data breaches than what currently exists under the general breach notice obligations. Data brokers must register with the state by the end of January, and national brokers should assume that they hold Vermonters’ data.
Informational purposes only. Not legal advice.