Recently, Vermont became the first state to enact legislation that regulates data brokers who buy and sell personal information. Under the new law, data brokers in Vermont will now have to register with the state, adopt standard security measures, and provide information to the state regarding their data collection practices. The law was passed in response to reported risks associated with the widespread aggregation and sale of data about consumers, and is intended to provide consumers with more information about data brokers and their data collection practices.

Who Does the Law Apply To?

 A “data broker” is defined under the law as “a business or unit/s of a business, separately or together, that knowingly collects and sells or licenses to third parties the brokered personal information of a consumer with whom the business does not have a direct relationship.” Personal information in this context is defined broadly, and includes one or more computerized data element such as name, address, date or place of birth, mother’s maiden name, biometric data, as well as “other information that, alone or in combination with the other information sold or licensed, would allow a reasonable person to identify the consumer (with reasonable certainty) to a third party.” Importantly, the law does not apply to businesses that collect data in the course of providing a consumer-facing product or service, such as websites, apps, or e-commerce platforms.

What Are the Law’s Requirements?

The law imposes three main requirements on data brokers:

  • Prohibitions on Use. Data brokers may not acquire personal information by fraudulent means, and may not use personal information for the purposes of stalking or harassment, committing fraud, or to engage in unlawful discrimination.
  • Registration and Disclosures. Data brokers must pay $100 and register annually with the Vermont Secretary of State. Upon registration, data brokers must also provide information on whether and how consumers can opt out of the broker’s data collection, databases, or certain sales of data; whether the broker implements a purchaser credentialing process; the number of security breaches the broker experienced during the prior year and the number of consumers affected; and a statement detailing the data collection practices applicable to the personal information of minors.
  • Information Security Requirements. Data brokers must develop, implement, and maintain a comprehensive information security program that contains appropriate administrative, technical, and physical safeguards. The law specifically requires a number of minimum features, such as ongoing employee training, a means for detecting and preventing security system failures, security policies, disciplinary measures for violations, and supervision of service providers.

When Does the Law Take Effect?

Data brokers will have until January 1, 2019 to comply with the annual registration and information security requirements. Enforcement of the law is regulated by the Vermont Attorney General’s Office and violations may result in civil penalties and appropriate injunctive relief. A private right of action is not provided.

While this bill is the first of its kind, it may not be the last. With increased scrutiny on the buying and selling of personal information, and increased interest in consumer privacy, we may see greater attention to the regulation of data brokers in the future.