The First Data Broker Law
Vermont is the first state to enact a law that will regulate data brokers that aggregate and sell data about consumers. The driving impetus of the legislation is to provide consumers with more information about the collection of their data and to protect consumers from data theft. Vermont made a point of distinguishing data brokers from other types of businesses that collect information about their customers and that distinction hinges on having a direct relationship with the consumer. “Data broker means a business, or unit or units of a business, separately or together, that knowingly collects and sells or licenses to third parties the brokered personal information of a consumer with whom the business does not have a direct relationship,” according to the legislation.
It should be noted that the law includes a fairly broad definition of “brokered personal information”. “Brokered personal information” includes many of the data types commonly protected under federal and state law, such as name, address, Social Security Number and government-issued identification numbers. However, the law also applies to data types such as date of birth, place of birth, mother’s maiden name, biometric data that can be used to identify or authenticate an individual, and the name or address of any member of a person’s immediate family or household.
Companies that meet the data broker definition will have to register with the State Attorney General annually and pay a $100 fee. The state will require data brokers to provide information about their data collection activities, opt-out policies, purchaser credentialing practices, and security breaches, and to protect consumers against security breaches by implementing a comprehensive information security program.
While data brokers are not mandated to offer consumers the ability to opt out, data brokers must provide the state with their opt-out policies and procedures, including how consumers can opt out, which activities and sales the opt-out applies to, whether data brokers permit a third party to opt out on the consumer’s behalf, and a list of data collection, databases, or sales activities from which a consumer may not opt out.
In addition to providing information about opting out, data brokers must also notify the state of the number of data broker security breaches that the data broker has experienced during the prior year, and if known, the total number of consumers affected by the breaches. Data brokers must disclose if they possess brokered personal information of minors and provide a separate statement detailing the data collection practices, databases, sales activities, and opt-out policies that are applicable to the brokered personal information of minors.
In an effort to prevent data breaches that compromise the sensitive personal information of billions of consumers, Vermont will also require data brokers to adopt an information security program with appropriate administrative, technical, and physical safeguards to protect sensitive personal information. The law enumerates several specific requirements of the information security program that are substantially similar to the requirements of the Massachusetts data security regulations, 201 CMR 17.00.
Finally, the Vermont legislature has taken steps to significantly reduce the burden of implementing security freezes with credit reporting agencies. The law also forbids credit reporting agencies from charging consumers a fee to place or remove freezes on their credit reports in an attempt to protect their data. In addition, the law instructs the Vermont Attorney General to investigate further ways to reduce the burden of placing and lifting security freezes, including allowing consumers to place a freeze with one national credit reporting agency and requiring that agency to initiate a freeze with other credit reporting agencies.
Only time will tell if other states will follow Vermont’s lead, but it is quite possible that Vermont will ignite a trend. Data brokers should take note and be ready to adapt their practices to avoid fines and litigation.