On May 22, 2018, the State of Vermont enacted the country’s first law of its kind: a regulatory scheme governing data brokers. Data brokers search for and collect consumer data points from multiple sources and sell that information to service providers, such as marketing companies, political campaigns, and credit reporting agencies. In enacting House Bill Number 764 (the “Data Broker Law”), the Vermont Legislature expressed its intention to give consumers more information about data brokers and their respective collection practices, to inform consumers of any right to opt out of data collection, and to ensure that data brokers have implemented adequate security measures.
What Obligations do Data Brokers have under Vermont’s Data Broker Law?
Vermont adopted what its Legislature described as a narrowly tailored definition of “data broker,” namely “a business, or unit or units of a business, separately or together, that knowingly collects and sells or licenses to third parties the brokered personal information of a consumer with whom the business does not have a direct relationship.” Businesses that satisfy the definition of a data broker have until January 31, 2019 to register with the Vermont Secretary of State and pay a registration fee of one hundred dollars. A data broker that fails to register is subject to a civil penalty of fifty dollars per day, not to exceed ten thousand dollars for each year that it remains unregistered (in addition to any other fees and penalties that may be imposed by law).
The Data Broker Law does not require a data broker to permit a consumer to opt out of the data broker’s collection and sale of brokered personal information. If a data broker does not offer an opt-out for some or all of its activities, however, it must provide a statement to the Vermont Secretary of State specifying the data collection, databases, or sales activities from which a consumer may not opt out. If a data broker does offer opt-out options, it must provide to the Vermont Secretary of State: (1) the method for requesting an opt-out; (2) if the opt-out applies only to certain activities or sales, a description of which ones; and (3) whether the data broker permits consumers to authorize a third party to perform the opt-out on their behalf.
Additional provisions of the Data Broker Law require data brokers to maintain comprehensive information security programs with appropriate safeguards to protect sensitive personal information. The minimum information security requirements imposed by the Data Broker Law include: (1) designating one or more employees to maintain the company’s security program; and (2) employing secure user authentication protocols, secure access control measures, encryption of information, and firewall and malware protections.
The foregoing aspects of the Data Broker Law do not take effect until January 1, 2019.
Data Brokers: Proceed with Caution
We have previously blogged about privacy and data security law enactments and various other statutory and regulatory matters affecting this sector. Other states may soon follow Vermont in regulating consumer data collection and information security practices. Against this backdrop, privacy and data security compliance are of paramount importance. Companies operating in the data broker space should therefore retain qualified legal counsel to help navigate the existing and emerging issues presented by applicable state and federal law.