On May 22, 2018, Vermont passed the first law in the United States regulating data brokers. The new law provides greater protection for Vermont consumers by increasing their access to information about data brokers and further securing brokered information.

Starting January 1, 2019, any business that collects and sells or licenses brokered personal information to third parties about consumers with whom it lacks a direct relationship will be required to register as a data broker with the Secretary of State. The annual registration process entails several disclosures, such as the broker’s opt-out procedures, credential requirements for its purchasers, and the number of breaches experienced within the last year.

The law also directs data brokers to “develop, implement, and maintain a comprehensive information security program.” This security program must meet specific minimum standards that seek to safeguard consumers’ personally identifiable information.

Implementation and enforcement of the law lie with the Vermont Attorney General, who may pursue civil penalties and injunctive relief for failure to comply. In addition, any violation of the security program provisions constitutes an unfair and deceptive act. The law provides that, in addition to suits filed by the AG, consumers will have private causes of action.

TIP: Data brokers should begin implementing an information security program that fits the new law’s minimum requirements. They should also be prepared for more states to follow Vermont’s example.