On May 22, Vermont passed the nation’s most expansive data broker legislation in an effort to provide consumers with more information about data brokers, their data collection practices, and consumers’ right to opt out.

The legislation, which in part takes effect on January 1, 2019, defines “data brokers” to mean “a business … that knowingly collects and sells or licenses to third parties the brokered personal information of a consumer with whom the business does not have a direct relationship.” While this definition appears to be broad in scope, the controlling test to determine whether a business is a “data broker” is whether the sale or license of data is merely incidental to the business. If the sale or license of data is merely incidental, the business would likely not be considered a data broker.

The legislation takes note of the fact that there are important differences between data brokers and businesses with whom consumers have a direct relationship. Specifically, it finds that consumers who have a direct relationship with traditional and e-commerce businesses typically have some level of knowledge and control over the businesses’ data collection practices, including the choice to use the businesses’ products or services and the ability to opt out of certain data collection practices. By contrast, however, consumers may not be aware that data brokers are collecting information about them or that they even exist. As such, the new law aims to provide consumers with necessary information about data brokers, including information about their data collection activities, opt-out policies, purchaser credentialing practices, and security breaches.

Once the enacted legislation goes into effect, data brokers will be required to:

1. Annually register with the Secretary of State and pay a registration fee of $100.00. Notably, registration would only be required if, in the prior year, the data broker collected and licensed or sold to a third party the personal information of a Vermont consumer.

2. Annually disclose the following information about its data collection practices:

a. Whether the data broker permits a consumer to opt out of the data broker’s collection of brokered personal information, opt out of its databases, or opt out of certain sales of data;

b. A statement specifying the data collection, databases, or sales activities from which a consumer may not opt out;

c. A statement whether the data broker implements a purchaser credentialing process;

d. The number of data security breaches experienced during the previous year, and if known, the total number of consumers affected by the breaches; and

e. The data broker’s collection practices as it relates to minors.

3. Develop, implement, and maintain a comprehensive information security program that contains administrative, technical, and physical safeguards appropriate for the size, scope, and type of business of the data broker. Notably, a violation of the legislation’s information security requirements will constitute an “unfair and deceptive act” for which the Attorney General is authorized to bring an enforcement action.

Attorney General T.J. Donovan applauded lawmakers for the passage of the law and stated that “the state has a strong public safety interest in transparency, data security, and consumer protection generally with respect to commercial interests that elect to engage in the business of buying and selling consumer data without the consumer’s knowledge.” And while “transparency of information is great when it comes to government,” said Vermont Secretary of State Jim Condos, it is not “for individuals and their personal information.”