Vermont's recently enacted data broker privacy law (H.764) is the first of its kind in the United States. Its aim is to regulate businesses that collect, aggregate, and sell data about consumers with whom the business does not have a relationship. Businesses that collect, share, or sell their own consumers' data are not affected by this law, so long as they have a direct business relationship with those consumers.
The law becomes effective January 1, 2019.
Why is the VT data broker privacy law significant?
Beyond the direct regulatory implications for affected businesses (key points summarized below), the VT data broker privacy law is the latest in an expanding array of state laws that regulate privacy and data security. By way of a quick and non-exhaustive list of examples, there now are literally hundreds of state privacy and data security laws with their own definitions and scope, and covering a divergent array of issues such as: (i) limitations on printing Social Security Numbers, (ii) content requirements for privacy statements, (iii) restrictions on text messaging, (iv) content and choice requirements for marketing, (v) restrictions on data collections at points of sale, (vi) data portability and access obligations, (vii) limits on utilization of particular technologies for authentication, such as biometrics, (viii) limits on the usage of security cameras, (ix) secure disposal requirements, and (x) data breach notification duties. The list goes on.
In the past, there has been federal pre-emption when the patchwork of state laws has become unworkable. For example, the proliferation of a wide variety of state laws on electronic signatures were ultimately pre-empted by the federal E-SIGN Act. Similarly, the array of state laws on email marketing were pre-empted by the CAN SPAM Act. A close examination of the market conditions on state privacy and security laws suggest that we are at (or past) a tipping point where pre-emption of state privacy and data security laws would be helpful.
How is data broker defined?
The law defines a data broker as a business that "knowingly collects and sells or licenses to third parties the brokered personal information of a consumer with whom the business does not have a direct relationship."
A consumer is defined as an individual residing in Vermont. Given that the law does not have any specific jurisdictional provisions, presumably it is intended to apply whenever a data broker collects data about Vermont residents, regardless of where the business is established.
Brokered personal information includes any of the following data elements, if computerized and organized/categorized for dissemination to third parties: name, address, date of birth, place of birth, mother's maiden name, unique biometric data, name or address of an immediate family member, Social Security Number or other government-issued ID number, and any other information that, alone or in combination with the other information sold or licensed, would allow a reasonable person to identify an individual with reasonable certainty.
Notably, a data broker is not a business that develops or maintains third-party e-commerce or application platforms, provides publicly available information related to a consumer's business or profession, or provides publicly available information in real-time or near-real-time for the purpose of health or safety alerts.
What qualifies as a business relationship?
Any of the following types of individuals can qualify as a consumer having a business relationship with a private entity:
- a customer, client, subscriber, or user of the business's goods or services
- an employee, contractor, or agent of the business
- an investor in the business
- a donor to the business
The law applies to the extent the consumer is a resident of the State of Vermont.
What obligations are imposed on data brokers?
Data brokers are forbidden from acquiring brokered personally identifiable information ("PI") by fraudulent means, as well as using the PI in order to harass, stalk, commit fraud, or engage in unlawful discrimination (including in the context of employment and housing).
Data brokers must disclose their practices to consumers by providing them with contact information, giving them the opportunity to opt out of data collection, and disclosing if they've experienced recent security breaches.
Data brokers must register annually with the Vermont Secretary of State, pay a registration fee, and provide detailed information about their activities. Failure to register may result in civil penalties of $50 for each day, not to exceed $10,000 for each year.
Data brokers have heightened obligations to protect PI, including the duty to develop, implement, and maintain a comprehensive security program that contains administrative, technical, and physical safeguards to safeguard the PI in its possession. The requirements for the security program are similar to those mandated by the Gramm-Leach-Bliley Act or the Health Insurance Portability and Accountability Act and must include, among others:
- assessment of reasonably foreseeable internal and external risks to the PI in the data broker's possession
- security policies for employees, including disciplinary measures for violations
- supervision of service providers
- restrictions on access to PI
- policies and procedures in the event of security incidents
- continuous review, revisions, and updates to the security program
- secure authentication protocols and access control measures
- up-to-date security measures, such as encryption of PI and overall protection of security systems
Finally, data brokers are required to make annual disclosures to the State Attorney General, detailing their practices related to data brokering.
What are the penalties?
Violations of the law are considered unfair and deceptive acts under Vermont law, such that the Vermont Attorney General has the authority to conduct civil investigations, bring civil actions, and take other enforcement actions allowed by the law against the data broker.