Effective January 1, 2019, a new Vermont law imposes data security and annual disclosure obligations on data brokerage companies (e.g., Acxiom, Experian, Epsilon). The law requires data brokers to register annually with the Vermont Attorney General and pay an annual registration fee. Data brokers must disclose annually to the State Attorney General, among other things, information regarding practices related to the collection, storage and sale of personal information, applicable opt-out practices (if any), and the number of data breaches experienced during the prior year along with the the total number of consumers affected by such breaches (if known). The law further requires data brokers to develop, implement, and maintain a written comprehensive information security program. Importantly, the law does not require data brokers to offer consumers the ability to opt out. However, there are additional requirements if the data broker knowingly possesses personal information of minors. Failure to comply with the new law could be considered an unfair and deceptive act in commerce in violation of Vermont’s consumer protection law.

TAKEAWAY: Advertisers should routinely review their agreements with data brokers in order to ensure they are complying with this new Vermont law, including the registration and disclosure requirements.