In the Data Business? You May Be Obligated to Register in Vermont by Thursday

Data brokers have until this Thursday to register with the Vermont Secretary of State as part of a new data broker oversight law that became effective January 1st.

Approved unanimously by the Vermont Senate last May, the Vermont Data Broker Regulation, Act 171 of 2018, requires data brokers to register annually, pay an annual filing fee of $100, and maintain minimum data security standards, but the law does not prevent data brokers from collecting or selling consumer data.

What Qualifies as a “Data Broker”?

The law only applies to “data broker[s],” defined as a “business, or unit or units of a business, separately or together, that knowingly collects and sells or licenses to third parties the brokered personal information of a consumer with whom the business does not have a direct relationship.”

Guidance from the Vermont Attorney General issued last month provides four criteria for determining if your business is a data broker:

1. Does the business have a direct relationship with the consumers whose data is at issue? If yes, the law does not apply.

The law is aimed at monitoring practices by businesses that buy and sell data about consumers without offering services to those consumers. Thus, Vermont’s law does not apply when there is a direct relationship with the consumer. For example, a retailer that sells information about its customers is not a data broker under the law, because the retailer has a direct relationship with its customers.

2. Is the consumer data about Vermont residents? If no, the law does not apply.

The data broker law only applies to data about consumers residing in Vermont.

3. Does the business collect and sell or license the data? If no, the law does not apply.

For the law to apply, there must be both collection and sale or licensure of data. If a company collects data for its own use, it is not a data broker. Also, if a company uses a third party to process data for the company’s own purposes, the company is not acting as a data broker. Selling or licensing activities that are “merely incidental to the business” also do not count for purposes of this law. It is only when a company collects and then sells or licenses the data that the company is deemed to be a data broker.

4. Does the data meet the criteria for “brokered personal information?” If no, the law does not apply.

Only brokered personal information is subject to this law. To be eligible, the data must be (a) computerized, (b) categorized or organized for dissemination to third parties, and (c) include a name, address, data of birth, place of birth, mother’s maiden name, biometric information, name or address of a family member, social security number, or government-issued identification number.

Are there Exemptions?

Yes, certain activities are exempt from the data broker law, such as: (a) developing or maintaining a third-party e-commerce or application platform, (b) providing 411 directory assistance services, (c) providing publicly-available information related to a consumer’s business or profession, or (d) providing publicly-available, real-time alerts for health or safety purposes.

What are Data Broker Compliance Obligations?

Data brokers must annually register with the Vermont Secretary of State. In the registration statement, a data broker must disclose information about consumer opt-out options, purchaser credentialing processes, the number of data breaches that took place in the prior year, and whether the data broker possesses information about minors.

Additionally, data brokers are required to comply with minimum data security standards to protect consumer data. The law requires data brokers to develop a comprehensive, written information security program with appropriate administrative, technical, and physical safeguards that conform to the requirements specified in the law.

The law also makes it illegal for anyone – whether or not a data broker – to acquire brokered personal information through fraudulent means, or to acquire such information for purposes of stalking, harassment, fraud, or discrimination.

Enforcement of Violations

Failure to comply with minimum data security standards; acquisition of brokered personal information through fraudulent means; and acquisition of brokered personal information for prohibited purposes are all considered to be “unfair and deceptive act[s] in commerce” prohibited by Vermont consumer protection law. Vermont law permits the Attorney General and individual consumers to enforce this law through legal action.

When is the Deadline to Register?

Companies who met the definition of a “data broker” in 2018 are obligated to register with the Vermont Secretary of State by January 31, 2019 to avoid a penalty of $50 per day, up to a maximum of $10,000 per year.