Discerning Data

A Faegre Drinker Blog Covering the Latest in Privacy, Cybersecurity and Data Strategy

Vermont First State to Pass Data Broker Law

Vermont lawmakers recently passed a first-of-its-kind data broker law, which protects consumers from credit freeze fees and data fraud and clarifies data security requirements.

The new law defines a data broker as: “a business, or unit or units of a business, separately or together, that knowingly collects and sells or licenses to third parties the brokered personal information of a consumer with whom the business does not have a direct relationship.”

The Vermont Data Broker Law requires that data brokers:

• register annually with the Secretary of State.
• incorporate standard security measures in handling their personally identifiable information.
• notify authorities of security breaches.
• eliminate fees associated with initiating or lifting credit freezes. Note: The Economic Growth, Regulatory Relief and Consumer Protection Act signed by President Trump on May 24 also includes a provision that eliminates fees associated with initiating or lifting credit freezes.

The law refers to “Brokered PI,” which is broader than the definition of personally identifiable information (PII) that is the subject of the law’s information security program requirements. Brokered PI includes one or more elements such as name, address, place of birth, mother’s maiden name, biometric authentication data, contact information of immediate family members, Social Security numbers or other government identification numbers, or “other information that, alone or in combination with the other information sold or licensed, should allow a reasonable person to identify the consumer with reasonable certainty.”

When registering with the Secretary of State, data brokers are required to disclose whether and what activities consumers can opt out of with respect to the collection of brokered personal information (PI) and the method for doing so. In addition, the registration must include a statement on whether the data broker implements a purchaser credentialing process, the number of security breaches the broker has experienced in the last year, whether it has actual knowledge that it possesses brokered PI relating to minors, and any additional information or explanation the data broker chooses to provide concerning its data collection practices. It is expected that consumers and regulators will be able to access this registry.

The law requires that data brokers develop, implement and maintain a comprehensive written information security program appropriate to the size, scope and type of business, and adopt safeguards that are consistent with the safeguards for personally identifiable information. The minimum features of an information security program specified by the law include the designation of one or more employees to maintain the program; identification and assessment of reasonably foreseeable internal and external risks to the security of the PII; employee training; supervision of service providers; reasonable access restriction; regular monitoring; and upgrading information safeguards to limit risks. The law also imposes a number of specific requirements relating to authentication protocols, encryption of PII stored on laptops or other portable devices, and other measures to ensure security of the networks.

In addition to the disclosures required in the registration process, the law allows consumers to request and obtain specific information from credit reporting agencies, including the names of users requesting their information in the last 12 months.

The effective date relating to data brokers (registration and data security obligations) is January 1, 2019. The other provisions will take effect immediately.

The Attorney General has authority to enforce the law and adopt rules to implement the law.

Finally, the law requires that the Attorney General file a report on or before January 15, 2019 with respect to whether additional legislative and regulatory approaches are necessary to protect the data security and privacy of Vermont consumers including whether to create or designate a Chief Privacy Officer and whether to expand or reduce the scope of regulation to businesses with direct relationships to consumers.

In a press statement, Attorney General TJ Donovan said that “Vermonters care about their privacy” and commented that the law “not only saves them money, but it gives them information and tools to help them keep their personal information secure.” In 2017, AG Donovan convened a working group in partnership with the Department of Financial Regulation that issued a report with a menu of options for the legislature to consider. The new law incorporated some of those recommendations.

June 4, 2018
Written by: Discerning Data Editorial Board
Category: Privacy
Tags: Attorney General, consumers, data broker, data broker law, data fraud, personal information, personally identifiable information, PI, PII, privacy, registry, security, security breach, Vermont
