The Vermont Act 171 of 2018 Data Broker Regulation, how to comply?

The Vermont Act 171 of 2018 Data Broker Regulation or the Vermont Data Broker Regulation for short is a data privacy law that was passed in Vermont in 2018. Under the law, data brokers within the state of Vermont must adhere to a variety of requirements when processing the “brokered personal information” or BPI of Vermont residents. Under the Vermont Data Broker Regulation, “BPI” is defined as “one or more of such data types as “name, address, date of birth, place of birth, mother’s maiden name, unique biometric data, name or address of a member of the consumer’s immediate family or household, SSN or government-issued ID”, or “other information that, alone or in combination with other information sold or licensed, would allow a reasonable person to identify the consumer with reasonable certainty.”

What’s more, despite the fact that BPI covers so many different forms of personal information, the Vermont Data Broker Regulation does contain certain limitations. These limitations include:

• BPI must be digitized at all times, information that is solely in paper form does not constitute BPI under the law.
• BPI must be organized, categorized, and prepared for use by third parties.
• BPI does not include publicly available information in the context of information that is related to a specific business or profession.

How is the term “data broker” defined under the Vermont Data Broker Regulation and what are the requirements of data brokers under the law?

Under the Vermont Data Broker Regulation, the term “data broker” is defined as “a business, or unit or units of a business, separately or together, that knowingly collects and sells or licenses to third parties the brokered personal information of a consumer with whom the business does not have a direct relationship”. Examples of a direct business relationship in relation to the Vermont Data Broker Regulation include a customer and client relationship, a subscriber and user relationship, and an employee and contractor relationship, among a host of others. Under the law, data brokers must adhere to the following requirements when collecting the BPI of Vermont residents:

• Register with the Vermont Secretary of State Annually and provide the following forms of information. A contact to whom acknowledgement that said information has been received can be provided, the name and primary physical, internet, and email address of the particular data broker, if the data broker permits consumers to opt out of said data brokers collection of BPI, databases, or certain sales of data, the method consumers can use when requesting an opt-out, if the opt-out only applies to certain activities or sales of data, which ones, whether a particular data broker permits a consumer to authorize a third party to perform an opt-out on a consumers behalf, a statement specifying the data collection, sales activities, or databases from which a consumer is not permitted to opt out from, a statement specifying whether a particular data broker utilizes a purchaser credentialing process, the number of data broker security breaches that a data broker has experienced during the prior calendar year, and if know, the total number of consumers affected by said breaches, whether a data broker has actual knowledge that is posses the BPI of minors, including a separate statement in regards to the data collection practices, sales activities, databases, and opt-out policies that are applicable to minors, and any additional information relating to a data brokers data collection practices.
• Maintain certain data security standards. All data brokers are responsible for maintaining reasonable data security standards. Furthermore, data brokers who collect personally identifiable information or PII in addition to BPI are required to adhere to a variety of standards. Some of these standards include developing, implementing, and maintaining a comprehensive security program that is in writing, designation of one or more employees to maintain said security program, performance of a risk assessment, the training of employees, including temporary and contractual employees, tracking employee compliance with specific procedures and policies, having a mean for both detecting and preventing security system failures, having security policies for employees relating to the access, storage, and transportation of PII outside of business premises, having disciplinary procedures in place for violations of program rules, having measures in place to prevent terminated employees from accessing the PII of consumers, restricting of physical access to PII, the supervision of service providers, monitoring and upgrade of said security standards as needed, reviewing the scope of of the security measures at least annually or whenever there is a material change in business practices that might impact security of PII, and documenting responsive actions taken in connection with security breaches and review such incidents to determine whether practices should change.

In contrast to other state privacy laws around the country, the Vermont Data Broker Regulation does not require data brokers to provide Vermont consumers with the ability to opt-out of the collection, storage, and sale of their personal information. Additionally, business entities and organizations that may not be physically located within the state of Vermont but are nonetheless registered to do business within the state must also be in compliance with the law.

What are the penalties for violating the Vermont Data Broker Regulation?

Data brokers who are found to be in violation of the Vermont Data Broker Regulation are also considered to be in violation of Vermont’s Consumer Protection Act. In accordance with both laws, penalties for violation can include monetary fines of up to $10,000 per violation, in addition to other forms of relief. Moreover, Vermont consumers are also permitted to bring a private right of action against data brokers in relation to violations of the law, including injunctive relief, damages, and associated costs such as court and attorney fees. Alternatively, the Vermont Data Broker Regulation does not carry any criminal penalties. The law is enforced by the Vermont State Attorney General.

As states around the U.S. continue to examine what it means to protect the personal privacy rights of their residents, the Vermont Data Broker Regulation is one of the many data privacy laws to be passed around the country in recent years. Much like the EU’s General Data Protection Regulation or GDPR and the California Privacy Rights Act or CCPA, the Vermont Data Broker regulation outlines specific requirements for the collection of personal data and information from Vermont residents. While the Vermont Data Broker Regulation is less restrictive than other privacy laws in regards to the requirements that businesses must adhere to, the penalties for violating are also steeper than other laws. As such, Vermont residents can rest assured that their data privacy rights are being safeguarded at all times.