Under a Vermont law, data brokers that process information regarding Vermont residents are now subject to registration and security requirements beginning January 1, 2019. Included in the new law are three notable components: (1) a broad statutory definition of a “data broker,” (2) an annual registration requirement for data brokers, and (3) reporting on data broker security breaches.
Definition of a “Data Broker”
The law takes a technology-neutral approach to its definition of a “data broker,” defining the term based on the normal functions of the business. The statute defines a data broker as “a business … that knowingly collects and sells or licenses to third parties the brokered personal information of a consumer with whom the business does not have a direct relationship.” In other words, any business that regularly sells or licenses brokered personal information must comply with the law, even if this activity is not the business’s primary function. The law cabins this definition, however, so that it does not encompass every business that ever sells or licenses brokered personal information. The statute states that the following activities do not, on their own, qualify a business as a data broker:
- Developing or maintaining third party e-commerce or application platforms;
- providing 411 directory assistance or directory information services, including name, address, and telephone number, on behalf of or as a function of a telecommunications carrier;
- providing publicly available information related to a consumer’s business or profession; and
- providing publicly available information via real-time alerts for health or safety purposes.
Similarly, the statute states that one-time, occasional, or incidental sale or license of data that is not part of the business’s ordinary conduct also does not qualify a business as a data broker.
The new law requires data brokers to register annually with the state of Vermont. As part of this registration process, the data broker must provide information on its business practices, including:
- How and when consumers may opt-out of the data broker’s databases or its sales of data;
- the data collection, databases, or sales activities for which the business does not offer a consumer opt-out;
- whether the data broker implements a purchaser credentialing process;
- a separate statement that covers any data collection practices, databases, sales activities, and opt-out policies applicable to the brokered personal information of minors; and
- the number of data broker security breaches the data broker has experienced in the previous year and, if known, the total number of affected customers in those breaches.
Data Broker Security Breaches
The law sets out a specific definition for “data broker security breaches” that must be included in the annual registration. Similar to existing state data breach notification laws, the Vermont law defines a “data broker security breach” as “an unauthorized acquisition, or a reasonable belief of an unauthorized acquisition of more than one element of brokered personal information maintained by a data broker” when the data is not encrypted or otherwise made unreadable or unusable by an unauthorized person.
Unlike traditional state data breach notification laws, however, the Vermont law more broadly defines “brokered personal information” as one or more of a list of computerized data elements about a consumer that are categorized or organized for dissemination to third parties, including:
- Date of birth,
- Place of birth,
- Mother’s maiden name,
- Unique biometric data used for authentication (e.g., fingerprint),
- Name or address of a member of the consumer’s immediate family or household,
- Social Security number or other government-issued ID number, and
- Other information that, alone or in combination with other information sold or licensed, would allow a reasonable person to identify the consumer with reasonable certainty.
Where a breach involving only a name, address, and date of birth would not trigger notification requirements under traditional state data breach notification laws, the Vermont law would require a data broker to include this incident in its annual registration.
The Vermont law creates statutory penalties for any business that meets the statutory definition of “data broker” but does not complete an annual registration. Failure to complete a required annual registration can result in a civil penalty of $50 per day the data broker fails to register (with a maximum of a $10,000 penalty for each year); an amount equal to the registration fees required by the law for the period the data broker failed to register; and any other penalties imposed by law.
In addition to the reporting requirements outlined above, the Vermont law also implements a number of consumer protection safeguards, including:
- Minimum data security requirements for data brokers in Vermont that closely track existing requirements under the neighboring Massachusetts regulation.
- Elimination of existing fees for consumers to institute or lift a credit freeze following a data breach.
- Making it illegal to acquire data fraudulently or for the purposes of stalking, harassment, identity theft, or discrimination.
The full text of the Vermont law is available here.