Vermont: The key takeaways of the Data Broker Act
On 1 January 2019, key elements of the Act Relating to Data Brokers and Consumer Protection (No. 171, 2018) ('the Data Broker Act') came into effect in the State of Vermont. The Data Broker Act introduces, among other things, requirements relating to registration for entities who collect and sell or licence the personal data of citizens of Vermont, and data security standards for personally identifiable information ('PII'). Heather Egan Sussman and David Curtis, of Orrick, Herrington & Sutcliffe LLP, provide insight into the provisions of the Data Broker Act, and the key takeaways in comparison to similar bills brought forward by other US states.
Regulators in the US are increasingly focused on the perceived hazards of what they call 'surveillance capitalism,' which is the collection, use, sale, and disclosure of consumer data at scale and for profit. As policymakers in Washington DC and state legislatures start to think about new ways to address these concerns, Vermont's new Data Broker Act may prove a useful model. Unlike the new California Consumer Privacy Act of 2018, which focuses on the data practices of all companies no matter the sector, and grants sweeping rights to individual consumers, the Data Broker Act zeroes in on the data broker business more specifically. The Data Broker Act requires certain businesses that sell or licence the personal information of Vermont residents to register annually with the Vermont Secretary of State, and subjects them to minimum data security standards [1]. The Data Broker Act also prohibits all businesses and individuals from fraudulently acquiring certain types of data, or using such data to commit bad acts [2].
Under the Data Broker Act, a 'data broker,' defined as a business that collects and sells or licences the personal information of Vermonters with whom the business does not have a 'direct' relationship, must register with the Vermont Secretary of State by 31 January each year [3]. A business that fails to register before 31 January following the year in which it qualifies as a data broker may be liable for a civil penalty of $50 for each day it fails to register, with a maximum penalty of $10,000 per year.
To register, a data broker must pay a $100 fee, and complete a registration form that requires the data broker to disclose information including:
- instructions on how to opt out of the data broker's collection and sale of personal information (if the data broker permits such opt outs);
- whether the data broker has a 'purchaser credentialing' process to avoid sharing information with scammers, identity thieves, and other bad actors;
- information regarding any security breaches experienced by the data broker in the past year; and
- a separate statement regarding any data collection practices, databases, sales activities, and opt-out policies applicable to the brokered personal information of minors.
The registration requirement applies to any data broker that sells or licences computerised information that alone or in combination with other information would allow a reasonable person to identify with 'reasonable certainty' a Vermont resident with whom the data broker does not have a 'direct' relationship. A business that has such a 'direct' relationship, such as a retailer that sells information about its customers, a company that sells information about its employees, or a technology startup that sells information about its users, is exempt from registration [4]. A business that collects data solely for its own internal use or analysis, such as an insurance company that buys data sets to calculate rates, or a newspaper that publishes personal information in its articles, is similarly exempt [5].
At the time of writing, 128 data brokers have been registered with the Vermont Secretary of State for 2018. However, according to one estimate, there are between 2,500 and 4,000 data brokers in the US [6]. The Vermont Attorney General's office ('AG') has stated that there is a "non-trivial chance" that many data brokers with a national scope are subject to the registration requirement [7]. Nonetheless, the AG has yet to announce any fines for covered data brokers who have failed to register.
Minimum security standards
The Data Broker Act also requires a covered data broker to handle PII in compliance with minimum data security standards. In particular, the Data Broker Act requires the development, implementation, and maintenance of a 'comprehensive' written information security programme that contains administrative, technical, and physical safeguards appropriate to the size, scope, and type of business of the data broker. The Data Broker Act provides examples of specific features that a security programme must have in order to be considered 'comprehensive,' including a risk assessment, ongoing employee training, supervision of service providers' access to PII, and detailed minimum cybersecurity measures. The AG has the power to enforce failures to meet these standards as violations of Vermont's legislative provisions covering consumer protection, subject to penalties of up to $10,000 per violation [8].
Vermont's minimum data security standards largely track the language of an established cybersecurity regulation in neighbouring Massachusetts, which has been in effect since 2010 [9]. However, unlike Massachusetts, Vermont's minimum standards only apply to data brokers. According to the AG, this limited approach may be intended to address the specific risks associated with a breach of a data broker's security systems, such as potential identity theft, spear-phishing, and fraud.
The lessons so far
Rather than taking California's approach of imposing a complicated set of requirements on all businesses in the State, which could negatively impact growth and innovation, Vermont's legislature has focused more specifically on the businesses it believes underpin this alleged world of 'surveillance capitalism.' The Data Broker Act allows for easy identification of data brokers that collect and sell or licence the personal information of Vermonters, and enables Vermonters to better understand whether and how they can opt out of these practices under the data brokers' existing policies. In addition, by requiring disclosures regarding data brokers' purchaser credentialing practices and past data breaches, the registration requirements provide interesting insight into common steps data brokers may already be taking to protect consumers' personal information. Although companies that have a direct relationship with Vermonters whose data they sell are exempt both from the registration requirement and from the Data Broker Act's minimum security standards, they are still prohibited from fraudulently acquiring certain types of data, or using such data to commit bad acts [10]. Because of this tailored approach, the Data Broker Act is more closely aligned with traditional state and federal efforts toward consumer protection.
1. See §§2446-47 of Title 9 of Vermont Statutes Annotated ('V.S.A.').
2. Ibid at §2433.
3. Ibid at §2430(4).
4. See Vermont Office of the Attorney General, Guidance on Vermont's Act 171 of 2018 ('Vermont AG Guidance'), 11 December 2018, available at: https://ago.vermont.gov/wp-content/uploads/2018/12/2018-12-11-VT-Data-Broker-Regulation-Guidance.pdf, at p2.
6. Paul Boutin, The Secretive World of Selling Data About You, Newsweek, 30 May 2016, available at: https://www.newsweek.com/secretive-world-selling-data-about-you-464789.
7. Vermont AG Guidance at p4.
8. See §2447(d)(1) of Title 9 of V.S.A.; Vermont AG Guidance at p11.
9. See §17 of Title 201 of the Code of Massachusetts Regulations.
10. See §2433 of Title 9 of V.S.A.