Vermont: Overview of the Data Broker Act
The Act Relating to Data Brokers and Consumer Protection (No. 171, 2018) ('the Data Broker Act'), located at §§2430-31, 2447, and 2466 of Title 9 of the Vermont Statutes Annotated, went into full effect on 1 January 2019. The Data Broker Act imposes specific registration, disclosure, and security requirements on data brokers. Additionally, the Data Broker Act prohibits any person or entity from fraudulently acquiring or using brokered personal information. Matthew S. Borick and Jennifer J. Drake, from Downs Rachlin Martin PLLC, discuss the Data Broker Act and its impact.
The Data Broker Act defines the term 'data broker' as any business or unit of businesses that knowingly collects and sells, or licenses to third parties, 'brokered personal information' of a consumer (i.e. a Vermont resident) with whom the business does not have a direct relationship. 'Brokered personal information' includes any of the following data elements about a consumer, if categorised or organised for dissemination to third parties:
- date or place of birth;
- mother's maiden name;
- unique biometric data that can identify or authenticate a consumer (e.g. fingerprint, retina, or iris image);
- name or address of a member of the consumer's immediate family or household;
- social security number or other government-issued identification number; or
- any other information that, alone or in combination with the other information sold or licensed, would allow a reasonable person to identify the consumer with reasonable certainty.
Brokered personal information does not include publicly available information related to a business or profession. For example, according to the Guidance on Vermont's Act 171 of 2018 Data Broker Regulation [1], issued by the Vermont Office of the Attorney General ('AG') ('the Guidance'), the address and phone number of a doctor's office is not brokered personal information, whereas a doctor's personal cell phone number may be.
The Data Broker Act and its associated guidance outline a number of activities, on their own, that do not qualify a business as a data broker, including, for example:
- a business collecting information from its own customers, clients, subscribers, donors, or users;
- a business selling information about its employees or investors;
- an application, website, or social media platform selling information about its users;
- a business buying data about individuals to develop new products;
- a business acquiring lists of individuals to market to them, without reselling the data;
- a business providing publicly available information using real-time alerts for health or safety purposes; and
- a business collecting data or stories about individuals to produce news articles.
In contrast, businesses generally qualify as data brokers when, in their ordinary course of business, they collect information about Vermont consumers and then alter or augment the data in order to sell or license it to others.
Requirements for data brokers
The Data Broker Act requires data brokers to meet two general requirements: registration and minimum security standards.
Requirement to register and disclose
Data brokers must register with the Vermont Secretary of State annually and must provide certain information as part of that process. The purpose of the registration requirement is to provide consumers with factual information to help protect themselves from deception related to data broker activities.
Each year, data brokers must register with the Vermont Secretary of State and pay a $100 fee. In the course of registering, data brokers must provide the following information:
- name and primary physical, email, and internet addresses;
- if the data broker allows consumers to opt out of collection, database storage, or sales of data: (i) the method for requesting an opt-out; (ii) any limitations on the applicability of opt-outs; and (iii) whether a third party may opt out on the consumer's behalf;
- the data collection, databases, or sales activities from which a consumer may not opt out;
- whether the data broker implements a purchaser credentialing process;
- the number of 'data broker security breaches' (defined in the Act) the data broker has experienced during the prior year, and if known, the total number of consumers affected;
- the data collection practices, databases, sales activities, and opt-out policies applicable to brokered personal information of minors (if the data broker has actual knowledge that it possesses brokered personal information of minors); and
- any additional information or explanation the data broker chooses to provide concerning its data collection practices.
The Data Broker Act does not require data brokers to permit consumers to opt out of collection, sales, or storage of their information; however, the AG has taken the position that providing opt-outs is a 'best practice'. Also, while the Data Broker Act does not require data brokers to notify consumers or the AG of a data broker security breach, data brokers still have a responsibility to provide notice to the State and consumers of any breaches that involve 'personally identifiable information.'
Requirement to maintain minimum standards
As data brokers collect large amounts of consumers' sensitive data, data breaches are of particular concern because they could lead to many negative consequences including identity theft, fraud, and spear-phishing attempts. As such, the Data Broker Act requires that data brokers maintain minimum security standards with respect to the handling of personally identifiable information. Data brokers must develop, implement, and maintain a comprehensive written information security program that is readily accessible and contains appropriate administrative, technical, and physical safeguards. The information security program must contain the following features and elements:
- designation of one or more employees to maintain the program;
- privacy and security risk assessments;
- security policies for employees, including training, compliance, and detection;
- disciplinary measures for and records of violations of the program;
- measures to prevent terminated employees' access to personally identifiable information;
- management and supervision of third-party vendors and service providers;
- physical restrictions to records containing personally identifiable information;
- regular monitoring, review, and updates to the security program;
- documentation of actions taken in response to security breaches and post-incident reviews;
- secure user authentication protocols (user IDs, passwords, access restrictions);
- secure access control measures for computers, records, and files;
- encryption of records and files containing personally identifiable information that are transmitted across public or wireless networks, and of all personally identifiable information stored on laptops or other portable devices;
- monitoring of systems for unauthorised use or access;
- reasonably up-to-date firewall protection and operating system security patches;
- reasonably up-to-date versions of system security agent software; and
- education and training of employees on proper use of the computer security system and the importance of personally identifiable information security.
General requirements in the Data Broker Act
The Data Broker Act prohibits any person or business, not just data brokers, from fraudulently acquiring brokered personal information and from acquiring or using such information for improper purposes, namely: (i) stalking or harassment; (ii) committing fraud (such as identity theft, financial fraud, or email fraud); and (iii) engaging in unlawful discrimination (including employment and housing discrimination). The Vermont Superior Court has interpreted 'fraud' in the traditional, common law sense, rather than as consumer fraud. Specifically, 'fraud' in the Act requires some form of misrepresentation or deception.
The AG enforces the registration of data brokers. A data broker that fails to register is liable to the State of Vermont for: (i) a civil penalty of $50 per day, not to exceed $10,000 for each year; (ii) an amount equal to fees during the period it failed to register; and (iii) other penalties imposed by law. The AG may bring an action in the Vermont Superior Court to collect these penalties and to seek injunctive relief.
Failure by a data broker to meet the security program requirements is deemed an unfair and deceptive act in commerce under the Act. Violation of the prohibition on fraudulent acquisition or use of brokered personal information is also deemed an unfair and deceptive act in commerce.
Matthew S. Borick, Director
Jennifer J. Drake, Associate Attorney
Downs Rachlin Martin PLLC, Burlington
1. See: https://ago.vermont.gov/wp-content/uploads/2018/12/2018-12-11-VT-Data-Broker-Regulation-Guidance.pdf