Brokers who collect and sell consumer data for advertisers are facing a new set of regulations in Vermont, under a law aimed at cracking down on those who make a living tracking users’ personal information.
Data brokers must report information about their data collection activities publicly under the the law, enacted May 22, and opt-out policies for consumers. They must also disclose security breaches that happened in the prior year—including the total known number of consumers affected.
The Vermont law comes amid growing concerns over online privacy and covers a lesser-known part of the data business. Brokers are usually invisible because they don’t directly interact with consumers who share data, knowingly or not, on platforms like Facebook Inc., airline booking reservation sites and other sites.
“Vermont has a reputation for being consumer-oriented,” said Katherine Armstrong, counsel at Drinker Biddle & Reath, who has focused on data brokers dating back to her time at the FTC. The state’s new data broker law follows that tradition in the digital realm, Armstrong said.
Data brokers must register with the secretary of state each year, starting Jan. 1, 2019, for a fee of $100. Brokers that fail to register could be fined up to $10,000. Most the other of the other provisions of the law have already taken effect.
The Vermont law defines brokered personal information as including a person’s name, address, Social Security number, date of birth, and unique biometric data, among other personal identifiers.
Before the new law was enacted, Vermonters hit by a data breach had to pay $10 to place a credit freeze on their account. Another $5 was charged to lift the freeze. The data broker law eliminates those fees.