A new Vermont law that imposes data security and annual disclosure obligations on data brokerage companies—the first of its kind in the country—takes effect Jan. 1.
The law comes as state and federal lawmakers ramp up pressure for more regulation of corporate data practices. Data brokers—businesses that aggregate data on individuals and sell or license it—must register with the state by the end of January.
“Consumers seldom know these companies even exist, possess little details about their practices, and are usually unfamiliar with available recourse,” Harry Valetk, a partner at Baker McKenzie’s global privacy and security group based in New York, told Bloomberg Law in an email.
Valetk said the “likelihood that other jurisdictions will enact similar data protection requirements is high—and not just for data brokers.”
Data brokers must create a comprehensive security program, train employees on computer security, and encrypt transmitted records containing personal data sent across public networks, among other data security standards in the new law.
Failing to meet the standards will be considered an unfair or deceptive practice under the state’s consumer protection law.
Brokers will have to disclose information on business operations in their annual registrations, including whether and how consumers can opt out of data collection and sales. They’ll also have to disclose the number of “data broker security breaches” the company had in the prior year, and additional information if they knowingly hold brokered personal information of minors.
The mandated disclosures “create the foundation for a deceptive act” by requiring disclosures similar to those in privacy statements, Ron Raether, a partner who leads the cybersecurity and privacy group at Troutman Sanders LLP in Orange County, Calif., told Bloomberg Law. Vermont could find a company’s actions inconsistent with its filing, which could “set the stage for a potential deceptive claim” by the state or an individual, he said.
As part of their annual disclosure, data brokers will “need procedures to track security breaches covered by Vermont’s expanded definition of personal information,” Valetk said. “This process will likely be separate from any security breach tracking already in place under current security breach notification laws,” he said.
Vermont defines a data broker as a business, or its units, that knowingly collects and sells or licenses the brokered personal data—such as names, addresses, dates of birth and biometric information—of a Vermont resident with whom the company doesn’t have a “direct relationship.” Brokered personal information under the law is computerized information that is “categorized or organized for dissemination to third parties.”
The information could also be categorized by characteristics, such as “people with incomes over $100,000” or “people preparing for a wedding,” the Attorney General’s office said in guidance released in December.
“Although Vermont has a relatively small population, if you are a data broker with a national scope, there is a non-trivial chance you possess Vermonters’ data,” according to the guidance.
The state Legislature “cited a lack of transparency between companies with whom consumers have a direct relationship, and others collecting, using, and selling personal information in the shadows without a direct relationship,” Valetk said.