The Vermont Data Broker Law
There have been substantial events in the data industry over the past year, such as Cambridge Analytica being under fire for illegally using Facebook information. Equifax had a data breach that leaked the personal information of 143 million Americans. Also, the California Consumer Privacy Act goes into effect January 2020. As a result, on May 22, 2018 House Bill Number 764, also called the Vermont Data Broker Law, was passed. This bill allowed Vermont put the kibosh on data being sold or used for more malicious reasons, such as stalking, committing fraud, or engaging in discrimination. For data brokers, the entire industry is changing to keep personal data private and out of the wrong hands.
Vermont Governor, Phil Scott, did not sign this bill, since he does not agree with the broad definition for what defines a “data broker.” The bill currently defines “data broker” as a “business, or unit or units of a business, separately or together, that knowingly collects and sells or licenses to third parties the brokered personal information of a consumer with whom the business does not have a direct relationship.” Even though the Governor did not sign the Vermont Data Broker Law, he let it pass. He believes there should be no cost for credit freezes, and agrees with regulations for third-party data brokers.
What Does This Bill Mean For Data Brokers?
Using this bill, Vermont created a laundry list for what data brokers need to follow. Brokers must register with the state of Vermont and pay a $100 registration fee. Registration must be completed by January 31st 2019, and full compliance is needed once businesses are registered. For businesses that don’t register, there is a civil penalty of $50 a day until they register, up to $10,000.
There will be annual registering, and data brokers need to report the number of security breaches for the past year, along with how many consumers were affected.
Businesses must inform consumers about collected data, and provide clear instructions for opting out.
Every time there is a security breach, thorough documentation is mandatory, followed by a post-incident review of the events and actions that should be taken to prevent breaches in the future.
The business must develop, implement, and maintain a security program with safeguards for personal information, that must align with FTC standards.
Credential checks are required for the buyers of their information.
Brokers must comply with these laws effective January 1st 2019.
Brokered personal information does not include publicly available information about a business or profession. When a minor’s personal information is collected, it is subject to additional disclosure requirements, including how the information was obtained. Here are the different forms of personal information that are protected under this bill.
- Consumer’s name
- Address
- Place of birth
- Mother’s maiden name
- Biometric authentication data (fingerprints, retina or iris images, or unique physical or digital representations)
- Name or address of consumer’s immediate family or someone in household
- Social security number or government-issued identification number
- Any other information, alone or combined with other information, that would allow a reasonable person to identify the consumer with reasonable certainty."
What Does It Mean For Citizens?
Vermont is the first state to have such a scrutinous law for data brokers, and others will follow. It makes sense that Vermont would be the first state to do so. Their citizens value their data double that of the national average at $4,125 per person.
The citizens of Vermont will now be able to enjoy being better informed about what’s happening with their data. They also now have the ability to easily opt out when a business wants to use their data.
Charges for credit report freezes and unfreezes will now be dropped, so this allows anyone to freeze their credit if they suspect someone has access to their information, without cost. Vermont citizens can also ask credit agencies if anyone has requested their personal information in the last year.
How Does This Tie Back Into Lead Generation?
With Vermont enacting a law of this kind, other states are sure to follow. California is already on track with their privacy act that goes into effect in 2020.
Data brokers aggregate and sell data about consumers that the business does not have a direct relationship with. When consumers know a business has their information, they will not be seen as a data broker. Lead aggregators should look into this bill, since they are talked about specifically.
If lead names or addresses are included in data that you send or receive, you should look into this bill. If you do sales leads in Vermont, it would be a good idea to check with an attorney.
This post is not intended to convey or constitute legal advice. We are not lawyers and encourage you to seek legal counsel to ensure total compliance with the law.