The Green Mountain state is the first in the country to enact (without its governor's signature) a new law establishing a registry and security standards for data brokers. A data broker is defined in the law as a "business.... that knowingly collects and sells or licenses to third parties the brokered personal information of a consumer with whom the business does not have a direct relationship." The law further defines "brokered personal information" as personally identifying "computerized data elements about a consumer," such as name, address, biometric data, or other information that would "allow a reasonable person to identify the consumer with reasonable certainty" and which is "categorized or organized for dissemination to third parties." It does not include publicly available information that relates to a person's business or profession.
The new law is designed to provide consumers with more information about data brokers, their data collection practices, and the right to opt out. It is also intended to protect Vermont consumers from credit freeze fees and the fraudulent acquisition of their data, as well as to establish minimum security requirements for data brokers.
Accordingly, as explained by the Office of the Attorney General, the new law was enacted to address four key issues:
(1) Eliminate fees for credit freezes: The new law requires credit reporting agencies to offer consumers free credit report security freezes and unfreezes. As the AG's office noted: "If every Vermonter affected by one of the most recent breaches took advantage of a credit freeze and lifted a freeze at each of the major credit reporting agencies it would represent more than $10 million of savings to Vermonters."
(2) Fraud prevention: The law makes it illegal to acquire data fraudulently, or to acquire data for purposes of stalking, harassment, ID theft, or discrimination.
(3) Minimum data security requirements: Vermont's requirements for data brokers will now expressly track those of its "sister state," Massachusetts.
(4) Transparency: The new law requires data brokers to register with a state-run registry, which will provide consumers with information about the brokers, opt-out instructions, and alerts.
The credit freeze fee removal provision went into effect immediately; the sections of the law addressing data brokers go into effect on January 1, 2019.
As Vermont goes, so goes the country? Stay tuned.
The Attorney General said the state has a strong public safety interest in transparency, data security, and consumer protection generally with respect to commercial interests that elect to engage in the business of buying and selling consumer data without the consumer’s knowledge.