The Vermont Data Broker Regulation (“VDBR”) (9 V.S.A. §§ 2430, 2433, 2446–2447) went into effect on January 1, 2019. Therefore, data brokers must register with the Vermont Attorney General by January 31st and comply with minimum data security requirements.
Applicability of the VDBR
Subject to the exceptions set forth in 9 V.S.A. §§ 2430(4)(C), under the VDBR, a data broker is a business that:
- Knowingly collects and sells or licenses to third parties;
- Brokered personal information (“BPI”); and
- Does not have a direct relationship with the Vermont resident to whom the BPI relates.
BPI means one or more of the following data elements about a Vermont resident, if the data is computerized and categorized or organized for dissemination to third parties: name, address, date of birth, place of birth, mother’s maiden name, biometric data, name or address of a member of the consumer’s immediate family or household, SSN or other government-issued identification number, or other sold or licensed information, that alone or in combination with other information reasonably identifies a consumer. BPI does not include publicly available information, to the extent that it is related to a business or profession.
VDBR Requirements for Data Brokers
(1) The VDBR requires that data brokers: Register with the Vermont Secretary of State and pay a $100 registration fee. Registration forms can be completed online at https://www.vtsosonline.com/online or submitted via mail. Registration forms can be found in the Vermont Attorney General’s Guidance on Vermont’s Act 171 of 2018 Data Broker Regulation. Failing to register subjects data brokers to a $50 per day penalty, not to exceed $10,000 in a year. Registration requires providing information about the following:
- Company name, physical, and internet addresses.
- Consumer opt outs, and, if consumers are permitted to opt out, information regarding the methods and scope of the opt out.
- Whether or not it implements a purchaser credentialing process. The VDBR does not require data brokers to implement a purchaser credentialing process, but having one is considered a best practice.
- The number of known or reasonably known unauthorized accesses to unencrypted BPI from the prior year (aka “data broker security breaches”). Under the VDBR, there is no requirement to notify the Attorney General or consumers of data broker security breaches, unless “personally identifiable information” is included, in which case Vermont’s breach notification law will apply. “Personally identifiable information” is defined as first name or first initial and last name in combination with: (i) SSN; (ii) motor vehicle operator’s license number or non-driver identification card number; (iii) financial account number or credit or debit card number, if the number could be used without additional identifying information (e.g., access codes); or (iv) account passwords or PINs or other access codes for a financial account.
- The data broker’s collection practices, databases, sales activities, and opt-out policies that are applicable to the brokered personal information of minors, if the data broker knowingly brokered BPI of minors.
(2) Maintain minimum data security standards for PII (but not BPI, though there is some overlap between the definitions). The VDBR tracks Massachusetts’ data security regulations at 201 C.M.R. 17. Compliance with the Massachusetts regulation likely means compliance with the VDPR. The failure to implement such measures is considered an unfair or deceptive act under the Vermont Consumer Protection Act.
VDBR Requirements for All Businesses
Under the VDBR, it is now illegal for any person or business to acquire BPI though fraudulent means or acquire BPI for the purpose(s) of harassment, fraud, or discrimination. Violation of these prohibitions is considered a violation of the Vermont Consumer Protection Act. This means an action could be brought by the Attorney General for penalties of up to $10,000 per violation, and a consumer may bring an action for injunctive relief, damages, and attorneys’ fees.
The Attorney General’s Guidance provides additional insight into many of the above definitions, and the intent and scope of the VDBR. One point that the Guidance makes clear is that the law “is only applicable to businesses over which Vermont courts could assert jurisdiction” and that the VDBR “is not an attempt to regulate businesses throughout the United States, only those that could be subject to jurisdiction in Vermont.”
Whether jurisdiction over your business could be asserted in Vermont will often be a factual question, dependent on your business and physical connections to Vermont. For some businesses, it may be strategically useful to make certain disclosures under the VDBR while also maintaining the position that they are not submitting to Vermont’s jurisdiction. For others, it may be clear that jurisdiction exists in Vermont.