In 2018, the state of Vermont enacted the nation’s first law regulating data brokers, which went into effect on January 1, 2019. Data brokers were required to register by February 1, 2019.
The law defines a data broker as a business that “knowingly collects and sells or licenses to third parties the brokered personal information of a consumer with whom the business does not have a direct relationship.” The law applies only to data brokers with information on Vermont consumers.
An important limitation on the definition of “data broker” is that the law doesn’t apply to businesses that collect information from their own customers, employees, users or donors, or to businesses that “provide services for consumer-facing businesses and maintain a direct relationship with those consumers, such as a website, ‘app,’ and e-commerce platforms.”
The law requires data brokers to register with the state Attorney General and pay an annual $100 registration fee. In registering, a data broker must disclose its opt-out practices, whether it uses a purchaser credentialing process, and its collection or use of information of minors.
The law requires that the data broker develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to: (i) the size, scope, and type of business of the data broker obligated to safeguard the personally identifiable information under such comprehensive information security program; (ii) the amount of resources available to the data broker; (iii) the amount of stored data; and (iv) the need for security and confidentiality of personally identifiable information.
Failing to register results in a penalty of $50 per day, up to $10,000 per year.
The Vermont Attorney General’s Office guide to the law is below.