As data breaches become increasingly common, states across the country are leading the charge to introduce privacy laws to protect consumers. Each of the laws vary in some manner, with some states focusing on narrow privacy issues like biometrics, and other states, like California, pushing more comprehensive regulation that approaches the same scope as the EU’s wide-reaching General Data Protection Regulation (GDPR).
In Vermont, the state passed the Data Broker Legislation in 2018, which went into effect at the start of 2019. The law generally applies only to data brokers—third-party companies that collect and sell data on consumers—and carves out a large exemption for any type of consumer-facing business, like retailers, or organizations like charity groups. At the time of writing, 143 businesses have registered with Vermont.
Ryan Kriger, an assistant attorney general for the state, said the idea for the legislation stemmed from both a lack of knowledge about the data broker industry and concerns about consumer protection.
“We know very little about this industry and we know very little about these players,” Kriger said. “Why don’t we do something that introduces a little more sunlight into this industry, which is notoriously known for its opacity?”
What the bill covers
The law narrowly defines data brokers as businesses that collect and sell data to third parties but don’t have a direct relationship with a consumer. That means publishers, retail brands or tech platforms with direct consumer relationships aren’t beholden to the law; neither are businesses that collect and buy data but don’t sell it. Businesses that buy data but don’t resell that data, like insurance companies, do not qualify as data brokers under Vermont’s law.
The law also only applies to data brokers that have information on residents of Vermont.
Data brokers that do qualify under all of these parameters must register with Vermont’s Secretary of State and disclose whether or not they allow consumers to opt out of being a part the data broker’s databases, “certain sales of data,” or the collection of “brokered personal information.” If a data broker does not allow consumers to do so, it must say so in the registry.
Under the law, data brokers must register annually with the state, which includes paying a $100 fee. Additionally, data brokers must adopt the necessary means to keep data safe, and they are required to disclose any data breaches, including how many consumers were affected. Data brokers can’t use data to harass someone, discriminate or obtain data through fraudulent means. Lastly, credit reporting agencies must allow consumers to freeze their credit for free.
How Vermont’s bill affects the advertising and marketing industry
Because of the way Vermont defines data brokers, the state law doesn’t affect large tech platforms like Google or Facebook, nor does it affect big consumer-facing brands. The law also does not apply to publishers that maintain direct relationships with consumers.
However, some brands that provide data to fuel targeted advertising and marketing, like the database management companies Acxiom (which IPG bought last year) and Oracle, are in Vermont’s registry.
Kriger said he doesn’t think the new law has had any major effects on businesses in Vermont other than encouraging businesses to adopt new policies like an opt-out clause in their terms. However, he’s heard from some types of companies—such as businesses that provide background checks—about the impact of the bill on their businesses. In those cases, the attorney general’s office tries to help “reason their way through the law” without giving legal advice.
Why Vermont sought to regulate the data broker industry
The Office of the Attorney General started thinking about these privacy issues back in 2017 before the massive Equifax breach and Cambridge Analytica scandals. The attorney general’s office intentionally chose to focus narrowly on data brokers to help shed light on how the industry works instead of trying to regulate an “entire economy,” Kriger said.
Kriger said that while it’s relatively easy for consumers not to do business with a consumer-facing brand if they don’t like their policies. there was “no way for the market to correct bad behavior” from data brokers. And unlike in the case of big tech platforms that provide free products or services in exchange for consumer data, data brokers are “collecting your data for their own profit” without providing additional services, he said.
Joe Jerome, policy counsel for the privacy and data project at the Center of Democracy and Technology, said the law, which is a “basic transparency measure,” is a net positive and has already uncovered some bad actors. It also falls into line with many of the recommendations put forth in an FTC report from 2014.
“This is an industry that despite whatever it says has serious transparency issues,” Jerome said. “Vermont should be applauded for bringing this industry into the light.”