Vermont Becomes First State To Regulate Data Brokers

Data brokers that sell personal information about residents of Vermont must register with the state, under a new law regulating the industry.

The law (H-764) -- which is the first state measure regulating data brokers -- was enacted last week without the governor's signature. In addition to the registration provision, the bill requires data brokers to notify people about security breaches, and to disclose whether they allow consumers to opt out of having their information collected, stored or sold. The measure also prohibits data brokers from charging customers to place a freeze on their accounts.

"While data brokers offer many benefits, there are also risks associated with the widespread aggregation and sale of data about consumers, including risks related to consumers’ ability to know and control information held and sold about them and risks arising from the unauthorized or harmful acquisition and use of consumer information," the law states.

The measure was backed by Vermont Attorney General TJ Donovan, who stated the bill "promotes transparency" and "helps stop fraudsters."

The bill's broad definition of data broker includes companies that "aggregate and sell the personal information of consumers with whom they do not have a direct relationship." Companies that collect information firsthand -- including retailers, social media sites and search engines -- aren't covered by the measure.

"There are important differences between 'data brokers' and businesses with whom consumers have a direct relationship," the bill states. "Consumers who have a direct relationship with traditional and e-commerce businesses may have some level of knowledge about and control over the collection of data by those businesses... By contrast, consumers may not be aware that data brokers exist, who the companies are, or what information they collect, and may not be aware of available recourse."

Ad industry groups, data brokers and Silicon Valley opposed the measure. The Association of National Advertisers recently said the measure "has an overly broad definition of “'personal information,'" among other concerns.

The type of personal information covered by the bill includes names, birthdates, addresses, biometric data (like fingerprints or retina scans), Social Security numbers and "other information that, alone or in combination with the other information sold or licensed, would allow a reasonable person to identify the consumer with reasonable certainty."

The definition excludes "publicly available information to the extent that it is related to a consumer’s business or profession."

The ANA -- along with the Data and Marketing Association, Internet Association and various other organizations and companies -- unsuccessfully urged Vermont Governor Phil Scott to veto the bill. The groups criticized the measure on a number of fronts, including its definition of personal information.

"The definition of 'brokered personal information' includes innocuous, lone data elements, such as: name, names of relatives, and place of birth. Much of this information is already publicly available and would not pose a risk of harm to consumers if breached," the groups wrote to Scott last week.

The ANA and others also objected to defining personal information as information that can be combined with other data to piece together people's identities. "While almost any piece of data could be linked to a consumer, it is appropriate to consider whether such a link is practical or likely in light of current technology," they wrote.

Next story loading loading..