
On Jan. 1, 2019, a new Vermont law took effect that is intended to protect consumers by imposing new requirements on “data brokers” (companies that aggregate and sell consumer information) and on credit reporting agencies. Under the new law, data brokers must comply with registration, information security safeguard and reporting requirements, while credit reporting agencies are prohibited from charging fees for placing or removing security freezes. The Vermont legislature’s intent in enacting the new law is fourfold: (1) inform consumers about data brokers and their data collection practices; (2) protect consumer information by requiring that data brokers implement certain administrative, technical and physical safeguards; (3) prevent harm to consumers by prohibiting certain methods of acquisition and use of their information by data brokers; and (4) make it easier and less expensive for consumers to obtain and protect their credit information.

Data Brokers Who Engage in Prohibited Acquisitions and Uses of Consumer Data May Be Subject to Enforcement Action

The new law outlines prohibited acquisitions and uses of consumer data, including the acquisition of such data through fraudulent means and the use of such data for stalking, harassment, unlawful discrimination or fraud. Engaging in a prohibited acquisition or use of consumer data constitutes an unfair and deceptive act in commerce under the new law, and the Vermont attorney general is empowered to bring an enforcement action against any data broker found to be doing so.

Data Broker Annual Registration

Under the new law, data brokers are required to register annually with the Vermont secretary of state. The registration, which must be completed by Jan. 31 of each year, carries a fee of $100 and requires data brokers to make certain disclosures regarding their data collection practices. These disclosures include whether the data broker permits consumers to “opt out” of its data collection activities and, if so, an explanation of how consumers can request such an “opt out.” Data brokers must also disclose whether they implement a purchaser credentialing process, the number of security breaches they experienced during the prior year, the number of consumers affected in those incidents and their policies related to the collection of data pertaining to minors. Data brokers who fail to register in accordance with the new law could be assessed a civil penalty of $50 for each day they are not in compliance, up to $10,000, as well as the registration fees owed and other penalties imposed by law. In addition, the Vermont attorney general is authorized to bring civil actions against noncomplying data brokers and may also seek appropriate injunctive relief.

Data Brokers Must Implement New Safeguards as Part of Their Overall Information Security Programs

To help protect consumers from security breaches, the new law requires that data brokers develop, implement and maintain certain administrative, technical and physical safeguards as part of their information security programs. Modeled on the safeguards required by the HIPAA Security Rule, the new law mandates safeguards including access controls, strong password policies, encryption, firewalls, malware prevention software, and employee education and training. In addition, data brokers are required to conduct risk assessments on an annual basis and must document what steps they are taking to address the risks identified. Further, data brokers must monitor their third-party service providers to ensure that they are in compliance with the data brokers’ security programs. Data brokers must also maintain documentation related to any security incidents involving personally identifiable information. Data brokers who fail to implement such safeguards will be deemed to have committed an unfair and deceptive act in commerce, and, under the new law, the Vermont attorney general is empowered to bring enforcement actions against data brokers who engage in such conduct.

New Disclosure Content Requirements and Fee Prohibitions for Credit Reporting Agencies

To help consumers access and protect their credit information, the new law also imposes new requirements on credit reporting agencies. Credit reporting agencies are now required to include certain language in their disclosures to Vermont consumers. In addition, although credit reporting agencies are already barred from charging consumers fees for credit freezes under the federal Economic Growth, Regulatory Relief, and Consumer Protection Act, Vermont’s new law reiterates this prohibition.

Will Other States Follow Vermont’s Lead?

Vermont’s new law is part of a growing trend among state legislatures and attorneys general of ramping up their data privacy and data protection enforcement activities. Whether other states will enact data protection legislation targeting particular categories of entities, such as data brokers, remains to be seen.