Although the prospect of federal legislation on data privacy remains uncertain, states appear to be stepping up the range of their activity on privacy and security. Washington State notably adopted a law on net neutrality and there is the prospect of a ballot initiative in California that would give individuals the right to know which categories of their or their children’s personal data have been collected or traded by businesses. Though Vermont is one of the smallest states, it has been active in privacy regulation and, on May 22, 2018, enacted the first state-level measure aimed at data brokers.
The new law, An act relating to data brokers and consumer protection, was enacted as House Bill 764 (“H-764”) and defines “data broker” as “any business, or unit(s) of a business, separately or together, that knowingly collects and sells or licenses to third parties the brokered personal information of [any individual residing in Vermont] with whom the business does not have a direct relationship.” The information covered under this statute includes any individual’s name, address, date/place of birth, mother’s maiden name, unique biometric data, identification numbers, and any other information that would allow a reasonable person to identify the consumer with reasonable certainty.
H-764 requires data brokers to register as such with the Secretary of State, or be subject to civil and other penalties. It also requires data brokers to disclose information about their collection activities, adopt standard security measures, and notify authorities of security breaches. As part of their security measures, data brokers must develop, implement, and maintain a comprehensive information security system containing administrative, technical, and physical safeguards. The statute contains detailed requirements for these computer security plans that include multiple secure user authentication protocols; secure access control measures restricting access to personally identifiable information only to those who need the information to perform their jobs; and certain encryption requirements for transmitted records or files containing personally identifiable information. A data broker that fails to adopt and maintain the specified measures will be in violation of Vermont’s consumer protection laws and subject to enforcement actions by either the Attorney General or a private citizen, because the statute declares these violations to be unfair and deceptive practices or acts under Vermont’s Little FTC Act.
The law also makes actionable the acquisition or use of personal information by data brokers for criminal purposes such as fraud, harassment, and stalking (a violation of Vermont law). The Vermont Attorney General is authorized to adopt implementing rules and to enforce this provision by conducting civil investigations, entering into assurances of discontinuance, and bringing civil actions against practices that violate H-764. The law also mandates free credit freezes in the event of a data breach from a credit reporting agency, a response to last year’s Equifax breach. The law will go into effect on January 1, 2019.
The Federal Trade Commission (“FTC”) shined a spotlight on the practices of data brokers in an inquiry conducted from 2012 through 2014. At the conclusion of this inquiry, the FTC recommended that Congress enact legislation requiring data brokers to provide consumers access to their data in reasonable detail and the ability to control whether or not it is shared for marketing purposes; the Commission has also brought enforcement cases against a number of data brokers on various grounds, including the illegal sale of information to scammers. The Equifax data breach in 2017 brought renewed attention to data brokers, leading Vermont’s senior Senator Patrick Leahy to refile a bill regulating them.
A previous law from Vermont limiting the sale of data ran afoul of the Supreme Court. In Sorrell v. IMS Health, the Court struck down a law that restricted the sale, disclosure, and use of pharmacy records that reveal the prescribing practices of individual doctors as an unconstitutional burden on protected speech. Unlike the law in that case, the newly-enacted H-764 does not categorically prohibit the trade or disclosure of certain kinds of information. Nonetheless, it affects the collection and dissemination of information and interstate operations, and thus may elicit First Amendment concerns.
How the law is enforced will be determined by Vermont’s Attorney General, T.J. Donovan, who applauded its passage. Businesses that collect and sell data relating to individuals with whom they do not have a direct relationship will need to consider whether such data includes personal data on Vermont residents, and take this new state law into account if they do. Other states may consider the Vermont approach.