On December 11, 2018, the Vermont Office of the Attorney General published new guidance on the state’s data broker law (Act 171 of 2018), which imposes new data breach notification requirements on “data brokers” and takes effect on January 1, 2019.  The new guidance clarifies the definitions of key statutory terms and the scope of the law’s various requirements.

Definition of “Data Broker”: The law defines “data broker” as a business or business unit “that knowingly collects and sells or licenses to third parties the brokered personal information of a consumer with whom the business does not have a direct relationship.”  The new guidance suggests that many businesses are not covered by the law.  For instance, the new guidance notes that “an application, website, or social media platform that sells information about its users is not a data broker” because those businesses have a “direct relationship” with users.  Similarly, because “data brokers” must “collect” and “sell or license” data, “[a] business that acquires lists of individuals in order to market to them or customize their product offerings, but does not resell the data, is not a data broker.”  On the other hand, “a business that collects information about consumers and then adds additional data elements, cleans up the data, or categorizes the data into lists in order to sell or license the data … is a data broker.”

Definition of “Brokered Personal Information”: The law defines “brokered personal information” as “one or more” of a list of “computerized data elements about a consumer, if categorized or organized for dissemination to third parties,” as well as “other information that … would allow a reasonable person to identify the consumer with reasonable certainty.”  9 V.S.A. § 2430(1).  The guidance explains that, because “brokered personal information” must be “categorized or organized for dissemination,” the business possessing the data “must have done something to the data to prepare it for dissemination” in order for it to be implicated under the law.  Accordingly, “[d]ata that is stored in a business’s databases for internal use by that business, with no intention of disseminating outside the business,” does not constitute “brokered personal information” under the law.

Scope of Data Broker Obligations: Businesses that qualify as “data brokers” must register with the Vermont Secretary of State annually and provide certain information.  For instance, if a data broker permits consumers to opt out of its collection, sale, or storage of their information, it must detail the method for requesting such an opt-out.  The new guidance clarifies, however, that the law “does not require a business to permit consumers to opt out of its collection, sales, or storage of their information, if that is not its practice.”  The guidance also notes that data brokers must track and report to the Secretary of State annually the number of security breaches they experience during the prior year and, if known, the number of Vermont consumers affected.

Data Security Standards: The law requires data brokers to maintain certain data security standards in order to protect consumers’ personally identifiable information.  The new guidance stresses that “critical elements” of these new security requirements include that data brokers maintain a written security program; perform a risk assessment; track employee compliance with policies and procedures; implement measures that prevent terminated employees from accessing personally identifiable information; and review the scope of security measures at least annually.