Vermont’s new Data Broker Regulation (“Regulation”) takes effect on January 1, 2019. The Regulation requires, among other things, that data brokers register with the Vermont Secretary of State and protect personally identifiable information of Vermont residents. This week, the Vermont Attorney General issued guidance on the Regulation, which helps address questions on process and scope. Below are some of the key takeaways from the Regulation and the guidance.
- Data Broker Obligations and Registration Process
Under the Regulation, data brokers: (1) must register annually with the Vermont Secretary of State; and (2) have a duty to protect personally identifiable information of Vermont residents. Businesses that fall within the definition of a data broker for 2018 (more on that below) must register as a data broker by mail or through the online form by January 31, 2019. There is a filing fee of $100. Businesses that do not register by the deadline and are found to be data brokers face penalties of $50 per day, up to a maximum of $10,000 per year, in addition to the relief available for a violation of the Regulation (also discussed below).
- Registration Form and Opt Out Information
The guidance includes a copy of the annual filing form as Appendix A. Data brokers must provide:
- a company contact;
- the name and physical, email, and internet address of the data broker;
- whether the data broker permits consumers to opt out of the data broker’s collection of brokered personal information (defined below), databases, or certain sales of data, and if so, information about the opt out;
- a statement specifying the data collection, databases, or sales activities from which a consumer may not opt out;
- a statement regarding whether the data broker implements a purchaser credentialing process;
- the number of security breaches the data broker has experienced during the prior year and, if known, the number of Vermont residents affected by the breaches;
- information regarding its practices for brokered personal information of minors;
- any additional information concerning its data practices (this response is optional); and
- a certified signature.
The guidance addresses a number of questions about how to fill out the form. In particular, the guidance clarifies that the Regulation does not require data brokers to change their practices or to give consumers the right to opt out of data collection, sales, or storage. Data brokers must, however, disclose their opt out practices and, if they offer an opt out, specify its scope and any restrictions on it.
- What Is a Data Broker
The Regulation defines data broker as a business that (1) knowingly collects and sells or licenses to third parties (2) the brokered personal information (3) of a consumer with whom the business does not have a direct relationship. The guidance sheds light on each of these requirements.
- Collects and sells or licenses to third parties
The guidance explains that data brokers both collect and sell or license data. If your business only collects data for its own use or analysis (such as acquiring a list of individuals in order to market to them or customize product offerings), but does not sell or license it, you are not a data broker.
Collection is a broad term that includes the purchase or licensing of data from third parties or third-party sources (such as public records or internet searches). Sale or license means supplying data to a third party in exchange for something in return (which can be money, other datasets, or anything else of value). The difference between a sale and a license is that ownership passes to the recipient in a sale, while ownership stays with the licensor in a license.
Many businesses may be concerned about the license aspect of the Regulation. If you enter into a contract with a service provider to license data, does that license fall within the definition of license under the Regulation? According to the guidance, the answer is no so long as the recipient can only use that data for the sole benefit of the owner. For example, “[a] company providing data of non-customers to an analysis firm that will clean up, analyze, or supplement the data, and then return the data set to the provider, is not licensing the data, so long as the analysis firm is not permitted to continue to use the data for its own purposes or resell the data.”
The license restriction highlights the importance of careful contract drafting and negotiation. If your agreements with your service providers allow for them to use the data you provide for their own purposes (such as improving their services), you are more likely to be giving them a license within the definition of the Regulation. Further, if your agreements accidentally or interchangeably use the term “sell” instead of “license,” you might find your business subject to restrictive obligations under both the Regulation and the new California Consumer Privacy Act.
- Brokered Personal Information
Under the Regulation, brokered personal information means computerized data elements about individuals residing in Vermont, including: (i) name, (ii) address, (iii) date of birth, (iv) place of birth, (v) mother’s maiden name, (vi) unique biometric data, (vii) name or address of a member of the consumer’s immediate family or household, (viii) SSN or government-issued ID, or (ix) “other information that, alone or in combination with other information sold or licensed, would allow a reasonable person to identify the consumer with reasonable certainty.”
This last catch-all data element is particularly significant. According to the guidance, businesses have a duty to determine whether data is reasonably re-identifiable. The guidance suggests that the catch-all requires a broad interpretation since data can be “easily” re-identified using as few as three data elements and from “anonymized” datasets such as customer transaction records, online movie viewing history, hospitalization records, and taxi ride records.
- No Direct Relationship
The third requirement for establishing a data broker is that the brokered personal information must relate to consumers with whom the business does not have a direct relationship (whether past or present). Rather than focus on situations where a business does not have a direct relationship with consumers, the guidance provides examples of where a business does have a direct relationship with consumers and is not a data broker. Some of these examples include a retailer that sells information about its own customers, a platform that sells information about its own users, and a magazine that sells information about its own subscribers.
- Obligations that Apply to All Businesses
The guidance issues a reminder that the Regulation also includes obligations that apply to all businesses. Under the Regulation, all businesses must maintain reasonable data security to protect personally identifiable information of Vermont residents (which has a different definition than brokered personal information) and not use brokered personal information for prohibited purposes. With respect to the security obligation, while all businesses must protect personally identifiable information, data brokers are held to a higher standard due to the nature of their data intensive businesses.
- Penalties and Relief
The guidance restates that a violation of the Regulation constitutes a violation of Vermont’s Consumer Protection Act, and that all businesses (not just data brokers) are subject to its penalties and relief. The Consumer Protection Act allows for actions both by the Attorney General (for penalties of up to $10,000 per violation plus other relief) and by consumers (for damages, attorney’s fees, and other relief).