On May 22, 2018, the State of Vermont enacted House Bill Number 764 (the "Bill") to, among other things, regulate how Vermont data brokers collect consumer data and sell that information to third parties. The Bill went into effect on January 1, 2019, giving Vermont data brokers until January 31, 2019, to register as data brokers with the Vermont Secretary of State. If data brokers fail to register (and pay the annual $100 registration fee), they are subject to a penalty of $50 per day until registered, not to exceed a penalty of $10,000 per annum. In addition to registration fees, Vermont data brokers are required to annually provide information concerning their data collection activities, opt-out policies, purchaser credentialing practices, and any security breaches.

Who are data brokers within the meaning of the Bill?

Defining Vermont "Data Brokers"

The Bill defines a data broker as "a business . . . that knowingly collects and sells or licenses to third parties the brokered personal information of a [Vermont] consumer with whom the business does not have a direct relationship." Please note that it was the intention of the Vermont Generally Assembly to narrowly tailor the definition of data broker. As such, the following conduct is not considered data brokering activity:

  1. developing or maintaining third-party e-commerce or application platforms;
  2. providing 411 directory assistance or directory information services, including name, address, and telephone number, on or behalf of or as a function of a telecommunications carrier;
  3. providing publicly available information related to a consumer's business or profession; or
  4. providing publicly available information via real-time alerts for health or safety purposes.

Complying with the Bill

We have previously blogged about the obligations that the Bill imposes on Vermont data brokers and how those obligations have been crafted to protect Vermont consumers. It is likely that other states will follow the lead of Vermont and California in regulating consumer data collection and information security practices. As such, it is recommended that companies operating in the data broker space retain qualified legal counsel to help navigate the existing and emerging issues presented by applicable state and federal law.

Related Blog Posts:

Does the California Consumer Privacy Act Apply to Your Business?

GDPR: The EU's New Data Protection Law

New Vermont Auto-Renewal Law for Consumer Contracts

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.