A New Year Brings A New Vermont Law Aimed At Data Brokers And Credit Reporting Agencies

On Jan. 1, 2019, a new Vermont law intended to protect consumers by imposing new requirements on "data brokers," companies that aggregate and sell consumer information, and credit reporting agencies took effect. Under the new law, data brokers must comply with registration, information security safeguards and reporting requirements, while credit reporting agencies are prohibited from assessing fees for establishing or removing security freezes. The Vermont legislature's intent in enacting the new law is fourfold: (1) inform consumers about data brokers and their data collection practices; (2) protect consumer information by requiring that data brokers implement certain administrative, technical and physical safeguards; (3) prevent harm to consumers by prohibiting certain methods of acquisition and use of their information by data brokers; and (4) make it easier and less expensive for consumers to obtain and protect their credit information.

Data Brokers Who Engage in Prohibited Acquisitions and Uses of Consumer Data May Be Subject to Enforcement Action

The new law outlines prohibited acquisitions and uses of consumer data, including the acquisition of such data through fraudulent means and the use of such data for stalking, harassment, unlawful discrimination or fraud. The Vermont attorney general is empowered to bring enforcement action against any data broker found to be engaging in prohibited acquisitions or uses of consumer data, which constitutes an unfair deceptive act in commerce under the new law.

Data Broker Annual Registration

Under the new law, data brokers are required to register annually with the Vermont secretary of state. The registration, which must be completed by Jan. 31 of each year, imposes a fee of $100 and requires data brokers to make certain disclosures regarding their data collection practices. These disclosures include whether the data broker permits consumers to "opt out" of its data collection activities, and, if so, an explanation of how consumers can request such an "opt out." Data brokers must also disclose whether they implement a purchaser credentialing process, the number of security breaches they experienced during the prior year, the number of consumers affected in those incidents and their policies related to the collection of data pertaining to minors. Data brokers who fail to implement such safeguards will be deemed to have committed an unfair deceptive act in commerce, and, under the new law, the...