On January 1, 2019, Vermont’s breach notice law will include obligations specific to data brokers. A “data broker” is defined as a business that “knowingly collects and sells or licenses to third parties the brokered personal information of a consumer with whom the business does not have a direct relationship.” Under the law, data brokers must keep a record of “data broker breaches” and report this information to the state annually. Brokers will need to provide this as part of a new annual registration process. The registration also requires data brokers to explain how they let individuals opt out of having information collected, stored or sold. Finally, data brokers also have to develop and maintain a comprehensive information security program.

Data broker breaches are defined as unauthorized acquisition of “broker personal information.” This is broader than personal information that triggers general breach notice obligations. For broker breaches, personal information also includes name, address, date of birth, place of birth, mother’s maiden name, and name or address of family members. The “broker breach” definition (i.e., when there is a duty to notify the state) imposes notice obligations when there is an unauthorized acquisition. It does, though, contain encryption and good faith exceptions.

Putting it Into Practice: This law is one of the first to have specific disclosure obligations for data brokers, and will require telling the state about a broader category of data breaches than what exists under the general breach notice obligations.