Vermont Attorney General warning to data brokers

The Attorney General of Vermont has reminded data brokers to register their 2018 brokering activities before January 31, 2019.

Registrants must declare whether consumers are permitted, and able, to opt out of the collection, use, or sale of their personal information. Brokers must also state the number of security breaches experienced and the number of individuals affected by those breaches.

The AG also warns Data Brokers that failure to register by the end of January will result in fines of $50 per day, up to $10,000 for each year.

So, what is the true definition of “Data Broker”, and what are the rules governing the acquisition, use, and sale of consumer data?

In general terms, a Data Broker, also known as an Information Broker or Information Reseller, is a business that collects personal information about consumers and sells that information to other organizations.

As far as Vermont’s Data Broker Regulation is concerned, a Data Broker is “a business, or unit(s) of a business, that knowingly collects and sells or licenses to third parties” the Brokered Personal Information (BPI) of a consumer with whom the business does not have a direct relationship.

There are two main activities that qualify a company as a Data Broker:

  • Collection, sale, or licensed use of data of consumers with whom there is no direct relationship.

In this first case, organizations that sell information about their own:

  1. Employees (businesses);

  2. Customers (retailers);

  3. Donors (charities);

  4. Users (social media platforms/websites);

  5. Subscribers (magazines);

  6. Investors (corporations);

are not classified as Data Brokers.

  • Collecting and 1) selling, or 2) licensing data.

An organization that collects data for its own use is not a Data Broker. For example:

  1. A business that acquires a mailing list of individuals to market its products or services to them;

  2. A real estate agent that acquires a list of potential property buyers, to send them details of upcoming property sales;

  3. A publisher that collects details of readers, to create magazine content.

Activities that do not qualify a business as a Data Broker:

  • Providing publicly available information:

    • relating to a consumer’s business or profession; or

    • through real-time alert services for health or safety purposes.

  • Developing third-party e-commerce or application platforms.

  • Providing phone directory information, such as:

    • name, address and phone number, on behalf of a telecoms carrier.

The Regulation only applies to personal information of residents of Vermont, and brokered information must:

  1. be computerized;

  2. be categorized or organized for dissemination to third parties;

  3. contain one of the following elements:

    • name;

    • address;

    • date of birth;

    • mother’s maiden name;

    • biometric information;

    • name or address of a member of the consumer's immediate family or household;

    • social security number or other government-issued identification number; or

    • information that, alone or in combination with other information, would allow a reasonable person to identify the consumer; and

  4. not contain publicly available information that is related to a business or profession.

Any business that operated as a Data Broker during the prior year must register with the Vermont Secretary of State via an online form. The deadline to register will be January 31 each year.

Sources and credits:

Vermont AG - Guidance on Vermont's Act 171 of 2018 - Data Broker Regulation