Earlier this year, Vermont became the first state to enact a privacy law specifically targeting data brokers. This law, which will become fully effective on January 1, 2019, requires state registration of any business “that knowingly collects and sells or licenses to third parties the brokered personal information of a consumer with whom the business does not have a direct relationship”.
According to Guidance provided earlier this month by the Attorney General’s Office, the type of consumer information subject to this new law includes: “People with incomes over $100,000,” “People who like to play billiards,” or “People preparing for a wedding.”
Data broker registrations must include information regarding how consumers can opt out of data collection and sales as well as disclosure regarding the number of “data broker security breaches” sustained in the prior year. This beach notification requirement exists in addition to the one created by Vermont’s data breach law.
In addition to an annual registration, data brokers must also maintain certain protective measures involving those administrative, technical and physical safeguards appropriate for the scope and size of the business or face a potential unfair or deceptive practice claim under the state’s consumer protection law.
The statutory civil penalties of this new law are actually quite limited given that a data broker required to register who fails to do so will be subject to a penalty of $50 for each day it fails to register, beginning February 1, 2019, up to a maximum of $10,000 per year. The real bite is found in the potential civil action that may be brought under Vermont’s Consumer Protection Law, namely potential treble damages and reasonable attorneys’ fees. By linking privacy violations with an established consumer protection law, the Vermont statute nicely meshes existing law – and related interpretative rulings, into an effective privacy battle axe.
While Vermont may never become a real challenger to California when it comes to privacy laws or regulations, this new law could have a ripple effect with other states eventually providing similar protections. And, given the call for a federal privacy law to harmonize patchwork state laws, the statute can also very easily be a model for certain provisions in a new federal omnibus privacy law. Combined with other laws that will be vigorously enforced regarding consumer consent, the coming year is shaping up as a strong one for consumer privacy rights.