In January, a law regulating data brokerage companies came into force in Vermont. It is the first state law regulating these businesses specifically, and it imposes additional obligations and restrictions on such companies to enable more transparency for consumers.
The justification for the law is rooted in the trend of data subjects not having a clear idea of what’s being done with their personal data on a daily basis – who is it sold to? How is it stored? What do the buyers do with it? The European GDPR tries to address these concerns, although it doesn’t specifically mention data brokers. Vermont’s Act 171 of 2018, codified in 9 V.S.A. chapter 62 para. 2430, 2433, 2446 and 2447, which went into effect on January 1st, 2018, is a continuation of the state data protection law trend started by the CCPA, the New York Shield Act and the NYPA we covered earlier this month.
Vermont, with its Vermont Data Broker Regulation (“VDBR”), is the first US state to attempt to regulate the murky industry of data brokerage. We’ve taken a look at the regulation and prepared an overview of what data brokerage actually is, how the VDBR works and its potential practical applications.
What is a data broker?
The data brokerage business is a direct result of the effect the Internet has had on our lives. With the amount of personal data circulating online and processed at incredible speed thanks to the power of computers, it’s now easier than ever to build a profile of an individual based on the information available about them.
A data broker does exactly that – compiles a profile based on your age, gender, race, physical characteristics, income, net worth, marital status, political affiliations, and other info. They then sell these profiles to third-party organizations that can tailor their marketing and advertising strategies based on the profiles. The more detailed the profile, the easier it is for a company looking to sell to an individual to reach that individual.
Often, a consumer has no idea which of their data is collected, packaged and sold, and usually there’s no option to opt out. And if there is, it’s not always aligned with consumer expectations.
Under the VDBR, a “data broker” is a business that collects and sells, or licenses, the data of consumers with whom it doesn’t have a direct relationship. In other words, companies that sell information about their own clientele, or websites that sell information about their own users or subscribers, aren’t data brokers. They both collect and sell data, but they do have a direct relationship with the consumers.
News organizations that collect data about third-party consumers but don’t sell it aren’t data brokers either. Nor does a third-party transfer made for the original data collector’s own purposes count. For instance, a company that e-mails (NOT paper transfer!) Excel sheets of names and phone numbers to a printing company to format them into a booklet is NOT a data broker, unless the printing company then uses the data for its own purposes.
What does the law entail?
The above explanations of a “data broker” come from the VDBR and the Attorney General’s guidance. The regulation aims to push the brokers out of the shadows and to provide more transparency for consumers. It requires data brokers to register with the Vermont Secretary of State for a $100 fee. The deadline for registration was January 31st, 2019. The registration creates a database of data brokers that consumers can consult to find out for themselves which companies sell their data, as well as the options available to them.
In addition to the registration requirement, the law also imposes new security standards on data brokers. These standards include, amongst others, training employees on cybersecurity and encrypting the records containing the personal data. The brokers are also obliged to disclose their operations in their annual registrations, specifying how, if at all, consumers can opt out from having their data sold to third parties, and the number of security breaches, which they would need to track through special procedures.
The regulation also makes it illegal for all businesses to acquire brokered personal information (BPI) through “fraudulent means” or for the purpose of harassment or discrimination. That allows both consumers and the Attorney General to bring an action for such violations under the state’s Consumer Protection Act.
The penalty for failure to register is $50 per day, capped at $10,000 per year.
What does it mean in practice?
Vermont might not be a very populous state in comparison with others, but the impacts of the law are significant enough for data brokers across the country.
Firstly, the VDBR applies to Vermont residents only. Therefore, if a company that collects and sells/licenses data doesn’t do so with the data of Vermont residents, it doesn’t have to worry about the VDBR. However, any data broker operating nationwide would process Vermont residents’ data, so the law would apply to it. So, big data brokers processing the data of residents from all states would have to register even if they’re not targeting Vermont residents specifically and aren’t located in its territory.
This, while an important step toward systemizing information about the previously unregulated data broker business, could prove problematic for some companies, especially if other states pass laws with requirements that differ from those of the VDBR.
Having to register in all fifty states (the worst-case scenario) would place a huge administrative and financial burden on data brokers. And if some regulations follow the path of the GDPR and impose requirements on data brokers outside the US that work with US residents’ personal information, the burden would be extraterritorial.
Of course, this could be an excellent business opportunity for DRaaS-like start-ups – there would most likely be plenty of demand for services that would take care of all the formalities across the country in one click. However, we have no knowledge of such start-ups to date.
Secondly, the requirement to register and disclose information on data brokers’ business practices was intended to clear things up for consumers, and it could very well do just that. In many cases, consumers don’t even know they can opt out of their data being sold to other parties.
Having this information publicly available for Vermont residents could help them make more informed decisions about their personal information. However, so far, the registered companies have provided little information that could be of use. And chances are that if the brokers outsource the data processing to third parties (which don’t qualify as brokers in such cases), they might not have all the information about what the latter do.
Also, although the deadline for registration has long passed, fewer than 200 brokers have registered so far. And the estimated number of data brokers processing Vermont residents’ BPI is believed to be between 400 and 1,200. So, a few months in, the law still sees low levels of compliance. That’s not too different from the GDPR, and the regulators seem to understand that. It remains to be seen to what extent they are going to enforce the fines.
Finally, the definition of data brokers in the law is quite narrow and doesn’t cover the entire scope of data-driven business. For instance, if you’re a Vermont resident and an e-commerce store collects and sells your data to a third party that then causes you some damage through its misuse, you won’t be able to bring an action under the consumer protection law against that store, because it isn’t a data broker. Perhaps this gap could be addressed in other jurisdictions.
The VDBR isn’t the first state-level privacy statute in the US, but it is a pioneering attempt at regulating data brokers. One mustn’t expect first attempts to be completely smooth, and many companies have already registered with errors whilst trying to comply.
Some didn’t bother registering at all. Enforcement of compliance with privacy laws has always been tricky, though, not least because technological developments are several miles ahead of legislative ones.
The fact that Vermont has chosen to single out data brokers specifically speaks volumes about how legislators are finally trying to understand and regulate an industry that capitalizes on dubious privacy practices. Perhaps the VDBR could be an example for other jurisdictions to learn from, while trying to avoid its pitfalls.