Data Brokers – Why You Should be Aware of the Vermont Data Broker Regulation

Note: This article does not constitute legal advice. It is provided for informational purposes only. This article alone should not be relied on to determine how the law might apply to you and your organization. We encourage you to consult with your legal advisor to discuss the 2018 Vermont Data Broker Regulation, how it applies specifically to your organization, and how best to ensure compliance.

The Vermont Data Broker Regulation (Act 171 of 2018) has been in effect since January 1, 2019, and is codified in 9 V.S.A. §§ 2430, 2433, 2446 and 2447. By January 31 of each year, beginning in 2019, any business that operated as a data broker during the prior year must register with the Vermont Secretary of State. The annual filing fee is $100 USD. A data broker that is required to register but fails to do so will incur a penalty of $50 for each day that it fails to register, beginning February 1, 2019, up to a maximum of $10,000 per year, plus the fees due and other penalties imposed by law. The Attorney General may also maintain an action in the Civil Division of the Superior Court to collect the penalties imposed on the data broker and to seek appropriate injunctive relief.

This article will explore the circumstances in which the Vermont Data Broker Regulation (VDBR) may apply to your organization, either within or outside Vermont, and what you should be aware of to stay compliant.

What Is a Data Broker? 

“Data broker” is defined in the VDBR as a business, or a unit or units of a business, separately or together, that knowingly collects and sells or licenses the data of consumers with whom they do not have a direct relationship.

Is the Data About Consumers Who Are Vermont Residents?

Under the VDBR, a “consumer” is defined as an individual residing in the state of Vermont. This means that if your organization has no data of Vermont residents, the VDBR does not apply to you.

However, it is the data broker’s responsibility to determine whether or not it possesses data of Vermont consumers. Although Vermont has a relatively small population, if your organization has a national scope, there is a significant chance that you possess data of Vermont consumers. Therefore, if you do not know the state of residence of individuals whose data you collect, you might presume that there may be at least one Vermont resident in your data set.

What Does the VDBR Consider to Be a “Business”?

Under the VDBR, “business” means “a commercial entity, including a sole proprietorship, partnership, corporation, association, limited liability company, or other group, however organized and whether or not organized to operate at a profit, including a financial institution organized, chartered, or holding a license or authorization certificate under the laws of this State, any other state, the United States, or any other country, or the parent, affiliate, or subsidiary of a financial institution, but does not include the State, a State agency, any political subdivision of the State, or a vendor acting solely on behalf of, and at the direction of, the State.” 

Does the VDBR Apply to Your Organization?

Based on the definition of a “business” under the VDBR, if you are an organization either within or outside Vermont that is a data broker and collects and sells or licenses the data of at least one Vermont resident, the VDBR applies to you. 

However, the Data Broker Regulation Guidance issued by the Vermont Office of the Attorney General provides insights on the territorial scope of the VDBR. It makes it clear that the VDBR “is not an attempt to regulate businesses throughout the United States, only those that could be subject to jurisdiction in Vermont.” Hence, the law only applies to businesses over which Vermont courts could assert jurisdiction. 

How do you know whether your business could be subject to Vermont jurisdiction?

To answer this question, we can apply the two main criteria determining the territorial scope of the VDBR: “establishment” and “targeting”.

The VDBR generally reflects the legislature’s intention to ensure comprehensive protection of the rights of Vermont residents and thus intends to establish the applicability of the VDBR for all organizations active in the Vermont markets.

Obviously, if you are a data broker established in Vermont and maintain Vermont residents’ data, the VDBR applies to you.

On the other hand, when determining whether the VDBR applies to an organization not established in Vermont, it is necessary to look at whether the organization’s processing activities are related to the targeting of Vermont residents (that is, whether the processing relates to the offering of goods or services or to the monitoring of behavior). The targeting criterion largely focuses on what the “processing activities” are “related to”, which is to be considered on a case-by-case basis.

If, for example, you are a data broker whose activities center on providing services online, and you are registered and doing business in the State of California with no establishment in Vermont, but you target Vermont consumers by offering your products to them, the VDBR applies to you.

On the other hand, if you are an organization registered and doing business in the State of California with no establishment in Vermont and you possess data of Vermont residents, but you are NOT targeting the behavior of Vermont residents, it appears that your organization does not qualify as a data broker under the meaning of the VDBR. It will, therefore, be hard for the Vermont judiciary to assert jurisdiction over this type of business. Hence, the VDBR does not apply to you.

Key Considerations

It is prudent for data brokers, especially those offering goods and services on an international level, to undertake a careful assessment of their processing activities in order to determine whether their processing of personal data falls under the scope of the VDBR.

However, this analysis is challenging given the broad definition of “business” under the VDBR. The VDBR imposes its requirements on every data broker established in the State of Vermont, every other state, and any other country. At the same time, the Data Broker Regulation Guidance establishes that the VDBR is only intended to regulate entities over which the State of Vermont is able to assert jurisdiction. Therefore, instead of providing clarity for businesses, the VDBR and the Data Broker Regulation Guidance create further questions. VeraSafe considers that practical guidance from the Attorney General concerning data brokers not located in Vermont is urgently needed.

VeraSafe can help your business determine whether it qualifies as a data broker regulated by the VDBR, prepare and implement an effective compliance program for you, and assist you with the necessary registration. Contact VeraSafe today to learn more.
