California is not the only state concerned with data privacy. In May 2018, before the General Data Protection Regulation (GDPR) came into effect in the European Union, Vermont passed a consumer privacy law as well. It is a law that is meant to serve as a fraud and compliance solution. It regulates data brokers—these are the companies that collect and sell consumer personal information.
The law went into effect January 1, 2019, and has broad-reaching protections, just like GDPR and CCPA. The Vermont law protects the citizens of Vermont, US citizens, and non-US citizens. The goal of the fraud and compliance solution is to stop criminals from using consumer information and to make the data trade more transparent.
Why the Vermont Law is an Important Fraud and Compliance Solution
Many US consumers are not aware of how this law serves as a fraud prevention solution. They are also not aware that companies use the data they collect about them from social media visits or website traffic.
Many companies use the data to create “shadow” profiles of consumers. These profiles help determine creditworthiness, favorability of offers from financial institutions, and even which job openings to show people online. For the most part, these “shadow” profiles are unregulated in the US. The Vermont law changes this.
What the Vermont Law Does
Under the guidelines of the new bill, data brokers must register with the Vermont Secretary of State and pay an annual $100 fee. Registering with the state brings new scrutiny for data brokers. Vermont requires brokers to better inform consumers about the data they collect about them. It requires them to provide clear instructions for opting out of data collection. Brokers must be transparent and report information to the state about how they collect, store and sell consumer data. They must also implement a comprehensive data security system that builds a fraud prevention solution. Plus, they must create safeguards to protect consumers’ personal data.
How the Law Defines a Data Broker
The new law in Vermont changes the definition of what a data broker is. It takes a broad approach and defines a data broker as a business or collection of businesses that knowingly collects and sells or licenses personal information from consumers to third parties with whom they do not have a relationship.
Businesses that collect, sell and license their own consumers’ data are not affected by the law, as long as they have a direct relationship with those consumers and the sale of data is merely incidental. This means that companies like Google, which collects data directly from consumers who use its search engine, are not affected by the law, while data brokers, which collect data through indirect means, are affected.
Noncompliance is Costly
Data brokers are forbidden from acquiring consumer personally identifiable information (PII) through illegal means. The law also prohibits them from using PII to harass, stalk, commit fraud or perform any other illegal activity. If a data broker fails to meet the standards set forth by Vermont or suffers a data breach, it will have to notify authorities about the incident. Previously, brokers were not required to do so. Regulators within the state will be able to keep tabs on companies through this law. This will allow them to penalize a data broker through legal enforcement actions if they find out it is using consumer data for unethical purposes, such as in the Cambridge Analytica scandal, where Facebook users were unaware that their PII was being accessed and used to manipulate the 2016 US election.
Additional Consumer Protections
The Vermont bill adds some benefits for the state's residents. It waives the $10 fee for freezing a credit report and the $5 fee for lifting the freeze. Credit reporting bureaus like Equifax, Experian and TransUnion will have to allow Vermont residents to control their accounts without charging those fees. If a consumer feels that their data was sold and led to illegal discrimination, they can now take a data broker to court and hold them responsible for the injustice. This gives Vermont residents the ability to monitor and safeguard their own credit. It will empower them in a way unavailable to most US consumers.
How Does It Compare to GDPR?
Overall, GDPR is still a stricter fraud and compliance solution than the Vermont law. Nevertheless, Vermont is paving the way for future consumer privacy legislation in the US. Clearly, the support for consumer data protection is there, especially given the number of data breaches plaguing US citizens in 2018. California has also followed suit and created its own consumer privacy law, called CCPA, creating more of a demand for consumer data protection. It seems likely that many more states will follow Vermont and California’s lead and introduce privacy laws to protect consumers in the near future. This could pave the way for federal legislation concerning consumer privacy in the US.