The Vermont data broker registration statute 9 V.S.A. § 2446 (the “Statute”) regulates the data broker industry, which collect hundreds or thousands of data points about consumers from various sources. The legislation is intended to mitigate the risk that consumers may not be aware that data brokers exist, who the companies are, and what information they collect.

Applicability

The Statute defines a data broker as a business that collects and sells (or licenses) brokered personal information to third parties.  The personal information must be about a person with whom the data broker does not have a direct relationship, such as a customer or employee.

Requirements

Data brokers are subject to, among others, the following obligations under the Statute:

  1. register with the Vermont Secretary of State
  2. pay a registration fee of $100.00
  3. provide details regarding their policies to opt-out of data broker’s collection and sale of personal information
  4. the number of security breaches and consumers affected
  5. details regarding the data collection practices, databases, sales activities, and opt-out policies applicable to the personal information of minors

Enforcement & Liability

The Vermont Attorney General is authorized to file an action in the Superior Court to enforce compliance with the statute. An injunction may also be obtained to mandate the data broker’s compliance.

Penalties

Data brokers that violate the statute by failing to register may be subject to civil fines of $50 per day that the data broker remains unregistered during the year. The aggregate of the fines should not exceed $10,000.