You might have heard of data brokers—entities that collect personal information and analyze, append, and repackage it for sale to third parties—from reports such as the FTC’s 2014 study or a 2017 proposed congressional bill that would have imposed breach notification obligations on brokers following the Equifax breach. But you may have never thought that your company’s practices could land you in this category.

Beginning on January 1, 2019, Vermont will be the first state in the nation to regulate data brokers that process personal information regarding its residents. This new law incorporates a very broad definition of “data broker” and requires businesses defined as such to register annually and report on security breaches to the Secretary of State.

Under the statute, a “data broker” is a business that knowingly collects and sells or licenses the personal information of a Vermont resident with whom it does not have a direct relationship. To qualify as a data broker, the business must sell or license brokered personal information including:

  • One or more computerized data elements (e.g., name, address, date or place of birth, mother’s maiden name, or biometric data), and
  • “Other information that, alone or in combination with the other information sold or licensed, would allow a reasonable person to identify the consumer (with reasonable certainty) to a third party.”

Excluded from this definition are businesses collecting “information from their own customers, employees, users, or donors, including: banks and other financial institutions, utilities, insurers, retailers and grocers, restaurants and hospitality business, social media websites and mobile ‘apps’, search websites, and businesses that provide services for consumer-facing businesses and maintain a direct relationship with those consumers, such as website, ‘app,’ and e-commerce platforms.”