Culhane Meadows partners David Jacoby and Linda Priebe recently authored an informative article for Legal BlackBook’s CyberInsecurity column about Vermont’s new data broker law, which companies throughout the United States need to know. Here is a relevant excerpt:

After all the attention garnered in recent weeks by the EU’s General Data Protection Regulation (GDPR), there’s another regulation that you may have missed. And with good reason, given that only about 0.2 percent of the United States population lives in Vermont. But the state’s new, first-of-its-kind law regulating data brokers is likely to have an impact far beyond what that number alone would suggest.

The statute creates significant obligations for businesses that collect or make available defined types of personal data for individuals with whom the businesses do not have a direct relationship. And the law will apply if data of any Vermont resident is included. It also imposes standards for information security safeguards and makes the failure to have them in place actionable by the state’s attorney general or by individuals suing under the state’s unfair and deceptive acts and practices statute.

But first, let’s clarify what we’re talking about.  Data brokerage differs from traditional online behavioral advertising. Under the Vermont law, a data broker is a business “that knowingly collects and sells or licenses to third parties the brokered personal information of a consumer with whom the business does not have a direct relationship.” (Your favorite online store isn’t a data broker because you have a direct relationship with it.)

To download a PDF of the entire article click HERE. 

To view the full article online click HERE.