California isn’t the only state to aggressively address data privacy. Vermont’s new privacy law is the first one in the country designed to regulate data brokers, the companies selling our personal information.
I’ve heard very little about what Vermont was doing because California’s Consumer Privacy Act was garnering all the headlines. Yet, Vermont’s law was passed in May before GDPR went live and goes into effect in January 2019. Like GDPR, it has broad-reaching protections for both the people of Vermont and U.S. and non-U.S. citizens.https://o1.qnsr.com/log/p.gif?;n=203;c=204663295;s=11915;x=7936;f=201904081034270;u=j;z=TIMESTAMP;a=20410779;e=i
Linda V. Priebe, partner at Culhane Meadows and former Deputy General Counsel to the White House Office of Drug Policy and Ethics Advisor to the White House Office of the Counsel to the President, brought the Vermont law to my attention and encouraged me to tell my readers about it. So that’s what I’m doing.
Why is the Vermont law important to data privacy? As Priebe told me in our email conversation:
U.S. consumers don’t often know that the personal information U.S. companies collect from their customers and website and social media visitors is also used to create “shadow” profiles of consumers which are unregulated in the U.S. These “shadow” profiles can be used to determine credit worthiness (provided no actual credit score is used; that triggers the Federal Fair Credit Reporting Act), the favorability of terms of financial services offers, and even which job notices to display to a person online.
Any data broker subjected to the law has to register with the Vermont Secretary of State and pay a $100 annual fee. They must also report information about their practices regarding collection, storage and sale of consumer information. Priebe added:
Like the GDPR, data brokers subject to the Vermont law also are required to put in place a written, comprehensive data security system, including physical, technical and administrative safeguards for consumers’ personal data. Additional requirements govern minors’ personal information also like the GDPR.
GDPR is still stricter than the Vermont law, but clearly Vermont is trying to address a data privacy problem most Americans either don’t know about or don’t think about – that there are companies that are in the business to specifically sell our information for a profit. It’s bad enough how much the companies we are willing give our data to use it, but we really don’t have any control over it as a commodity on the market.
Someone told me that there are at least 43 states that are in some stage of introducing data privacy. Unfortunately, what that says to me is that we’re going to see uneven laws and enforcement, similar to data breach reporting.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba