Earlier this week, Vermont became the first state in the US to enact a law that will regulate data brokers that buy and sell personal information in an attempt to add a new layer of accountability to the massive, data-trading companies that often operate without much oversight.
As TechCrunch noted, under the guidelines of the bill, which passed into law Tuesday without the signature of Republican Governor Phil Scott, data brokers will have to pay a $US100 ($132) annual fee to register with the state, and will have to comply with new rules meant to protect Vermonters from suffering at the hands of another data breach like the one that befell Equifax last year and exposed the data of 145 million (and counting) Americans.
Once data brokers register with the state, they will find themselves exposed to new scrutiny. Vermont will require the brokers to better inform consumers on the data they collect and provide clear instructions for opting out when that option is available. It will also establish new security standards that the companies will be expected to live up to.
When data brokers fail to meet those standards or suffer from a breach, they will be required to notify authorities of the incident — something they have inexplicably not been required to do in the past. State regulators will also be able to keep tabs on the companies and if they catch them using data for criminal purposes such as fraud, the state can take action against them.
(In 2015, a data broker was discovered to be collecting financial information from payday loan applicants and selling it to scammers who stole money from the borrowers by debiting their bank accounts and charging their credit cards, so having a mechanism to punish that type of behaviour is pretty important.)
Vermont lawmakers snuck in a little benefit for the state's residents that will remove the $US10 ($13) fee required to freeze credit reports and the $US5 ($7) fee required to lift the freeze. Those will be eliminated, and credit reporting bureaus like Equifax, Experian, and TransUnion will have to allow Vermonters to control their accounts without charging.
The law also takes a very broad approach to defining "data broker", which could open up a number of companies that make their bones in the data trade to new examinations of their business practices:
"Data broker" means a business, or unit or units of a business, separately or together, that knowingly collects and sells or licenses to third parties the brokered personal information of a consumer with whom the business does not have a direct relationship.
Vermont Attorney General TJ Donovan lent his support to the law, saying in a statement that it "slashes fees, helps stop fraudsters, and promotes transparency." According to Donovan, it will save residents of the state money as well as give them "information and tools to help them keep their personal information secure."
Governor Scott did not share that excitement about the bill and warned lawmakers that he may veto it because it imposed a new fee on data brokers, which he apparently felt violated his pledge not to impose new taxes or costs on Vermonters. (The bill saves citizens of Vermont money by waiving credit freeze fees and requires companies to pay to register within the state, but whatever.) Scott allowed the bill to pass into law but did not lend his signature to it.
It's perhaps not surprising that Vermont is the first state to pursue this type of law. Vermonters place a higher value on their personal information than residents of most states, according to a recent survey. While the average American values their data at $US2,163, citizens of Vermont place the price tag at $US4,125.