
New Vermont Law Regulating Data Brokers Drives 120 Businesses From The Shadows

In May of 2018, Vermont was the first (and only) state in the nation to enact a law regulating data brokers. According to the Vermont Secretary of State, a data broker is defined as:

"... a business, or unit or units of a business, separately or together, that knowingly collects and sells or licenses to third parties the brokered personal information of a consumer with whom the business does not have a direct relationship."

The Vermont Secretary of State's website contains links to the new law and more. This new law is important for several reasons. First, many businesses operate as data brokers. Second, consumers historically haven't known who has information about them, nor how to review their profiles for accuracy. Third, consumers haven't been able to opt out of the data collection. Fourth, if you don't know who the data brokers are, then you can't hold them accountable if they fail at data security. According to Vermont law:

"2447. Data broker duty to protect information; standards; technical requirements (a) Duty to protect personally identifiable information. (1) A data broker shall develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate... identification and assessment of reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of any electronic, paper, or other records containing personally identifiable information, and a process for evaluating and improving, where necessary, the effectiveness of the current safeguards for limiting such risks... taking reasonable steps to select and retain third-party service providers that are capable of maintaining appropriate security measures to protect personally identifiable information consistent with applicable law; and (B) requiring third-party service providers by contract to implement and maintain appropriate security measures for personally identifiable information..."

Before this law, there was little to no oversight, no regulation, and no responsibility for data brokers to adequately protect sensitive data about consumers. A federal bill proposed in 2014 went nowhere in the U.S. Senate. You can assume that many data brokers operate in your state, too, since there's plenty of money to be made in the industry.

Portions of the new Vermont law went into effect in May, and the remainder went into effect on January 1, 2019. What has happened since then? Fast Company reported:

"So far, 121 companies have registered, according to data from the Vermont secretary of state’s office... The list of active companies includes divisions of the consumer data giant Experian, online people search engines like Spokeo and Spy Dialer, and a variety of lesser-known organizations that do everything from help landlords research potential tenants to deliver marketing leads to the insurance industry..."

The Fast Company site lists the 120 (so far) registered data brokers in Vermont. Regular readers of this blog will recognize some of the data brokers by name, since prior posts covered Acxiom, Equifax, Experian, LexisNexis, the NCTUE, Oracle, Spokeo, TransUnion, and others. (Yes, both credit reporting agencies and social media firms also operate as data brokers. Some states do it, too.) Reportedly, many privacy advocates support the new law:

"There’s companies that I’ve never heard of before," says Zachary Tomanelli, communications and technology director at the Vermont Public Interest Research Group, which supported the law. "It’s often very cumbersome [for consumers] to know where the places are that you have to go, and how you opt out."

Predictably, the industry has opposed (and continues to oppose) the legislation:

"A coalition of industry groups like the Internet Association, the Association of National Advertisers, and the National Association of Professional Background Screeners, as well as now registered data brokers such as Experian, Acxiom, and IHS Markit, said the law was unnecessary... Requiring companies to disclose breaches of largely public data could be burdensome for businesses and needlessly alarming for consumers, they argue... Other companies, like Acxiom, have complained that the law establishes inconsistent boundaries around personal data used by third parties, and the first-party data used by companies like Facebook and Google."

So, no companies want consumers to own and control the data -- property -- that describes them. Real property laws matter. To learn more, read about data brokers at the Privacy Rights Clearinghouse site. Related posts in the Data Brokers section of this blog:

Kudos to Vermont lawmakers for ensuring more disclosures and transparency from the industry. Readers may ask their elected officials why their state has not taken similar action. What are your opinions of the new Vermont law?
