At the federal level, no law fully regulates businesses that collect and sell or share consumers’ personal information. Certain laws touch on this type of market activity, but they are sectoral or specific to certain uses (e.g., the FCRA proscribes certain uses of credit reporting information). The FTC has consistently expressed interest in regulating data brokers and has supported national legislation to that end, but, to date, data broker regulations have been taken up only at the state level.
Two states, Vermont [1] and California [2], enacted data broker laws in 2018 and 2019, respectively. Both states define ‘data broker’ as a business that “knowingly collects and sells or licenses to third parties” the personal information of consumers with whom it does not have a direct relationship. [3] These laws take a broad approach to the definition of personal information, and require data brokers to register annually with the Secretary of State (Vermont) or the Attorney General (California). Failure to register may result in civil penalties, other fines, and pecuniary damages.
The Vermont law requires data brokers to disclose certain collection practices and the number (if any) of security breaches they experienced in the prior year, including the number of affected consumers (if known). [4] An additional disclosure is required where the data broker has actual knowledge that it possesses the personal information of minors. [5] The Vermont law also requires data brokers to maintain an appropriately tailored, “comprehensive information security program.” [6] Failure to do so constitutes an unfair and deceptive act in commerce under Vermont law. [7]
The California data broker law does not contain cybersecurity principles, but is constructed to function alongside, and otherwise defers to, obligations and penalties pursuant to the CCPA. [8]