Vermont Data Broker Law


I once wrote a paper about data brokers during my third year at GW Law. From my research on that paper, I heard of the data brokerage industry for the first time and was surprised at how powerful it was (and still is). Data brokers hold massive volumes of personal information about millions of people and sell their data services to a wide variety of clients, including government agencies. In contrast to such power, when I was writing that paper in 2016, data brokerage was still largely a business operated in the shadows. Many people didn’t realize it existed, and more worrisomely, it was barely regulated.

Three years later, some progress has been achieved – now we have an effective GDPR and a to-be-effective CCPA that regulate applicable data brokers. In particular, the state of Vermont has started to enforce a data broker law, the Vermont Data Broker Regulation (Act 171), effective since January 1, 2019.

Data brokers are those who collect information for the purpose of resale. They typically don’t have a direct relationship with data subjects (whose personal data are collected), and they collect data through sources like government records, other commercial companies and digital tracking tools, rather than directly from consumers. Consumers lack the ability to effectively control and manage their personal data held by data brokers. As mentioned above, many people simply don’t know that data brokers exist – not to mention that their data are collected and sold by data brokers.

The Vermont legislators were aware of these issues. But they also recognized the benefits of data brokers, which supply critical information to modern society in many areas such as targeted marketing, background checks, credit reporting, strategic political campaigns, etc. So I was interested in seeing how the Vermont data broker law tried to balance these two fronts. The result turned out to be somewhat disappointing, as the law could have been more privacy protective while not overburdening the data brokerage industry.

First of all, the Vermont law narrows down its applicable targets. Compared to the definition of “data brokers” by the Federal Trade Commission (FTC), which refers to “companies that collect information … from a wide variety of sources for the purpose of reselling such information…,” Vermont limits data brokers to businesses that “knowingly collects and sells or licenses to third parties the brokered information of a consumer with whom the business does not have a direct relationship.” So the FTC definition covers businesses that collect information directly from consumers for the purpose of resale, but the Vermont law does not. Additionally, the Vermont law gives a list of business activities and exempts data collection and sale or licensing that are merely incidental to these activities.

Secondly, the Vermont law requires annual registration of data brokers for transparency. To fulfill the registration duty, data brokers need to disclose their basic information such as name and address, if and how consumers may be allowed to opt out, the number of data breaches, and their data practices related to minors. But the law does not give individual consumers the right to know the details about their personal information held by data brokers, such as which data broker has what specific information. Data brokers don’t need to disclose their data sources. Nor are they required to take reasonable steps to ensure maximum possible accuracy of the collected data, offer consumers the right to correct inaccurate data, or allow consumers to opt out.

Thirdly, the law prohibits data collection in fraudulent manners or for the purposes of wrongful acts (e.g., stalking and harassing, committing a fraud, or engaging in unlawful engagement). But this anti-fraud duty is only imposed on data collection, not on any further processing activities like selling or licensing the data to third parties. Consumers would be better protected if data brokers were also required to be reasonably diligent against wrongful or suspicious data usage when they sell their data services.

My last concern is regarding enforcement. Violations of the fraudulence and data security requirements would be treated as “an unfair and deceptive act in commerce” under the state’s consumer protection law. And the annual registration will be enforced through the Vermont Attorney General. The law grants individuals the right to bring a private action against data brokers that violate the credit reporting provisions. But no such private rights are granted for violations of other provisions. As I mentioned repeatedly in earlier posts, allowing impacted individuals to bring lawsuits is necessary for an efficient data protection mechanism because they will not need to wait for the government to take action, and this will also give businesses more incentive to follow the law.


By Mingli Shi


Mingli Shi

privacy law professional; love going into nature and onto water; Frenchie owner; rational enthusiast
