Data brokers intrude on the privacy of millions of people by harvesting and monetizing their personal information without their knowledge or consent. Worse, many data brokers fail to securely store this sensitive information, predictably leading to data breaches (like Equifax) that put millions of people at risk of identity theft, stalking, and other harms for years to come.
Earlier this year, Vermont responded with a new law that begins the process of regulating data brokers. It demonstrates the many opportunities for state legislators to take the lead in protecting data privacy. It also shows why Congress must not enact a weak data privacy law that preempts stronger state data privacy laws.
What Vermont’s Law Does
Vermont’s new data privacy law seeks to protect consumers from data brokers through four important mechanisms.
Transparency. Data brokers must annually register with the state. When doing so, they must disclose whether consumers may opt-out of data collection, retention, or sale, and if so, how they may do so. A data broker must also disclose whether it has a process to credential its purchasers, and its number of security breaches.
Duty to secure data. Data brokers must adopt comprehensive data security programs with administrative, technical, and physical safeguards.
No fraudulent collection. Data brokers may not collect personal information by fraudulent means, or for the purpose of harassment or discrimination.
Free credit freezes. Credit freezes are an important way for consumers to protect themselves from the fallout of a data breach. Many businesses will not extend credit absent a report from a credit reporting agency, and a credit freeze bars these agencies from issuing a report until a consumer lifts the freeze when they actually want credit. Vermont already empowered consumers to use credit freezes to protect themselves from credit fraud. The new Vermont law bars credit agencies from charging consumers fees for this protection.
What Vermont Should Do Next
Vermont’s legislators must not rest on their laurels. Rather, they should consider three sets of improvements to their state’s data privacy laws.
“First party” data miners. The new Vermont law defines a “data broker” as a business that collects and sells personal information from consumers with whom the broker has no direct relationship. Thus, the Vermont law begins to address “third-party” data mining (that is, data mining by companies that have no direct relationship with consumers). But it does not address “first-party” data mining (that is, data mining by companies that do have a direct relationship with consumers). For example, the Vermont law does not cover a social media platform like Facebook, or a retailer like Walmart, when those companies gather information about how consumers interact with their own websites.
The Vermont Attorney General is now holding hearings regarding whether Vermont should next regulate first-party data mining (among other things). We hope Vermont will find smart, appropriately tailored ways to do so.
More rules for data brokers. Vermont should do more to protect consumers from data brokers. As EFF has explained, new laws should: (i) impose on data brokers a fiduciary duty towards the consumers whose data they harvest and monetize; (ii) establish a government office to assist the victims of data breaches; and (iii) ensure that victims of data breaches can seek compensation for their non-financial injuries, and not just their financial injuries.
EFF also supports a consumer’s “right to know” what personal information a data broker has gathered about them, how the broker obtained it, and to whom they sold it. Such legislation must be carefully tailored to avoid undue burdens on free speech and innovation. Under the Vermont law, however, a consumer can only learn which data brokers are operating in the state, and a few general facts about those operations, but nothing about the harvesting of the consumer’s own personal information.
Further, the Vermont law does not require any form of consumer consent for data collection or sale. Rather, it only requires data brokers to publicly disclose whether there is a way for consumers to opt-out, and if so, how. In some cases, data brokers should be required to obtain consent to collect or sell a consumer’s personal information. For example, the new Vermont law defines “personal information” to include biometrics, and no one should be allowed to collect or sell someone else’s biometrics without their informed, opt-in consent.
Stronger enforcement. The new Vermont law provides that violations of the data security requirement and the ban on fraudulent acquisition are “unfair and deceptive acts” under existing state law. These means consumers can sue violators of these two new rules. This ability to bring a private cause of action is a powerful enforcement tool, because consumers don’t have to wait for the government to hold a data broker accountable. Instead, they can do it themselves.
Unfortunately, the same does not hold true for the new Vermont rule requiring transparency from data brokers. It should, and we urge Vermont to look for ways to give consumers a way to enforce the transparency rule as well.
The Vermont Attorney General may enforce all of these rules, which is good. But it is no substitute for the empowerment of “private attorneys general” to enforce the law when an Attorney General cannot or will not do so.
Note to Congress: Don’t Get In the Way
Vermont is helping lead a national movement for data privacy. It joins other states like California, which recently enacted its Consumer Privacy Act, and Illinois, which nearly a decade ago enacted its Biometric Information Privacy Act.
EFF hopes more states will enact smart, tailored laws that protect the privacy of technology users, while steering clear of First Amendment concerns and undue burdens. State legislatures have long been known as “laboratories of democracy” and they are serving that role now.
But some tech giants aren’t happy about that, and they are trying to get Congress to pass a weak federal data privacy law that would foreclose state efforts. They are right about one thing: it would be great to have one nationwide set of protections – but not if those protections are illusory or inadequate. Over 90% of Americans feel like they have no control over their privacy. Congress should be working to give them that control, instead of letting the companies with the worst privacy track records dictate users’ legal rights.