Data Broker and Consumer Protection Act

    United States of America (USA)

    No. 171. An Act Relating to Data Brokers and Consumer Protection

    The Vermont Data Broker and Consumer Protection Act was enacted on May 22, 2018. The Act requires data brokers to meet certain standards, including registering with the State, maintaining a comprehensive security program and reporting data breaches. All key requirements under the Act will come into force on January 1, 2019, except the requirement of removing financial barriers to protect consumer credit information which took effect on May 22, 2018 upon passage of this Act.

    Last Updated: July 30, 2019

  • General

    The Vermont Data Broker and Consumer Protection Act aims to (1) provide consumers with more information about data brokers, their data practices, and the right to opt out; (2) ensure that data brokers have adequate security standards; (3) prohibit the acquisition of personal information through fraudulent means or with the intent to commit wrongful acts; and (4) remove financial barriers to protecting consumer credit information.

    The Act protects Personally Identifiable Information (PII) from security breaches. PII means a consumer’s first name or first initial and last name in combination with any one or more of the following digital data elements:

    1. Social Security number;
    2. Motor vehicle operator’s license number or nondriver identification card number;
    3. Financial account number or credit or debit card number, if circumstances exist in which the number could be used without additional identifying information, access codes, or passwords;
    4. Account passwords or personal identification numbers or other access codes for a financial account.

    Personal information that is redacted, encrypted, or protected by other methods that render it unreadable or unusable by unauthorized persons is not deemed PII and is therefore not subject to this Act.

  • Security & Prevention

    The Act requires data brokers to adopt an information security program with appropriate administrative, technical, and physical safeguards to protect sensitive personal information.

  • Accountability & Recordkeeping

    Data brokers need to establish and maintain documentation of:

    1. responsive actions taken in connection with any incident involving a breach of security; and
    2. a mandatory post-incident review of events and actions taken, if any. The purpose of such review or actions is to improve business practices relating to the protection of PII.

  • Data Subjects Rights

    A credit reporting agency is required to notify Vermont consumers that (1) they are entitled to receive one free copy of their credit report every 12 months from each credit reporting agency, and (2) they have the right to obtain a security freeze free of charge.

  • Incident & Breach

    Data brokers need to register annually with the Secretary of State and provide information about their data broker security breaches. Data brokers need to report the number of data broker security breaches they have experienced during the prior year and, if known, the total number of consumers affected by those breaches.

    “Security breach” means

    1. unauthorized acquisition of electronic data, or
    2. a reasonable belief of an unauthorized acquisition of electronic data

    that compromises the security, confidentiality, or integrity of a consumer’s PII maintained by a data collector.

  • Enforcement

    The Vermont Attorney General has the authority to adopt rules to implement the provisions of the Act and to bring civil actions or other enforcement actions provided under Vermont law. In addition, individuals are entitled to initiate civil actions when their personal data has been fraudulently collected or misused.
