As of February, businesses collecting and selling data about Vermont residents are required to register under the country’s first law governing the murky “data broker” industry. So far, 121 companies have registered, according to data from the Vermont secretary of state’s office.
The law also requires companies to spell out whether there’s any way for consumers to opt out of their data collections, to specify whether they restrict who can buy their data, and to indicate whether they’ve had any data breaches within the past year.
The list of active companies includes divisions of the consumer data giant Experian, online people search engines like Spokeo and Spy Dialer, and a variety of lesser-known organizations that do everything from help landlords research potential tenants to deliver marketing leads to the insurance industry.
“We’re looking to shed some sunlight and transparency on an industry that’s traditionally been pretty opaque,” says Christopher Curtis, chief of the public protection division in the state attorney general’s office.
The law faced fierce industry opposition in the legislature before it went into effect last May, but has generally won praise from consumer advocates who say it’ll help consumers understand who might be tracking their data and what they can do to opt out.
“There’s companies that I’ve never heard of before,” says Zachary Tomanelli, communications and technology director at the Vermont Public Interest Research Group, which supported the law. “It’s often very cumbersome to know where the places are that you have to go, and how you opt out.”
Some of the backers of the law were support groups for domestic violence survivors, he says, who are often concerned about abusers using commercial data to track them without their knowledge. The law also makes it a crime to buy brokered personal data through fraud or to use it to stalk or harass someone, although it doesn’t set any standards for how brokers must vet data buyers.
Additionally, while the law does require data brokers to meet minimum security standards for storing personal information–requirements that officials say mirror rules already in place in Massachusetts–it doesn’t mandate that consumers have a way to opt out of data collection. It also doesn’t give consumers a right to access and review what data is stored and sold about them, or to know how their data was obtained and who’s buying it. And it doesn’t permit citizens to bring legal action against companies that violate the law.
Those rules are still on the wish list for many privacy groups in Vermont and around the country.
“We would always love to see the legislature pass strong privacy protections and ensure Vermonters can have control over their data,” says Chloe White, policy director of the American Civil Liberties Union of Vermont, who also had praise for the new law. “We really applaud the legislature and the governor for working on this,” she says.
Joel Winston, an attorney focused on privacy who formerly served as a deputy attorney general for the State of New Jersey, hailed the bill as “the first legislation by any American state to force data mining companies out of the shadows.” But he says the regulations are “more symbolic than substantive.”
“Vermonters did not gain any new rights to request their data, opt-out of data collection, or file lawsuits against scofflaw data miners,” he says. “Express violations of the law, including the use of personal data to discriminate in housing decisions, or a data miner’s failure to follow basic security protocols, can only be enforced by the Vermont Attorney General.”
Additionally, Winston says that many companies trafficking in third-party data still haven’t registered with the state. “Out of thousands eligible, less than 200 data mining companies actually registered by the deadline.”
Vermont’s rules also only cover third-party data brokers, not businesses that track their own users or customers, like search engines, cell-phone carriers or social networking services. That means some of the businesses most closely associated with controversies around personal data are outside the law’s purview, even if they sell access to customer data.
Another wish-list item is the option to “delete” one’s data. In January, Apple CEO Tim Cook called on the Federal Trade Commission to establish a national database of data brokers that would give individuals “the power to delete . . . data on demand, freely, easily, and online, once and for all.”
“We think every user should have the chance to say, ‘Wait a minute. That’s my information that you’re selling, and I didn’t consent,'” he wrote in Time.
After Cook’s op-ed, Senator Ron Wyden (D-OR) said he planned to reintroduce the Data Broker Accountability and Transparency Act, which would let people request their data from data brokers, and enable them to correct that data, or demand that companies stop using it.
How the data industry responded
Any efforts to rein in what Cook called a “shadow economy” of personal data are certain to see the type of resistance the Vermont law faced. A coalition of industry groups like the Internet Association, the Association of National Advertisers, and the National Association of Professional Background Screeners, as well as now-registered data brokers such as Experian, Acxiom, and IHS Markit, said the law was unnecessary.
In an open letter sent last spring urging Governor Phil Scott (R-VT) to veto the bill, they argued that much of what must be reported to the state is already spelled out in corporate privacy policies, that the data security requirements could hamper their ability to respond to technological change, and that the definition of “brokered personal information” could prove overly broad.
“Much of this information is already publicly available and would not pose a risk of harm to consumers if breached,” they argued. “For example, under this broad definition of personal information, a breach involving unauthorized acquisition of a list of consumer places of birth along with the name of a relative of the consumer would require reporting to the Secretary of State. Place of birth and names of relatives do not pose a risk to consumers.”
Requiring companies to disclose breaches of largely public data could be burdensome for businesses and needlessly alarming for consumers, they argue.
“Other information such as account numbers and things like that certainly do pose a risk of harm to the consumer,” says Christopher Oswald, senior vice president of government relations at the Association of National Advertisers. “It’s that type of personally identifiable information we thought should be included in what would be data security legislation, and many of the states have that [in existing privacy laws].”
Other companies, like Acxiom, have complained that the law establishes inconsistent boundaries around personal data used by third parties, and the first-party data used by companies like Facebook and Google.
“We opposed the data broker registry in Vermont because we believe it is unnecessary to single out a specific industry (in this case, ‘data brokers,’) when first-party data controllers often have as much data as companies like Acxiom,” the company’s chief data ethics officer Jordan Abbott told Wired.
(Scott eventually allowed the bill to go into effect last May without his signature: Amid the voluble opposition, he had expressed reservations about whether the registration fee violated a pledge not to raise taxes.)
Now that those first data broker registrations are in, officials and outside groups are planning to review them to get a better sense of who’s operating in the industry and how accommodating they are to consumers who wish to opt out.
“What we heard from industry a lot is that most companies are already providing an opt-out,” Tomanelli says. “This will be an interesting way to say, is that true. If the answer comes back that 200 data brokers register and only 40 allow for opt-outs, then that may be something we need to consider or take a look at.”
Other states are also likely to look to Vermont as they consider their own approaches to data regulations. California has proven to be a trailblazer in the area, passing a law last summer requiring companies beyond just third-party brokers to reveal what data they have if requested by consumers, let consumers opt out of much data sharing, and let them request that their data be deleted.
“They’re kind of two tools that go together, the broker registration process in Vermont and the right to know that we’re seeing in states like California,” says Adam Schwartz, a senior staff attorney at the Electronic Frontier Foundation.
It’s possible the federal government will pass its own data privacy legislation in coming years, something that’s been advocated both by privacy advocates seeking strong nationwide protections, and by industry leaders wary of having to comply with 50 different state data regimes.
However new laws take shape, data collected through Vermont’s registration system will likely influence both federal and state lawmakers, starting with Vermont legislators who are scheduled to receive a report this month on the law’s implementation so far.
“I’d like to see how this bill works for a year, and then I’d like to go back to Vermont and say, Here’s what we know, what do you think about X, Y, and Z,” says Pam Dixon, executive director of the World Privacy Forum. “We’re going to for the first time have actual data.”
Correction: This story had incorrectly identified Winston as an assistant attorney general of New Jersey. He was a deputy attorney general. We regret the error.