Vermont's new consumer protection law could be a harbinger for tech industry
State attorneys general are a major line of defense for consumers. However, as commerce has gone digital, many AGs find themselves playing catch-up.
“The future of consumer protection is online,” says Christopher Curtis, chief of the public protection division at the Vermont Attorney General’s Office.
In Vermont, prioritizing online consumer protection means shining a light on the shadowy world of third-party data brokers. On Jan. 1, a new state law went into effect that requires increased standards and transparency of these companies that collect, buy or resell consumer data without having a direct relationship with the consumer.
Curtis notes that while many people understand they are giving up personal data when making a purchase, for example, they don’t know how that same data is then bought and sold.
“People are alarmed,” he says, “and the good news is that Vermont is doing something about it.”
To many, this landmark legislation is a strong next step forward as America tries to grapple with online privacy and internet regulation. Data brokers and internet companies, however, feel the law is an unworkable burden.
Whether aware of it or not, most Americans have heard of at least one third-party data broker. The recent controversies around Facebook’s lax relationship with brokers such as Cambridge Analytica and the breach of 145 million Americans’ records by Experian in 2017 have brought the industry to the fore. However, the need for broker transparency has been discussed for years.
In 2012, the Federal Trade Commission released a report that found data brokers fall into three categories: those subject to the Fair Credit Reporting Act, a 1970 law that supported accuracy, fairness and privacy of consumer data used by consumer reporting agencies; those that maintain data for marketing; and those that collect data outside of FCRA regulation and marketing purposes, such as people-locating services.
Characterizing its own report in 2014, the FTC noted that the latter two categories “remain opaque” and called for the transparency and accountability of these companies, which has not yet occurred at the federal level.
Containing a ‘free-for-all’
In Vermont, policymakers took a “light touch” approach that focused on “sunlight and transparency,” according to Curtis.
The law requires brokers dealing with Vermonters’ data to register annually with the attorney general’s office; creates a prohibition on using data for discriminatory purposes and using fraudulently attained data, such as through phishing; sets a minimum data security requirement for data brokers; and eliminates fees for credit freezes, which is now reflected by federal law.
As of late April, 134 third-party data brokers had registered with the attorney general’s office, according to Curtis. This information includes whether the company allows for consumers to opt out of the broker’s collection, how many data breaches the broker experienced in the previous year, and whether the broker possesses data from minors.
Praising the final product, Pam Dixon, executive director of the World Privacy Forum, says the law strikes a good balance.
“You can’t just lock data away; that’s not how the digital economies are working globally,” she says. “But, on the other hand, you can’t just have a free-for-all.” She says this law takes a step toward containing that free-for-all.
While there is general agreement that something needs to be done regarding data brokers, the bill wasn’t without opposition. A coalition of 14 data brokers and internet industry interest groups, such as Experian, the Internet Association—which counts Amazon, Facebook and Google as members—and the National Association of Professional Background Screeners, petitioned Vermont Gov. Phil Scott to veto the bill.
“This bill, if enacted, would create serious unintended consequences and negatively impact consumers, business and the internet,” the coalition wrote. The bill “would make Vermont a far more difficult place to innovate on the internet, ultimately hurting consumers and the information economy that has become an important part of the state’s economy.”
The ABA Journal contacted numerous signatories to the letter, but representatives from these organizations either declined to be interviewed or did not respond.
After the law took effect, Apple CEO Tim Cook published an essay in Time calling for a federal registration run by the FTC, which would give consumers more control to delete and track their data as it is bought and sold.
In February, U.S. Rep. Bobby Rush, D-Ill., introduced the Data Accountability and Trust Act, which, among other things, would accomplish what Cook wrote about. As of publication, the bill had not received a hearing.
Back in Vermont, people are waiting to see what the new law brings to light.
Zach Tomanelli, communications and technology director at Vermont Public Interest Research Group, expects that the law “will provide a base level of understanding” that will inform policymakers whether greater consumer protections are needed.
“It’s a good first step,” he says.
This article ran in the June 2019 issue of the ABA Journal under the headline: "Sunlight in Vermont: State's new consumer protection law regulating companies that buy or sell data could be a harbinger for tech industry"