
Vermont Data Broker Regulation: What You Need to Know

January 21, 2019
By Kirsten Onsgard

A new law in Vermont that went into effect this month will impose strict standards on how data brokers use and secure consumer data.

Vermont’s Data Broker Regulation requires brokers that handle Vermont consumer data to register with the state and maintain certain security standards. It also bars data brokers from fraudulently acquiring data or using data for fraudulent purposes.

The state passed the law last spring, but the regulation went into effect on Jan. 1, 2019. Data brokers have until the end of January to register with the state.

By understanding how the regulation works, data brokers can ensure compliance and marketers can make certain they are working with trustworthy data sources.

Who does the Vermont Data Broker Regulation apply to?

The regulation defines a data broker as “a business, or unit or units of a business, separately or together, that knowingly collects and sells or licenses to third parties the brokered personal information of a consumer with whom the business does not have a direct relationship.” If a business collects data about consumers it does not have a relationship with and sells that data, then that company is a data broker.

A data broker is not a company that collects data for its own use. For example, say you are a retailer that surveys customers on their preferences. Then, you use that information to personalize your marketing. You are not a data broker.

A retailer can also sell the data it collects on its own without being a data broker. Only companies that aggregate personal data from third-party sources and then sell that data to other sources are data brokers.

This personal information can include:

  • Name

  • Address

  • Date of birth

  • Mother’s maiden name

  • Personal IDs, such as social security numbers or other government-issued IDs

  • Or any other information that would allow someone to identify the consumer with some certainty

For the purposes of this regulation, “consumer” refers to Vermont consumers. This means that no matter where a company is located, if it brokers the data of Vermont residents, it must comply.  

I’m a data broker. What do I need to do?

Register with the State. All data brokers that handle Vermont resident data need to register with the state by Jan. 31, 2019 and pay a $100 registration fee. You can find the form here.

Make annual disclosures. The data broker must disclose:

  • Whether it has an “opt out” function, what the opt-out applies to, and whether a consumer can authorize a third party to perform the opt out on the consumer’s behalf

  • Whether it has a “credentialing process” for its data buyers

  • What personal information it has regarding minors, and what opt-out functions it provides for that information

  • The number of “data broker security breaches” the data broker experienced in the previous year and, if known, how many consumers were affected.

The regulation defines a “data broker security breach” as an unauthorized acquisition or a reasonable belief of an unauthorized acquisition of more than one piece of brokered personal information maintained by a data broker. For example, if a user’s first name and birthdate were acquired by an unauthorized party, that would be considered a breach.

Maintain specific security standards. Most data brokers should have basic security standards in place, particularly as global regulations have tightened security requirements over the past few years. But the regulation outlines specific standards that data brokers must consider.

What security standards are required?

Some of the requirements outlined by the Vermont law include:

  • Develop, implement and maintain a comprehensive security program that is in writing

  • Train employees (including temporary and contract employees) and track compliance

  • Have a means for detecting and preventing security system failures

All data brokers should read the full text of the regulation to ensure they have data security best practices in place to comply.

I’m a marketer who relies on data brokers. What should I do?

The role of a brand marketer is not outlined in the law or guidance, but marketers should always ensure they are gathering accurate and secure data from their sources.

Here are a few tips:

  • Ask your data brokers what they are doing to ensure compliance

  • Inquire about data security methods

  • Acquire data according to best practices and avoid purchasing email or postal lists


Marketers rely on data brokers to better personalize content for customers and create a better brand experience. Using accurate and secure data sources will allow marketers to gain trust with their customers.

At TowerData, we understand that customers are wary. We employ best practices for data acquisition and security, and are transparent with our privacy policy. We monitor and comply with global data regulations, including GDPR. Since 2015, TowerData has been certified with the EU-U.S. Privacy Shield Framework, and we are now pursuing ISO-27001 certification.

That’s why dozens of global corporations trust us with their data needs every day.
