July 6, 2020 by Tim
Two years ago, Vermont became the first state in the nation to enact a so-called Data Broker law, which required companies that collect consumer information for sale or distribution to register with the state. The law also required such data brokers to notify the Vermont Attorney General’s office of any data breaches.
Effective July 1, 2020, Vermont has taken another leading step by expanding the Security Breach Notice Act to include biometric information, such as fingerprints, retina scans, genetic information, and medical records.
Our take: it will definitely be interesting to see what companies register with the state for collecting fingerprints, etc. for sale and distribution! Looking at you, Apple. Of course, not all companies are complying with the law. How many data brokers are there collecting Vermonters’ data? Probably thousands, and yet only 120 firms initially registered when the law first took effect. It’s also important to note that the law only covers third-party data brokers, meaning mostly firms that collect data from outside sources to sell. First-party collectors, such as Google, Facebook, Amazon, and many, many more are currently exempt.
Then there’s the regulatory nightmare that comes with having 50 separate data laws, plus more for D.C. and territories. It’s way past time for us to pass a national data privacy law. Then we might finally be able to feel a little secure.
