Rep. Bill Botzow, D-Pownal, right, is chair of the House Commerce and Economic Development Committee. File photo by Erin Mansfield/VTDigger
A House panel is considering a bill that would make Vermont the first state to try to rein in private firms that sell people’s personal data.

The House Commerce and Economic Development Committee has been taking testimony on the bill, H.467. The panel plans to add the bill’s language to S.72, a consumer protection bill that has already passed the Senate.

Data brokers are firms that collect, analyze, package and sell to third parties information about people who are not their customers.

Popular examples are LexisNexis and PeekYou, which journalists and lawyers often use for research. But supporters of the bill say there is an entire other realm of data brokers that produce consumer profiles for criminals.

“Data brokers sell lists of vulnerable individuals to scammers,” said Rep. Bill Botzow, D-Pownal, the chair of House Commerce and the lead sponsor of H.467. “I want to know who they are, because I don’t think that’s right.”

H.467 would require data brokers to register with the Department of Financial Regulation. The bill would also require brokers to submit annual reports to the department. The department or the attorney general could prosecute a company for not registering.

Brokers would also need to have a written consumer identification program designed to make sure the broker has “a reasonable belief that it knows the true identity of any customer purchasing personal information” and that “the customer is not purchasing the information for an illegal purpose.”

Additionally, all public agencies that sell Vermonters’ personal data to third parties, including through requests under the Vermont Public Records Act, would need to keep track of those third parties.

The bill is separate from S.147, which seeks to require Internet service providers to ask for customer permission before selling customers’ personal information. A data broker is an example of a third party that could be seeking that personal information, and data brokers may also sell information to other data brokers.

Data brokers are known for operating in an industry with little regulation and have been accused of selling data to criminals and domestic abusers.

A bill California considered in 2014 to limit data brokers’ activities did not pass, according to Ryan Kriger, the assistant attorney general who spearheaded H.467. Neither did a data broker regulation bill in Illinois.

“The issue here really is that this is an entire industry where many industry actors act in the shadows,” Kriger said. “We have no idea who they are, or what they’re selling, or who they’re selling to, which makes them fairly untouchable from law enforcement or public protection.”

Assistant Attorney General Ryan Kriger. File photo by John Herrick/VTDigger
Kriger said Vermont’s Consumer Protection Act protects residents against unfair practices in labor and commerce. But he said consumers likely don’t know which data brokers are getting their information, so they would not be able to make a complaint that leads to prosecution.

Kriger said requiring data brokers to register with the state would give officials an idea of who is doing business here, and that knowing whether data brokers are following the registration requirement would give an idea of who might be breaking laws.

“I suspect there will be some who do not register, and that will be an indication that these are people who do not want to comply with Vermont, do not want to put the protection of Vermont’s consumers above their other interests,” Kriger said.

Linked to domestic violence, stalking

Erica Olsen, from the National Network to End Domestic Violence, testified in favor of the bill. She said domestic abusers have historically used data brokers to stalk their victims.

“Regulating data brokers who are specifically scouring offline and online sources to collect and then sell personal information about people without their consent is a reasonable step towards increasing privacy and not something that will negatively impact innovation or positive uses of technology,” Olsen testified.

She pointed to a case from 1999 in which she said a man paid “less than $200” to obtain a woman’s date of birth, Social Security number and place of employment. “After getting this information, he drove to her workplace, shot and killed her, and then killed himself,” Olsen said. The victim’s mother sued the company, and they settled out of court in 2004, she said.

“Data brokers use information from both public records and private sources to collect address histories, motor vehicle records, voter registration lists, consumer purchase histories, web browsing activity, and content shared in social media accounts, among other information,” Olsen said.

“When compiled, data brokers are able to package and sell comprehensive and detailed personal information about individuals,” Olsen said. “For victims of abuse, whose privacy is deeply connected to their safety, this information can create a risk of them being located, harassed, assaulted or killed.”

Kriger said he is not personally aware of a specific case in Vermont in which a domestic abuser used a data broker to stalk someone.

Opposition from industry groups

The bill has drawn national opposition from nearly a dozen groups representing data brokers, including the powerful Data and Marketing Association, which opposed the California bill; the State Privacy and Security Coalition; the Internet Association; and the Internet Coalition.

Christopher Oswald, the vice president of advocacy for the Data and Marketing Association, sent Botzow a three-page letter outlining the group’s opposition to H.467. He called the bill “unnecessary, overly broad” and said it would “further complicate the patchwork of state laws and regulations that businesses and nonprofits operating in the digital economy currently face.”

Oswald said the bill’s language to require data brokers to implement customer identification measures “appears to have been inspired by federal anti-money laundering regulations, which apply specifically to financial institutions.” He said those laws are “used for terrorism and other criminal activities” and should not be applied to “consumer marketing data.”

Sarah Lashford, a lobbyist for the Consumer Data Industry Association, testified in opposition to the bill Friday. She called the bill’s regulations “one size fits all,” “unnecessary,” “unwarranted” and “impractical” measures that do not “in any way protect the consumers of Vermont.”

“There is nothing inherently unique to a data broker’s operation that should require state registration,” Lashford said. “There’s no policy reason for requiring a data broker to register because of what they do.”

She said L.L. Bean is an example of a data broker, because the founder used a list of hunting license holders to start a mail-order catalog operation in 1912. She said the same is true for Sears Roebuck & Co., which started in the 1800s as a mail-order business.

“In fact, the state of Vermont would be considered a data broker by the definition of this legislation,” Lashford said. “The state sells motor vehicle information to vendors. Does the state need to register with the Department of Financial Regulation in order to protect its citizens?”

“Businesses buy and sell retail information all the time,” Lashford said. “Retailers, restaurants and even plumbers are not required to have customer identification programs. This is because there is no reason to have a customer ID program to protect consumers. The same is true to data brokers.”

Kriger said those arguments “don’t seem to fall within the bill,” suggesting they stemmed from a “very creative” reading of the legislation.

“The clear language of the bill says that this is about businesses that acquire data about consumers for the purposes of reselling it, or analyzing it and reselling it,” Kriger said. “It exclusively says that if you’re selling your own customers’ data or your own employees’ data, then you’re not a data broker. I’m not clear on how L.L. Bean or Sears Roebuck would be considered a data broker.”

The House Committee on Commerce and Economic Development has scheduled testimony on the issue for Tuesday at 2:15 p.m.

Twitter: @erin_vt. Erin Mansfield covers health care and business for VTDigger. From 2013 to 2015, she wrote for the Rutland Herald and Times Argus. Erin holds a B.A. in Economics and Spanish from the...
