Attorney General TJ Donovan. File photo by Bob LoCicero/VTDigger

As a new law regulating data brokers who buy and sell Vermonters’ personal information is set to go into effect in 2019, the state’s attorney general is urging the Legislature to take additional steps to protect citizens’ data privacy.

The Attorney General’s Office is recommending that lawmakers create a new statewide officer position charged with ensuring the government establishes best practices for handling Vermonters’ personal information.

It also suggests the Legislature pass additional regulations protecting the personal information of children who use educational technology in school.

These and other recommendations came in a report released by the office last week, after the data broker bill that passed earlier this year instructed the attorney general to look into whether Vermont should consider expanding policies related to data privacy.

The first-in-the-nation data broker law, which takes effect on Jan. 1, adds new protections for consumers and demands transparency of the third-party companies that buy, sell and collect users’ personal information online.

It explicitly makes data collection for fraudulent purposes illegal and will require third-party brokers to register with the Vermont Secretary of State’s office, and provide information to the public—including whether they have opt-out policies for data collection.

The legislation, which passed in the wake of the massive Equifax data breach last year, also prohibits credit firms from charging consumers fees to freeze their access to credit reports and subsequent fees to lift freezes.

Now, Vermont Attorney General TJ Donovan believes the state needs to “look inward” and get a handle on its own data collection practices.

The report released last week recommends the state establish a “chief privacy officer” to oversee the state’s data collection methods and ensure that Vermont “protects the privacy of its citizens.”

“I think what we have to do in government is get our house in order, figure out what we’re doing with Vermonters’ data and be a leader,” Donovan said Thursday. “And send a message that you can do both—you can be a participant in this new economy while protecting consumers’ privacy.”

The report suggests that the state undertake a “privacy audit” to determine which state agencies are collecting sensitive personal data about residents, how the state is collecting such data and who is collecting the data from the state.

“I think there’s a big unknown there in terms of what type of data do we obtain, how do we retain it, where does it go, how long do we retain it,” Donovan said.

The role of the chief privacy officer would be, in part, to advocate for additional privacy protections for citizens and hear their concerns.

“The State must balance its obligations of openness with making sure that citizens’ data is not being used inappropriately, is only collected when necessary, and is disposed of securely when no longer needed,” the report says. “This may in some cases require amending existing laws or proposing new regulation.”

While the report says Vermont should wait to consider expanding its regulations of the data broker industry until after the new law is enforced, it does recommend lawmakers act immediately to add new restrictions for companies that handle children’s personal information.

The report suggests that Vermont enact a version of a 2016 law passed in California prohibiting education technology companies that operate websites, apps, or online services geared at K-12 students from selling student information or disclosing it for purposes unrelated to education.

“I think we have to make sure that we’re protecting kids and really giving powers to the school district and to parents that kids’ data is protected,” Donovan said.

Xander Landen is VTDigger's political reporter. He previously worked at the Keene Sentinel covering crime, courts and local government. Xander got his start in public radio, writing and producing stories...