Vermont passes first law to crack down on data brokers

While Facebook and Cambridge Analytica are hogging the spotlight, data brokers that collect your information from hundreds of sources and sell it wholesale are laughing all the way to the bank. But they’re not laughing in Vermont, where a first-of-its-kind law hems in these dangerous data mongers and gives the state’s citizens much-needed protections.

Data brokers in Vermont will now have to register as such with the state; they must take standard security measures and notify authorities of security breaches (no, they weren’t before); and using their data for criminal purposes like fraud is now its own actionable offense.

If you’re not familiar with data brokers, well, that’s the idea. These companies don’t really have a consumer-facing side, instead opting to collect information on people from as many sources as possible, buying and selling it amongst themselves like the commodity it has become.

This data exists in a regulatory near-vacuum. As long as they step carefully, data brokers can maintain what amounts to a shadow profile on consumers. I talked with director of the World Privacy Forum, Pam Dixon, about this practice.

“If you use an actual credit score, it’s regulated under the Fair Credit Reporting Act,” she told me. “But if you take a thousand points like shopping habits, zip code, housing status, you can create a new credit score; you can use that and it’s not discrimination.”

And while medical data like blood tests are protected from snooping, it’s not against the law for a company to make an educated guess your condition from the medicine you pay for at the local pharmacy. Now you’re on a secret list of “inferred” diabetics, and that data gets sold to, for example, Facebook, which combines it with its own metrics and allows advertisers to target it.

Oh yes, Facebook does that. Or did do it for years, only ending the practice under the present scrutiny. “When you looked at Facebook’s targeting there were like 90 targets – race, income, housing status — that was all Acxiom data,” Dixon told me; Acxiom is one of the largest brokers.

Data brokers have been quietly supplying everyone with your personal information for a long time. And advertising is the least of its applications: this data is used for informing shadow credit scores, restricting services and offers to certain classes of people, setting terms of loans, and more.

Vermont’s new law, which took effect late last week, is the nation’s first to address the data broker problem directly.

“It’s been a huge oversight,” said Dixon. “Until Vermont passed this law there was no regulation for data brokers. It’s that serious. We’ve been looking for something like this to be put in place for like 20 years.”

Europe, meanwhile, has leapfrogged American regulators with the monumental GDPR, which just entered into effect.

The issue, she said, has always been defining a data broker. It’s harder than you might think, considering how secretive and influential these companies are. When every company collects data on their customers and occasionally monetizes it, who’s to say where an ordinary business ends and data brokering begins?

They fought previous laws, and they fought this one. But Dixon, who along with the companies themselves was part of the state’s hearings to create the law, said Vermont avoided this pitfall.

“The way the bill is written is extremely well thought through. They didn’t worry as much about the definition, but focused on the activity,” she explained. And indeed the directness and clarity of the law are a pleasant surprise:

While data brokers offer many benefits, there are also risks associated with the widespread aggregation and sale of data about consumers, including risks related to consumers’ ability to know and control information held and sold about them and risks arising from the unauthorized or harmful acquisition and use of consumer information.

Consumers may not be aware that data brokers exist, who the companies are, or what information they collect, and may not be aware of available recourse.

This straightforward description of a subtle and widespread problem greatly enabled by technology is a rarity in a world dominated by legislators and judges who regularly demonstrate ignorance on high-tech topics. (You can read the full law here.)

As Dixon pointed out, lots of companies will find themselves encompassed by the law’s broad definition:

“Data broker” means a business, or unit or units of a business, separately or together, that knowingly collects and sells or licenses to third parties the brokered personal information of a consumer with whom the business does not have a direct relationship.

In other words, anyone who collects data second hand and resells it. There are a few exceptions for things like consumer-focused information services (411, for example) but it seems unlikely that any of the real brokers will escape the designation.

With the requirement to register, along with a few other disclosures brokers will be required to make, consumers will be aware of which they can opt out of and how. And if they find themselves the victim of a crime that used broker data — a home loan rate secretly raised because of race, for instance, or a job offer rescinded because of a surreptitiously discovered medical condition — they have legal recourse.

Security at these companies will have to meet a minimum standard, as well as access controls. And data breach rules mean prompt notification if personal data is leaked in spite of them.

It’s a good first step and one that should prove extremely beneficial to Vermonters; if it’s as successful as Dixon thinks it is, other states may soon imitate it.