Vermont passes first first law to crack down on data brokers

INSUBCONTINENT EXCLUSIVE:
While Facebook and Cambridge Analytica are hogging the spotlight, data brokers that collect your information from hundreds of sources and
sell it wholesale are laughing all the way to the bank
But they&re not laughing in Vermont, where a first-of-its-kind law hems in these dangerous data mongers and gives the state citizens
much-needed protections. Data brokers in Vermont will now have to register as such with the state; they must take standard security measures
and notify authorities of security breaches (no, they weren&t before); and using their data for criminal purposes like fraud is now its own
actionable offense. If you&re not familiar with data brokers, well, that the idea
These companies don&t really have a consumer-facing side, instead opting to collect information on people from as many sources as possible,
buying and selling it amongst themselves like the commodity it has become. How to save your privacy from the Internet clutches This data
exists in a regulatory near-vacuum
As long as they step carefully, data brokers can maintain what amounts to a shadow profile on consumers
I talked with director of the World Privacy Forum, Pam Dixon, about this practice. &If you use an actual credit score, it regulated under
the Fair Credit Reporting Act,& she told me
&But if you take a thousand points like shopping habits, zip code, housing status, you can create a new credit score; you can use that and
it not discrimination.& And while medical data like blood tests are protected from snooping, it not against the law for a company to make an
educated guess your condition from the medicine you pay for at the local pharmacy
Now you&re on a secret list of &inferred& diabetics, and that data gets sold to, for example, Facebook, which combines it with its own
metrics and allows advertisers to target it. Oh yes, Facebook does that
Or did do it for years, only ending the practice under the present scrutiny
&When you looked at Facebook targeting there were like 90 targets & race, income, housing status — that was all Acxiom data,& Dixon told
me; Acxiom is one of the largest brokers. Data brokers have been quietly supplying everyone with your personal information for a long time
And advertising is the least of its applications: this data is used for informing shadow credit scores, restricting services and offers to
certain classes of people, setting terms of loans, and more. Vermont new law, which took effect late last week, is the nation first to
address the data broker problem directly. &It been a huge oversight,& said Dixon
&Until Vermont passed this law there was no regulation for data brokers
It that serious
We&ve been looking for something like this to be put in place for like 20 years.& Europe, meanwhile, has leapfrogged American regulators
with the monumental GDPR, which just entered into effect. WTF is GDPR The issue, she said, has always been defining a data broker
It harder than you might think, considering how secretive and influential these companies are
When every company collects data on their customers and occasionally monetizes it, who to say where an ordinary business ends and data
brokering begins They fought previous laws, and they fought this one
But Dixon, who along with the companies themselves was part of the state hearings to create the law, said Vermont avoided this pitfall. &The
way the bill is written is extremely well thought through
They didn&t worry as much about the definition, but focused on the activity,& she explained
And indeed the directness and clarity of the law are a pleasant surprise: While data brokers offer many benefits, there are also risks
associated with the widespread aggregation and sale of data about consumers, including risks related to consumers& ability to know and
control information held and sold about them and risks arising from the unauthorized or harmful acquisition and use of consumer
information. Consumers may not be aware that data brokers exist, who the companies are, or what information they collect, and may not be
aware of available recourse. This straightforward description of a subtle and widespread problem greatly enabled by technology is a rarity
in a world dominated by legislators and judges who regularly demonstrate ignorance on high-tech topics
(You can read the full law here.) As Dixon pointed out, lots of companies will find themselves encompassed by the law broad
definition: &Data broker& means a business, or unit or units of a business, separately or together, that knowingly collects and sells or
licenses to third parties the brokered personal information of a consumer with whom the business does not have a direct relationship. In
other words, anyone who collects data second hand and resells it
There are a few exceptions for things like consumer-focused information services (411, for example) but it seems unlikely that any of the
real brokers will escape the designation. With the requirement to register, along with a few other disclosures brokers will be required to
make, consumers will be aware of which they can opt out of and how
And if they find themselves the victim of a crime that used broker data — a home loan rate secretly raised because of race, for instance,
or a job offer rescinded because of a surreptitiously discovered medical condition — they have legal recourse. Security at these companies
will have to meet a minimum standard, as well as access controls
And data breach rules mean prompt notification if personal data is leaked in spite of them. It a good first step and one that should prove
extremely beneficial to Vermonters; if it as successful as Dixon thinks it is, other states may soon imitate it.