Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

Vermont Passes First State Law Cracking Down on Data Brokers

June 4, 2018

TechCrunch reported on May 27^th that Vermont has become the first state to pass a law cracking down on data brokers. While Facebook and Cambridge Analytica get much of the notoriety, data brokers abound.

Data brokers in Vermont will now have to register as such with the state; they must take standard security measures and notify authorities of security breaches. Using their data for criminal purposes like fraud is now its own actionable offense.

As long as they tread carefully, data brokers can maintain a shadow profile on consumers. Pam Dixon, director of the World Privacy Forum, says, "If you use an actual credit score, it's regulated under the Fair Credit Reporting Act. But if you take a thousand points like shopping habits, zip code, housing status, you can create a new credit score; you can use that and it's not discrimination."

While medical data like blood tests are protected from snooping, it's not against the law for a company to make an educated guess about your condition from the medicine you buy at the local pharmacy. Now you're on a secret list of "inferred" diabetics, and that data gets sold to, for example, Facebook, which combines it with its own metrics and allows advertisers to target it. Facebook did that for years – under intense recent scrutiny, it has ended the practice. "When you looked at Facebook's targeting there were like 90 targets – race, income, housing status — that was all Acxiom data," Dixon stated. Acxiom is one of the largest brokers.

Data brokers have been supplying everyone with your personal information for a long time. And advertising is the least of its applications: this data is used for calculating shadow credit scores, restricting services and offers to certain classes of people, setting terms of loans, and much more.

The issue, according to Dixon, has always been defining a data broker. It's harder than you might think, considering how secretive and influential these companies are. When every company collects data on their customers and occasionally monetizes it, who's to say where an ordinary business ends and data brokering begins?

This straightforward description of a subtle and widespread problem greatly enabled by technology is a rarity in a world dominated by legislators and judges who regularly demonstrate ignorance on high-tech topics. (You can read the full law here.)

As Dixon pointed out, lots of companies will find themselves encompassed by the law's broad definition:

""Data broker" means a business, or unit or units of a business, separately or together, that knowingly collects and sells or licenses to third parties the brokered personal information of a consumer with whom the business does not have a direct relationship."

In other words, the law applies to anyone who collects data second hand and resells it. There are a few exceptions for things like consumer-focused information services (411, for example) but it seems unlikely that any of the true data brokers will escape the designation.

With the requirement to register, along with a few other disclosures brokers will be required to make, consumers will be aware of which they can opt out of and how. And if they find themselves the victim of a crime that used broker data — a home loan rate secretly raised because of race, for instance, or a job offer rescinded because of a surreptitiously discovered medical condition — they now have legal recourse. Security at these companies will have to meet a minimum standard, as well as access controls. And data breach rules mean prompt notification if personal data is leaked in spite of them.

Data brokers fought the passage of this law as they have fought others. But we need more of them. The European Union, with its new GDPR (General Data Protection Regulation), is way ahead of us in protecting privacy.

E-mail: Phone: 703-359-0700
Digital Forensics/Information Security/Information Technology
https://www.senseient.com
https://twitter.com/sharonnelsonesq
https://www.linkedin.com/in/sharondnelson
https://amazon.com/author/sharonnelson

Sharon D. Nelson, Esq.
President

Subscribe in a Reader

Cookie	Duration	Description
cookielawinfo-checbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Ride the Lightning

Vermont Passes First State Law Cracking Down on Data Brokers

Subscribe for More!

Recent Posts

Listen to the Podcast

Disclaimer