U.S. Vermont Act 171 of 2018 — Data Broker Regulation

SmartSuite provides the system for managing controls, evidence, mappings, assessments, and reporting. Framework text may require a separate license unless explicitly provided.
Overview
U.S. Vermont Act 171 of 2018 — Data Broker Regulation is a state privacy and compliance law that requires data brokers to register with the state and adhere to specific data protection and transparency practices. The regulation aims to increase accountability among organizations that collect, aggregate, and sell personal information about consumers with whom they have no direct relationship.
Published by the State of Vermont, Act 171 applies to any entity operating as a data broker within the state’s jurisdiction, regardless of physical location. The law focuses on privacy governance, disclosure of data collection practices, the implementation of information security measures, and notification of data breaches that may affect Vermont residents. It is one of the first laws in the United States to specifically target data broker activities.
Organizations subject to Act 171 integrate its requirements into their compliance programs by registering with the Vermont Secretary of State, developing internal controls to safeguard data, conducting risk assessments, and providing annual disclosures. This regulation supports overall privacy and cybersecurity risk management efforts, often aligning with broader data protection frameworks such as CCPA or GDPR.
Why it Matters
Vermont Act 171 establishes regulatory oversight for data brokers, helping organizations build trust and accountability in personal data management practices.
Key benefits include:
• Increase data handling transparency
Require clear disclosures about data collection and sharing practices, ensuring individuals and regulators better understand information handling activities.
• Strengthen consumer privacy protections
Mandate safer processing and storage of personal data, reducing the risk of misuse and unauthorized access.
• Enhance regulatory alignment
Help organizations structure compliance programs to meet emerging state and national privacy requirements more efficiently.
• Improve incident response readiness
Require prompt notification and remediation of security breaches, supporting more effective responses to data security incidents.
• Support responsible data stewardship
Encourage organizations to adopt stronger governance practices and minimize reputational and regulatory risks related to personal data misuse.
How it Works
The U.S. Vermont Act 171 of 2018 — Data Broker Regulation organizes its framework around specific regulatory requirements targeting data broker practices, privacy safeguards, and transparency obligations. It establishes clear definitions for data brokers, outlines registration procedures, and stipulates disclosure mandates concerning data collection, usage, and security practices.
In practice, organizations that meet the definition of a data broker must assess their status, register annually with the Vermont Secretary of State, and implement governance measures to comply with the act. Typical activities include developing explicit security controls for personal data, conducting risk assessments to identify and mitigate privacy risks, publishing comprehensive data practices disclosures, and maintaining ongoing compliance monitoring to meet statutory obligations and support regulatory inspections.
With SmartSuite, organizations can operationalize Vermont Act 171 compliance by leveraging modules for maintaining a control library of statutory requirements, documenting data handling practices, and tracking compliance through centralized registers. Capabilities for policy governance, evidence collection, and risk management support continuous oversight, while reporting dashboards enable organizations to demonstrate compliance readiness and transparency.
Key Elements
• Data Broker Registration Requirements
Specifies mandatory registration procedures and disclosures for data brokers operating within Vermont.
• Information Collection Practices
Outlines the types of personal information collected and the methods used by data brokers.
• Opt-Out and Consent Mechanisms
Describes processes allowing individuals to opt out of data collection or sale by data brokers.
• Security Standards and Safeguards
Establishes required measures data brokers must implement to protect collected information from unauthorized access or use.
• Transparency and Disclosure Obligations
Requires brokers to provide clear public information regarding data handling policies and business practices.
• Oversight and Enforcement Provisions
Defines regulatory authority, monitoring activities, and penalties for non-compliance with the regulation.
Framework Scope
U.S. Vermont Act 171 of 2018 — Data Broker Regulation applies to entities engaged in the collection and sale of personal data about consumers without direct relationships. The regulation governs data broker activities, including data processing systems and personal information management, and is typically adopted to meet statutory compliance, enhance privacy protection, and support data governance and regulatory assurance programs.
Framework Objectives
U.S. Vermont Act 171 of 2018 — Data Broker Regulation establishes requirements to strengthen data protection and oversight for data brokers.
• Enhance governance over the collection, processing, and sale of personal data
• Improve transparency and accountability in data broker operations and risk management
• Promote stronger regulatory compliance with consumer privacy and cybersecurity obligations
• Support data protection by reducing unauthorized access and security threats
• Ensure audit readiness through mandatory registration and required security controls
• Safeguard consumer interests by enabling clear disclosure of data practices
Vermont Act 171 aligns with U.S. privacy regulations like the California Consumer Privacy Act (CCPA) and the Gramm-Leach-Bliley Act (GLBA), focusing specifically on data broker requirements. Organizations typically implement Vermont Act 171 to achieve regulatory compliance, particularly when handling personal data for profiling, marketing, or resale within the state of Vermont.
Common Framework Mappings
Vermont Act 171 is commonly mapped to established security and privacy frameworks to ensure comprehensive data protection and regulatory alignment, especially for organizations managing sensitive consumer or brokered data across jurisdictions.
Mapped frameworks include:
CIS Critical Security Controls
CPRA (California Privacy Rights Act)
GDPR (General Data Protection Regulation)
ISO/IEC 27001
ISO/IEC 27701
NIST Cybersecurity Framework
NIST SP 800-53
PCI DSS
SOC 2
StateRAMP
- Classification: Category: Data Protection & Privacy; Domain: Privacy; Framework Family: Global Privacy Regulations
- Regulatory Context: Type: Regulation; Legal Instrument: Act; Sector: Cross-Sector; Industry: Cross-Industry
- Region / Publisher: Region: North America; Region Detail: Vermont; Publisher: Legislature of the State of Vermont
- Versioning: Version: 2018; Effective Date: January 1, 2019; Issue Date: May 22, 2018
- Adoption: Adoption Model: Regulatory Compliance; Implementation Complexity: Moderate
- Official Reference: Source
License included / downloadable: Yes
Vermont Act 171 of 2018 is published by the State of Vermont and is publicly available via the Vermont Legislature's official website.
License included with platform
How SmartSuite Supports VT Act 171
Manage Vermont data broker and consumer data protection requirements by organizing Act 171 obligations, tracking data broker activities, and maintaining evidence supporting security controls, registration, and compliance.
Data Broker Governance and Registration
Track data broker status, registration requirements, and annual reporting obligations with the Vermont Attorney General.
Data Broker Activity Records
Maintain records of personal data collected, processed, and shared by data broker activities.
Safeguards for Personal Information Protection
Manage administrative, technical, and physical safeguards required to protect personal information.
Consumer Data Access and Security
Control access, authentication, and secure handling of consumer data across systems and workflows.
Breach Detection and Notification Workflows
Track incidents and manage breach notification requirements to affected individuals and authorities.
Data Broker Compliance and Regulatory Reporting
Provide dashboards showing data broker compliance status, security posture, and regulatory reporting readiness.
Related frameworks

CCPA/CPRA is California privacy law giving residents control over personal data and requiring businesses to protect and disclose data practices.

GDPR is an EU regulation that protects individuals' personal data and strengthens organizations' accountability for privacy.

ISO/IEC 27001:2022 is an international ISMS standard that helps organizations manage information security risks and protect data.

ISO/IEC 27701 extends ISO/IEC 27001 to help organizations manage privacy and protect personally identifiable information.

NIST Privacy Framework provides voluntary guidance to help organizations identify, assess, and manage privacy risks to individuals' data.
Frequently Asked Questions For U.S. Vermont Act 171 of 2018 (Data Broker Regulation)
Vermont Act 171 of 2018 was enacted to regulate the practices of data brokers who collect and sell or license the personal information of consumers. Its primary goal is to improve transparency, safeguard consumer privacy, and reduce risks of identity theft by requiring registration and disclosure from data brokers operating in Vermont.
Yes, compliance with Vermont Act 171 is mandatory for organizations that meet the definition of a data broker and conduct business involving Vermont consumers, regardless of whether the broker is physically located in Vermont. Failure to comply can result in regulatory penalties and enforcement actions.
This regulation applies to any data broker—defined as a business that knowingly collects and sells or licenses personal information about consumers with whom it does not have a direct relationship. It affects U.S. or international businesses processing Vermont residents’ data for brokering purposes.
Data brokers must register annually with the Vermont Secretary of State, disclose certain information about their data handling practices, and report any known data security breaches. Required documentation includes data collection methods, opt-out policies, and breach notifications.
To comply, data brokers must assess whether their activities fall under the law’s definition, implement necessary data privacy and security policies, complete the state’s registration, and maintain documentation for disclosures and breach notifications. Regular review and update of compliance artifacts are vital.
While similar in intent to laws like the California Consumer Privacy Act (CCPA) and the Gramm-Leach-Bliley Act (GLBA), Vermont Act 171 specifically targets data brokers and imposes unique registration and disclosure requirements, potentially supplementing federal and state-level privacy obligations.
Data brokers must renew registration annually, update public disclosures if practices change, promptly report qualifying data breaches, and maintain secure data management practices. Continuous monitoring and evidence collection for regulatory purposes are necessary to ensure compliance.
SmartSuite can help organizations manage Vermont Act 171 compliance by enabling risk tracking for data broker activities, establishing and monitoring required controls, centralizing registration and breach notification documents, streamlining evidence collection for audits, and providing detailed reporting to demonstrate audit readiness and compliance status.
Put CRI Profile into action with SmartSuite
Map controls, collect evidence, run assessments, manage remediation, and report readiness - all from a single connected system.

