By: Matthew Jurgensmeier
As automated systems spread and the internet becomes ubiquitous, more and more consumer data is collected and stored online. Collected by companies with whom customers interact and scraped from across the internet, this data provides a roadmap for who customers are, what they’ve done online, and what they are likely to do in the future. Some companies use this data to advertise to consumers, while other companies sell it. The companies that scrape and sell data are called data brokers, and the information that they collect is for sale to anyone who is willing to pay. Examples of data brokers include Datalogix, Intelius, and DSA Direct. [For more WJLTA coverage on data brokers, see here.]
Over the last decade, data breaches have become increasingly commonplace. Some of the more prominent recent data breaches include major companies like Yahoo and Target, and even the United States government. When publicly traded companies suffer a data breach, the SEC has released requirements that instruct them to disclose the breach pursuant to the reporting guidelines of the Securities Exchange Act. Private companies, however, are not so compelled. Private companies also may have less of an incentive to disclose these events. In fact, it may behoove them to keep quiet and hope they are not exposed by a security researcher.
When a data broker’s database is breached, there are currently no real legal consequences for the company, except the data they’ve collected loses value. So, what can a consumer do to protect their data? In some cases, consumers can opt out, meaning that they can take affirmative steps to remove themselves from these databases. Beyond that, operating a disconnected life without an online presence may be the only option, unless consumers live in Vermont. In May of 2018, Vermont passed first-of-its-kind legislation aimed at providing some level of information and control for consumers. This is not a sweeping set of legislation like the California Consumer Privacy Act. Instead, it is a rather simple bill designed to make a complex problem more manageable.
Vermont Data Broker Law
Vermont’s 2018 data broker law does a few important things that empower consumers in their battle against the unknown. Among other things, the law:
- Defines the term “Data Broker” as “a business, or unit or units of a business, separately or together, that knowingly collects and sells or licenses to third parties the brokered personal information of a consumer with whom the business does not have a direct relationship;”
- Requires annual registration for data brokers;
- Requires data brokers to establish and maintain certain baseline security standards;
- Establishes new causes of action for misuse of this data and acquisition through fraudulent means;
- Provides consumers with free credit freezes.
Potential Legal Issues
As evidenced by testimony opposing Vermont’s law and possible legal concerns expressed by the Department of Financial Regulation, the State of Vermont may face a few constitutional hurdles. These include potential First Amendment, Commerce Clause, and Dormant Commerce Clause issues. A few key concerns are outlined below.
The United States Supreme Court has held that the First Amendment provides broad protections for speech. In a 2001 decision, the Court broadly construed what constitutes speech, stating “if the acts of ‘disclosing’ and ‘publishing’ information do not constitute speech, it is hard to imagine what does fall within that category, as distinct from the category of expressive conduct” (some internal quotation marks omitted). Later, the Court rejected the argument that “dry information, devoid of advocacy, political relevance, or artistic expression” lacks First Amendment protection, even when all that information consists of is marketing data. This rejected argument is likely similar to the argument that Vermont would make now, were this law challenged on the basis of First Amendment protection.
The Commerce Clause grants the federal government, rather than the state governments, the ability to regulate “commerce among the several states,” or interstate commerce. The Vermont law’s notice and registration requirements apply to the sale of the name “personal information” of a “Vermont consumer.” The sale that triggers registration need not take place in the state – even one name or email triggers the obligation to register and provide notices. Indeed, it need not identify a particular consumer at all – it need only be “linkable” to the Vermont consumer. Thus, companies could violate the Commerce Clause by transferring “personal information” even without having any idea to whom the information belonged or their relationship with the State. By regulating out-of-state entities, Vermont may be regulating interstate commerce.
Dormant Commerce Clause
The Dormant Commerce Clause (or “negative commerce clause”) protects against inconsistent legislation arising from the projection of one state’s regulatory regime into the jurisdiction of another state. The critical considerations there are (1) whether the law shifts the cost of regulation into other states or has impacts that fall exclusively or more heavily out-of-state; (2) whether it effectively requires out-of-state commerce to be conducted at the regulating state’s direction; or (3) whether it alters the interstate flow of goods. Legislation that does those things is per se invalid (meaning that the courts do not balance benefits versus burdens, but rather strike the law down).
The breach-notice and data-security provisions would both face very close scrutiny under the Dormant Commerce Clause. The Second Circuit Court of Appeals has held that it is difficult, if not impossible, for a state to regulate internet activities without projecting its legislation into other states. This may be particularly so here, where the transactions involve data about Vermonters but most of them very likely occur outside of Vermont.
What can consumers do?
At this point, there is not much consumers can do, although Vice offers a handy opt-out list with useful information. These data brokers operate in the shadows and collect data without customer knowledge. Vermont’s data broker law is a step in the right direction because it gives the government information on how these companies operate. It provides information for people to opt out of data collection and allows them a chance to take control of their data, and is a worthwhile lead for other states to follow.