Legal Compliance: Vermont Data Broker

Vermont’s Data Broker Law establishes operational compliance obligations for organizations that collect and sell consumer data about individuals with whom the organization does not maintain a direct relationship.
Enacted through House Bill 764 in 2018, Vermont created one of the earliest state-level data broker registration and security governance frameworks in the United States. The law introduces requirements involving annual registration, consumer transparency, operational accountability, security safeguards, and breach reporting obligations applicable to qualifying data broker activities.
The law places significant emphasis on security governance, transparency practices, operational oversight, and documented compliance management involving brokered personal information.
Operational Focus Areas
Organizations evaluating Vermont data broker compliance obligations should pay particular attention to:
  • Applicability and direct relationship analysis,
  • Annual registration requirements,
  • Consumer disclosure and opt-out practices,
  • Administrative, technical, and physical safeguard requirements,
  • Security governance and breach response procedures,
  • Operational accountability controls, and
  • Audit-ready documentation practices.
Organizations Commonly Use These Resources To:
  • Evaluate Vermont data broker applicability,
  • Operationalize registration and disclosure workflows,
  • Strengthen information security governance activities,
  • Coordinate breach response and compliance procedures,
  • Support audit and regulator response readiness, and
  • Maintain defensible data broker compliance operations.