Future Tense

Vermont, California Charging Ahead of Congress on Data Privacy Laws

Vermont's new law regulates data brokers who often do business with social media companies.
Vermont’s new law regulates data brokers who often do business with social media companies. TOBIAS SCHWARZ/AFP/Getty Images

Concerns over data privacy have driven much of the conversation around technology in the first half of 2018, with news of the Cambridge Analytica scandal, the European Union’s General Data Protection Regulation (GDPR), and the hack of Securus Technologies’s location-tracking data.

Federal lawmakers have taken notice and say they are considering legislation to better protect citizens’ data. For example, Sens. Amy Klobuchar and John Kennedy introduced the Social Media Privacy Protection and Consumer Rights Act of 2018 in April, while Rep. Marsha Blackburn has renewed her push for the Browser Act that she initially proposed in 2017. Yet it’s unclear when, or if, any of these bills will get a vote. Rather than waiting for Congress, two states are charging ahead with their own data privacy laws.

Last week, Vermont passed the country’s first law regulating data brokers, which are essentially companies that sell people’s information. Data brokers have been known to keep track of marital statuses, browsing histories, online purchases, debts, housing situations, education credentials, and other personal details, which can be useful for digital advertisers attempting to target a certain demographic, or for insurance companies setting rates for customers. By analyzing this data in aggregate, brokers can then make inferences about even more intimate aspects of a person’s life. As TechCrunch points out, it is technically legal for a data broker to speculate on people’s medical conditions based on their purchases at pharmacies. In fact, Facebook just recently decided to discontinue its practice of buying data from such brokers for targeted advertising in the fallout from the Cambridge Analytica scandal.

Vermont’s new law requires data brokers to register with the government, better inform people on what is being collected and how to opt out, ensure that their security practices are up to date, and notify authorities in the case of a breach. Users can now seek legal recourse against such brokers if the data that they sell leads to illegal discrimination, such as an insurance rate being raised due to race. State regulators also have more legal remedies at their disposal and can bring charges against brokers whose data is used for fraud and other crimes.

Consumers on the other side of the country will likely have the opportunity to vote for similar protections in the fall. The California Consumer Privacy Act has received more than 600,000 signatures in support, which should earn the initiative a spot on ballots in November. The proposed legislation is broader than Vermont’s, as it would apply to all companies that gather data on people. (The Vermont law applies to any business that gathers the data of people with whom it does not have a direct relationship.)

Much like the GDPR, the California Consumer Privacy Act gives users a host of new rights when it comes to controlling their data. People would have the right to demand that companies disclose what information they collect on them, to prevent that data from being sold, and to sue companies that break the law.

Consumer advocates predict that those standards may end up being adopted throughout the country since so many major tech companies are headquartered in California. Various tech trade groups, along with Google, Comcast, and AT&T, have each contributed hundreds of thousands of dollars to oppose the law.