Can I collect personal information from my customers in California in Vermont? What are the requirements?
To collect personal information from customers in California while operating in Vermont, you must comply with both Vermont and California laws regarding the collection and protection of personal information.
Vermont Requirements
Under Vermont law, if you are a personal information protection company, you must obtain a license from the Department of Financial Regulation before engaging in business in the state [1.1]. Additionally, you must maintain a place of business in Vermont, appoint a registered agent to accept service of process, and hold at least one annual meeting of your governing body in Vermont [1.1]. You must also develop, implement, and maintain a comprehensive information security program that contains administrative, technical, and physical safeguards sufficient to protect personal information [1.1].
California Requirements
Under California law, if you collect personal information from California residents, you may be subject to the California Consumer Privacy Act (CCPA) [2.4]. The CCPA requires businesses to provide certain notices to California residents regarding the collection, use, and sharing of their personal information [2.4]. Additionally, the CCPA grants California residents certain rights with respect to their personal information, including the right to access, delete, and opt out of the sale of their personal information [2.4].
To comply with the CCPA, you must provide California residents with a privacy notice that describes your data collection and sharing practices [2.4]. You must also provide California residents with the opportunity to opt out of the sale of their personal information [2.4]. If you sell personal information, you must provide a clear and conspicuous link on your website titled “Do Not Sell My Personal Information” that allows California residents to opt out of the sale of their personal information [2.4].
Furthermore, if you are a financial institution, you must comply with Vermont’s privacy regulations, which require you to provide notice to individuals about your privacy policies and practices, describe the conditions under which you may disclose nonpublic personal information about consumers to nonaffiliated third parties, and obtain consumer consent prior to disclosing that information, subject to certain exceptions [2.1]. You must also provide a clear and conspicuous notice to customers that accurately reflects your privacy policies and practices with respect to nonpublic personal information not less than annually during the continuation of the customer relationship [3.1].
Finally, if you provide nonpublic personal information to a nonaffiliated third party to perform services for you or functions on your behalf, you must provide the initial notice in accordance with Vermont’s privacy regulations, enter into a contractual agreement with the third party that prohibits the nonaffiliated third party from disclosing or using the information other than to carry out the purposes for which you disclosed the information, and comply with certain requirements for joint agreements for marketing [2.3].
In summary, to collect personal information from customers in California while operating in Vermont, you must comply with both Vermont and California laws regarding the collection and protection of personal information, as well as Vermont’s privacy regulations if you are a financial institution.
Source(s):
- [1.1] Qualified personal information protection company
- [2.1] Purpose; Scope; Application; Compliance rules; Exception for Information about Business Customers
- [3.1] Annual Privacy Notice to Customers Required
- [2.3] Exception to Opt In Requirements for Disclosure of Nonpublic Personal Information for Service Providers and Joint Marketing
- [2.4] Privacy and Opt In Notices for Nonpublic Personal Information
Jurisdiction
Vermont, California