Can I collect personal information from participants in Vermont? What are the requirements?

To collect personal information from participants in Vermont, you must comply with the Vermont Consumer Protection Rule (VTCR) 21-010-016. The VTCR 21-010-016 regulates the collection, use, and disclosure of nonpublic personal information by financial institutions.

Under VTCR 21-010-016 § 5, financial institutions must provide an initial privacy notice to consumers that describes the categories of nonpublic personal information that the financial institution collects and discloses, as well as the categories of affiliates and nonaffiliated third parties to whom the financial institution discloses nonpublic personal information.

Financial institutions must also provide an opt-in notice under VTCR 21-010-016 § 8 before disclosing nonpublic personal financial information to nonaffiliated third parties. The opt-in notice must explain the consumer’s right to opt in and the methods by which the consumer may exercise that right at any time.

However, there is an exception to the opt-in requirements for disclosure of nonpublic personal information for service providers and joint marketing under VTCR 21-010-016 § 14. Financial institutions may provide nonpublic personal information to a nonaffiliated third party to perform services for the financial institution or functions on the financial institution’s behalf, if the financial institution provides the initial notice in accordance with Section 5, enters into a contractual agreement with the third party that prohibits the nonaffiliated third party from disclosing or using the information other than to carry out the purposes for which the financial institution disclosed the information, including use under an exception in Sections 15 or 16 in the ordinary course of business to carry out those purposes, and for joint agreements for marketing, provides only the consumer’s name, contact information, and own transaction and experience information within the meaning of the federal Fair Credit Reporting Act and the Vermont Fair Credit Reporting Act.

Additionally, financial institutions must comply with the limits on disclosure of nonpublic personal financial information to nonaffiliated third parties under VTCR 21-010-016 § 11. A financial institution may not disclose any nonpublic personal financial information about a consumer to a nonaffiliated third party unless the consumer has authorized the disclosure in writing or electronically.

Therefore, to collect personal information from participants in Vermont, you must provide an initial privacy notice, an opt-in notice, and obtain written or electronic authorization from the consumer before disclosing nonpublic personal financial information to nonaffiliated third parties, unless the exception under VTCR 21-010-016 § 14 applies.

Note that the VTCR 21-010-016 applies specifically to financial institutions. If you are not a financial institution, other laws and regulations may apply.

^{[1.1][1.2][1.5][1.7]}

Source(s):

• [1.1] EXCEPTIONS TO LIMITS ON DISCLOSURES OF NONPUBLIC PERSONAL INFORMATION
• [1.2] Exception to Opt In Requirements for Disclosure of Nonpublic Personal Information for Service Providers and Joint Marketing
• [1.5] PRIVACY AND OPT IN NOTICES FOR NONPUBLIC PERSONAL INFORMATION
• [1.7] Limits on Redisclosure and Reuse of Nonpublic Personal Financial Information

Jurisdiction

Vermont

• Privacy