Can I disclose personal information for a business purpose without complying with CCPA in Vermont? What are the requirements?

Based on the context documents, Vermont has its own data privacy laws and regulations that businesses must comply with. The Vermont data privacy laws are different from the California Consumer Privacy Act (CCPA). Therefore, businesses cannot rely on CCPA compliance to disclose personal information for a business purpose in Vermont.

To disclose personal information for a business purpose in Vermont, businesses must comply with the Vermont data privacy laws and regulations. The requirements for businesses to disclose personal information for a business purpose in Vermont include obtaining a license from the Department of Financial Regulation, developing, implementing, and maintaining a comprehensive information security program, taking all reasonable steps to destroy or arrange for the destruction of a customer’s records containing personal information, and having a fiduciary responsibility to the consumer when providing personal protection services.

According to ^[1.2], a personal information protection company may operate through remote interaction with the individuals entrusting personal information to the company, and there shall be no requirement of Vermont residency or other contact for any such individual to establish such a relationship with the company. Additionally, a personal information protection company may provide elements of personal information to third parties with which the individual seeks to have a transaction, a service relationship, or other particular purpose interaction, subject to applicable fiduciary duties, the terms of any agreement with the individual involved, and any applicable statutory or regulatory provision.

Furthermore, ^[3.2] prohibits the acquisition or use of brokered personal information for the purpose of stalking or harassing another person, committing a fraud, including identity theft, financial fraud, or e-mail fraud, or engaging in unlawful discrimination, including employment discrimination and housing discrimination.

Businesses must also comply with the rules and regulations set forth by the Department of Financial Regulation. The Department may prescribe by rule the timing and manner of reports by a personal information protection company to the Department, and may adopt rules to govern other aspects of the business of a personal information protection company, including its protection and safeguarding of personal information and its interaction with third parties with respect to personal information it holds ^[1.5].

In summary, businesses must comply with the Vermont data privacy laws and regulations to disclose personal information for a business purpose in Vermont. The requirements for businesses to disclose personal information for a business purpose in Vermont include obtaining a license from the Department of Financial Regulation, developing, implementing, and maintaining a comprehensive information security program, taking all reasonable steps to destroy or arrange for the destruction of a customer’s records containing personal information, and having a fiduciary responsibility to the consumer when providing personal protection services. Additionally, a personal information protection company may operate through remote interaction with the individuals entrusting personal information to the company, and may provide elements of personal information to third parties with which the individual seeks to have a transaction, a service relationship, or other particular purpose interaction, subject to applicable fiduciary duties, the terms of any agreement with the individual involved, and any applicable statutory or regulatory provision.

Source(s):

• [1.2] Conduct of business
• [3.2] Acquisition of brokered personal information; prohibitions
• [1.5] Reports; rules

Jurisdiction

Vermont

• Privacy