Ask Reggi Your Question Now

Reggi is the free generative AI assistance for regulatory compliance
Ask a Question

Can I ensure that my company is compliant with expanding privacy protections in Vermont? What are the requirements?

Vermont Privacy Protections

Vermont has enacted privacy protections for consumers under the Vermont Consumer Protection Act (VCPA) and the Vermont Data Broker Regulation. The VCPA requires businesses to provide clear and conspicuous notice to consumers about their data collection and sharing practices. The Vermont Data Broker Regulation requires data brokers to register with the state and disclose certain information about their data collection and sharing practices.

Revised Privacy Notices

Under Vermont law, businesses must provide consumers with initial, annual, and revised privacy notices that include specific information about their data collection and sharing practices [1.3]. Revised privacy notices are required when a business discloses a new category of nonpublic personal information to a nonaffiliated third party, discloses nonpublic personal information to a new category of nonaffiliated third party, or discloses nonpublic personal information about a former customer to a nonaffiliated third party [1.1].

To ensure compliance with Vermont’s privacy protections, businesses should review their privacy notices and update them as necessary to accurately describe their policies and practices. Businesses should also ensure that they are providing revised privacy notices when required by law.

Opt-In Requirements

Under Vermont law, businesses must obtain affirmative consent from consumers before disclosing their nonpublic personal financial information to nonaffiliated third parties [1.1]. However, there are exceptions to this opt-in requirement for disclosures to service providers and for joint marketing agreements [1.5].

Delivering Privacy and Opt in Notices

Businesses must provide any notice that Vermont law requires so that each consumer can reasonably be expected to receive actual notice in writing or, if the consumer agrees, electronically [1.2]. Examples of reasonable expectation of actual notice include hand-delivering a printed copy of the notice to the consumer, mailing a printed copy of the notice to the last known address of the consumer, posting the notice on the electronic site and requiring the consumer to acknowledge receipt of the notice as a necessary step to obtaining a particular financial product or service, or posting the notice on the ATM screen and requiring the consumer to acknowledge receipt of the notice as a necessary step to obtaining the particular financial product or service. Businesses may not reasonably expect that a consumer will receive actual notice of their privacy policies and practices if they only post a sign in their branch or office or generally publish advertisements of their privacy policies and practices, or send the notice via electronic mail to a consumer who does not obtain a financial product or service from them electronically. When businesses are required to deliver an initial privacy notice by Vermont law, they must deliver it according to § 10 [1.2].

Conclusion

To ensure compliance with Vermont’s expanding privacy protections, businesses should review their privacy notices and data sharing practices and update them as necessary to accurately describe their policies and practices. Businesses should also ensure that they are providing revised privacy notices when required by law and obtaining affirmative consent from consumers before disclosing their nonpublic personal financial information to nonaffiliated third parties, unless an exception applies. Additionally, businesses must provide any notice that Vermont law requires so that each consumer can reasonably be expected to receive actual notice in writing or, if the consumer agrees, electronically.

Source(s):
Jurisdiction

Vermont