Can I prioritize privacy compliance to gain a competitive advantage, reduce the possibility of regulatory issues, and help secure valuable partnerships in Vermont? What are the requirements?
Privacy Compliance in Vermont
Yes, prioritizing privacy compliance can provide a competitive advantage, reduce the possibility of regulatory issues, and help secure valuable partnerships in Vermont.
Financial institutions in Vermont are required to comply with the Vermont Consumer Protection Rule VTCR 21-030-004, which governs the treatment of nonpublic personal information about individuals by financial institutions. The regulation requires financial institutions to provide notice to individuals about their privacy policies and practices, describe the conditions under which they may disclose nonpublic personal information about individuals to nonaffiliated third parties, and provide a method for consumers to prevent disclosure of that information, subject to certain exceptions [1.1].
To comply with the regulation, financial institutions must provide initial, annual, and revised privacy notices that include specific information about the categories of nonpublic personal information collected and disclosed, the categories of affiliates and nonaffiliated third parties to whom information is disclosed, and the institution’s policies and practices with respect to protecting the confidentiality and security of nonpublic personal information [1.3].
Financial institutions must also provide a revised notice before disclosing a new category of nonpublic personal financial information to any nonaffiliated third party, disclosing nonpublic personal financial information to a new category of nonaffiliated third party, or disclosing nonpublic personal financial information about a former customer to a nonaffiliated third party, if that former customer has not given affirmative consent regarding that disclosure [1.2].
However, financial institutions may disclose nonpublic personal information to a nonaffiliated third party to perform services for them or functions on their behalf without obtaining opt-in consent from the consumer, provided they:
- provide the initial notice;
- enter into a contractual agreement with the third party that prohibits the nonaffiliated third party from disclosing or using the information other than to carry out the purposes for which it was disclosed; and
- provide only the consumer’s name, contact information, and own transaction and experience information within the meaning of the federal Fair Credit Reporting Act and the Vermont Fair Credit Reporting Act for joint marketing agreements [3.1].
In summary, prioritizing privacy compliance can help financial institutions in Vermont gain a competitive advantage, reduce the possibility of regulatory issues, and secure valuable partnerships. To comply with the Vermont Consumer Protection Rule, financial institutions must provide initial, annual, and revised privacy notices that include specific information about the categories of nonpublic personal information collected and disclosed, the categories of affiliates and nonaffiliated third parties to whom information is disclosed, and the institution’s policies and practices with respect to protecting the confidentiality and security of nonpublic personal information. Financial institutions must also provide a revised notice before disclosing certain types of nonpublic personal financial information to nonaffiliated third parties, unless the consumer has given affirmative consent, and may disclose nonpublic personal information to a nonaffiliated third party to perform services for them or functions on their behalf without obtaining opt-in consent from the consumer, provided they meet certain requirements.
Source(s):
- [1.1] Purpose, Scope and Compliance
- [1.2] Revised Privacy Notices
- [1.3] Information to be Included in Privacy Notices
- [3.1] Purpose; Scope; Application; Compliance rules; Exception for Information about Business Customers
Jurisdiction
Vermont