Can I store personal information about my customers in Vermont? What are the requirements?

Yes, you can store personal information about your customers in Vermont, but you must comply with the state’s laws and regulations regarding the protection of personal information.

Personal Information Protection Company

If you are a personal information protection company, you must qualify to conduct your business under the terms of Vermont law ^[1.1]. You must also obtain a license from the Department of Financial Regulation before engaging in business as a personal information protection company in Vermont ^[1.1]. Additionally, you must develop, implement, and maintain a comprehensive information security program that contains administrative, technical, and physical safeguards sufficient to protect personal information, and which may include the use of blockchain technology, as defined in 12 V.S.A. § 1913, in some or all of its business activities ^[1.1].

Financial Institutions

If you are a financial institution, you must provide a clear and conspicuous notice to customers that accurately reflects your privacy policies and practices with respect to nonpublic personal information not less than annually during the continuation of the customer relationship ^[2.1][3.1]. You must also deliver the annual privacy notice according to Vermont law ^[3.1]. You do not need to obtain opt-in consent from customers to disclose nonpublic personal information to a nonaffiliated third party to perform services for you or functions on your behalf if you comply with Vermont law ^[2.3].

Conclusion

In summary, you can store personal information about your customers in Vermont, but you must comply with the state’s laws and regulations regarding the protection of personal information. If you are a personal information protection company, you must qualify to conduct your business under the terms of Vermont law, obtain a license from the Department of Financial Regulation, and develop, implement, and maintain a comprehensive information security program. If you are a financial institution, you must provide an annual privacy notice to customers and deliver it according to Vermont law.

Source(s):

• [1.1] Qualified personal information protection company
• [2.1] Purpose; Scope; Application; Compliance rules; Exception for Information about Business Customers
• [3.1] Annual Privacy Notice to Customers Required
• [2.3] Exception to Opt In Requirements for Disclosure of Nonpublic Personal Information for Service Providers and Joint Marketing

Jurisdiction

Vermont

• Privacy