Can I use third-party collaboration tools that collect personal information in Vermont? What are the requirements?
Using Third-Party Collaboration Tools in Vermont
If you are using third-party collaboration tools that collect personal information in Vermont, you must ensure that you comply with the state’s laws and regulations regarding the protection of personal information.
According to Vermont law, a personal information protection company must develop, implement, and maintain a comprehensive information security program that contains administrative, technical, and physical safeguards sufficient to protect personal information [1.1]. Additionally, a person shall not acquire or use brokered personal information for the purpose of stalking or harassing another person, committing a fraud, including identity theft, financial fraud, or e-mail fraud, or engaging in unlawful discrimination, including employment discrimination and housing discrimination [3.1].
If the third-party collaboration tool collects personal health information, a financial institution shall not disclose nonpublic personal health information about a consumer or customer unless an authorization is obtained from the consumer or customer whose nonpublic personal health information is sought to be disclosed [2.3].
However, there are exceptions to the opt-in requirements for disclosure of nonpublic personal information for service providers and joint marketing [2.1]. A financial institution may provide nonpublic personal information to a nonaffiliated third party to perform services for the financial institution or functions on the financial institution’s behalf, if the financial institution:
- provides the initial notice in accordance with Section 5;
- enters into a contractual agreement with the third party that prohibits the nonaffiliated third party from disclosing or using the information other than to carry out the purposes for which the financial institution disclosed the information, including use under an exception in Sections 15 or 16 in the ordinary course of business to carry out those purposes; and
- for joint agreements for marketing, provides only the consumer’s name, contact information, and own transaction and experience information within the meaning of the federal Fair Credit Reporting Act and the Vermont Fair Credit Reporting Act [2.1].
Therefore, if you are using third-party collaboration tools that collect personal information in Vermont, you must ensure that the tool complies with the state’s laws and regulations regarding the protection of personal information. You should also ensure that the tool does not acquire or use brokered personal information for prohibited purposes and that it obtains authorization before disclosing nonpublic personal health information. If the tool is used for joint marketing, the financial institution must provide only the consumer’s name, contact information, and own transaction and experience information, and enter into a contractual agreement with the third party that prohibits the nonaffiliated third party from disclosing or using the information other than to carry out the purposes for which the financial institution disclosed the information.
Source(s):
- [1.1] Qualified personal information protection company
- [2.1] Exception to Opt In Requirements for Disclosure of Nonpublic Personal Information for Service Providers and Joint Marketing
- [3.1] Acquisition of brokered personal information; prohibitions
- [2.3] When Authorization Required for Disclosure of Nonpublic Personal Health Information
Jurisdiction
Vermont