Can I use third-party customer service tools that collect personal information in Vermont? What are the requirements?

Based on the context documents, if you are using third-party customer service tools that collect personal information in Vermont, you must ensure that the tools comply with the Vermont regulations on personal information protection.

Requirements for Personal Information Protection Companies

According to 8 VTST 2453, personal information protection companies must be licensed by the Department of Financial Regulation to conduct business in Vermont. They must also be organized or authorized to do business under the laws of Vermont, maintain a place of business in Vermont, appoint a registered agent to accept service of process and to otherwise act on its behalf in Vermont, and annually hold at least one meeting of its governing body in Vermont, at which meeting one or more members of the body are physically present. Additionally, personal information protection companies must develop, implement, and maintain a comprehensive information security program that contains administrative, technical, and physical safeguards sufficient to protect personal information, and which may include the use of blockchain technology in some or all of its business activities.

Exception to Opt-In Requirements for Disclosure of Nonpublic Personal Information for Service Providers and Joint Marketing

VTCR 21-030-004 § 14 provides an exception to opt-in requirements for disclosure of nonpublic personal information for service providers and joint marketing. The opt-in requirements do not apply when you provide nonpublic personal information to a nonaffiliated third party to perform services for you or functions on your behalf, if you provide the initial notice in accordance with § 5, enter into a contractual agreement with the third party that prohibits the nonaffiliated third party from disclosing or using the information other than to carry out the purposes for which you disclosed the information, including use under an exception in § 15 or § 16 in the ordinary course of business to carry out those purposes, and for joint marketing agreements, you provide only the consumer’s name, contact information, and own transaction and experience information within the meaning of the federal Fair Credit Reporting Act and the Vermont Fair Credit Reporting Act.

Procedures to Safeguard Customer Records and Information

VTCR 21-030-004 § 27 requires every broker-dealer and every investment adviser registered with the Department to adopt policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information. These policies and procedures must be reasonably designed to ensure the security and confidentiality of customer records and information, protect against any anticipated threats or hazards to the security or integrity of customer records and information, and protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer.

Based on the above regulations, if you are using third-party customer service tools that collect personal information in Vermont, you must ensure that the tools comply with the Vermont regulations on personal information protection. You must also provide an initial notice in accordance with § 5, enter into a contractual agreement with the third party that prohibits the nonaffiliated third party from disclosing or using the information other than to carry out the purposes for which you disclosed the information, and ensure that the tools have administrative, technical, and physical safeguards for the protection of customer records and information.

Jurisdiction

Vermont

• Privacy