§ 2451. Definitions
As used in this section:
(1) “Personal information” means data capable of being associated with a particular natural person, including gender identification, birth information, marital status, citizenship and nationality, biometric records, government identification designations, and personal, educational, and financial histories.
(2) “Personal information protection company” means a business that is organized for the primary purpose of providing personal information protection services to individual consumers.
(3) “Personal information protection services” means receiving, holding, and managing the disclosure or use of personal information concerning an individual consumer:
(A) pursuant to a written agreement, in which the person receiving the individual consumer’s information agrees to serve as a personal information protection company, and which specifies the types of personal information to be held and the scope of services to be provided on behalf of the consumer; and
(B) in the best interests and for the protection and benefit of the consumer. (Added 2017, No. 205 (Adj. Sess.), § 2.)
§ 2452. Personal information as the subject of a fiduciary relationship
A personal information protection company that accepts personal information pursuant to a written agreement to provide personal information protection services has a fiduciary responsibility to the consumer when providing personal protection services. (Added 2017, No. 205 (Adj. Sess.), § 2.)
§ 2453. Qualified personal information protection company
(a) A personal information protection company shall qualify to conduct its business under the terms of this chapter, chapter 72 of this title, and applicable rules adopted by the Department of Financial Regulation.
(b) A person shall not engage in business as a personal information protection company in this State without first obtaining a license from the Department.
(c) A personal information protection company shall:
(1) be organized or authorized to do business under the laws of this State;
(2) maintain a place of business in this State;
(3) appoint a registered agent to accept service of process and to otherwise act on its behalf in this State, provided that whenever the registered agent cannot with reasonable diligence be found at the Vermont registered office of the company, the Secretary of State shall be an agent of the company upon whom any process, notice, or demand may be served;
(4) annually hold at least one meeting of its governing body in this State, at which meeting one or more members of the body are physically present; and
(5) develop, implement, and maintain a comprehensive information security program that contains administrative, technical, and physical safeguards sufficient to protect personal information, and which may include the use of blockchain technology, as defined in 12 V.S.A. § 1913, in some or all of its business activities. (Added 2017, No. 205 (Adj. Sess.), § 2; amended 2019, No. 103 (Adj. Sess.), § 4.)
§ 2454. Name; office
A personal information protection company shall file with the Department of Financial Regulation the name it proposes to use in connection with its business, which the Department shall not approve if it determines that the name may be misleading, likely to confuse the public, or deceptively similar to any other business name in use in this State. (Added 2017, No. 205 (Adj. Sess.), § 2.)
§ 2455. Conduct of business
(a) A personal information protection company may:
(1) operate through remote interaction with the individuals entrusting personal information to the company, and there shall be no requirement of Vermont residency or other contact for any such individual to establish such a relationship with the company; and
(2) subject to applicable fiduciary duties, the terms of any agreement with the individual involved, and any applicable statutory or regulatory provision:
(A) provide elements of personal information to third parties with which the individual seeks to have a transaction, a service relationship, or other particular purpose interaction;
(B) provide certification or validation concerning personal information; and
(C) receive compensation for acting in these capacities.
(b) An authorization to provide personal information may be either particular or general, provided it meets the terms of any agreement with the individual involved and any rules adopted by the Department of Financial Regulation. (Added 2017, No. 205 (Adj. Sess.), § 2.)
§ 2456. Repealed. 2019, No. 103 (Adj. Sess.), § 5.
§ 2457. Reports; rules
(a) The Department of Financial Regulation may prescribe by rule the timing and manner of reports by a personal information protection company to the Department.
(b) The Department may adopt rules to govern other aspects of the business of a personal information protection company, including its protection and safeguarding of personal information and its interaction with third parties with respect to personal information it holds. (Added 2017, No. 205 (Adj. Sess.), § 2.)