The Vermont Statutes Online
The Vermont Statutes Online have been updated to include the actions of the 2023 session of the General Assembly.
NOTE: The Vermont Statutes Online is an unofficial copy of the Vermont Statutes Annotated that is provided as a convenience.
Title 8: Banking and Insurance
Chapter 078: Personal Information Protection Companies
§ 2451. Definitions
As used in this section:
(1) “Personal information” means data capable of being associated with a particular natural person, including gender identification, birth information, marital status, citizenship and nationality, biometric records, government identification designations, and personal, educational, and financial histories.
(2) “Personal information protection company” means a business that is organized for the primary purpose of providing personal information protection services to individual consumers.
(3) “Personal information protection services” means receiving, holding, and managing the disclosure or use of personal information concerning an individual consumer:
(A) pursuant to a written agreement, in which the person receiving the individual consumer’s information agrees to serve as a personal information protection company, and which specifies the types of personal information to be held and the scope of services to be provided on behalf of the consumer; and
(B) in the best interests and for the protection and benefit of the consumer. (Added 2017, No. 205 (Adj. Sess.), § 2.)
§ 2452. Personal information as the subject of a fiduciary relationship
A personal information protection company that accepts personal information pursuant to a written agreement to provide personal information protection services has a fiduciary responsibility to the consumer when providing personal protection services. (Added 2017, No. 205 (Adj. Sess.), § 2.)
§ 2453. Qualified personal information protection company
(a) A personal information protection company shall qualify to conduct its business under the terms of this chapter, chapter 72 of this title, and applicable rules adopted by the Department of Financial Regulation.
(b) A person shall not engage in business as a personal information protection company in this State without first obtaining a license from the Department.
(c) A personal information protection company shall:
(1) be organized or authorized to do business under the laws of this State;
(2) maintain a place of business in this State;
(3) appoint a registered agent to accept service of process and to otherwise act on its behalf in this State, provided that whenever the registered agent cannot with reasonable diligence be found at the Vermont registered office of the company, the Secretary of State shall be an agent of the company upon whom any process, notice, or demand may be served;
(4) annually hold at least one meeting of its governing body in this State, at which meeting one or more members of the body are physically present; and
(5) develop, implement, and maintain a comprehensive information security program that contains administrative, technical, and physical safeguards sufficient to protect personal information, and which may include the use of blockchain technology, as defined in 12 V.S.A. § 1913, in some or all of its business activities. (Added 2017, No. 205 (Adj. Sess.), § 2; amended 2019, No. 103 (Adj. Sess.), § 4.)
§ 2454. Name; office
A personal information protection company shall file with the Department of Financial Regulation the name it proposes to use in connection with its business, which the Department shall not approve if it determines that the name may be misleading, likely to confuse the public, or deceptively similar to any other business name in use in this State. (Added 2017, No. 205 (Adj. Sess.), § 2.)
§ 2455. Conduct of business
(a) A personal information protection company may:
(1) operate through remote interaction with the individuals entrusting personal information to the company, and there shall be no requirement of Vermont residency or other contact for any such individual to establish such a relationship with the company; and
(2) subject to applicable fiduciary duties, the terms of any agreement with the individual involved, and any applicable statutory or regulatory provision:
(A) provide elements of personal information to third parties with which the individual seeks to have a transaction, a service relationship, or other particular purpose interaction;
(B) provide certification or validation concerning personal information;
(C) receive compensation for acting in these capacities.
(b) An authorization to provide personal information may be either particular or general, provided it meets the terms of any agreement with the individual involved and any rules adopted by the Department of Financial Regulation. (Added 2017, No. 205 (Adj. Sess.), § 2.)
§ 2456. Repealed. 2019, No. 103 (Adj. Sess.), § 5.
§ 2457. Reports; rules
(a) The Department of Financial Regulation may prescribe by rule the timing and manner of reports by a personal information protection company to the Department.
(b) The Department may adopt rules to govern other aspects of the business of a personal information protection company, including its protection and safeguarding of personal information and its interaction with third parties with respect to personal information it holds. (Added 2017, No. 205 (Adj. Sess.), § 2.)
