[Katie (unidentified member)]: Hello, everybody. Welcome back. Today is still Wednesday, January 14. It's 1:09 PM, and this is the House Commerce and Economic Development Committee. We are here this afternoon hearing more testimony on H.211. Emory Roane, if you could introduce yourself, and thank you for joining us.
[Emory Roane (Associate Director of Policy, Privacy Rights Clearinghouse)]: Happily. Yes. My name is Emory Roane. I'm associate director of policy at Privacy Rights Clearinghouse. This is my first time testifying. I have some prepared comments and am happy to take questions afterwards. Should I just dive right into it?
[Katie (unidentified member)]: That would be great. Thank you.
[Emory Roane (Associate Director of Policy, Privacy Rights Clearinghouse)]: Wonderful. Okay. Well, Chair Marcotte and members of the House Committee on Commerce and Economic Development, thank you for the opportunity to testify today. As I said, my name is Emory Roane. I'm the associate director of policy at Privacy Rights Clearinghouse. We are a San Diego based consumer privacy advocacy and education nonprofit dedicated to improving privacy for all by expanding access to policy discussions, educational materials, and meaningful rights. Privacy Rights Clearinghouse was also a proud sponsor of California's DELETE Act. I want to start by thanking the committee, not only for the opportunity to testify today, but also to thank this committee specifically for leading the charge when it comes to data broker regulation back in 2017 with H.764. I tell everyone I can that data brokers are a national issue impacting every community and every state. California may be leading the pack right now, but it was Vermont that paved the way by creating the country's first data broker registry. In California, we shamelessly and gleefully borrowed that framework almost verbatim the following year. Vermont's early leadership laid important groundwork for where policy is headed now, including California's DELETE Act and the Delete Request and Opt-Out Platform, or DROP, which is live now and poised to finally make it possible for Californians to have their information deleted from data brokers en masse: freely, accessibly, repeatedly, in perpetuity. Since their formation, Vermont's data broker registry and other registries like it have been essential tools for transparency and research into an industry that is otherwise notoriously opaque. From the first time Vermont published a registry, we've been pulling that data down and using it to take a close look at what it can reveal about data broker practices.
Over the years, that work has led to a number of notable discoveries about how brokers operate. In that first year, we found broker listing addresses that appeared to be empty stretches of road, PO boxes, or residential apartments. More broadly, we've repeatedly noted how difficult it can be to ascertain meaningful information about data broker practices from registration documents and even their own websites. What I'm here to talk about today, however, is our 2025 research into what appears to be widespread noncompliance with registration requirements across the states that currently require data broker registration, namely California, Vermont, Texas, and Oregon. Last year, PRC pulled the data broker registries from the now-archived California attorney general list as well as the Cal Privacy registry, the Vermont registry, the Texas registry, and the Oregon registry. We then began the work of consolidating those databases into a single dataset so that we could cross-reference brokers across each registry. This was a substantial task. We found that data brokers frequently do not use consistent naming across states. Brokers may use different spellings, different subsidiary names, or entirely different names across registries. So matching brokers across registries required using website domains, provided email addresses, name matching techniques, and a layer of manual review. We partnered with the Electronic Frontier Foundation and a team of students from the Harvard Cyberlaw Clinic to perform this research and matching. That work culminated in letters to the relevant enforcement agencies alerting them to what appeared to be widespread non-registration, and I believe you have a copy of the letter to Vermont in front of you. The central premise of this methodology is simple, though.
Because these data broker definitions are so similar across states, there's a very high likelihood that if a broker meets the definition in one state, it also meets the requirements in others, assuming it is doing business in those states. The definition generally turns on a broker collecting and selling personal information about consumers with whom it does not have a direct relationship. If a company is willing to identify itself as a broker in one jurisdiction, there's a strong signal that it may have obligations elsewhere as well. Now, to be clear, that comparison is not perfect because states' definitions and exemptions are not identical. California and Texas have exemptions for FCRA and GLBA covered entities. Vermont does not. Well done. California's data broker framework is tied to the CCPA definition of covered businesses, which generally exempts nonprofits. Texas also has a narrow nonprofit carve-out related to missing and exploited children services. There are some other definitional differences as well, but despite those differences, the core concept is broadly consistent enough that cross-registry comparisons are a very useful way to identify likely non-registration that warrants scrutiny. Our research produced two primary findings. First, it allowed us to see where brokers are registered and, more importantly, where they're not registered. In each registry that we examined, there were hundreds of brokers that were registered elsewhere but missing from that state's registry. That pattern strongly suggests widespread non-registration that warrants attention. For Vermont specifically, we identified that across the registries we analyzed, there were 750 unique broker entities, and 309 appeared in other registries but did not appear in Vermont's, at least at the time we collected the data. A substantial portion of those also disclosed collecting sensitive categories of information in other jurisdictions.
Specifically, 199 of those 309 brokers indicated that they collect geolocation data, and 179 indicated they collect minors' data. Second, it highlighted how enhanced reporting requirements in one state can have a rising-tide effect for the others. When one state requires brokers to disclose more detail, cross-referencing those disclosures against other registries can help us understand what brokers are doing across the broader ecosystem, even where another state does not require the same disclosures. California has recently expanded the kinds of disclosures that data brokers must make in their annual registration documents, and consumers across the country will be safer because of it, able to know which brokers sell immigration information or gender identity or expression information, for example, or whether a data broker sells or shares information with foreign actors or federal or state law enforcement agencies. I'm pleased to see that H.211 includes the same enhanced disclosure requirements and more, which would bring Vermont's registry in line with, and in some ways exceed, California's new stronger transparency standard. This strengthening would benefit everyone, not only Vermonters and Californians, as we all get the benefit of better visibility into data broker practices. I also want to highlight something that's happened since we shared this research. In California, the California Privacy Protection Agency, or Cal Privacy, has taken a strong position as a data broker enforcer and made data broker compliance a visible priority. The agency issued an enforcement advisory in December emphasizing that brokers now must disclose all trade names and websites and that subsidiaries cannot rely on a parent company's registration to cover them. The agency has also publicly described the state's broker enforcement strike force and has brought enforcement actions, including actions against brokers that failed to register as required.
Finally, I want to shift focus slightly to talk about DROP, the second half of the DELETE Act model, alongside the registry and reporting requirements. Transparency is essential, but if our research demonstrates anything, it's that transparency alone does not solve the consumer problem. Manually exercising consumer deletion rights against the shifting mass of 750 data brokers and their labyrinthine, often cross-referencing and cross-linking privacy policies is functionally impossible at scale. With hundreds of registered brokers, a market that continues to grow, and no obligation to prevent recollection, this quickly becomes an endless task of initiating requests, managing back-and-forth communications, and waiting forty-five to ninety days for responses that often never come. DROP was designed to flip that burden. It is meant to empower Californians to make a single request that then reaches the whole registry and to obligate brokers to regularly act on those requests. It is live as of January 1, and deletion obligations will begin this year in August. This matters for the real-world reasons consumers and this committee know too well. Now more than ever, people routinely attempt to delete their information only for brokers to say they can't find any matching data, or they're not obligated to delete information for one reason or another, or they delete it and then the same information appears again shortly afterwards because it's been recollected. A centralized mechanism changes the posture of this relationship. It creates a recurring affirmative obligation on the broker side rather than leaving every consumer to individually chase down hundreds of companies one at a time. DROP is a huge deal. It will upend the one-sided relationship between consumers and the data brokers that quietly harvest and monetize their information. And it is restricted to Californians. Right now, we very much want to see other states take this model and replicate it.
Vermont is already the state that pioneered the registry framework. Vermont is also well positioned to become the next state to pair a registry with a scalable deletion mechanism. And in some ways, H.211 goes further than California by maintaining Vermont's broader scope without the FCRA and GLBA limitations or exemptions that narrow California's law, and by adding real penalties for filing materially incorrect information. That kind of iteration is how good policy develops. States learn from each other and build on what works, and the result is better protections for consumers everywhere. Thank you again for your time. I'm happy to answer any questions about our research, our methodology, and what we've learned from the implementation of the DELETE Act and DROP in California. Thank you.
[Michael Marcotte (Chair)]: Questions? Monique?
[Monique Priestley (Clerk)]: Emory, thank you. I was just curious, in your Vermont-specific letter, how Vermont compares to other states. There's, let's see, California and Vermont exclude some insurers, while Texas and Oregon do not. I was just curious if you know anything about the... it seems like, from the ways that it compares to Texas, it feels like Texas might have a pretty strong bill. I'm just curious how things like exclusions that we have, that Texas and Oregon don't, might affect the entities registering or not registering. I'm not sure if you can speak to that, but.
[Emory Roane (Associate Director of Policy, Privacy Rights Clearinghouse)]: You know, I want to be careful speaking to Texas as well. I'm not as familiar as I am with California's, but, you know, I do think Texas is a good reminder of just the bipartisan factor that data brokers have. You know, this is not a one-sided issue. Everyone, once they hear about data brokers, wants to know more about what they're doing with their information and ideally have a way out of it. It's likely related to the FCRA exemption, which in California exempts entities to the extent that they're already covered by the FCRA and entities to the extent that they are already covered by the GLBA. But that is a shortcoming that isn't found in H.211 or in Vermont's registry currently. And we certainly are exploring ways of, shall we say, patching that loophole in California right now. Thank you.
[Herb Olson (Member)]: Thanks very much. Herb Olson, Addison-4, here. I'm curious about California's enforcement mechanisms around the registry. And, you know, you remarked that there seem to be quite a few companies that registered in one state but not in another. Does California have any mechanism, I guess, to share information with other jurisdictions, or is it collaborating with other states?
[Emory Roane (Associate Director of Policy, Privacy Rights Clearinghouse)]: You know, that's a good question. I don't know. I think that someone from Cal Privacy is going to be speaking today. It might be a good question for them. We certainly submitted the letter with our appendix that includes all of the non-registered brokers from Vermont to Vermont. And, you know, I'm very encouraged by how aggressive the Cal Privacy agency has been on data brokers. It's clearly an enforcement priority. As for the specific enforcement mechanisms, it originally also mirrored Vermont's as far as a per-day violation that accumulates. I think originally Vermont's was capped at $10,000, and California had it capped as well. Those penalties are now uncapped, and they were doubled with the DELETE Act to $200 per day for non-registration and also $200 per non-deletion. And so these stipulated fines are very easy for the enforcing agency to exercise, and they very, very quickly accumulate. Cal Privacy has done a number of enforcement actions on non-registered brokers already. And those penalties range from tens of thousands to several million dollars.
[Michael Marcotte (Chair)]: Thank you. Questions?
[Unidentified member]: Could you put a little more color on what it would mean to have the FCRA and the GLBA exemptions? What would that, in practice, result in? Would that, sort of on the ground, be different for consumers every month?
[Emory Roane (Associate Director of Policy, Privacy Rights Clearinghouse)]: Assuming that there's a deletion component as well, is that the question? I mean, now, you know, California's DELETE Act simply does not require entities that are already regulated under the FCRA to register as data brokers, and under Vermont...
[Unidentified member]: To register at all.
[Michael Marcotte (Chair)]: Got it.
[Emory Roane (Associate Director of Policy, Privacy Rights Clearinghouse)]: Exactly. In Vermont that exemption does not exist. In California we attempted to limit it. The complication there is that there are FCRA covered entities where, you know, most of their activities are FCRA covered, but they also do non-FCRA covered practices too that are much less above board, that are much more like data brokers and have harmful effects. And so the specific language we chose in California, "to the extent that you are covered by FCRA," was an attempt to pull in more FCRA covered entities. But I think there's a broad concern that GLBA and FCRA exemptions leave open a lot of entities that, for all intents and purposes, are acting like data brokers but aren't being brought under the registration or deletion obligations.
[Unidentified member]: I see. Thank you.
[Michael Marcotte (Chair)]: Other questions? Okay. Emory, thank you.
[Emory Roane (Associate Director of Policy, Privacy Rights Clearinghouse)]: Thank you. It's been a real pleasure.
[Emory Roane (Associate Director of Policy, Privacy Rights Clearinghouse)]: Should I stay on the stream?
[Michael Marcotte (Chair)]: You can if you like. Yes. Yeah. Liz?
[Liz Allen (Attorney, California Privacy Protection Agency)]: Afternoon. Good afternoon. Hi. My name is Liz. I'm an attorney with the California Privacy Protection Agency. I've been working for the last two years on DROP. So since the DELETE Act was passed, I've been the lead attorney implementing kind of all things, from the inbox to writing regulations to helping design the product and running the product itself. I do have a PowerPoint presentation. Do you want me to share? Or is...
[Michael Marcotte (Chair)]: Yeah. That'd be great.
[Committee staff/host (technical support)]: Okay. Great. Let's get that going. Let's see. You've seen a small version, I think. Let me try to use it a different way.
[Liz Allen (Attorney, California Privacy Protection Agency)]: How's that? Can everybody see that?
[Michael Marcotte (Chair)]: Yes.
[Liz Allen (Attorney, California Privacy Protection Agency)]: Okay. Great. Let me... okay. So I'm going to walk through what California has done over the last few years. And as Emory mentioned, we have launched, so I'll give you a few details about the launch as well and how things are looking at the current moment. So, I'm sure you know, the California Privacy Protection Agency was established in 2020 and is the only stand-alone, privacy-exclusive regulator in the United States. We've grown a lot since 2020, and we have teams working on enforcement, public awareness, auditing, rulemaking, policy, and legislation. And I am on the team that is implementing and runs the DELETE Act itself. So as Emory mentioned, of course, we followed in your footsteps in 2019 with the data broker registry, which was first administered by the attorney general and then moved over to Cal Privacy when the DELETE Act passed. The registry is now tied, of course, to the obligation for data brokers on the registry to act on consumer deletion requests as they come in. And so this is called the accessible deletion mechanism in the law. We have nicknamed it DROP, which stands for Delete Request and Opt-Out Platform. And the way the DELETE Act is written, if the data broker is not 100% sure it has a match, they need to then opt the person out of sale or sharing rather than actively deleting, which is why the opt-out is there. So, this law passed in 2023. We have spent the last two years writing two sets of rules on it, including setting an annual fee for registration that has gone up substantially, since part of the fee covers the build of the system itself. Right? This year, it's $6,000 per data broker, which covers, like, my role and a product manager, in addition to paying for storage and databases and stuff like that.
And this year, as Emory mentioned, the legislature passed another law, SB 361, in the fall, which added a whole slew of other disclosures for data brokers when they're registering. So we've actually had a sort of third data broker law passed in the state of California. Enforcement, I know we just had a quick question about that. So the DELETE Act has two main enforcement levers. One is failure to register, which is $200 a day plus unpaid fees plus enforcement costs. These fines tend to range somewhere from, like, $30,000 to, I think, higher. I can't remember. Maybe, like, $100,000. So these are much smaller fines. These are just for failure to register. However, there's another fine, which is for failure to delete consumer personal information. This is statutory, and there's no discretion for our enforcement team the way the law is currently written. So that is $200 per day per consumer plus enforcement costs. So, you know, California has 40 million people, but if we had essentially 1,000,000 people who had signed up for DROP and a data broker failed to register and therefore failed to delete those 1,000,000 consumers' information for 365 days, you quickly reach a fine in the billions of dollars. And there's no discretion on the enforcement side. So this is a very strong privacy fine, and it's meant to be as strong as it is. And so people talk about it as the strongest enforcement tool in the United States in terms of privacy. We'll see. Obviously, we haven't enforced anything against it because this part comes into effect August 1. So data brokers right now are registering, and they're setting up accounts in DROP, and the obligation to delete comes in in August.
So this is the timeline, the way our law is drafted, and you'll see that we are now at January 1, 2026, where consumers can request to delete their information. And then come August, data brokers need to integrate with our API or manually download to get those consumer lists and then start executing on the deletion requests. So what we built in the last two years is essentially a CRM, which is just consumer relationship management, or customer relationship management, software plus a database. So we have kind of a two-sided marketplace where consumers are coming in, giving us a very minimal amount of PII. And our system then takes that and hashes that information so we have nothing stored in plain text. We batch it into different lists. So as a data broker, they create an account, they register, and then they can choose which list of identifiers they want. Do you want a list of emails? Do you want a list of phone numbers? Those lists are separated out. Data brokers must pull, by rule, the number of lists that will give them the most matches within their own database. So if you, for example, only sell email lists, you're not going to select the phone list, and you're not going to select the VIN. Car VIN is another personal identifier that we collect. So data brokers then pull, at minimum every forty-five days, at maximum once a day, their deletion lists. And then within their own system, they need to match the list. And if there is a match, then they must delete all personally identifiable information, including any inferences that they had about that person. So they're not just deleting the email. They're deleting the entire string. So this is what we've built. And then data brokers, of course, have to write back their status, so that consumers can come and see, did this data broker delete my information or not? And there are four different statuses that they write back, essentially.
Like, deleted; opted out; exempted, which we've talked about a little bit. It could be publicly available information, you know, for example, a property record that a data broker has. Or, you know, you could have some CRA data, or maybe you're holding it for a subpoena or litigation hold. Like, all of that would be exempted. Or that they could not find the record. So the consumers will see kind of a result from their request over time. The consumer experience is pretty basic. You essentially verify your eligibility. This law, of course, only applies to California residents. So you confirm you're a California resident through the California Identity Gateway, which is a tool that's accessible to all California agencies to help verify California resident identities. So once you verify that you're a resident, then you can go create your profile, which means, you know, kind of putting in the identifiers you want. Maybe you want to add a couple of email addresses. You have a maiden name or something. You can add those. You choose how much information you want to give us. There's a minimum. And then you submit your request, and it goes out to all the data brokers on our registry. And you can deselect data brokers if you want. And as new data brokers come in, they are automatically included. So this is kind of what it looks like if you were to run through it right now. You all shouldn't be able to get in because you are Vermont residents, not California residents, but Californians are using this. And we've had over 100,000 Californians come in and use this tool already. And so they check residency. This is kind of what their little profile looks like. You can submit a request on behalf of somebody else. So, for example, I could submit one on behalf of my child or something like that. An authorized agent can come in and submit a request. Then you get a DROP ID, and you can check back.
You can check the status of your deletion request. You can remove information. You can add information over time. And then the data broker experience is a little bit more in-depth, but they essentially have to create an account. They register through DROP. They choose their consumer deletion requests. Do they want MAIDs, because they collect only MAIDs, mobile ad ID identifiers? They download the deletion list via API, which is just an automatic way of doing it, or manually. So they go in and they, like, download a CSV or Excel file with the information. Because we've used a hash on our side, they have to hash their data, and then they try to match. So, essentially, we provide a scramble of the info, and they see if any of their scrambles match ours. And if it does, that means they delete it. And they also have to maintain a suppression list, of course. So, you know, once we've provided the deletion request, that's a deletion request that needs to be treated as a deletion request forever, so the information should never come back into the data. So if they've deleted Liz Allen, I should never be back in their database. I should be maintained as deleted. And then they report the status back to the system. So this is an account creation screen, the registration screen, which for us is 10 steppers long because we collect a lot of information from data brokers. They then have a kind of main page that shows how many records and how to change their deletion list, how to check that they've paid, download their previous registrations, etcetera. These are some of the lists that we talked about. You can download them manually, like CSV, or you can do an API connection, which most data brokers prefer because it's an automatic way to execute without having to manually download.
And then, of course, they write back their statuses, and they also have to push the deletion list or their suppression list to their subprocessors and contractors. So right now, we are in the midst, thirteen or fourteen days into this. We're having consumers come into our system. We do have a ticketing system, a Zendesk ticketing system, that kind of helps us, you know, answer questions from data brokers and consumers. So we are registering data brokers currently, and we have consumers coming in as well. In the spring, we're going to release a sandbox and API integration for data brokers so they can start practicing on our system, essentially. And then, of course, by August 1, anyone who is on our list... last year, there were 540 registered data brokers, maybe 541. And anyone who is registered this year needs to be deleting information, hitting our system, pulling a list, and they have forty-five days to delete the information that they find a match for. And that is the overview. I'm going to take questions from now. I can also answer questions from the agency's perspective.
[Michael Marcotte (Chair)]: Thanks, Liz. Katie?
[Katie (unidentified member)]: Thank you, Liz. So I'm assuming this was not an expensive system to develop. So can you ballpark the cost and the time?
[Liz Allen (Attorney, California Privacy Protection Agency)]: Yeah. So in the millions. I actually don't know the final cost, but the way the law is written, this is built by data brokers. The law, of course, looks to the Do Not Call Registry, which functions the same way. There's an annual fee that covers all the costs of running the Do Not Call Registry on the federal level, and that covers the cost of the build. And so our responsibility as the agency is to set a fee that is reasonable for covering the cost of the system, of building it and maintaining it, and that fee we've adjusted every year. So last year, it was $6,600. This year, it's $6,000. You know, when it was just the registry, it was $400. So the... but,
[Unidentified member (IT background)]: yeah,
[Liz Allen (Attorney, California Privacy Protection Agency)]: we have a team of engineers that we have contracted with from the California Department of Technology. So there's a lot of people, and this is definitely an expensive system in terms of build. But once it's built, you know, it's like, once the pipes are built, this is not going to be as expensive to run. I mean, we still have database costs. You still have headcount costs, but it's not going to be as much once it's built.
[Katie (unidentified member)]: And your brokers register there as well as pull the information that they need to delete from the same location?
[Liz Allen (Attorney, California Privacy Protection Agency)]: Yeah. It's the same exact interface. Yeah. So they pay through that interface. They do all their registering. They've got all their past registrations in there, and then that's also where they pull their deletion lists.
[Katie (unidentified member)]: And then one last question. There's an audit every three years of the brokers and whether they're following the law. I'm assuming not just deleting, but all of the... Who's doing that audit? Is it within the department there? Is it an independent auditor?
[Unidentified member (IT background)]: Who's doing the audit?
[Liz Allen (Attorney, California Privacy Protection Agency)]: Yeah. Great question. So, yeah, in 2028 our audit requirement comes into play. So I'll be writing, or the agency will be writing, rules about what that will look like and what will be required of data brokers. You'll see we're going to put out a call for preliminary comments, etcetera, that kicks off this year. And we have an audit division. We have a chief auditor at Cal Privacy, and we also have audits required under our other rules and regulations, so cybersecurity audits and risk assessments. And so there is a person in the division that's going to be kind of dealing with that, but the way the law is written, it's independent. An independent auditor needs to audit once every three years. And then exactly what's included in the audit, what does that look like, what do we collect, all of that will be determined in rulemaking this year.
[Katie (unidentified member)]: I said that was my last question, but I just have one other one. The previous person that testified mentioned that the data brokers are changing their names state to state or changing their names on a semi-regular basis, was my understanding. Do they have to re-register every time they change their name?
[Liz Allen (Attorney, California Privacy Protection Agency)]: Not currently. They may, but they are not required to update certain pieces of information within our registry. They do have to register annually, and they do have to give us all DBAs that are applicable. And they have to give us an EIN or TIN, which will help us, like, connect them as well. And, you know, we will be doing some updates to the rules, and so there are some things in here we're debating on our end. We're going to kind of see how this goes, what's working, what's not, and we assume this will be an iterative process because this is a new product that's never been done before. And part of this is trying to figure out how to be most useful to California consumers.
[Katie (unidentified member)]: Great. Well, thank you for leading the way on this. We appreciate it.
[Committee staff/host (technical support)]: Yeah.
[Unidentified member (IT background)]: Oh, I wanted to get back to enforcement a little bit, and I'm just wondering what kind of challenges... how are you dealing with offshore data brokers? I work in IT, and I can't tell you how many times I've had people wanting to get their names pulled, and they say it's a foreign entity, there's nothing we can do about it.
[Liz Allen (Attorney, California Privacy Protection Agency)]: Yeah. I mean, jurisdiction... so I don't work on the enforcement team, just to be clear. I work on the rulemaking side and the product side. So how our enforcement team is thinking about that, I don't know. That's a known challenge in every area of law in America: how do you assert jurisdiction over somebody? I mean, the way the law is written, the CCPA, and in the DELETE Act, if you are buying and selling the information of California consumers, there is jurisdiction. So what that looks like, how would you haul a Russian company in? These are not things I think about, unfortunately.
[Michael Marcotte (Chair)]: Thanks.
[Herb Olson (Member)]: Yeah. So thanks very much. It's very helpful to see that all laid out. Sounds like a terrific resource for consumers in California. A couple of issues. I think you mentioned that you have a chief auditor within the agency, and I'm wondering what the expenses of that auditor and his or her activities are. Is that covered from... I suspect they have a fund of some sort that takes in fees and things like that. Is that how that works in terms of the auditing functions within the agency? And then I have a follow-up about...
[Liz Allen (Attorney, California Privacy Protection Agency)]: Yeah. So the auditor was established actually outside of the DELETE Act, because they will be dealing with several different audits and risk assessments and such that the agency mandates. I don't think their entire headcount is covered under the DELETE Act, because they are not a DELETE Act specific headcount.
[Herb Olson (Member)]: Okay. That's fair enough. Yeah, I'd be curious to know how that auditing and, I guess, investigation function is handled. Related question: we have four other states that are performing a similar registry kind of function. Do you folks have the authority to share information with those other states and collaborate, maybe in terms of how you fulfill your role?
[Liz Allen (Attorney, California Privacy Protection Agency)]: Yeah. So this, again, is an enforcement question, but the enforcement side has announced that they collaborate with other state AGs regularly and that we talk with other enforcers on quite a regular basis. And we have, gosh, two international, I think... don't quote me on this exactly, but we have international agreements and national agreements with other AGs where we are sharing information. I can pull those for you, but I don't have them off the top of my head.
[Herb Olson (Member)]: Did you say at the AG level or at your agency level?
[Liz Allen (Attorney, California Privacy Protection Agency)]: AG. We're the only privacy agency, so everybody else who's enforcing privacy is under a DOJ or AG.
[Herb Olson (Member)]: Thank you.
[Michael Marcotte (Chair)]: Good questions. Liz, how did you deal with the issues of financial institutions, insurance companies, and their need for data, and making sure that consumers weren't deleting the data that those institutions need?
[Liz Allen (Attorney, California Privacy Protection Agency)]: Yeah. So, two easy answers. Under the CCPA, which is our main privacy law, a lot of the definitions are pulled over, including the definition for personal information. So those aren't defined in the DELETE Act; they're defined in our comprehensive privacy law. And under there, there are exceptions for fraud, for identity verification, for litigation, etcetera. So under the definition of personal information, and under what qualifies as a business under the law, that has been thought through, and those details are in the CCPA. So if you are an Experian, for example, or you are doing identity verification for the DMV or something, that would be an exception to the law. And then, of course, the DELETE Act is trying to close a hole in the way the California system works: data brokers, by definition, are buying and selling information that is not directly connected. This is not your Spotify account. This isn't your Netflix account. This isn't the shoes you bought from Nike. This is not information you've directly given to the business; that's first-party data. This is dealing with third-party data and inferences created from third-party data. So this is not like a consumer's going to come in and request deletion of their Spotify account, because that is first-party data, and that's not what the law covers, and that's not what data brokers are obligated to delete. It's not the first-party data. It's the third-party data. So they are buying and selling information that they did not collect themselves.
[Michael Marcotte (Chair)]: Michael? To follow up on your question, understanding that the first party isn't subject to it, but those financial institutions go out to those data brokers to pull information.
[Liz Allen (Attorney, California Privacy Protection Agency)]: Yeah. So if you're covered under GLBA, for example, you're offering your credit card or whatever and you're doing a credit check, this law is not written that way. You can't delete that information. That's not the information that's covered; that's not under this law. Now, if you're a credit card company... well, okay. Yeah. So GLBA is an exception under our law. So to the extent that the data is covered by GLBA, it is not covered by us. So that will forever not be able to be deleted under the DELETE Act, for good reason, right? Because you need credit checks and you need identity checks. In fact, we are using an identity checker in order to verify somebody's a California resident. So the idea is not to wipe identity verification off the map. That's not the goal of these laws.
[Michael Marcotte (Chair)]: Questions? Liz, thank you very much for joining us. We appreciate it.
[Liz Allen (Attorney, California Privacy Protection Agency)]: Yeah. You're welcome. And we're happy to answer any questions offline as well. And if you want to talk to our auditor or whatever, we're happy to facilitate that.
[Michael Marcotte (Chair)]: Great. Thank you. We appreciate that. Do we have anybody else? Yeah. There's two more. We're good. Right there.
[Committee staff/host (technical support)]: And then... yeah. We started playing. Yeah. Okay. Who's next? Mike.
[Michael Marcotte (Chair)]: Mike? You can save the...
[Mike Yeagley (National security/privacy advisor; Unplugged board of advisors)]: I'll try to get you guys back on schedule here. Thank you. Liz, just before you go, I think about Russian data brokers all the time, and so we'd like to talk a little bit about that.
[Mike Yeagley (National security/privacy advisor; Unplugged board of advisors)]: Chairman Marcotte, my name is Mike Yeagley. Nearly ten years ago, I delivered a wake-up call to the US Special Operations Command and Department of Defense leadership by exposing a classified forward operating base in a war zone, not through a hack or a data breach, but by purchasing data from an advertising tech business. My message to DoD brass was simple: if a history major from St. Lawrence University could do this from a home office, hostile actors could do it too, if they weren't already. Today, I advise the US government on national security risks arising from commercial data systems and surveillance infrastructure, and I serve on the board of advisors for Unplugged, a privacy-focused smartphone. I'm here to offer my perspective. It's a bit of an alternative perspective on strengthening and future-proofing the privacy posture for Vermont. The issue before this committee is control of personal data, a central fault line of modern geopolitics. Today's data ecosystem is dominated by an $8 trillion duopoly and a $740 billion advertising economy engineered to extract behavioral data at scale. That is what they are capitalized to do. A single mobile device is interrogated hundreds of times a day by opaque third-party networks that include foreign entities and adversarial actors, none of whom characterize themselves as data brokers. When adversaries use the same data pipelines as advertisers, privacy becomes a national security issue. And when federal policy falls short, as demonstrated by years of missteps surrounding TikTok, states become the front line of defense. And that's why this committee's work matters. When our movements can be tracked, our relationships mapped, our intentions modeled, we cease to be citizens and become subjects. The question I ask regularly is, who are we subjects of?
I evaluate privacy policy from the perspective of adversaries who arbitrage commercially available data to obtain intelligence that would otherwise require high-risk operations. Why hack, intercept, or steal what can be bought? Modern tracking no longer depends on a single identifier like the advertising ID. That function is now replicated through the aggregation of metadata. We discussed that a moment ago: device characteristics, network behavior, timing, location patterns, and usage signals that, when combined, allow identity to be inferred with increasing precision. When sensitive information can be purchased, the barrier to exploitation collapses. Capabilities once limited to intelligence services with significant resources are now accessible to anyone with a credit card. This is the structural vulnerability. Commercial data markets turn convenience into access, access into insight, and insight into power, often without the knowledge or consent of the people being observed. This speaks to the metadata fields that people don't even know they need to opt out of in order to prevent their identity from being resolved by somebody they don't even know. This is why state policy matters. Vermont cannot control how a foreign intelligence service operates, but it can control whether commercial data markets make their work easier, by setting clear limits on identity reconstruction, cross-context linkage, and persistent tracking without consent. Vermont can raise the cost of exploitation and restore friction where it belongs. Effective privacy legislation does not need to anticipate every new technique. In fact, as I review various pieces of privacy legislation, I am looking for those loopholes for arbitrage. If I can't access the ad ID, I'll look for something else. It needs to regulate outcomes. When the outcome is persistent identification or cross-context linkage without consent, the harm is the same regardless of the technical method used or the data field and category.
Done correctly, state law becomes a practical countermeasure, reducing exposure, limiting abuse, and protecting Vermonters from risks they never agreed to assume. This reflects a broader shift, and where I would encourage you to think sort of outside the box is moving from regulating data brokers to regulating identity as a capability. The primary risk is no longer the sale of records, but the sale of the ability to continuously recognize, link, and predict individuals across time and context. In the industry, we call this device fingerprinting. Legislation must therefore address the use of metadata for identity, to protect citizens from commercial exploitation while simultaneously denying adversarial actors an inexpensive path to intelligence, influence, and interference. In doing so, Vermont's privacy framework serves both consumer protection and national security, reducing harm at home while raising the cost of abuse abroad. Effective privacy regimes do not attempt to enumerate every dataset, data type, or business model. They succeed by clarifying how the law applies as technology evolves. Vermont can do this by emphasizing outcomes and by using its enforcement authority to address identity reconstruction wherever it occurs. Enforcement should remain focused on industrial-scale data intermediaries. The Trapp Family Lodge in Stowe, Vermont is not one of them. An effective privacy framework is measured by outcomes. Success is not the number of disclosures filed or notices posted. It is whether harmful practices become harder, rarer, and more expensive to sustain. Privacy policy works when identity reconstruction is no longer a scalable business model. When systems designed to persistently identify, link, or track individuals across contexts face clear legal risks, market behavior changes. Services built around covert identity resolution either adapt to consent-based models or exit the market. Success also means restoring friction where it belongs.
When commercially available data no longer provides a low-cost shortcut to intelligence, influence, or surveillance, exploitation becomes harder and abuse less attractive. Privacy is the discipline of a free society. Mr. Chair, that concludes my statement. Thank you for the opportunity to appear before your committee. I yield back.
[Michael Marcotte (Chair)]: Thank you, Mike. Questions?
[Herb Olson (Member)]: So, thank you very much, Mr. Yeagley. It seems like you're presenting or suggesting, I think, a different way of looking at data privacy. And I'll confess I have a little difficulty following exactly what you're recommending. I mean, I get the general terms, the general concept, and your goals. But I'm having a little difficulty understanding how that would apply to something that we might do here.
[Mike Yeagley (National security/privacy advisor; Unplugged board of advisors)]: Think about, instead of trying to regulate the way in which we think about data brokers and identity and privacy today, how to future-proof that in a way where you're looking at what are the harms that you seek to prevent. Because industry adversaries will maneuver around statutes. Statutes are not firewalls. And so if you think about identifying and targeting the harms that you're most concerned about, then your legislation is future-proofed against guys like me looking for those loopholes.
[Herb Olson (Member)]: Yeah. And I think I get that concept, picked that up. I'm still struggling a little bit about how you... if you're looking at it from a different perspective and you're trying to identify the harms... it'd be nice to see some examples of how that would work out in terms of how that would be descriptive, I guess.
[Michael Marcotte (Chair)]: Sure.
[Monique Priestley (Clerk)]: That's okay. Just wondering if I can maybe help expand Herb's question. I'm wondering if you can help just make the basic connection between how broker data puts us at risk, for both entities here, criminals, but also foreign adversaries. Just the super basic connection between the data that gets scraped and then gets sold, and then how that actually is dangerous, I guess. Is that... Sure. Yep. Maybe?
[Herb Olson (Member)]: Yeah. Okay. That's a good start.
[Liz Allen (Attorney, California Privacy Protection Agency)]: Okay. Okay.
[Mike Yeagley (National security/privacy advisor; Unplugged board of advisors)]: Yeah. So I think the peril here is semantic. When we think about data brokers, which are about as popular as cigarette manufacturers were in the nineties... when we think about data brokers, businesses are evolving and maneuvering around those categorizations. Like I said, when I purchase data, it's rarely from a data broker. But the outcome: I'm able to maintain compliance with statutes because I'm within the spirit of the law. So I think when you look at how to resolve privacy, either as a macro issue or the specific harms, you want to look at how this large data intermediary marketplace maneuvers, collects, acquires despite policy and statutes. And as a foreign adversary, I am arbitraging policy all day long. And through my various proxies and cutouts, I am purchasing data within compliance of whatever jurisdiction it is that I'm purchasing data in.
[Herb Olson (Member)]: I'll try to restate that, maybe, to see if I understand. The data broker mechanism is simply one way that currently is being used to produce results that might be harmful, I guess. And it sounds like you're suggesting that that might morph at some point in the future. And so you're better off taking a look at how maybe individual entities might take that brokerage sort of model and use it themselves.
[Michael Marcotte (Chair)]: That is... Absolutely. Okay.
[Herb Olson (Member)]: Thank you.
[Mike Yeagley (National security/privacy advisor; Unplugged board of advisors)]: You don't want to limit yourself to regulating the data brokers out of business, and in the meantime you've created... Okay.
[Liz Allen (Attorney, California Privacy Protection Agency)]: Thank you.
[Mike Yeagley (National security/privacy advisor; Unplugged board of advisors)]: They've moved. Yes, sir.
[Committee staff/host (technical support)]: Other questions?
[Katie (unidentified member)]: Thank you so much.
[Michael Marcotte (Chair)]: You bet.
[Katie (unidentified member)]: Zach Edwards, are you?
[Zach Edwards (Senior Threat Analyst, cybersecurity)]: I am. I'm here. Thank you so much for the time to testify today on H.211. My name is Zach Edwards. I'm a senior threat analyst at a cybersecurity startup, and I have over 18 years of digital experience. This allowed me to become an expert on Internet threats, online advertising systems, and digital privacy. I've been involved in high-profile GDPR complaints in Europe, including a successful complaint against the Grindr dating app and a complex complaint against Google's advertising systems. My privacy research and comments have been quoted by dozens of the largest media organizations, and I previously held a CIPP/US privacy certificate. I also conducted data integrity testing for several years for the nonprofit Internet Safety Labs, helping to test school and kids' apps for unsafe data transfers, and supported a series of privacy complaints in the US. I'm a California resident. I do love Vermont, though, and have actually vacationed there, and I'm here testifying today from my perspective as a privacy expert and as a technical auditor who reviewed California's Delete Request and Opt-Out Platform, DROP, and as a consumer who also looks forward to having some of my data automatically deleted from current and new data brokers once the California law goes fully into effect. I'm here today to testify in favor of H.211 and efforts to pass legislation which makes it easier for consumers to mass delete data from registered data brokers using simple tools. Vermont has approximately 440 registered data brokers. California has 545. We've already heard from other folks about this clash and the challenge, and the fact that there may be even more data brokers that need to be registered. Every day, these data brokers are buying and selling sensitive details about you, your family, your friends, and folks in your community.
This data powers legitimate fraud and abuse purposes, which is important to continue to support, and I support using this data for fraud and abuse purposes, including checks, as do most serious folks. But this data also empowers murky enterprise revenue growth schemes and is used for all types of nefarious activities by unscrupulous global actors. As it stands, most folks will never know all the ways their sensitive data is used to make money or target products to them, but it's clear the vast majority of people want more control over this process. And unfortunately, for someone navigating the litany of data brokers, every one of these companies has slightly different opt-out and deletion processes, and most of them require you to navigate a series of URLs on their websites that only sometimes work. If you spent five minutes every time you needed to manually opt out from all of the data brokers in Vermont, you'd spend over thirty-six hours to exercise your privacy rights. No one has time for that. The global data broker industry wins when people can't opt out because it takes too long or just plain doesn't work. If you want to see an industry-created opt-out tool, just head over to youradchoices.com and see how many clicks it takes for you to find the web or app opt-out process. And then once you run their tool, scroll through the vendors that you've attempted to opt out from, and you should always see a number of vendors who are noted as being unsuccessful. And this type of broken opt-out functionality has existed for years, likely over a decade. And once again, that's youradchoices.com. When you let the big data industry manage their own data deletion process, surprisingly, it never works as expected, and they can never quite figure out how to get it right. I'm sure folks aren't terribly surprised by this weaponized incompetence.
The state of California decided to do something to make it easier for our citizens to exercise our rights to request that data brokers delete our information, and while we're still in the ramp-up period, the platform is working, and over 100,000 people have used it successfully. I spent the first few days after the California DROP tool was released extensively testing it and sharing feedback both privately and publicly. I can confidently say this system is cutting edge, and for folks located in California, this is the most effective way to get our names and sensitive details off data broker risk lists. I know some folks are always concerned with how data brokers work, where in order to opt out, you need to share your personal information. But the way it really works, data brokers already have this information. And the best way for people to reclaim some of their privacy rights is mass requesting the deletion of this data via the data broker deletion processes. But this process is easier said than done. For most folks, if you want to have someone help bulk delete your data, you'll have to trust fall in some way to remove yourself from this ecosystem. Now in California, this trust fall, where you have to provide some details in order to get them deleted, was covered in a previous presentation. But California uses two options for the California residency verification process, and this is very important. They use secure, which is an enterprise for-profit KYC vendor, or login.gov, the federal system. Now, neither option is perfect. With login.gov, data going to a federal agency has absolute risks for certain individuals, and using a for-profit company also has risks or concerns for some organizations. The process that I would prefer to see as an option would allow people to verify residency via physical mail, and this is something that's been done by big tech companies like Facebook for their political advertising program.
And it's one way to allow people to verify that they're eligible to use a tool based on residency requirements without needing to share their data with third-party KYC vendors. So I'd strongly recommend Vermont look at ways to improve the residency verification process that California implemented, and I believe this is the only place where California could have done better. But within California's tool, you can submit multiple names, multiple emails, phones, car VIN numbers, and, if you had them active, mobile advertising IDs. And this process takes about ten minutes for most folks, and really, this is a huge difference from what it would take to do it manually. We're still in the ramp-up process here for the California DROP tool, but this new evolution of privacy rights is exactly what we should be seeing: easy tools for consumers, simple requirements for data broker businesses, and a clear process that can be double-checked after it goes live. The California DELETE Act appears to be the model for this proposed bill, and that's a good thing. I hope all legislators here in Vermont will continue to support common-sense privacy frameworks and look for solutions that make it easier for citizens to opt out from the hundreds of current data brokers and the litany of new brokers who show up in any given month. It's an uphill battle to monitor this ecosystem, and we shouldn't be forcing regular folks to navigate this mess in order to get the privacy they should be easily afforded. I just want to thank everybody today for your work on important privacy legislation that has a real chance to make a positive impact for folks in Vermont. I'm happy to answer any questions. Best of luck with your work.
[Michael Marcotte (Chair)]: Thank you, Zach. Questions?
[Unidentified member (IT background)]: Hi, Zach. Thank you so much. I'm curious to hear more about this physical mail verification. We sometimes, being a very rural state, have issues with getting mail to residents and consumers. So I'm wondering, do you have any other thoughts about potential alternatives for verifying residency?
[Zach Edwards (Senior Threat Analyst, cybersecurity)]: Absolutely. So I think you need to give folks multiple options. And really, as you've mentioned, rural mail delivery is challenging. And also, some folks may be without a home, unhoused populations, folks who have PO boxes that may have trouble with certain types of mail. There are many scenarios where mailing may not work, and that's why having maybe login.gov, the federal solution, or even the for-profit vendor as a backup is great. And giving someone that option to say, okay, I either want to use that federal system or I'm comfortable with this for-profit KYC vendor. And personally, I use the for-profit KYC vendor. Totally legitimate, great company, but not everyone feels the same way. And so having that third option where you say, hey, I don't want the federal government involved, I don't want a for-profit vendor, I just want you to mail me a simple code, and once I receive it, I'll be able to input that in the system to verify that I received that mail at that specific address. And none of these processes are perfect. So I could come up with a dozen ways that someone could trick each of these systems, but that really is for a different conversation. But I think giving folks the options is really what I'm urging.
[Mary Block (Deputy Commissioner of Insurance, Vermont DFR)]: Thank you.
[Zach Edwards (Senior Threat Analyst, cybersecurity)]: Thank you.
[Michael Marcotte (Chair)]: Alright. Thank you very much. Appreciate it.
[Zach Edwards (Senior Threat Analyst, cybersecurity)]: Take care, everybody.
[Michael Marcotte (Chair)]: Okay. So that concludes testimony on H.211 for today. I will now bring in Department of Financial Regulation Deputy Commissioner Block and Joe Wilson, there patiently waiting for us. Monique Priestley, go over the... Right here. Carrie, you can join us too. Thank you. Sorry for that cold run.
[Mary Block (Deputy Commissioner of Insurance, Vermont DFR)]: No problem. Five minutes to chill in the hallway.
[Michael Marcotte (Chair)]: Thank you for joining us this afternoon. We'd like to have you go over the data report with us, and we'd like to understand much of it. I started reading, I guess, through the whole thing, but it's long. There's a lot that I think you can do already. Are there any legislative fixes that you need as well? Okay.
[Mary Block (Deputy Commissioner of Insurance, Vermont DFR)]: Alright. So for the record, Mary Block, I'm the deputy commissioner of insurance for the Department of Financial Regulation. So I thought I'd do sort of an overview, and then maybe we can either talk about specific questions that people might have, or specific areas that people might have questions on, and so forth. But hopefully a broad overview first, and then we can drill down where we need to. So the report was a result of a charge given to us by you in Act 32 of 2023. And we were required to look at a broad range of topics related to the auto insurance industry: labor rates, appraisal practices, insurer control over repair work, direct repair programs, consumer disclosures, Regulation 79-2, which is the primary regulation that's used to regulate in this area, betterment, aftermarket parts, complaints, and pricing and availability impacts. Big. What we did to get there is we sent a large request for information to the insurers asking for procedures. We sent a set of interrogatories to ask specific questions to get at some of the issues. We did interviews. We did a survey of the auto repair shops and asked them questions, if they were willing to answer. We engaged a contract actuary and a contract examination firm. Primarily, the examination firm was to look through the thousands of pages of documents that we got from the insurers. We did interviews with a whole bunch of related parties: CAPA, which is a certification organization for aftermarket parts, appraisers, aftermarket parts distributors, vendors that sell systems that both the insurers and the shops use to do estimates, all kinds of parties like that. We had two town hall meetings that consumers were able to come in and speak at. We also asked for written comments from consumers if they were interested in sending us some. We engaged the NAIC to do a review of state laws in the area.
We did our own review of state laws in the area. We looked at 950 complaints that were relevant to the study over a period of about five years. We talked to other state regulators that are struggling with the same issue, looked through our own regulations, and then did a boatload of data analysis. It took about a dozen department staff and two sets of summer interns to plow through this, who get a lot of credit for doing a lot of the grunt work. So I think it helps if we set the stage a little bit about the environment we're operating in, right? Vermont is lucky. We have a very healthy and competitive auto insurance market. We have over 70 insurers in that marketplace. And usually our rates are in the bottom five across the country. Honestly, that doesn't really matter to consumers, right? Every time your rate goes up, you feel it in your pocket, regardless of where we are, relatively speaking. I feel it in my pocket. But we know that individual increases are painful. We have also historically had some of the lowest uninsured motorist rates in the country. Our rates have started to inch up a little bit over the last few years, not out of line with how they're inching up nationally. So it's an issue across the country where people are finding it less and less affordable to get insurance. And availability becomes an issue because it's not affordable. Regulation in this area, as I said before, is primarily a section of the Unfair Trade Practices Act that governs claims settlement practices, and then a corresponding regulation, Regulation 79-2, which outlines fair claims settlement practices. 79-2 is based on a couple of NAIC model laws that are used in other states. But there's some clarity lacking. When you read through the study, you can see there's clarity lacking in areas. There are also a few Vermont state court cases that have looked at this issue, issues around labor rates and repairs and so forth.
The problem with court cases, right, is they're very specific to the facts of that particular issue. So they are very much based on the policy language that they were looking at at the time. But they lay out that insurers cannot unilaterally decide what they're going to pay. They have to pay in line with the policy language, and they have to pay the cost of the damages. Problem is, what's the cost of the damages? And that's always where the argument comes in, right? So other states have tried to fix this problem. Many have implemented some of the NAIC model updates. Some have made additional disclosure requirements, other clarifying regulations. Very few have stringent, I won't say it's four or five, have requirements around OEM parts, so original issue parts, original equipment parts versus aftermarket parts. A number have requirements on disclosure, but not requirements to use original equipment parts. The state of Massachusetts has tried now three times to figure out the labor rate issue. They finished their third study at the end of this year and issued a report. They still failed to come to a consensus about how to deal with labor rates. If you get through our report and you want to read another one, their report has seven appendices with seven different ideas for how to set labor rates. And so it is definitely a thorny issue. As far as all of the parties that are sort of impacted by this, consumers definitely lack a clear understanding of what their rights are for a lot of reasons. Don't read their policies. A lot of people don't read their policies. I would bet there are people at this table who haven't read their policies. They need clear identification of what their rights are and what they aren't. What in their policy might be important to them. They also need tools to sort of figure out how to answer their questions when they do have questions.
They do demand speed and ease of use when it comes to buying policies and getting claims settled. So sometimes that is sort of diametrically opposed to understanding your policy, getting a quality claims settlement, and all of those things. So there's sort of competing forces there, because people want it faster than they want it now. Shops are struggling for a lot of reasons as well. There are tight labor markets, increased costs for repairs, other business expenses that are going up, like health insurance that we're talking about in this very building, rent, all kinds of things, property taxes, delays in the supply chain, difficult interactions with insurers, obviously. And the complexity of repairs on cars is getting more and more. It is becoming increasingly difficult for the small neighborhood shop to be able to handle all of the repairs that need to be done in this environment. Insurers are having problems too. They're struggling to keep the premiums down, so they're attractive, while they're facing the same costs. But they also have additional pressures like the rise in medical claims costs when they have bodily injury claims. They also face additional higher costs for all of this technology that's in cars. Some of the more common conversations lately are around, everybody used to take for granted your no deductible glass coverage on your car, because glass coverage, just to replace a windshield, used to be only $200 or $300. Now it's $1,500 to $2,000 because of all the technology that's embedded in that window. They have obviously risk of rising litigation costs. They have their own labor market issues, and we're seeing where they're having trouble hiring people, particularly appraisers and adjusters. And obviously they have those consumer demands for online, virtual, and get it done fast. So that's sort of where we're at. Nobody's happy.
Overall, based on the study, we didn't think that there was any sort of intentional misconduct on the part of the insurers or collusion going on. Are they getting it right all the time? No. Are there things that we can clarify? Yes. But most of the time, we're not seeing intentional bad action. We do believe there's a lot of pressures on everybody and a lot of competing interests and nobody's happy. There is a need to make updates. We believe that we can make a number of updates to Regulation 79.2 to address a lot of these areas. Part of those updates will come from the NAIC model. Part of them we'll steal from other states, and part we'll have to write out of whole cloth because they're areas that just haven't been really addressed by anybody else. But one of the primary sort of underpinnings of enforcement and good enforcement for an insurance department is having a standard to enforce to. So in some areas we need to build the standard before we can build the enforcement. Labor rates is one of those areas. Right? We need to give the insurers guidelines for what those expectations are so that we can then test to those guidelines and say, this is over the line. Nope, you're good here and so forth. And that'll help everybody sort of get it right. We don't think that now is the time for legislation sort of on the extreme side, like mandating labor rates, mandating certified aftermarket parts, and I can talk a little about why certification is somewhat problematic. But we do think that we can make some changes that will definitely have an impact. We also think that there's a number of steps we can do to help consumers. There are a number of states that have developed what are loosely called Consumer Bill of Rights that provide them information on exactly what their rights are. They could be handed out as a page. We've talked about, can we put it in as the next page after the deck page in your insurance policy?
Does it get handed out at the time of claim? Both. Insurance policies on the auto market are usually purchased every six months. So could potentially, if it's left at the deck page, get that every six months. And it would just be there to remind you of where you can push and where within your policy you don't have that right. So, I mean, we think there's a whole lot of stuff in here, but we think that many of the concerns can be addressed through regulation. And then we see sort of how that plays out. We do more enforcement. We monitor the complaints as we continue to do. But I think the complaint tells us where the pain points are. The studies tell us where there isn't consistency. So the information we got from the insurers, the information we got from the shops tells us where the inconsistencies are and where there's room for clarification, so that we eliminate those inconsistencies. For consumers, like I said, we talked about the Bill of Rights. We've also thought about we need to update our website, I'll be perfectly honest. It's aged, and so we can definitely build some tools to help consumers answer those questions. Our consumer services department is there to answer those questions. We get thousands of inquiries a year just to answer questions. But creating something for them to go be able to do it themselves certainly can't hurt. So that's the big picture, and happy to talk through sort of the sections, but I think that sort of lays out our overall view of the situation. You can pester me with questions.
[Katie (unidentified member)]: I just wanna understand what updating your rules entails from the timeline, so and how all of that
[Mary Block (Deputy Commissioner of Insurance, Vermont DFR)]: obviously the timeline, it'll take a little bit. We'll have to go through each section. Once you get a chance to go through the report, I would say in most sections of the report, we think there's something that we could do in 79.2 to clarify. So for example, in the labor rate section, we'd be anticipating putting guidelines in there for what's an acceptable way, not to tell them exactly how to calculate labor rates, but what are the kinds of criteria they need to be using to determine objectively what labor rates should be in Vermont, and how to document that so that we can test that. We've also looked at things like, talked about things like, if they say a labor rate is X and the consumer is at a shop that wants $20 an hour more than that, giving the option to say to the consumer, here's the three or four more shops that will do this at our rate if you want to go there, and give that consumer information and require that they make that offer. So putting guidelines like that in there to tell them more explicitly how to go about addressing this issue. This is guidelines for the insurers? The insurers. Yes. Putting more work on the small businesses, right?
[Katie (unidentified member)]: Most of these repair shops are small businesses. And I just want to make sure
[Mary Block (Deputy Commissioner of Insurance, Vermont DFR)]: that's for the insurer, so they know how to assess what's a reasonable rate, right? Because, honestly, not all shops are perfect. And actually, if you read the Massachusetts study, there are some comments in there in some of the options for setting rates from shops themselves who say not all shops are worth the same amount and should be getting paid the same amount. They don't know the same skills, they don't know the same technology, they don't know the same training. And so providing them with some guidance about how they need to go about and figure out objectively what a rate might be. And then they put that in their files, they have it, they know. And if somebody challenges it, there's documentation there that shows how insurers have thought about making that decision. Not, let me put my finger in the wind and see what I think the policy is. Because unfortunately when we talked to them, most of them did not have sort of a specific policy for how they do that. And that's not a defensible way to be. So I would say in almost every section, there is a suggestion. There's an entire section on betterment, for example, in the NAIC model that is not in our rule, that we could look at, pull whole cloth out of there and use. There's an NAIC model on aftermarket parts that has specific disclosure language for the use of aftermarket parts. So there are a lot of places where I would say, like I said, in almost every section, there's probably something that we will do in Regulation 79 to clarify what's already there, so it's more understandable, or to add things that we haven't covered because we haven't looked in this depth to try to sort that out.
[Unidentified member (IT background)]: Did you all cover the cost of replacing a car these days for insurers? Is that driving any increased rates and things?
[Mary Block (Deputy Commissioner of Insurance, Vermont DFR)]: Increased premiums are definitely going up because the cost of cars is going up and the cost of repairing cars is going up. Right? Everything is going up. I don't think there's anything we touch these days that isn't going up. But the technology in cars definitely drives up that repair cost because it is far more unlikely today that you have a fender bender and you don't touch something on the car, if it's a newer car, that has some piece of electronic equipment in it. There's a camera, or there's a sensor, or there's something. So the line between auto body repair and mechanical repair is getting blurrier and blurrier. And a lot of those I know a lot of shops don't have the ability to make those repairs. They farm that out to a mechanical repairer, and, you know, those costs just keep escalating.
[Michael Marcotte (Chair)]: Thank you. So you talked about, you know, a shop that may charge over and above what the insurance company may pay for a rate, so they may give the customer other places where they could go, but could that also cause an insurance company to try to steer somebody towards an inferior body shop that makes the repairs at the rates that the insurer wants to pay, and they don't come out very well?
[Mary Block (Deputy Commissioner of Insurance, Vermont DFR)]: So, I mean, there is the question of steering. There is a section in 79.2 right now that addresses if an insurer tells an individual to go to a particular shop. I think we need some clarification of where the line is between directing and nudging and where we would draw that line. Because there's liability. If you tell the insured they have to go here, the insurer is on the hook under Regulation 79 for those repairs. So we need to figure out a way to provide guidance that says, if you make an offer of three or four shops and they choose one, that's different than if you say, Well, there's only one shop in your neighborhood that does this, so you should go there or we're not gonna we have to figure out sort of where we're gonna draw that line. Because, yeah, it's sort of a sliding scale. And, you know, obviously, there's games that can be played on both sides. I mean, one difficulty and I know we're talking about small businesses, but one difficulty that is faced by the insurers is how to know if the rate the shop is charging is the right rate, right? Because I think we quote, there's an article in there, and I think the Massachusetts report mentions it as well, that not all shops actually know how they decide what their rate is. They sort of back into it. It's not like you know, the big shops obviously have accountants and they do all the work to figure out the market and what the market can bear and what they need. You know, some of these small shops, it's tough for an insurer to know, is this a real rate or is this just something that they, well, this sounds like what I need to make my money? And so that makes it a little bit more difficult too because insurers are used to massive rate regulation. They're dealing with parties that are not subject to that, and so it's an interesting dynamic.
[Michael Marcotte (Chair)]: It's hard to know also how some shops have invested in equipment and others haven't.
[Unidentified member]: Yes, so
[Mary Block (Deputy Commissioner of Insurance, Vermont DFR)]: they may be worth more.
[Unidentified member (IT background)]: Question about state lines. I know for some vehicles, say a Tesla, if you're in Southern Vermont, you may not have a service center near you. So you would have to go to New York or Massachusetts. How do you deal with that?
[Mary Block (Deputy Commissioner of Insurance, Vermont DFR)]: Unfortunately, we don't have any control over what New York or Massachusetts is going to charge for rates. New York is probably higher. Oddly enough, Massachusetts is lower because they had some rate suppression for a few years. They had a fixed rate at one point. The insurer is going to have to try to A lot of the insurers operate in multiple states, so they have intelligence about this if they're over a state line. But some of the smaller ones aren't going to have that kind of intelligence. The national ones certainly will. And we're a little state, but maybe we can influence how things are done in states as well.
[Michael Marcotte (Chair)]: That would be reflected in your premium, wouldn't it, if you bought a Tesla?
[Mary Block (Deputy Commissioner of Insurance, Vermont DFR)]: Oh yeah, they'd try to price that in. Yeah, they would try to price that in. And some of those cars, electric cars in particular, from my understanding, when they're in an accident, they're a lot heavier. And the damage that they can inflict on another vehicle can be substantial. So if they're at fault, that's something else that the insurers have to bake into the premium.
[Michael Marcotte (Chair)]: One of the other issues think we heard last year, I saw in the report, car rental. Yep. And you only have x amount of days, but the body shop can't get the parts, and so people wind up getting stuck because they have no vehicle, the vehicle is not active.
[Mary Block (Deputy Commissioner of Insurance, Vermont DFR)]: Yeah, I mean, for a first party claim, rental is something you've decided when you purchased your policy. Making sure people understand they're making that decision is a different thing. For a third party claim, we push back on the insurers because the definition is what's reasonable. And what was reasonable during the pandemic, for example, is different than what's reasonable today because of the inability to get repairs done during the pandemic. So that's more flexible. But when you buy your policy, decide how much rental coverage you want. And so that's a much more defined
[Michael Marcotte (Chair)]: thing. Yeah. And maybe that's something that needs to be explained better too by agents if you're going through an agent.
[Mary Block (Deputy Commissioner of Insurance, Vermont DFR)]: That's the problem. Right? A lot of people do buy their auto insurance in particular online and don't use an agent. I
[Unidentified member (IT background)]: look so you mentioned
[Unidentified member]: uninsured and underinsured motorist coverage.
[Mary Block (Deputy Commissioner of Insurance, Vermont DFR)]: I was talking about uninsured.
[Unidentified member]: Uninsured. Okay. So uninsured motorist coverage, my understanding is most people have $100,000 coverage. Is there any kind of regulation directing what an insurance company, is it their default, offer?
[Mary Block (Deputy Commissioner of Insurance, Vermont DFR)]: So the default, I believe, is equal to Well, there's a minimum. So the state has a minimum. I can't remember what it is off the top of my head. 20. 20, yeah. The defaults are usually the minimum or equal to what you've selected for your comprehensive coverage, for example.
[Michael Marcotte (Chair)]: There's nothing
[Unidentified member]: that increases that minimum over time. It's just whatever we're seeing.
[Mary Block (Deputy Commissioner of Insurance, Vermont DFR)]: Right, and our minimum, honestly, is almost the highest in the country, I believe. It's close to the top. When I was talking about uninsured motorists before, actually, I was talking about literally talking about the rate of people who have no coverage. And those rates sort of indicate who can't afford coverage, because we have a residual market for people who have trouble getting coverage. We don't have a lot of policyholders in that market. So people who are uninsured either have chosen to not buy insurance either because they just don't care or because they can't afford it. It's no longer available to them because they can't afford it.
[Michael Marcotte (Chair)]: Any questions? K. So recommendation, we'll let you do your Let us taking Yep. How that goes Yep. With that.
[Mary Block (Deputy Commissioner of Insurance, Vermont DFR)]: We'll see if we can right the ship. I don't think we can right the ship completely, just to be honest. I have regulatory authority over some things, but not everything.
[Katie (unidentified member)]: We're talking about a market that most people don't have to interact with many times in their life, and so there's a lot of opaqueness and there's a lot that people get into where they just have no understanding. And so then there's going to
[Mary Block (Deputy Commissioner of Insurance, Vermont DFR)]: be And it's stressful. Because now you're without your transportation. So, we are in a market. This is a market that is designed to be conflict within. And so, yes, you can't fix it completely. If you see things that you can do that. And we can certainly make, hopefully, educate consumers. We can put the information out there. We can't force them to read it. But we can certainly, hopefully, educate, provide tools if they want to ask questions. And of course, they can always call
[Michael Marcotte (Chair)]: Well, yes.
[Mary Block (Deputy Commissioner of Insurance, Vermont DFR)]: I had a couple of nieces when they were young.
[Michael Marcotte (Chair)]: Mary, thank you.
[Mary Block (Deputy Commissioner of Insurance, Vermont DFR)]: You're welcome.
[Michael Marcotte (Chair)]: Chittenden, Joe, thank you again for coming in. Appreciate the report. I know it was a lot of hard work, so I think it was time.
[Mary Block (Deputy Commissioner of Insurance, Vermont DFR)]: Learn more about auto repair than I ever thought I would know. I had to ask my husband some questions at times.
[Michael Marcotte (Chair)]: Thank you. We're on the floor at three, and we don't have anything after the floor, so question? Caucus is a whole lot here. Is it a public Oh, yeah. Yeah. I forgot about that.
[Unidentified member]: The Addison General election. Yeah.
[Katie (unidentified member)]: I have a fifty day voting today, though.
[Unidentified member]: It's still brisk.
[Michael Marcotte (Chair)]: In February. Oh, so go Tomorrow, we start our walk through of 06:48 with the DFR bill. So we'll see Joe again tomorrow.
[Committee staff/host (technical support)]: Okay.
[Michael Marcotte (Chair)]: We'll do the walk through, then we'll take custody in the afternoon. That'll be out of date tomorrow. That's the DFR bill. So so get plenty of time to get to the floor. It will be there on time. Caucus in the hole after, and you're free to go.