[Michael Marcotte (Chair)]: Good afternoon, everyone. This is the Vermont House Committee on Commerce and Economic Development. It is Wednesday, 01/28/2026 at 01:35 in the afternoon. So we are going to have a walkthrough on the amendment to H. 211. We're not relating to data brokers and personal information. We have our legislative counsel, Rick Siegel with us. Rick? Good afternoon.
[Rick Siegel (Legislative Counsel, Office of Legislative Counsel)]: Rick Siegel with the Office of Legislative Counsel. So we're looking at draft 2.2 of the amendment to 11. Mr. Chair, since we just did a walkthrough of the amendment, was it last week? I thought I'd go through the changes from the last amendment. Sounds good. Okay.
[Michael Marcotte (Chair)]: But you want to take us through the whole thing? I don't necessarily.
[Rick Siegel (Legislative Counsel, Office of Legislative Counsel)]: I see my time is not thirty minutes, Anna Grace. Is that roughly? Okay. So, yeah, I have highlighted the areas that have changed since the last committee draft. Let's get to that first change.
[Michael Marcotte (Chair)]: I should share my screen. I
[Rick Siegel (Legislative Counsel, Office of Legislative Counsel)]: am popped up on cold medicine, that's why I may be a little bit out of it, but I apologize in advance if I had these huge brain meltdowns because Yeah. Okay. So section 2,431 was actually not in the last amendment because it wasn't being amended. So currently in statute, this is prohibiting acquisition of certain broker personal information. No changes to that specific part of the statute. What we've done here, we meaning this amendment, is kind of removing a fortune that was 24, I can't get the exact number that it was before. There was a credentialing section towards the end of the bill.
[Unidentified Committee Member]: It was twenty four
[Rick Siegel (Legislative Counsel, Office of Legislative Counsel)]: forty six C. It's on the last page of of the last amendment. That exact language has been moved to twenty four thirty one because when I looked at it, I thought it made more sense in this section. So again, this applies to the acquisition of brokered personal information. The change is adding there's a technical change email, ruin the hyphen, adding subsection B data brokers. So, would be just applicable data brokers. So, again, language was in the last bill, just moving it. I will read it. So, we're all on the same page. A data broker shall maintain reasonable procedures designed to ensure that the brokered personal information it discloses is used for a legitimate and legal purpose. The procedures shall require that prospective users of the brokered personal information identify themselves, certify the purposes for which the information is sought, and certify that the information shall be used for no other purpose. A data broker shall make a reasonable effort to verify the identity of a new prospective user and the user certified by the prospective user prior to furnishing the user broker personal information. A data broker shall not furnish brokered personal information to any person if it has reasonable grounds for believing that the brokered personal information will not be used for a legitimate and legal purpose. Any questions about that?
[Michael Marcotte (Chair)]: Language anywhere else in in other jurisdictions, or is it still language? That I don't know.
[Rick Siegel (Legislative Counsel, Office of Legislative Counsel)]: I can get back to you on that.
[Michael Marcotte (Chair)]: And I'm assuming the courts know what legitimate
[Unidentified Committee Member]: purposes are.
[Rick Siegel (Legislative Counsel, Office of Legislative Counsel)]: I mean, it it would be there's not a term of art of what that is. It would be up to the data broker to argue that the reason that it disclosed it was for legitimate purpose, and it'd be up to the decider to determine if that indeed was a legitimate legal purpose.
[Unidentified Committee Member]: The plain language does, we're saying the data broker needs to know what the purpose of the data they're selling is going to be to the person they're selling it to. I guess that's not really plain language.
[Rick Siegel (Legislative Counsel, Office of Legislative Counsel)]: Sure, disclosing selling, right.
[Unidentified Committee Member]: To understand.
[Michael Marcotte (Chair)]: Trying to know your customer.
[Rick Siegel (Legislative Counsel, Office of Legislative Counsel)]: And just so we're on the same page as well, this does tie to enforcement. So there is already enforcement in this section for the AG. So that again doesn't change. But if a data broker were to violate this portion of the section, there would be enforcement available to an AG through the Consumer Protection Act, which would also give consumers the right to hold the data brokers accountable. So no changes to the notice of security breaches. The data broker security breaches. I do no changes there. I do want to
[Michael Marcotte (Chair)]: I talked to Todd Baylor with
[Rick Siegel (Legislative Counsel, Office of Legislative Counsel)]: the AG's office. I think he's coming in Friday. There may be a few proposals that they want to kind of update to ensure that they it meets their standards, but just kinda foreshadowing there. Rick, that includes DFRs thing too. Right? That this I'm not sure if they're gonna Okay.
[Monique Priestley (Clerk)]: Default. There also was a request to make sure that we update brief stuff with DFR. So the AGM DFR have been talking. So yeah. Let's see. Came in towards the end when Rick was trying to wrap this up. So yeah.
[Rick Siegel (Legislative Counsel, Office of Legislative Counsel)]: Those changes are not in this amendment. Skip to page 23 is the next change. 23 is the September 5. This is the data brokers main section of the statute end of the bill. Again, last time we kind of reconfigured this when they must register. So the committee kind of wanted to go to the thirty days. You must register not later than thirty days after you become a data broker in the state. Because right now, it's Jan thirty one. So right now, if you begin operating as a data broker on February 1, you wouldn't have to register until the following January 31 of the next year. This would remove that loophole. You would have to register thirty days after you begin meeting the definition of a data broker. And then once annually thereafter on or before July 1 of each year. Some of this is from the Secretary of State's office. They like some of this language. July 1 was their choice for fiscal year, I assume. The registration fee, 900 from $100 is the current statutory fee. Subdivision 3 is new. This was a proposal from the AG's office about a bond. The charitable solicitations section in the Consumer Protection Act requires a bond That if you actually conduct one of these charitable solicitation programs, you have to basically pay a bond of $20,000 to conduct this charitable solicitation. So the idea there is to kind of move that over to this data brokers part of the law and that if you're a data broker, you'd also have to maintain a bond of $20,000 that would cover any liability that may arise under the subchapter.
[Michael Marcotte (Chair)]: Are there any other requirements for registration or licenses? I'm not aware of You know, the when the.
[Rick Siegel (Legislative Counsel, Office of Legislative Counsel)]: It's a good question. I I'm not aware, but I didn't look. This is a pretty
[Michael Marcotte (Chair)]: quick, you know, the FR statute somewhere. Can talk to Maria about that.
[Unidentified Committee Member]: So this is so this is this is a requirement for being a data broker for the $20,000,000 bond? 20,000. Oh, 20,000. Okay. Sorry. I thought I heard 20,000,000. I may
[Rick Siegel (Legislative Counsel, Office of Legislative Counsel)]: have said 20,000,000. Did not
[Unidentified Committee Member]: say that.
[Monique Priestley (Clerk)]: She is a little high.
[Unidentified Committee Member]: I'm not trying to give a But okay. Makes me feel a little bit better.
[Rick Siegel (Legislative Counsel, Office of Legislative Counsel)]: And that is the same amount from the charitable solicitation.
[Monique Priestley (Clerk)]: Okay.
[Rick Siegel (Legislative Counsel, Office of Legislative Counsel)]: It is up to discussion if you want it or if you want to increase it, decrease it.
[Monique Priestley (Clerk)]: Maybe Rick's on the fee. So the fee was so basically, the SOS was saying they felt comfortable with the range of, like, $7.50, 800, 900. They chose the upper ends California. So and that's in absence of, like, the original one that we reviewed says that they could set the fee, but that's, like, not something the committee and and anybody wanted to do. So to have a static fee, it was the upper end of their scale just to set in California, it's 6,600. So that's just a starter base eventually the mechanism piece gets into being talked about and studied.
[Michael Marcotte (Chair)]: Dan, we'll put that in and we'll leave it up to Ways and Means. Do
[Rick Siegel (Legislative Counsel, Office of Legislative Counsel)]: you think ways and means would chime in on a bond? Actually, legitimate question. Don't know.
[Michael Marcotte (Chair)]: They may chime in, but it
[Rick Siegel (Legislative Counsel, Office of Legislative Counsel)]: wouldn't be the state revenue until it was actually acted upon, and then, anyway. Out of my purview.
[Unidentified Committee Member]: They said only fees, not fines or anything else. Would think the bond is more of a fine, not a fee.
[Rick Siegel (Legislative Counsel, Office of Legislative Counsel)]: They may still have an opinion. Just kind of That's an insurance product. Yeah.
[Michael Marcotte (Chair)]: Insurance type product.
[Rick Siegel (Legislative Counsel, Office of Legislative Counsel)]: The next change is on page 26. This is again, this is the registration portion, what the data broker must provide during the registration. So subdivision G, electronic copy of the data broker's bond, which is a new requirement. So they must upload the certificate to ensure that they got the bond. And their current privacy policy is something else the Secretary of State wanted a copy of that. Subdivision I, a link to a page on the data broker's website that pursuant to a subsection that I will talk about in a second, allows a consumer to request a data broker delete the personal brokered information of the consumer and informs consumers about the rights of the consumers to opt out of the collection of the consumer's personal broker information. And all that information is the same as last time. Basically, the parameters to opting out for data collection. Case subsection B, the penalty section. The fines have not been changed from the last amendment. It is still $200 a day if they don't register. If they provide incorrect information or if they sorry, if they don't provide all the information and they are notified by the Secretary of State that they're missing it and they still don't update it within thirty days, it's $1,000 per day. Again, is the bond, right? The bond comes into play here. If they don't follow the registration instructions, that bond would be potentially taken by the state. No changes to the materially incorrect information. That's 25,000 per day. 1,000 per day if they don't correct it. Subsection C is new. This is the right to delete information. A consumer has the right to have the consumer's brokered personal information deleted by data broker. A data broker shall maintain a link on its website where consumer can request that the data broker delete the consumer's brokered personal information. 
A data broker may deny a consumer's request to delete the brokered personal information to the extent that the retention of the information is required by law or is required to comply with a civil criminal or regulatory inquiry investigation subpoena summons by a federal state municipal or other government authority. Or the broker personal information is used by a consumer reporting agency to furnish a consumer report. Some of this was in the last amendment, but the sections knew some I highlight highlight.
[Monique Priestley (Clerk)]: It's it's the while this section's new, it's like it as you'll see later, the the deletion mechanism itself, like, turns into a study. So that's why so in the meantime, the secretary of SAG wanted to provide a way that there was, a a middle step for people to do while they wait for the study and the mechanism. So that's why this is outside of that. Yeah.
[Michael Marcotte (Chair)]: Hey. And if you look there, that requirement for retention of the broker personal information required by law, etcetera, etcetera, is that information then, you know, not available to be distributed to anybody who asks, and it has to be reserved, but only for those legal purposes? Or this is in limbo?
[Rick Siegel (Legislative Counsel, Office of Legislative Counsel)]: Or So that's well, I think this may be addressed coming up where the how that information is treated. It must be kept separate from other data. That's what you're getting at. Yeah. That's that is what I'm getting. Yeah. So that that is in here. But let me let's make sure. There's more. Right. So BI, the credit report, then 2I, necessary to investigate, establish, exercise, prepare for or defend a legal claim strictly necessary to fulfill a specific legal requirement on behalf of the business to which the data broker is bound by a written contract to fulfill that legal requirement or used to prevent detect protect against or respond to security incidents identity theft fraud harassment or to preserve the technical integrity or physical security of a system of systems or investigate report or prosecute those responsible for any such action?
[Unidentified Committee Member]: So a company that taps into data brokers
[Michael Marcotte (Chair)]: Oh, no. Go back. Okay.
[Unidentified Committee Member]: You want this one? Yep. So a company that goes that that taps into data brokers specifically to detect fraud, that's that they can keep the data broker can keep the information. Is that what that means or no? What do you mean by taps into? Maybe just So in business, companies tap into data brokers to prevent fraud, to do a myriad of different things. Legal businesses that are good, reputable businesses. So I'm curious if that is the it's an exemption for those type of transactions where you're pulling in data to prevent fraud. Looks like
[Rick Siegel (Legislative Counsel, Office of Legislative Counsel)]: exactly what it's meant to exclude. Right? I mean, I think three would also potentially cover that. Again, tap into, I'm not quite sure if that's an agreement or if it's just a temporary use of a service. But four, I would maybe hear from someone in that industry if you want to make sure, but that to me would cover that type of use as exempt from this bill. Subdivision three, brokered information retained pursuant to two shall be separated or segregated from data used for any other purpose, deleted immediately upon the expiration of the legal or contractual requirement, and not use, sold, share, or process for any other purpose. That would Just what I want
[Michael Marcotte (Chair)]: to Okay. So,
[Rick Siegel (Legislative Counsel, Office of Legislative Counsel)]: again, this is as Rutland previously said, this is new, but as you're gonna see, the deletion mechanism has been removed from the bill. So this is kind of a middle ground. The state is not going to facilitate that necessarily directly, but the consumer would have the right to have that information deleted by the data broker. There is some facilitation with program to NSIS in the state. Back to your list. Subsection D, the Secretary of State shall create and maintain a publicly accessible page on its website that provides consumers with the following. A downloadable spreadsheet of data brokers that have registered with the state, along with the information a data broker provides during registration pursuant to subsection A. It's a lot of stuff, right? Especially if this bill were to pass as written, are a lot of things that they're entering into that registration template. Two, a link to a page on each registered data broker's website that allows a consumer to delete the consumer's personal, gosh, broker personal information pursuant to C1, which we just talked about. An email or letter template intended for a consumer to use to send to a data broker who has not deleted the consumer's brokered personal information, and four, any additional information about the rights consumers have pursuant to the subchapter. So they currently have a webpage, the executive state for data brokers. And you can pull up the list of data brokers that have registered. So that technology exists, however, and they have confirmed they could do this, make it a downloadable spreadsheet for consumers to basically access. Then you could either If you're a consumer and you see there are 600 How many data brokers are there? In the state?
[Monique Priestley (Clerk)]: Was it 8,600? Oh, in the state?
[Rick Siegel (Legislative Counsel, Office of Legislative Counsel)]: In the state?
[John Davison (EPIC)]: Yeah. 600?
[Rick Siegel (Legislative Counsel, Office of Legislative Counsel)]: A 100. So the consumer would have to click on those links, but it is something the Secretary of State could administer and be pretty just easy to upload the spreadsheet and the consumer could download it.
[Michael Marcotte (Chair)]: Do you have any language in there that make sure that tells the data broker that has to be a very simple, easy way of doing it so that
[Unidentified Committee Member]: The language, they have to have it all on one page.
[Rick Siegel (Legislative Counsel, Office of Legislative Counsel)]: So the current, it's on page 26 of the goal. Allows the consumer to request that a data broker delete the information. That's where you can like add in. If you wanna be more prescriptive, it must be how would how would you wanna word that? Right? Up to you all. How do word that that that section? Keep going. Alright. So we're done with the data broker portion of that section. So we removed the accessible deletion mechanism. That was a fairly large section. We removed. Yeah. 2448 24468. We removed the fund. There was a data brokerage registry fund, you may remember, that was created. But that fund was mostly going to fund the deletion mechanism. So, what we have done here is basically take the verbiage that created the mechanism and turn it into a study. So, the Secretary of State shall study the feasibility of bam, bam, bam. These were things in statute previously that were going to be in statute previously. And happy to read this again, but this is what was in the bill last time. It must provide all these features for consumers to access and then data brokers to access it, then actually delete the information. The new language is two, and this is the fund. So, study the idea of utilizing a fund to hold monies received for these transactions and to disperse for the purpose of supporting and offsetting the costs of the accessible deletion mechanism. B is just a reporting that they would have a report, enter a report in November, on a report in 12/01/2027. So, a little bit under two years, year and a half, once this passes, if it were to pass for them to conduct the study on the feasibility of that.
[Michael Marcotte (Chair)]: Do we is there anything in the language that tells the data broker notify the consumer if they can't delete their their information, reasons for it? Hope so.
[Rick Siegel (Legislative Counsel, Office of Legislative Counsel)]: Because that language is new. Subsection c. Right here. Yeah. They they may deny it, but but if there's no response back to the consumer, that the consumer must be notified. So
[Michael Marcotte (Chair)]: so if you think about the process, so we go online, we want them to delete, and then we expect it's gonna be deleted, and then find out it's not. Seems to me there should be a check back with consumer. Yes. We deleted it or no. We didn't. Here's the reason why. You did, if it
[Unidentified Committee Member]: was deleted on data Well, search, is that
[Rick Siegel (Legislative Counsel, Office of Legislative Counsel)]: there's more ways you could do it. I'd want to hear from the data brokers to see what they would, if there is a common practice, what that common practice is. Is it a saying we received a request and we'll notify you when it's done? Or is it just, is there not really a typical practice here for that? I don't know. But you could obviously, in statute, you can make it whatever you want. Right?
[Michael Marcotte (Chair)]: Yeah. I I'm I'm I'm
[Rick Siegel (Legislative Counsel, Office of Legislative Counsel)]: I got three things up ahead of once.
[Michael Marcotte (Chair)]: Just below that, there was a think I we were talking about, but we didn't give you a whole lot of guidance about how to make it simple for the consumer to indicate that they wanted something to get. And websites lot allow you thinking of subscribing it. Sometimes you can just click one button and it doesn't. And other times, I think it's been noted, you've got to go through another step. I don't know whether it's feasible to, in that subdivision to to talk about the leading in a single consumer action or or voice to that thing. Right? And I don't know where that but I think that gets that click saying you wanna delete, and that indicates the concern is Well But then you
[Rick Siegel (Legislative Counsel, Office of Legislative Counsel)]: the state would facilitate that? Is that your
[Michael Marcotte (Chair)]: Well, it's it's in the context of the spreadsheet. Right? Right. And you get to line or whatever that is that particular company and the consumer said you wanna delete. I suppose this Locking. That's Yeah.
[Rick Siegel (Legislative Counsel, Office of Legislative Counsel)]: That gets complicated. Okay. Just technologically because of that. That's kind of what the deletion mechanism was gonna be. Yeah. That you deregister with the state. And so they ensure you are who you say you are. And then that gives that a proper trust that this is Herb Olson of Starksboro. And then they have that connection. And then the state kind of facilitates that deletion. Here, have 400 data brokers, 400 different websites. The state wouldn't be able to manage all these different They couldn't be one button, is that what I'm trying
[Michael Marcotte (Chair)]: to say? It would be 400 buttons. Well, for each line. But in each line, could I'm gonna betray my ignorance too. Yeah. Before. Alright. I just did.
[Monique Priestley (Clerk)]: This is really like, so I think that the the thing you're asking for, like, Rick said is, like, an easy way for the consumer to do that. That is the deletion mechanism, but the secretary of state and AG said, like, timing wise, money wise, they're not sure what that is going to look like. So they ask kind of as a consolation in the meantime to do this type of thing where it is a more manual process for the person, but giving them the rights to be deleted, which they don't currently have. And
[Michael Marcotte (Chair)]: so
[Monique Priestley (Clerk)]: this is just like a stop gap.
[Michael Marcotte (Chair)]: In order for the consumer to request deletion, they'll be giving someone
[Monique Priestley (Clerk)]: They have to, like, click on yeah. They'll have, like, a page, and they'll have to click on a link to go to the opt out mechanism. So it a manual thing for right now with the hopes that they'll do a feasibility study, know the cost, know how long it's gonna take, come back. Exception, basically.
[Unidentified Committee Member]: I guess I just wonder, Herb, if you're trying to say, while we're in this in between world, how do we ensure that it's the simplest for the constituents possible in this form? It's not going to be a single bucket for 400 or however many, we also don't want every one of those 400 data brokers to take you through six pages in order to be able to delete your data. I don't know if there's a way to write that. That's the intent. I
[Rick Siegel (Legislative Counsel, Office of Legislative Counsel)]: see the intent. But someone's got to do the work, either it's the state or the consumer. The data brokers, they can be
[Unidentified Committee Member]: It's what we deal with when we try to opt out of a service that we've been enrolled in is incredibly complicated. And this is not even a service that we've been enrolled in.
[Michael Marcotte (Chair)]: So
[Unidentified Committee Member]: we don't want it to be that. We don't want it to be, call this number, they're not open right now, call back or go to this page. Oh, no, go to that page.
[Michael Marcotte (Chair)]: Well, think about the
[Rick Siegel (Legislative Counsel, Office of Legislative Counsel)]: do not do not not call registry. That's been somewhat successful. And that was the federal thing that took a while, but eventually worked. So this is maybe the same idea that you have all these commercial entities that have your information and it would take some collaboration to make it work.
[Unidentified Committee Member]: I think you're thinking about it very differently. Because we're not saying an individual shouldn't have to go to all 400. That's, yes, that would be great. But we understand we're not there. But within every single time you go to one broker, and you say, delete my data, how many steps can that broker be allowed to put you through?
[Rick Siegel (Legislative Counsel, Office of Legislative Counsel)]: I did not see that, thank you for clarifying.
[Michael Marcotte (Chair)]: Yeah, it's like when you sign up for a service, it's easy to do, should be just as easy, get out of that service, And generally it's not.
[Rick Siegel (Legislative Counsel, Office of Legislative Counsel)]: Again, I don't know if
[Michael Marcotte (Chair)]: it's practical, but in that line to that specific company, and there's a bunch of information about what they do, I guess, You know, if you had simply an email address to the company that the consumer could click on and say, you know, delete this. I don't see this, but I think that's, you know, company by company, but something that they could notify the data broker integration board.
[Rick Siegel (Legislative Counsel, Office of Legislative Counsel)]: Something you can add language that, as chair was saying, as easy as possible. There's some language, feel like we've used it before, that's been proposed, not in this bill, but a different bill that would maybe get at the idea that it should be as simple for the consumer as possible. I can work on that.
[Monique Priestley (Clerk)]: And we do have that language in the comprehensive bill circuit for the opting out language. Yeah.
[Rick Siegel (Legislative Counsel, Office of Legislative Counsel)]: For data privacy? Mhmm. Okay. Yeah. And the last part was the effective date. That hasn't changed 07/01/2026.
[Michael Marcotte (Chair)]: Thank you. Good afternoon, Matt.
[Matt Schwartz (Consumer Reports)]: Hello, everyone. Can you hear me?
[Michael Marcotte (Chair)]: We can.
[Matt Schwartz (Consumer Reports)]: Okay, great. Chair Marcotte, members of the committee, thank you for inviting me to testify today. It's great to see some familiar faces, some new ones as well. And happy Data Privacy Day. This is a great way to celebrate. My name is Matt Schwartz. I'm a policy analyst with Consumer Reports based in Washington, DC. We strongly support H. 211. Consumer Reports is an independent, nonprofit, and nonpartisan organization. We work with consumers to create a fair and just marketplace. We have 6,000,000 members spread across every state in the US, including Vermont. For years, we've advocated at the federal and state levels for the passage of data privacy legislation that's as workable and protective as consumers as possible. Data privacy is a top concern for CR members. It's becoming even more so as more of the products that we review and we use in our lives become connected to the digital world. Before I discuss elements of the bill itself, I think it's important to understand why this legislation is so important to begin with and why an organization like Consumer Reports cares so deeply about it. It really comes down to this. Data brokers are increasingly weaponizing people's personal data against them in ways that are impossible to anticipate and leave consumers very little recourse once they realize it. Data brokers are entities that aggregate extensive dossiers on virtually every single American that include thousands of data points, including extremely granular information about our behavior, as well as inferences about individuals based off of this existing information. This information is then sold and resold, often for marketing, but for a variety of other purposes as well, which erodes consumers' basic expectation of privacy in the process. I have three quick stories to illustrate the types of harms that really make this legislation so important to pass. 
The first story comes from The New York Times' reporting around a year or so ago, where they found that major car companies like GM and Ford were secretly collecting and sharing people's driving behavior, which included information about how hard they braked, how fast they accelerated, and the precise geolocation information with data brokers. The data brokers then shared this information with insurance companies, who in some cases raised people's premiums based off of this information that consumers never knew that they allowed their car company to share with data brokers in the first place. Nobody should have to pay more because a third party secretly collected and shared their information, and that's exactly what happened in this instance. The second story is about the ubiquitous sale of our location data. There's a whole marketplace of data brokers that specialize in collecting and selling our every move, which is collected from the GPS trackers on our phones and includes visits to sensitive locations like reproductive health facilities, political rallies, religious facilities, and more. This information is collected and shared as often as every three seconds, and it doesn't take a huge leap to understand how this information being available to anyone with a credit card can put people at risk and enable stalkers, law enforcement, and others to track people down. Third, it's important to understand how even more run of the mill data broker activities can put consumers at risk. Data brokers use their digital dossiers on consumers to make incredibly invasive inferences about them. Data brokers sell lists of consumers that are sorted into categories like rural and barely making it, or credit crunched city families. In one recent story, a data broker was selling lists of people battling Alzheimer's disease. 
These lists are a gold mine for payday lenders, scammers, and other third parties that wish to target particularly susceptible consumers for scammy financial products. That's why we're so glad to see this committee consider H. 211, which would provide Vermonters with more control over how their personal data is collected by data brokers and would at least provide them the ability to delete it. This legislation makes a number of critical improvements to Vermont's existing data broker registry to ensure that it captures how data brokers really operate in today's economy. This includes updating the definition of direct relationship and brokered personal data. For example, many data brokers don't actually collect your first and last name as an identifier, but instead, they collect device level identifiers, such as your mobile advertising ID, which is associated with your phone. And the current definition of brokered personal information under law arguably does not include this information, even though it's one of the most common ways that data brokers collect data about us. This update ensures that this loophole is closed, and Vermont stays up to date with other states' data broker laws, such as California. The most critical aspect of this legislation is the creation of a centralized platform to allow consumers to delete their personal information from all of the registered data brokers in the state in a single action. Data brokers, by their very nature, exist in the shadows, and most consumers don't know who they are or if they've collected their data. And even if they did, the process of individually deleting your data from each data broker would be next to impossible. There needs to be a better way than that. California's DELETE Act provides a very promising model to give consumers more control. And we were very supportive of the earlier draft of this legislation that included a universal deletion mechanism that was modeled on it. 
That said, we understand that it's much more complicated than simply snapping your fingers and making a deletion mechanism appear in Vermont. We know that conversations between the Secretary of State and California officials are ongoing to determine what types of technological know how can be shared to potentially make that process easier. But at the very least, consumers should have a legal right to delete their information from data brokers, even if it's the old fashioned way. That's what this legislation currently does. And so long as there's a commitment to eventually getting to a system that can streamline the deletion process for consumers, we're supportive. Finally, I want to add that the latest version of the bill that you just walked through includes several common sense exemptions to ensure that the subset of data broker activities that do actually serve the public interest can continue. For example, nobody wants consumers to be able to delete their credit score from credit reporting agencies. And data brokers that are helping insurance companies or banks comply with know your customer obligations should be allowed to continue to do so. But the key here is to ensure that any exemptions don't swallow the rule. Data brokers should be exempted from deleting the subset of data that's used for those important purposes, but should not be exempt as entire entities. That's what these latest round of exemptions do. Ultimately, this legislation is about deleting the invasive marketing profiles of consumers that nobody's consented to. Vermont consumers deserve these protections, and we're hopeful that they can move forward this session. Thanks for inviting me again, and I'm happy to answer any questions that you might have.
[Michael Marcotte (Chair)]: Thank you, Matt. Questions? Okay. Thank you very much. No questions at this point? Steve? Hi, Steve.
[Steve (data broker industry professional)]: Hi, folks. Thanks for inviting me. I appreciate the opportunity to speak on this topic. I'm here representing a couple of decades of experience in the data broker industry at various different data brokers. I currently work for a company that builds software in support of nonprofits. And I just I welcome the opportunity to give you some some unvarnished perspectives from somebody who's walked more than a few miles and in data broker shoes over the years. I think I'll first say that I think it's great that Vermont is refreshing your your data broker regulations and your laws. It's been many years since Vermont passed the first one and the industry has changed a lot since then. The one there are a few things that I would really bring to your attention that I would I would encourage you to examine and, and really be as diligent about as you possibly could. And the first is to just think about that there are there's some data in my opinion that just don't need to be commercialized, they just don't need to be monetized. I've built a lot of products over the years in the data industry that made 10s and 10s of millions of dollars for customers and my employers. And by and large, we didn't need some of the data that many brokers say that they do. Now, for example, we didn't need anybody's precise geolocation, we didn't need information about people under the age of 18. We didn't need data about people's race, religion, any of those things that are on, I would say, of a union set of lists that across different states they've identified as the category of sensitive personal data. Those just don't need to be monetized at all. I don't even believe that they should be collected, but let alone brokered. It's just not necessary for the industry to succeed. 
And if you have folks who are are are telling you otherwise, I would encourage you to reach out to me and we can have that conversation because I know that it's not true because I succeeded without them for better part of twenty years. The other thing I would encourage you to consider as you're moving through this legislation is the nature of who qualifies as a data broker. And this is something of a broken record for me. And that is that there's what I call first party data brokers and third party data brokers. And the person who just spoke, I agree with a lot of what he says around the third party data broker industry. There are frankly, there are bad actors there. Know, without getting into specifics, you don't move through that industry for years and years without dealing with some people that are frankly a little unsavory. That's just the truth. However, there are also third party brokers that are doing their best to stay above board, follow the rules, color inside the lines. And the truth is data brokering is not going anywhere. We need to put constraints around it. We need to design limitations on how as a civilization we want people's data to be treated. But data is going to be bought and data is going to be sold. It's woven deeply into the fabric of commerce at this point, and it's not going away. So that's why I'm really encouraged that states like Vermont are taking another look at how those constraints are going to work. Those are the third party brokers, right? The people with whom the consumer doesn't have a direct relationship. And that's what most people think of when they think of data brokering, because that's how it's sort of been defined in the zeitgeist of social media and elsewhere. But I would wager to say my paycheck against against yours, that the majority of data that gets brokered in in the economy happens with what I call first party data brokers. 
And those are companies that through some way, shape or fashion have secured some form of consent or permission from the consumer to sell various parts of their data. And for a long time now, decades, that the nature of that consent has served as sort of an all access all pass to go ahead and broker that data. And I'm here to tell you that I think that needs to stop. That some things just should not be allowed to be consented to, right? If you go back to those sensitive personal data, that's one group where I'm sorry, there's just there's no consent that says you should be able to sell the data of a 14 year old child. That's just it's just wrong. We all know it's wrong. So let's stop doing it. There are also first party data brokers that then have what I call the affiliate partner and subsidiary networks, these vast networks, where people are selling, buying, trading data about each other. And if you ever really want to understand exactly how distributed and vast that is, go ahead and in say someplace, for example, if you ever go to Europe with your phone, open up your phone, and rather than just accepting the cookies, go through and look at exactly how many organizations your data is going to go through, you will see literally thousands on any given spot. That's not unique to Europe. That is in fact definitely happening here as well. And all of that would operate under this banner of consent would be those first party data brokers. I don't believe it should matter. And that's why I'm excited when I heard about things like a legitimate purpose in your legislation. I think that should be the thing upon which your regulatory focus pivots is what is the data being used to do? Forget about whether some 19 year old said yes to something on their phone. That's just not good enough. It's just not. What should be good enough is society saying, hey, look, there's certain things you don't get to do with data and certain things you do. 
And I don't really care what somebody clicked on on the website. I just don't. Because again, a lot of those things, the data industry doesn't need them to to succeed. I didn't need them. And there's nothing special about me. So there are some things that I really encourage you to think through as you as you as you talk this issue out. And the first is, which data just are a hard pass? No, the answer is no, you don't get to monetize them in Vermont. There's a list of those that's easily accessible. My home state of Oregon has a pretty good list of sensitive personal data, you could use that as a proxy to begin with. And the other is who counts as a broker, I strongly encourage you to expand that definition as much as you reasonably can to accomplish as many businesses that are buying and selling data about people as you can. Because otherwise, what's going to happen is the data brokering itself, you're going to squeeze the balloon from an economic standpoint. And what will happen is a lot of the third party data brokers, they'll hyper specialize, which is happening a little bit already. And then the first party data brokers will take up the slack. And they will be outside the purview of data broker regulation, which in many cases is already the case. California has kind of done a bit of like a head fake in that direction where they say if you have any third party data about someone that was not data you got directly from the consumer is not a bad start, but it's only a start. And I'd encourage you to just sort of take that logical next step and say look first party third party doesn't matter. Some things you don't get to monetize. And if you're if you're brokering data you're a data broker. Right? It doesn't matter. It it doesn't matter what kind of house you're selling. If you're selling a house, you're a real estate broker. Just because I gave you permission to sell my house, doesn't mean you're not a real estate broker. Quite the opposite. 
So, I'd encourage you to think of data the same way. And then the very last thing I would really encourage all of you to think about is I see that the accessible deletion mechanism was I'm gonna call it downshifted into a study to see how that would work. So long as the nature of the information that consumers are able to provide is broad enough, right, so that you can provide, say, a number of your different email addresses to the state and a number of your different physical addresses and a few different phone numbers. As long as you've got a broad enough input data set, it is very achievable for data brokers to use that input and take someone out of the system. I know because I was the guy who built those four systems. It is absolutely achievable. Now, what you can't do is say, only input one email address, because then you're going to get a lot of brokers saying, well, we can't find Steve at, you know, stevebroker dot com. We don't have him and they'll be telling you the truth. You've got to collect a broad array of data from from consumers. And if you do that, then just about any broker worth their salt is going be able to find that person, resolve to them as an entity, take their profile and put it on a shelf. You don't want them to delete it. Deletion is a bit of a misnomer. You need to take it out of production Because if they literally deleted it, it's gonna come back around next time they get a new pile of data coming in, because they're building new data every week, every month, and you need them to keep that data so that when they rebuild their database, Steve doesn't come back in even though he deleted himself. So those are the things I would really encourage you to focus on. Those are the things that if you have any questions about how it sort of works under the hood and behind the scenes, I'm very willing to answer those questions. And with that, I'll yield back whatever the rest of my time is.
[Michael Marcotte (Chair)]: Thanks, Steve. Appreciate that.
[Monique Priestley (Clerk)]: Yeah. Thanks, Steve. I have a question. I was so because of the committee assistance around, like, the people kind of the mechanism, the stop gap that we have with having the list of the opt out links on the secretary of state's, like, broker listing and having to click each of those. And then the concern about the number of clicks and things it would take. I was just curious if you could, like, speak a little bit about your experience seeing, like, different dark patterns or multiple pages or things like that that that we might need to consider if if we are gonna use that as a stop gap?
[Steve (data broker industry professional)]: So dark patterns are a legitimate concern in that regard. Some of the less savory brokers will will probably make it a bit of a point and click jungle if if allowed to do so. But it but it doesn't need
[Michael Marcotte (Chair)]: to
[Steve (data broker industry professional)]: be. There are definitely quick and easy ways for people to show up, provide their email address, and then the the the email address or whatever the best input is for for that broker could be a street address, could it may it be a social number, although I don't really think there's a need to collect those so much. And then from that single point of information, the consumer should be able to get a confirmation that says, yes, Steve, we see you, And we're gonna send you an email to validate your deletion request. I get that email. I click on, yeah, I want you to take me out. Done. It really is that simple. It's not. It doesn't have to be a huge onerous task. And and a lot of brokers have already set that exact same process up. I set one up that same way. So this would not be something that would be, you know, a brand new requirement that they've never seen before. They've already done this in other states. So I think in that intervening period where you haven't set up your own deletion mechanism yet, telling brokers they have to, you know, let someone put in their information and get an opt out signal in, you know, less than three clicks, for example, is a perfectly reasonable thing to ask.
[Monique Priestley (Clerk)]: Steven, another question. Do you see anything, especially with the exemption section we had to add or in general? I know just questions I've gotten on a hallway and things like that. I'm curious if you see any interruption that this would cause when it comes to, like, banks, insurance companies. In particular, like, trying to conduct, especially, like, identity checks and just kind of the average course of
[Unidentified Committee Member]: business of Yeah. I mean,
[Steve (data broker industry professional)]: there there are are exemptions that are valid to make sure that the economy is chugging along. That's that's definitely true. For example, I think that, you know, creating an exemption for very specific and I think needs to be pretty well defined fraud checks because fraud is an umbrella that that sometimes gets spread out over things that are not necessarily fraud prevention. So you need to be very careful on how that gets operationalized either in the statute or the regulation. But I don't agree with and have not really seen a specific use case by use case need for what's called entity level exemption, where if if you you work for an organization and they have a lot of data, and just because some part of that organization is subject to, for example, GLBA or FCRA, that doesn't mean the entire organization should be exempt from the entire statute. That just just doesn't hold water from an operational standpoint because in businesses that have these these large amounts of data, very typically, very typically, the operations of those businesses will be carved out into various departments or teams that focus on one thing or the other. They'll be focused on FCRA products. They'll be focused on anti fraud products. They'll be focused on marketing products. And to exempt all of that because one team has a need, it's just it's just not logical. It's just not defensible. It's I I think of it as if, you know, the guy on the street question, if you got if you stop the guy on the street corner and you said, should everybody get a free pass because there's one legitimate exemption on one of seven teams, you don't have to know anything about the industry to know that that doesn't make sense. So no, I do believe there should be pointed and specific exemptions for economic activity that that we can't have come to a halt. But but that's not the but that's not a good enough reason to just give an entire business a free pass in every way. 
That just doesn't hold water and it's just not how data gets productized.
[Michael Marcotte (Chair)]: Questions? Great. Steve, thank you very much. You're welcome. John? Good afternoon.
[John Davison (EPIC)]: Good afternoon. Thank you for the opportunity to testify in support of h two one one. My name is John Davison. I am the deputy director and director of enforcement at the Electronic Privacy Information Center or EPIC. EPIC is an independent nonprofit research organization in Washington DC. We were established in 1994 to protect privacy, freedom of expression, and democratic values in the information age, and we have long advocated for adoption of robust privacy laws at both the state and the federal level. Like Matt, I wanna wish everyone a happy data privacy day, which is observed annually on the January 28. I think it's appropriate that this hearing is occurring on the global celebration of data protection and the fundamental right to privacy because what better way to honor the importance of privacy rights than by considering legislation to enshrine those rights into law. EPIC deeply appreciates the work that the committee has undertaken on h two one one. Vermont has long been a leader, of course, in reining in the out of control data broker industry. However, we do urge the committee to retain the accessible deletion mechanism from the previous draft of the bill as it represents the next critical step in imposing accountability and enforceable limits on the companies that prey on some of our most sensitive personal information. There's really every reason to think that an accessible deletion mechanism that operates like a do not call list will be a broadly popular one. We actually just heard yesterday from California's California Privacy Protection Agency, Cal Privacy, that the analogous delete request and opt out platform or drop mechanism has received a 191,000 consumer sign ups in less than a month of existence. And that is really quite staggering even for a state of California size given that the data broker industry often operates in the shadows in a way that is unseen and unknown to many consumers. 
But brokers pose a threat to us all through the vast range and depth and scale of the personal data sets and products that they market. For example, data brokers facilitate stalking and harassment by selling addresses and location data, a trade which poses special risks to domestic abuse survivors who are seeking to avoid their abuser their abusers. Excuse me. And as a result of that, survivors may avoid seeking legal services that require personal information, thereby limiting access to necessary support. Data brokers compile and sell information such as immigration status, and employment history that can be used to discriminate against immigrants, denying them jobs, housing, credit, and other opportunities. And at the same time, agencies like ICE and CBP purchase extensive personal data on immigrants from brokers for use in enforcement campaigns. As recently as last week, ICE issued an official request for information on how big data providers can, quote, directly support investigations activities. Data brokers also pose a well documented threat to national security. In 2023, Duke University researchers found that data brokers sell sensitive data about active duty military members, veterans, and their families for as little as 12¢ per record. A 2024 investigation discovered that data brokers sold location data, which could be used to track the location of service members stationed at US military bases around the world. And data brokers create a heightened risk of violence to public officials by selling data points like home addresses, names of close relatives, phone numbers, and location data. Last year, court documents showed that the gunman charged with assassinating Minnesota state representative Melissa Hortman and her husband and shooting state senator John Hoffman and his wife had first consulted online people search websites to find their home addresses. These are just a few examples of how a largely unregulated data broker industry can harm Vermonters. 
These examples reflect a broader truth. Our personal data can be a powerful weapon in the hands of the highest bidder, depriving us of our privacy, our safety, our peace of mind, and our control. Establishing a centralized accessible deletion mechanism would dramatically shift that balance in the favor of the public, giving Vermonters an easy one stop way to restore control over a key part of the personal data trade. While EPIC continues to support the adoption of robust comprehensive data protection legislation that would impose strong data minimization requirements and largely eliminate the need for opt outs, establishing a central and accessible deletion mechanism would be a major step forward for privacy and data protection even on its own. I wanted to appear today here to convey our enthusiastic support of h two one one, but unfortunately, the latest draft of the bill represents, in our view, a missed opportunity to adopt that accessible deletion mechanism and relies on a significantly weakened and more cumbersome broker by broker deletion system. Although the draft does establish a right to have information deleted, which is something we certainly support, it puts the onus back on the individual to manage deletion requests one by one, which can be exceptionally time consuming, expensive, or both. We support h two one one to the extent that it brings Vermonters one step closer to the accessible deletion mechanism that this bill originally contemplated and that some of their fellow citizens already enjoy. But again, we do urge you to restore that provision today and not miss this opportunity. Data brokers certainly aren't biding their time. I thank you again for the time the opportunity to testify, and I welcome any questions you may have. Thanks.
[Michael Marcotte (Chair)]: Thank you, John. Any questions? Monique?
[Monique Priestley (Clerk)]: John, I was just wondering hopefully, this is a very quick question to ask you on the spot. But I was wondering, so are you open with things like the stalking and tracking service members and things like that? But I think from public tours and stuff I've been doing of trying to I was wondering if you can speak a little bit to the kitchen table type of ways that data broker data is used, especially in surveillance pricing and discriminatory pricing and things like that, where it's used for things like insurance rates or it's used for things like their grocery store prices or, you know, stuff like I'm just wondering if you could talk a little bit about that economic impact to the individual person based on broker info.
[Steve (data broker industry professional)]: Yeah. I think I think
[John Davison (EPIC)]: Matt alluded to some of this, and I appreciate the question. It is absolutely part of of the ecosystem that retailers are relying on to set prices in ways that, you know, really aren't obvious to the consumer based on data that may or may not be accurate and in ways that are unseen typically to the consumer. Prices are being increased based on the the retailer's expectation as to what you'll pay, you know, something that's calculated based often on data broker purchase data sets and the use of data broker tools. And so it really does hit consumers in the wallet in addition to all of the safety and privacy and sort of peace of mind concerns that brokers raise.
[Unidentified Committee Member]: Thanks.
[Monique Priestley (Clerk)]: John, do you see anything in the bill that would interrupt kind of the the business of the entities that we that are doing, like, proper use of broker data that we need to continue, like the identity verification, insurance, day to day insurance operations and things like that. I'm trying to echo your question. You're not asking over and over again.
[Unidentified Committee Member]: I've stated over and over what I've stated and it's not being addressed, and that's okay.
[Monique Priestley (Clerk)]: No, still trying to get it addressed. No, no,
[Unidentified Committee Member]: I know. It's not being addressed, it is what it is. So I've given up. Would
[John Davison (EPIC)]: you mind restating the question? I I apologize. I I'm not sure which one we're referring back to.
[Monique Priestley (Clerk)]: Can you ask your original question?
[Unidentified Committee Member]: The problem that I'm having with this is that it's going to affect financial institutions that use this and rely on this data. And I know that everybody keeps on saying that, Oh, it's going to be fine. But I feel like the people that are saying that have not used the data to do things. And you talked, I think you said $0.12 right? Did you say $0.12 for someone's data? Somebody said that. Somebody said it was $0.12 to purchase someone's data. And $0.12 to purchase that data and being able to do things with that from an organization that is regulated by whatever organization or whatever regulation entity there is, that cuts down at the bottom line cost of processing. And that makes everybody else better off. You have cheaper rates when people are able to use that data for stuff or whatever. And I just, I feel like this is not addressing that issue. And that's okay. I mean, I'm perfectly fine with, it is what it is.
[John Davison (EPIC)]: I mean, a couple of thoughts on that. Think first, I think this is at least the accessible deletion mechanism that was contemplated under the prior draft, maybe now is is subject to a study rather than being established outright. That is it is an opt out mechanism. It is something consumers have control over. They can decide whether to opt out or not. And I think if if companies are of the mind that this data is necessary to permit you know, to provide discounts to make it more affordable for consumers, I think that's a case they can make to consumers, and consumers can decide for themselves whether they want their data to be part of that ecosystem. This is not a hard stop on on data brokerage. It is an opt out mechanism that that consumers can choose to use or not.
[Unidentified Committee Member]: But the issue at hand is that the data becomes untrustworthy. And I think that's where the exception to having those organizations being able to access that is why I think it's important. And that's, like I said, it's all good.
[Michael Marcotte (Chair)]: Herb? Okay. So, Dean, Herb Olson, are there do other states have exemptions from regulated industries or not?
[John Davison (EPIC)]: There are In
[Michael Marcotte (Chair)]: terms of the in terms of the deletion fund?
[John Davison (EPIC)]: I I believe the the California Delete Act has an exemption for data covered by the Fair Credit Reporting Act and the GLBA and possibly a handful of other statutes, HIPAA. One there there are others. I can't recall them all off the top of my head, but this is this is something that exists, at least in principle and other
[Michael Marcotte (Chair)]: frameworks. Thank you.
[Unidentified Committee Member]: John,
[Michael Marcotte (Chair)]: thank you very much.
[John Davison (EPIC)]: Thank you all.
[Michael Marcotte (Chair)]: Do you want this to talk today? No. He he Okay. You know what you're doing? Good afternoon. Good afternoon.
[Thomas Weiss (Montpelier resident, civil engineer)]: I am Thomas Weiss, a resident of Montpelier and a civil engineer. And I do have a letter with some recommendations on your Internet site. I'm not gonna show it on the screen, but if you wanna follow along that way, you can or you can just listen to me however you wish to. These comments are based on draft 1.2. I hadn't seen the the new one, so there'll be some potential changes. It's been a while since I have testified on data brokers and data privacy. I testified in support of the original data broker bill, which became act one seventy one in 2018. I see h two eleven as continuing that work and is advancing the ability of Vermonters to control the uses and distribution of their personal data and as addressing some of the deficiencies that had not been addressed by the original data broker act. One of my concerns then and still is is that data elements, as I call them, might be protected in one subchapter of chapter 62 and not in another. I figure if a data element is worth protecting in one subchapter, it's worth protecting in all of them. The legislature made has made significant strides in this regard over the years since the data broker bill was passed. H two eleven proposes succeeding the long list of data elements for brokered personal information with a description of the characteristics of brokered personal information, and thus, we don't have to keep adjusting the list as technology changes, and I think this will be a benefit. The first data broker, I found dismaying, and it proved points made during some of the testimony on act one seventy one. There were so many data brokers that it would take an inordinate amount of time for me or any individual to keep track of them and figure out which allowed opt outs and the conditions the data broker imposed in order to in order to opt out. Then we heard this year that data brokers change identities so that even keeping track of them is difficult. 
We opt out for one data broker. It changes itself into another business. We have to start over, I guess. So I appreciate the addition of the accessible deletion mechanism to make it easier to give consumers more control over the use of their data, and this is a change having been, as one of the previous witnesses said I think he said use the word downgraded to a study. If it gets downgraded to a study, I would hope it gets up implemented really quickly. The introduction of a second section on notices of data breaches can cause some confusion. The original section twenty four thirty five is for data collectors and covers personally identifiable information and login credentials. The new one is in section twenty four thirty six, and that's for data brokers and covers brokered personal information. We need to remember that a data broker is also a data collector by the definitions. When a data broker has data breach that involves both personally identifiable information, data collectors, and brokered personal information, does the data broker have to follow both sets of notice requirements or just one? I believe that all the listed elements of personally identifiable information meet the new definition of brokered personal data. So my comments recommended a way to make it clear that all the elements of personally identifiable information also meet the proposed revision to the definition of brokered personal information. So a data broker need to only follow the notice provisions for data's broker security breach. The definition of a direct relationship has some potential ambiguities that I ask you to consider and resolve. I do make some recommendations. One example is the recordings of this committee that are posted on YouTube. The only way I can see them, I believe, is to go to the YouTube site. Does that mean that I have a direct relationship with YouTube even though I have never posted anything on YouTube, even though I don't have a contract to use them? 
I think it should not, making any data that YouTube collects on me broker personal information. One of my concerns with the original data broker act and subsequent bills is that definitions are not uniform throughout chapter 62. I noticed that there are some definitions in subchapter six that are duplicated in h two eleven's subchapter one, and I was busy doing other things in this building when subchapter six was act was added, and I didn't catch it. So definitions in subchapter six apply only to that subchapter, whereas the definitions in subchapter one apply to all of chapter 62. So I suggest that definitions that are in subchapter six that are the same as proposed to be added to subchapter one be deleted from subchapter six and let them be covered in subchapter one. Also, there are some definitions in subchapter six that define terms. One of them is affiliate. Somebody mentioned that earlier today, which that word is also used in other subchapters of chapter 62. So I suggest moving them up to subchapter ones that they do apply to every time that word is used within the within the bill or the statute because I'm optimistic that you're going to pass this bill this year. So I appreciate, again, that h two eleven proposes that data brokers register within thirty days of collecting data on Vermonters instead of the year that it takes under the current statute. However, I think they ought to register before they start working with Vermonters data. Most professionals, including me as a professional engineer, have to register before we can start practicing. I suggest that that could be applied to data brokers as well. I appreciate the credentialing section. I understand it's actually been moved into into a different section, but I suggest that you add a requirement that the prospective user is false is registered as a data broker as one of the things that the data broker who's selling the data has to check on. 
So it'd be added the selling data broker would have to check check that. And, anyway, there's two parts. One relates to the user and one relates to the data broker, and I think it should be added to both of those subsections. And I so the right to delete has caught me by surprise, so I don't have any comments on it now, but I might have comments later after I've looked at it. And the last item, I have reviewed the amendments that I had proposed in 2018 when the original data broker bill was being created. Many have been addressed either in act one seventy one in subsequent bills and now in h two eleven. Unfortunately, some of the more significant have not been addressed. The crime of data trafficking was not created. Some of the speakers before me referred to it in different ways. Data just shouldn't be brokered. It would be the crime of data trafficking would be for information too sensitive to be sold or transferred, information that should only be directly obtained from a consumer. There is no prohibition on the repurposing of data from the purpose for which it was originally created, and one of the other witnesses didn't use those words, but he expressed that that idea. And there are still too many paths for consumers never to be notified of data breaches, and also the delay between the time of the data breach when the consumer is notified is too long. I have an enclosure to the letter, about a two page letter and a five page enclosure, which provides specific recommendations that I believe will improve h two eleven by strengthening Vermonter's control over the use and distribution of their personal data. I ask that you find the recommendations in the enclosure have merit and that you incorporate them into h two eleven, and I thank you for listening to my testimony today.
[Michael Marcotte (Chair)]: Any questions? Thank you very much. You're welcome. So why don't we take take a few minutes to take a break and do that clear. I'm sure it's a little bit more.