Meetings
Transcript: Select text below to play or share a clip
[Rep. Michael Marcotte (Chair)]: Good afternoon, everyone. This is the Vermont House Committee on Commerce and Economic Development. It is Tuesday, 03/10/2026 at 01:05 in the afternoon. So this afternoon, we are starting with h 11. Again, an act relating to data brokers and personal information. So we have our legislative counsel with us, Rick Siegel. Good afternoon, Rick. Thank you for joining us. Good afternoon. Kirk Sagal with the Office of Legislative Counsel. I thought the cookie was for me, I'm glad I waited for the cookie when I walked in right here. I found someone who's looking for me to And you didn't eat it? Didn't eat it.
[Kirk Sagal (Office of Legislative Counsel)]: No, I'm glad I didn't, that's out of respect.
[Rep. Michael Marcotte (Chair)]: You should never know.
[Kirk Sagal (Office of Legislative Counsel)]: Exactly. Oh, would you was that not left there by you? He would have known it wasn't you that they hit. You all would have said something. I like you. You don't want to be talking. Okay. So we're looking at draft 5.1 of H2.11. I'm going to share here in a second. The changes from I believe 4.1 was the last draft that I did a walk through. So the changes are in yellow and I figured I'd go in just chronological order of those changes. Okay, so the first change is in the definitions and we're on page eight. In the last draft, may remember BFR requested the definition of personally identifiable information. This was this definition is used in these And the change was to open up that definition to not require the first name and last name and just require that those data points that are listed below. They testified and you heard additional testimony that that may not be the best idea. While the language is in yellow, that is current statutory language. I'm showing you all that we are reverting back to the current statutory language, but there is so it still means, I think it's first or first name or first initial and last name in combination with one of the following data elements. The new language is that subject to the exception in Subdivision C of the subdivision that you can assign. So you still must have the consumer's first name or first initial and last name along one of these data elements to be a security breach notification. However, at the very bottom on page 10, personally identifying information does not require a consumer's first name or first initial and last name if any of the data elements contained in an AI-seven. It's sufficient to clean up or consumer, attempt to clean up and that is all these elements of social security number, driver's license, and so forth. This was suggested by DFR. Apparently Georgia has a similar way of regulating their Data Breach Security Notice Act. Here, this does give DFR and the agency some leeway in whether or not to move forward with a violation of the act. I haven't answered your question because it's not
[Jamie Renner (Vermont Attorney General’s Office)]: Well, actually, this has to be do you understand what the difference is between personally identifiable information and personal information, which comes up in the context of the definition of broker, personal information.
[Kirk Sagal (Office of Legislative Counsel)]: Broker, personal information. So personal information is not a term in this Broker, personal information, and personally identifiable information are two different definitions. Brokered personal information, it's a good question. Brokered and let me also clarify, this definition of PII is just used in the Data Proof Security Notice Act. Okay. This does not really affect I mean, brokers are subject to that act, but for the most part, this is just specific to that Security Breach Notice Act.
[Jamie Renner (Vermont Attorney General’s Office)]: So the Broken Personal Information definition is in there because it's needed to apply to the broker the data brokerage award requirements. Okay.
[Kirk Sagal (Office of Legislative Counsel)]: But they are different. So it's still a good question because I think others may have the same question. So the broker personal information is, it means, scroll down, and this hasn't changed from the bill as we walked through last time, any information that is linked or reasonably linkable alone or in combinations of their information to an identified or identifiable individual or to an advice that identifies or is linked to one or more identified or identifiable individuals. So that could be your address, right? That could be that's not PII. PII is more sensitive information like your social like your privacy sensitive. Does that make sense?
[Jamie Renner (Vermont Attorney General’s Office)]: Yeah. Yeah. I think so.
[Kirk Sagal (Office of Legislative Counsel)]: So I'll put it this way. A a breach of broken information does not necessarily invoke the security breach the act. If they invoke the data broker, security breach of the act is also in this bill, but that's not your personally right.
[Jamie Renner (Vermont Attorney General’s Office)]: Okay. Yeah, that I let me look. Yes, I get that. Let me look at it.
[Kirk Sagal (Office of Legislative Counsel)]: Shall I continue? Okay, so we are in the definition section still moving past PII on page 10. Okay, on page 13 this is in the definition of sale. So adding in, because the word affiliate is used in sale, defining affiliate, other data privacy logs, and S71 and the data privacy rule includes the definition of affiliate. So it's requested that the bill define affiliate. It means a legal entity that shares common branding with another legal entity or controls or is controlled by or is under common control with an individual entity. So because the word control is used, again, other bills do this too, so defining control, it means ownership of or the power to vote more than 50% of the outstanding shares of any class of voting security of the company, control in any manner over the election of a majority of directors or of individuals exercising similar functions, or the power to exercise controlling influence over the management of the company. Is controlling it's written Roman numeral three. Controlled means the power to exercise control means. Is controlling influence again? I think if you look at one, more than 50% is kind of a catchall saying that your company is structured in some other way, that the bill is not clarified, that if you have this power to influence management, you clearly have more than 50%, but happy to entertain. This is the language from the other data privacy policy, so happy to entertain that change, but have not had that one come up before.
[Jamie Renner (Vermont Attorney General’s Office)]: So the C, Gilead means blah, blah, blah, that shares common branding with or control. So you could be an affiliate if you meet the control. What's the common branding? What's that?
[Kirk Sagal (Office of Legislative Counsel)]: So it would be, it's not defined. So it would be you know, maybe a subsidiary, a company that shares similar logo, similar name. They sound the same, the same. It's meant to avoid a this gets come up in this committee where you sell your company to a third party to avoid the law, avoid following the law, if that makes sense. So in this case, that's what this is trying to avoid is that an affiliate is someone that has a similar branding or is controlled by
[Jamie Renner (Vermont Attorney General’s Office)]: But they don't meet the control test? Well, or
[Kirk Sagal (Office of Legislative Counsel)]: it's either. So you could be both, which is fine. Right. But yeah, it's either or. And again, is just for sale. This is just how point of sale is defined. This is not those wartime used throughout the building anyway, so this is just for the definition of sale. Okay, moving on, we are now on page 15, This is section 2,431, some changes to the disclosure requirements of data purpose. So this subsection B disclosure was in the previous version, but it's been revamped like it's been rekind of shuffled, so I'll read the entire subsection. Disclosure. A data broker shall maintain procedures that require prospective users of the data brokers' appropriate birth information to identify themselves, state the purposes for which the information is sought, and certify that the information shall be used for no other purpose. Shall prior to disclosing broker personal information to a prospective user and pursuant to Submission one of the subsection, make a reasonable effort to verify the identity of the prospective user of the information, and review the user stated purposes for which the information is sought, and shall not disclose broker personal information to a prospective user if the data broker has reasonable grounds for believing that the information will be used to violate state or federal law or will not be used for the purposes stated by the user pursuant to the subsection. What was the line three there? So furnish, my understanding that's a it's not a term of art necessarily, but the Fair Credit Reporting Act uses that term and to avoid confusion. Disclose is more I think commonly used just to show, display, provide. Any other questions about subsection B? Okay, moving on to page 20. This is the security breach notes that DFR requested, I think they testified to this, that under current enforcement, they are limited to enforcing this against entities that are unlicensed or registered with DFR. And apparently there are times where these entities are not registered and they're acting unlicensed in the state. But if they're regulated by DFR, they conduct visits in a way that would make them regulated by DFR, that would allow GFR to enforce the Security Breachment Act, so changing licensed or registered with to regulated by. And I believe also the other portions of the bill referenced regulated by it, so it makes sense to match those up. That they are actually regulated by or that they should be regulated by whether they are or not? Well, that they are, right? So that this entity that has caused this data breach may not be registered with the state for good or bad, Maybe they're not following the law. However, they are regulated because of what they do in the state because they handle financial information and that would make them longer. Going to page 27, a big change, we're going to the word and. I'll explain that here in a second. It's just we're adding subdivision five, so getting rid of the word and, but I don't hide anything. Going The to be removed and it's going to
[Rep. Michael Marcotte (Chair)]: be really important. I'm not going to highlight it
[Kirk Sagal (Office of Legislative Counsel)]: because I'm excuse you or something. On page 30, we're at the end here, Subdivision 4, The Secretary of State's office requested subdivision I, again page 30, it was linked and David Hall came to test Brian's preferred that it be a URL, which means they don't have to make sure the link works, that it's just a URL, a set of characters that link to a website or to a webpage. You. Page http:: then that's the URL. So I will say that does remove their responsibility to ensure it works, right? So a data broker could change their website, their domain, right? And then the link's not going to work, but that's not the Secretary of State's responsibility. Okay, here is the and on page 31. So adding back the word and on line four, and then adding, this was a replete from the segregated state again, five, amend. So a data broker shall amend an existing registration. The data broker has with the segregated state if required by the section or by the state upon the payment of an administrative fee of $100. I don't know if the if y'all talked about what the fee should be. I I so they're they're welcome to change that, but right now, it's it's just not on. Okay, this language was added because, if you're down here on page 32, the bill several times requires a data broker to amend their registration, so it wasn't clear that the Secretary of State had to provide that ability, so now we have that ability and now we cross reference it that pursuant to that subdivision, that if you omit information, if you do not provide the URL of your deletion system, then you have to provide that through an amendment. The other change is on line six. The words discovery and or previously it was just receiving, and I believe again it was the Secretary of State that requested that it not just be their responsibility, that if the data broker discovers like, oh, we forgot to include the URL, they have to do that. Same thing on lines 13 through 15, this is if they file materially incorrect information that you must file an amendment after you discover or receive notification that there is incorrect information. Page 37. This is the consumer wide web page.
[Jamie Renner (Vermont Attorney General’s Office)]: Can you just go back a couple of things? And we've probably been over this, but I because I when I somehow the memory cells fail. On page 35 at the top.
[Kirk Sagal (Office of Legislative Counsel)]: 35 at the top. Okay. Yeah. So let me know why. That's
[Jamie Renner (Vermont Attorney General’s Office)]: it. So these are exemptions.
[Kirk Sagal (Office of Legislative Counsel)]: Exemptions from having to delete. Yes.
[Jamie Renner (Vermont Attorney General’s Office)]: Correct. Doing And this calculation. Is an example of that a bank or an insurance company or not? Well, maybe, maybe not.
[Kirk Sagal (Office of Legislative Counsel)]: So we've got reference 20Four-thirtyEight-6B. So let's look at that. Oh, okay.
[Jamie Renner (Vermont Attorney General’s Office)]: All right. Dirty. Right, that's the definition.
[Kirk Sagal (Office of Legislative Counsel)]: So it means a consumer that has intentionally interacted with a business for the purpose of accessing Oh, so you'll see all those on page four and then on page five. Accessing, purchasing, using, requesting, or obtaining information about the business's products or services. The consumer does not have a direct relationship with the business if the purpose of the consumer's engagement is to exercise a consumer rights or for the business to verify the consumer identity. A business does not have a direct relationship with consumer simply because the business collects brokered personal information directly from the consumer, the consumer must intend to interact with the business. If business is still a data broker and does not have a direct relationship with the consumer as to the broker's personal information, the business sells by the consumer that it collects outside of a first party interaction. So your question was if a bank would be For example. Yeah. So are you saying that the bank is processing the information on behalf of the data broker?
[Jamie Renner (Vermont Attorney General’s Office)]: Well, going to thirty two or something, I think it was talking about data brokers sales.
[Kirk Sagal (Office of Legislative Counsel)]: Process solely in the data brokers' capacity as a process into your business. Okay, so sorry, so the consumer, let's say It's service to a business with bank. With bank A. And bank A has this data broker processing whatever it needs to have processed. So yes, because the consumer has that direct relationship with the balance sheet and if that data broker is processing that data solely. So that's a really important word. Yeah, that's how I read it, and it's got it that's very specific.
[Jamie Renner (Vermont Attorney General’s Office)]: No, I understand, thank you.
[Kirk Sagal (Office of Legislative Counsel)]: Going back down to page 37, this is the consumer rights web page provided by the Secretary of State's office replacing link again with URL. So I have three highlighted because I removed three or four, which was secretary of state providing a form that consumers can use to send or some kind of letter template that they can send to the data broker if data broker does not delete their information. Think David Hall testified that would be difficult because food situation is different and didn't feel like one tablet would be sufficient for consumers to download. So that was when it was fun.
[Jamie Renner (Vermont Attorney General’s Office)]: Sorry to ask you a question here. I'm looking at the enforcement, not the new language, the enforcement. Do I take it from that that the attorney general's only enforcement authority, making sure that the data broker is complying with this subject or whatever, is a court action? Maybe there's something else somewhere else that there's other remedies.
[Kirk Sagal (Office of Legislative Counsel)]: So the question is whether the AG has just what you're seeing here, that paragraph.
[Jamie Renner (Vermont Attorney General’s Office)]: Because usually they have investigation, you know, other types of pieces of the puzzle in terms of how they force. So I'm gonna
[Kirk Sagal (Office of Legislative Counsel)]: I can see this one pulled the subchapter here. Okay. Because most of the sections have enforcement in them. I want to make sure that I've given an accurate answer as to what they have enforcement up here because it could be that that's it, but I want to make sure. Make sure it hits screen.
[Rep. Michael Marcotte (Chair)]: So
[Kirk Sagal (Office of Legislative Counsel)]: this is the Title IX Chapter 62, this is where the Data Broker regulation is, and we are looking at section
[Jamie Renner (Vermont Attorney General’s Office)]: 24.6.
[Kirk Sagal (Office of Legislative Counsel)]: Okay. So currently it's 2446 annual registration. So correct for the registration piece, they just has this enforcement mechanism, which is to get the, you know, because they owe these penalties, right? If the data brokers are not paid, it's not registered, they have that information, right?
[Jamie Renner (Vermont Attorney General’s Office)]: Yeah, I'm thinking about the obligations to delete or not delete or whatever, the new stuff that we're adding into the application. Oh, there we go.
[Kirk Sagal (Office of Legislative Counsel)]: So this is why I pulled the the the chapter because this is sub chapter five, which is let's go back up. So for this whole data perfection chapter, there's two sections currently,
[Rep. Michael Marcotte (Chair)]: thousand four hundred twenty six and two thousand four forty seven.
[Kirk Sagal (Office of Legislative Counsel)]: So for this sub chapter, all this says chapter. I wanna make sure that's correct. They have enforcement. This time I need to double check them anyway because Okay. They do have enforcement. Yeah, know that's true. So if they wanted to, you know, conduct an investigation, they would have the authority.
[Jamie Renner (Vermont Attorney General’s Office)]: Around Yep. Whether data broker was properly compliant with the requirements for maintaining data and deletion all that stuff.
[Kirk Sagal (Office of Legislative Counsel)]: Back to the bill. Just about it, the last change is in the study. You may remember that the Secretary of State is going to be a study that will review the feasibility of this deletion mechanism. Be changed at the very end. The date for their interim report I think was July 2027, not it's December 2027 because their final report is due December 2028. And then an appropriation, I think there's a request that they have a consultant help them with this study. So the appropriation, which is not currently in the bill, you all can tell you what you want if you want to do that. So some some kind of amount is or is not appropriated to fund the cost of this consultant. And the effective date, again, of the secretary's wanted some time to build this registration system update would be 01/01/2027.
[Rep. Michael Marcotte (Chair)]: Any questions for Rut? Thank you, Rut.
[Kirk Sagal (Office of Legislative Counsel)]: I'll hang around for a little bit. So you guys know. Okay. I do have someone to go to.
[Rep. Michael Marcotte (Chair)]: Matt?
[Matt Schwartz (Consumer Reports)]: Hello. Good afternoon. Members of the committee, thank you for inviting me to testify again today. My name is Matt Schwartz. I'm a policy analyst with Consumer Reports based in Washington, D. C. Consumer Reports continues to strongly support H-two 11. As a reminder, CR is an independent nonprofit and nonpartisan organization that works with consumers to create a fair and just marketplace. We have 6,000,000 members spread across every state in The US, including Vermont. I primarily want to focus my comments today on the new exemptions contemplated by Section 2,446 of the bill, not any of the new amendments discussed today, which I think we're all good with. One of the top themes that I heard last week was the discussion of kind of entity level or data level exemptions versus the use case based exemptions that are currently in the legislation, and particularly how they relate to financial institutions. So to me, giving consumers the choice to erase personal information that's collected by data brokers and used by financial institutions and insurance companies to make important decisions about our lives is actually one of the strongest overall arguments for this bill. If a financial institution wants to pull a credit report information from a data broker to help underwrite a loan, That should be no problem. The bill currently exempts credit reporting agencies who furnish credit reports to others, recognizing the fact that there are already strong consumer rights available under FCRA. I don't think anybody involved here really thinks that consumers should be able to erase their credit report. That's definitely not the intent. But data broker data that isn't credit reporting information is almost entirely unregulated currently. That means there's none of the consumer rights that are associated with FCRA, including the right to access this information, the right to notice when you receive an adverse decision against you, and the right to dispute inaccurate information. It was for those very reasons that during the last administration, the Consumer Financial Protection Bureau had actually begun a rulemaking to bring all data brokers entirely under the auspices of FCRA and provide folks with those consumer rights. But that rulemaking has since been abandoned, and it doesn't appear that data brokers are going to be regulated in a comprehensive way, at least at the federal level anytime soon. That is a problem because data broker information is of wildly varying quality and can come from just about anywhere. That includes social media posts, could be outdated public records info. And oftentimes, it's just inferred, or in other words, guessed by data brokers. As I think you heard from Ariel Garcia at Check My Ads a few weeks back, this can often lead to junk data profiles about people. In one recent study, data brokers only correctly predicted an individual's gender 26.5% of the time. That's far worse than the benchmark of simply guessing it. And by definition, consumers had no say over this information being collected in the first place, so it only seems reasonable that they should at least have the ability to delete it, and especially if it's going to influence important financial decisions being made against them or about them. I think Ryan Krieger brought this example up during his testimony last week. But there are clear examples of how these practices can work against consumers. Last year, major car companies like GM and Ford were caught secretly collecting and sharing consumers' driving behavior information, including their precise geolocation information, with data brokers. Those data brokers then share the information with insurance companies, who in some cases raise consumers' premiums on the basis of that information. If consumers want to allow a physical widget in their car to track their driving behavior for insurance purposes, that's one thing. But data brokers are quietly collecting this information about us, and we have absolutely no say in it. If it weren't for The New York Times reporting on this, nobody would have even realized. Again, the use of unregulated data broker data for financial decision making is actually one of the main justifications for this bill, as well
[Kirk Sagal (Office of Legislative Counsel)]: as the
[Matt Schwartz (Consumer Reports)]: CPB's abandoned proposed rules. That's not to say that all uses of data brokers by financial institutions should be prohibited. The bill currently includes broad exemptions for fraud prevention, identity verification, and to comply with existing legal requirements. It also completely exempts data brokers who act as processors or service providers for other businesses. The key to those exemptions, though, is that they're backstopped by a purpose limitation provision, which clarifies that any information that is retained pursuant to those exempted purposes have to be separated from other data broker data, for example, of the marketing insights that a data broker might have about you, and can't be used, sold, shared, processed for any other purpose. I think that covers a major issue with data brokers, which is that they often claim that they can't delete any information about people because some of the information that they have is used for a regulated purpose. Instead, H. Two eleven would give wide latitude for data brokers to retain information for purposes like fraud prevention or security, but then would at least ensure that that information can't be sold behind consumers' backs or used for unexpected secondary purposes. And that seems like a fair trade off to me. The second topic I wanted to cover relates to the argument that we should just copy the California DELETE Act's exemption structure. I was involved in the push for that legislation, and I'm very proud of the DELETE Act, but the exemptions are one of its weakest points. As you heard from so many others, the California DELETE Act was passed as an amendment to CCPA, California's comprehensive privacy law. As such, it borrows from CCPA's exemptions entirely, and that does unfortunately create a number of problems stemming from the fact that those exemptions were primarily drafted with consumer facing businesses and not data brokers in mind. So as an example of that, one of the exemptions in CCPA states that data brokers shall not be required to complete a deletion request if personal data is reasonably necessary to provide a good or service requested by the consumer. But by definition, we're saying that data brokers do not directly interact with consumers and thus are never providing goods and services directly requested by consumers. And so there's a number of exemptions like those that create ambiguity, I think, at best. At worst, they potentially open up large loopholes. And while I understand why California took the approach that it did, Vermont does not have a comprehensive privacy law to reference back to. And I think that's an opportunity and not a drawback. The committee has the opportunity to narrowly tailor the exemptions here to reflect the ways that data brokers actually use personal data and not be beholden to a set of preexisting exemptions that were meant to serve a related but ultimately different purpose of protecting first party businesses. For the same reasons I'd be wary of the argument that we don't need this legislation because the comprehensive privacy proposal in S-seventy one is coming to this committee and also creates a deletion right. Again, the exemptions in S-seventy one are not tailored to the data broker business model, and they would be overly broad if they were applied to them. And also, it's by no means a sure thing that the comprehensive privacy bill is actually going to pass this year, so I'd be wary of placing all of the eggs in a single basket when we have a chance to regulate data brokers with this bill. Even if S-seventy one and this bill both pass, though, I don't believe it's going to cause conflicts since the provisions implementing the deletion right in H-two 11 appear to be directly pulled from S-seventy one. And so the only difference would be that H. Two eleven would create a narrower set of exemptions for data brokers, which, as we just talked about, I think there's a solid public policy basis for doing so. And so I'll wrap it up there. Thanks again for inviting me, and I'm happy to answer any questions.
[Rep. Michael Marcotte (Chair)]: Thanks, Matt. Any questions for Matt? Okay. Great. Thank you.
[Matt Schwartz (Consumer Reports)]: Thanks.
[Rep. Michael Marcotte (Chair)]: Chris, did you wanna have anything to weigh in on at this point? Yes. Jamie?
[Jamie Renner (Vermont Attorney General’s Office)]: Nothing further from him, mister chairman.
[Rep. Michael Marcotte (Chair)]: Thank you.
[Kirk Sagal (Office of Legislative Counsel)]: Naomi.
[Naomi Hopkins (First American Title)]: Good afternoon. Good afternoon, everyone. Good afternoon, Chairs, members of the committee. My name is Naomi Hopkins, and I'm an employee of First American Title. We actively support 70 Vermont small businesses and Title agents with underwriting tools, training and technology. We appreciate the opportunities to provide testimony on H-two 11. We support thoughtful privacy protections and have successfully operated in numerous states that have enacted comprehensive privacy and data broker frameworks. Our goal today is to ensure this bill is clear, workable and does not unintentionally disrupt Vermont's real estate and mortgage markets. First, with respect to subsection three, we have a structural concern. The current exclusion language conflicts with the bill's definition of sale. As drafted, if a company sells publicly available information, it is not considered a sale. However, the definition of publicly available information excludes information made available for sale. This creates a circular definition. In effect, publicly available information is excluded unless it is sold. But again, if it is sold, it is no longer publicly available information. That internal inconsistency creates compliance uncertainty and exposes companies to regulatory risk simply for operating databases built from public records. This matters in a very practical way. First American operates title plants and real property databases comprised of publicly recorded land records. These systems aggregate and organize land records and searchable platforms that are made available to title companies, lenders and other financial institutions to facilitate home sales and refinances. The function is not marketing. It is essential to ensuring efficient, affordable real estate transactions in Vermont. Financial institutions and insurers are among the most heavily regulated custodians of consumer information in the country. We operate under comprehensive federal privacy frameworks, including the Gramm Leach Lilly Act, the Fair Credit Reporting Act, and state insurance privacy laws. These laws already require notice, safeguards limits on data sharing and consumer rights. These sectors are also subject to regular examination by federal and state regulators who enforce compliance with privacy and data security obligations. If these systems are treated as data broker activity subject to hop outs or operational restrictions, the impact will
[Kirk Sagal (Office of Legislative Counsel)]: be
[Naomi Hopkins (First American Title)]: significant. Time, regulatory burdens and uncertainty could cause companies to reconsider maintaining these systems the same way in Vermont, which would directly increase closing costs, lengthy transaction timelines, and in a worst case scenario, impair ability to ensure title, which is a fundamental requirement for most mortgage transactions. Second, with respect to subsections two and four, our concern is practical and consumer focused. In certain instances, companies like First American combine publicly reported land record information with limited transaction specific and fraud prevention data obtained through lawful business relationships and governed by existing federal privacy protections. This information is not used for consumer marketing or profiling. Rather, it is used to help lenders, real estate professionals and appraisers verify identities, detect anomalies, prevent wire fraud, assess transaction risk, evaluate property, detect market changes, and ensure property transfers are valid and insurable. If portions of those records must be deleted upon request, it can create gaps that weaken fraud prevention systems. Equally important is property valuation and market analytics. Lenders, insurers and investors depend on comprehensive ownership and transaction data sets to assess the risk, determine value and ensure market stability. Incomplete data undermines underwriting integrity and increases systemic risk. These tools are fundamentally fraud preventive and market stabilizing. They allow us to identify suspicious activity before money changes hands, reduce fraudulent conveyances, and prevent downstream claims that ultimately increase costs across the housing system. When fraud is prevented early, when fraud succeeds, cost drives with higher premium litigation, delayed clothing and in some cases direct financial loss. Should H2 11 unintentionally restrict the ability to operate real property databases or combine public land record data with transaction based fraud safeguards, the result will not be greater safety. It will be slower transaction, higher compliance and increased real estate expenses for Vermont homeowners. At the same time, it would limit access to legitimate fraud prevention infrastructure and increased fraud. Bad actors gravitate towards jurisdictions where verification systems are weakened or fragmented and Vermont residents would ultimately bear the consequences in higher costs. Importantly, Vermont would not be charting new territory by adopting a clear carve out. States including California, Colorado, Connecticut, Delaware, Indiana, Iowa, Kentucky, Montana, New Hampshire, New Jersey, Oregon, Tennessee, Texas, and Virginia have adopted privacy laws or data broker registration requirements. Each of those states includes a clear blanket carve out for publicly available information within the definition of personal information. That model provides clarity while preserving privacy protection, and we respectfully encourage you to follow that. At a minimum, we request removal or clarification of exclusions two, three and four to eliminate the circular definition and ensure that publicly recorded land records and legitimate real estate transaction tools are not unintentionally served into personal data obligations. Our intent is simple, ensure privacy protections coexist with an efficient, affordable and fraud resistant housing market in Vermont. Thank you very much for your consideration.
[Unidentified Committee Member]: Questions? Thank you. Yeah, so I think and we also just transparently for everybody, we're speaking at lunch to try to navigate this. There's red lines that the intent of this bill is not to block the fraud protection identity verification type of stuff. And I guess two things. So one is, like, page 34, line 16, that, like, that whole subsection where it's saying, like, it's exempting information used to prevent, detect, protect again, respond to security incidents, identity theft, fraud, harassment, blah blah blah. So that is the hope was that that covers the business uses that you're explaining. So happy to dive in there for sure. And I think just to explain to the committee, sale pieces is that the publicly available information that is taken from, say, Secretary of State's office or DMV records or whatever is publicly available land records, that information then is sold by People Search. That is the trying to capture publicly available information then being taken from public records and then basically owned and sold to people like Spokio and that kind of stuff. That is what we're trying to protect. So that's an instance of something we're trying to protect. So happy to work offline for this for sure. Sure.
[Naomi Hopkins (First American Title)]: 100% appreciate that. Yeah.
[Unidentified Committee Member]: Did get red lines that were different than what was just read. Happy to go over that.
[Naomi Hopkins (First American Title)]: Yeah. Okay, great. Yeah,
[Jamie Renner (Vermont Attorney General’s Office)]: Yeah, that would be helpful to get something in writing. Both the sale issue and the exemption issue. Curious though, there's a provision around the deletion issues. There's an exception for broker traditional information is processed solely in the data broker's capacity to process it to a business with which the consumer has direct relationship. Why doesn't that cover your situation?
[Naomi Hopkins (First American Title)]: Can you ask that question one more time, please?
[Jamie Renner (Vermont Attorney General’s Office)]: Oh yeah, sure. So it starts earlier on page 34, and it talks about date of birth or may deny a consumer's request to delete. It's sent that the brokered personal information is processed solely in the data broker's capacity as a process to a business with which the consumer has a direct relationship. So I was kind of thinking, well, the bank, for example, well, yeah, bank, think about a mortgage lender, and they have direct relationship with the consumer, and I'm wondering whether your service, it falls within that sort of idea or concept of a process or if the business has a direct relationship with the consumer.
[Naomi Hopkins (First American Title)]: So I'll give a small answer and I would love to get back to with a bigger answer, but significant. But if you think of titles for instance, the chain of custody through a title, there could be someone in the middle that had custody of this particular title that is not selling or purchasing at this time and if they request deletion then that middle part of the record is deleted and we don't know what happened in those years.
[Jamie Renner (Vermont Attorney General’s Office)]: The middle timeline.
[Naomi Hopkins (First American Title)]: Correct.
[Jamie Renner (Vermont Attorney General’s Office)]: Thank you.
[Naomi Hopkins (First American Title)]: Oh, absolutely.
[Rep. Michael Marcotte (Chair)]: Questions from the audience? Thank you.
[Naomi Hopkins (First American Title)]: Thank you, everyone.
[Kirk Sagal (Office of Legislative Counsel)]: Alex?
[Rep. Michael Marcotte (Chair)]: Yeah,
[Jamie Renner (Vermont Attorney General’s Office)]: he had another committee. Oh, okay.
[Rep. Michael Marcotte (Chair)]: Why don't we take a short break?
[Kirk Sagal (Office of Legislative Counsel)]: When the
[Rep. Michael Marcotte (Chair)]: system