Vermont Attorney General TJ Donovan was elected in 2016 and is the 26th attorney general of the state. Donovan has many years of experience representing the government, having served as an assistant district attorney in Philadelphia and as a Vermont state attorney for Chittenden County for 10 years. As attorney general, he has taken an active role in advocating for consumers’ rights with respect to privacy and data security by engaging with the community on issues of concern and weighing in on state legislation governing data brokers, among other initiatives. Here, Donovan talks about Vermont’s leadership in data privacy and security regulation and how he and his fellow attorneys general play an important part in shaping the field.
The Privacy Advisor: Your office, in coordination with the Vermont Department of Public Service, held a series of open hearings with the purpose of discussing proposals for privacy legislation that would protect state residents. Hearings included discussions of telecommunications privacy, the role of a state chief privacy officer, and restrictions on data brokers. Several organizations participated and submitted comments in these proceedings. Do you think these hearings were successful in engaging the community and relevant stakeholders, and how have they affected your policy initiatives?
Donovan: When we hold open forums as we did over the past two summers all over the state, advocates representing all corners of the privacy ecosystem attend: consumer advocates, civil rights advocates, industry representatives, privacy attorneys, and representatives of individual businesses. Members of the general community also attend.
We listened carefully, and our report to the legislature was greatly informed by these hearings. We heard that Vermont was not as up to speed as other states in protecting student privacy, so we recommended a law modeled on California’s Student Online Privacy Information Protection Act. We heard that consumers aren’t sure what the state is doing with their data, so we recommended that a study and report be done on that question. We also asked the legislature to consider creating a chief privacy officer position.
The Privacy Advisor: Vermont is at the forefront of regulating data brokers, chiefly by enacting Vermont’s Data Broker Regulation Legislation, Act 171, which went into full effect Jan. 1, 2019. The law, which you supported, eliminates fees associated with credit security freezes; outlaws fraudulent acquisition of data or acquisition of data for purposes of stalking, harassment, ID theft or discrimination; clarifies minimum data security requirements for commercial actors; and imposes requirements on data brokers that include annual registration with the attorney general and disclosure of practices related to the collection, storage or sale of consumers’ personal information, along with consumers’ ability to opt out and any data breaches experienced. How do you expect data brokers’ practices to change now that the law has gone into effect, and why was it important to enact this legislation now?
Donovan: Simply shedding sunlight and transparency on this industry has the effect of changing troubling behaviors, such as trading in information like the home addresses of police officers.
For example, we actually had a company report that they did not collect the information of children under 18, only to realize that they, in fact, were selling this information when it was pointed out by a journalist. The company immediately took steps to change these practices, which they stated were not in line with their policies.
The Privacy Advisor: Vermont’s data broker law provides for enforcement by the attorney general pursuant to the state’s unfair and deceptive acts and practices law. Private citizens may also pursue civil action under credit reporting laws. What are your views on how private rights of action may interact with your enforcement authority?
Donovan: Vermont’s Consumer Protection Act contains a strong private right of action that permits recovery of attorney’s fees, damages or consideration and exemplary damages of up to three times the consideration paid. The private right of action exists so that all Vermonters can be protected under the law, regardless of whether our office is able to help.
The Privacy Advisor: Recently, you reached a $264,000 settlement with a company that exposed the Social Security numbers of 660 Vermont residents by failing to secure an Excel spreadsheet relating to the state health exchange. The company failed to comply with the Vermont Security Breach Notice Act and inform the attorney general’s office and affected individuals within the act’s prescribed timeframes. What is your opinion on proposals for a federal breach law that would harmonize state laws and impose consistent requirements on entities that experience breaches?
Donovan: I support a federal breach law that offers at least as much protection as current state laws, allows enforcement by state attorneys general, and allows enforcement in state court. The business community and the public would benefit from a single standard, a single point of reporting, and consistency across the nation.
The Privacy Advisor: In August 2018, you joined a bipartisan group of 29 state attorneys general in sending a letter to the U.S. Federal Trade Commission emphasizing the role that attorneys general play in consumer protection, particularly in regard to the protection of personal information and data. The FTC is in the midst of a series of public hearings on “Competition and Consumer Protection in the 21st Century.” How does your office work in tandem with the FTC’s privacy protection efforts? What is your vision of a successful future partnership?
Donovan: Our office has a history of working together with the FTC in privacy actions. For example, we led the multi-state enforcement action involving Ashley Madison in coordination with the FTC. We also frequently share ideas and confer with our colleagues at the commission. With these collaborations, the FTC’s resources and technical and economic expertise are a complement to our better understanding of the facts “on the ground” and a more direct connection with our constituencies and their needs. Our offices will continue to work together on privacy, consumer protection and antitrust matters.
The Privacy Advisor: The EU General Data Protection Regulation, which went into effect last year, has already had a dramatic effect on compliance obligations for U.S.-based companies that are subject to its extraterritorial reach. Starting with California, some U.S. states are considering their own rigorous data privacy legislation, which could result in “mini-GDPRs” and an expansion of the many different laws with which companies need to comply. How do you view this trend, and what do you see as the enforcement role of attorneys general in this context?
Donovan: The GDPR is, of course, comprehensive across all industries, implements meaningful protections, and has real teeth with penalties of up to 4% of a company’s global revenue. I am watching closely to see how the GDPR plays out. As for our state’s role, we will focus on enforcing our own state laws and those federal laws under which we have authority, like HIPAA.
The Privacy Advisor: In December 2018, you announced that Vermont is launching a working group to study blockchain technology. What is the state’s motivation for focusing on fintech, and how can attorneys general participate in fostering innovation in this area?
Donovan: I am always excited by a public-private partnership. Our working group to study blockchain technology consists of state agencies, stakeholders and industry experts. We are collaborating to explore the opportunities of blockchain, as well as the potential impacts on consumer protection, including data privacy and economic development.