Data brokers have been operating in the dark for years. If you’re interested in digital privacy, the fact that your information is regularly traded by hundreds of secretive companies will come as no surprise. What’s less clear is who these organisations are, what information they store, and who exactly they’re working with. Thanks to a new state law in Vermont, companies trading in the third-party data of residents must register with the state. The resulting registry gives us a rare, passing glance into a thriving economy that operates mostly under the radar, and often with little oversight.

Data brokers have been silently providing businesses with your information for a long time. Advertising is just one of many uses: this data is used for shaping the terms of personal loans, restricting services to certain demographics, informing shadow credit scores, and much more. Until now, these practices have existed in a regulatory near-vacuum; as long as brokers stepped carefully, they could maintain what amounts to a comprehensive shadow profile of unwitting consumers.

Implemented in January 2019, Vermont’s new law marks the first piece of legislation governing this murky industry – and the first of its kind to address the problem directly. So far, 121 companies have registered, shedding light on an expansive and diverse array of companies, from the obscure and relatively unknown to the quiet giants of the data industry.

The record of active organisations includes branches of the data giant Experian, people search engines like Spy Dialer and Spokeo, and a variety of smaller organisations that range in purpose from helping landlords vet tenants to delivering advertising prospects to the insurance industry.

Having faced strong opposition in the legislature last year, the law has since won the approval of consumer advocates, who argue it’ll help ordinary people understand who’s collecting their data and what can be done to opt out.

Illuminating as it may be, the registry and the entities recorded in it represent a minuscule portion of the wider data economy. The law only affects third-party data handlers – those trafficking in the data of people with whom they have no association – as opposed to ‘first-party’ data handlers like Facebook, Google or Amazon, which harvest data directly from their users.

Having set a precedent, Vermont has paved the way for state legislators to take the lead in data privacy regulation. Many anticipate the introduction of improved federal privacy protections in the coming years. This article will explore the implications of this forecast for concerned consumers and data privacy professionals, as well as the consequences for organisations reliant on third-party data sources.

The problem with data brokers

If you’re not familiar with the industry, it’s no accident. Data brokers typically eschew all things consumer-facing and opt instead to harvest information on people in secret, trading it amongst themselves like the valuable asset it has become.

These companies encroach on the privacy of millions by harvesting and monetising personal data without consumer knowledge or consent. Worse still, many fail to store this sensitive information securely, inevitably leading to data breaches like Equifax that put millions at risk of identity theft, stalking, fraud and other dangers for years to come.

By scraping public records and buying or licensing data rights, third-party brokers can assemble billions of detailed consumer profiles with thousands of classifications per individual. These profiles are often used to build audiences for targeted advertising, and it’s not difficult for companies to determine if you’re pregnant, where you’ve been, what medicine you take and even how you interact with your smartphone. The data can be used to gauge the quality of your lifestyle, and even to establish your eligibility for a job opening.

Like the brokers themselves, the dangers here can be difficult to identify. Aside from the inherent risk of simply aggregating and storing all of this data, thorough (and often flawed) consumer profiling can lead to discrimination based on income or race in what essentially amounts to technological redlining. Troves of personal data are flowing to political parties attempting to influence voting behaviour as well as to government agencies tracking potential suspects. Meanwhile, people-search websites can provide a wealth of information ready to be exploited by doxxers, stalkers and abusers.

While the data brokerage industry has its advantages, there are fundamental risks involved in the blanket aggregation and sale of consumer data. This activity often infringes on an individual’s right to know and control the information stored about them, and it creates risks arising from the unauthorised or fraudulent acquisition of information. Many consumers may not be aware that these companies exist, what information they collect and what recourse there is if they wish to opt out.

Inside the consumer protection bill

Vermont’s law seeks to protect consumers from data brokers through four distinct mechanisms:

Security. Companies must adopt industry-standard protective measures and comprehensive data security programs with administrative, technical, and physical safeguards.

Transparency. Brokers must register annually with the state. If a process for opting out of data collection, retention or sale is provided, they must disclose it. They must specify whether they require credentials from their purchasers, and notify authorities of any security breaches.

No fraudulent collection. Data brokers may not collect personal information by fraudulent means, or for the purpose of fraud, harassment or discrimination. Buying or using data for criminal purposes is now its own actionable offence, though the bill doesn’t set any standards for how brokers must vet buyers and their intentions.

Free credit freezes. Credit freezes are an important way for consumers to protect themselves from the fallout of a data breach. Vermont’s law bars credit agencies from charging consumers fees for this protection.

Though it’s set to undergo various amendments in the coming months, the law doesn’t yet require data brokers to disclose who’s in their databases, what data they collect or who buys it. Nor does it require brokers to give consumers access to their own data, or even the ability to opt out of collection altogether. You can read the full bill here.

What does this mean for enterprise security?

The bill has been meticulously written to reduce the potential for circumvention. Rather than focusing on specific definitions – which could be exploited or avoided – policymakers focused on the activity and behaviour of the companies in question. This means that many companies – not just those that identify as brokers – will find themselves affected by the law’s broad definition:

“‘Data broker’ means a business, or unit or units of a business, separately or together, that knowingly collects and sells or licenses to third parties the personal information of a consumer with whom the business does not have a direct relationship.”

In simpler terms, any organisation that collects data second-hand and sells it on will be obligated to comply. This leaves little room for any legitimate brokers to escape the designation. If other states model future legislation on Vermont’s bill, it’s likely that many companies across the country – broker or otherwise – will find themselves forced into compliance.

As affected businesses begin to register and disclose key information for the first time, consumers will be able to identify which processes they can exclude themselves from and how. If they’re ever the victim of a crime involving brokered data, they now have legal recourse.

Data security and access controls at every affected organisation will have to be vetted to ensure they meet a minimum standard. New rules governing data breaches mean authorities must be promptly notified if any personal data is leaked in spite of these increased security measures. This has broad implications for security standards across organisations nationwide if Congress – or other states – choose to model future legislation on Vermont’s trailblazing bill.

Next steps

Now that the first registrations are in, officials and advocacy groups are planning to review the listed companies to get a better sense of who’s operating in the industry, how accommodating they are to consumers who wish to opt out, and whether any further regulation is necessary.

Though it’s a good first step, several rules remain on the wish list for the privacy-conscious in Vermont and around the country. Under the current law, a consumer can only learn which brokers are operating in the state, along with a few general facts about those operations. Nothing addresses a consumer’s “right to know” – that is, what information is harvested, how it was obtained, and to whom it is sold. Similarly, there is no legislation obligating companies to provide the ability to opt out.

Furthermore, the bill does not require any form of consumer consent for the collection or sale of personal information. This is especially concerning when considering biometric data, and the ability of organisations to collect or sell this information without active and informed consent. While minimum security standards are a strong – if long overdue – addition, consumers are still unable to access and review what data is stored, or to bring legal action against companies that violate the law.

Tips for opting out

Given their typical obscurity, it can be difficult to know where to begin the process of opting out – assuming the option exists. It’s likely most consumers will have to contact each organisation individually through whatever opt-out systems they can find.

Unfortunately, U.S. law does little to regulate most companies that deal in data, leaving consumers with few guarantees. Eventually, we might see additions like the right to know, the right to be forgotten and other protections granted to citizens of the European Union under the General Data Protection Regulation (GDPR). For now, there is relatively limited recourse for those looking to shield themselves from the brokerage industry.

Contact each company individually. To remove yourself from a specific database, consult the filing history of the companies listed in the new registry. This will provide details from the company on how to opt out – provided they allow you to. There are various online guides listing common opt-out procedures which may be useful here.

Report violations. If you’re worried about how an organisation is collecting or managing your data, you can file a complaint with the Federal Trade Commission (FTC). In recent years, the FTC has issued millions of dollars in penalties over unlawful behaviour by data brokers and credit agencies.

Manage online behaviour. Though it’s not ideal, limited federal regulation means it’s often up to the individual to police their own online behaviour to minimise the amount of data leaked. You can limit your data loss by adjusting your privacy settings, deleting unnecessary applications, using tools like a VPN or script-blocker and restricting what you post online.

One small step...

Vermont’s law offers plenty to celebrate for those concerned about information security. It’s the first legislation by any American state to force data mining out of the shadows, and undoubtedly begins the process of regulating data brokers on a larger scale. It illustrates the opportunities available for state legislators to take the lead in protecting consumer privacy, and demonstrates why Congress must not hastily enact a weak privacy law that pre-empts stronger legislation at the state level.

That being said, in many ways these regulations are more symbolic than substantive. Many have argued that the law establishes inconsistent restrictions on data use by third parties in comparison to those imposed on first-party data handlers. The law still leaves search engines, telecoms and social networking services relatively untouched. This means that some of the businesses most closely associated with controversies around personal data are still outside the purview of the law, even if they sell access to consumer data.

Though small in its direct impact, Vermont’s law is undoubtedly significant for the future of consumer privacy and information security in the US. Other states are likely to look to Vermont as they begin to shape their own approaches to data regulation.

If similar legislation proliferates across the country, it’s likely to have huge implications for large enterprises and security professionals everywhere as organisations look to ensure compliance. It’s possible the federal government will pass its own data privacy legislation in the coming years – something that’s been backed both by privacy groups seeking comprehensive protections and by industry leaders looking to avoid the cost of compliance with 50 different state policies. However these laws eventually take shape, data compiled through Vermont’s registration scheme is bound to influence both federal and state lawmakers in the years to come.