Citizen Portal
Sign In

Committee hears support for H.211, which would pair a data‑broker registry with an automated deletion platform

House Commerce & Economic Development Committee · January 15, 2026

Loading...

AI-Generated Content: All content on this page was generated by AI to highlight key points from the meeting. For complete details and context, we recommend watching the full video. so we can fix them.

Summary

Witnesses described 2025 cross‑registry research showing likely nonregistration by hundreds of data brokers, detailed California’s Delete Act and DROP platform as an operational model, and urged Vermont to adopt H.211’s expanded disclosure, deletion and penalty provisions. No vote was taken.

Privacy advocates, technical auditors and a national‑security consultant told the House Commerce & Economic Development Committee on Wednesday that H.211 — which would expand data‑broker disclosures and pair Vermont’s registry with a scalable deletion mechanism — could help Vermonters reclaim personal information that brokers routinely buy and sell.

Emery Rhone, identified in the transcript as the associate director of policy at Privacy Rights Clearinghouse, described research consolidating registries from California, Vermont, Texas and Oregon. "We found brokers frequently do not use consistent naming across states," the witness said, and reported the cross‑registry comparison identified roughly 750 unique broker entities overall and 309 that appeared in other registries but not in Vermont. Of those 309, the witness said 199 disclosed collecting geolocation data and 179 disclosed collecting data about minors. "When one state requires brokers to disclose more detail, cross‑referencing those disclosures against other registries can help us understand what brokers are doing across the broader ecosystem," the witness added.

Representatives of California’s enforcement agency described how that state’s Delete Act and its Delete Request and Opt‑Out Platform (DROP) operate in practice and urged Vermont to consider a similar, integrated system. An attorney from the California Privacy Protection Agency said DROP lets a California resident verify state residency, create a deletion profile with email, phone, vehicle identification number or other identifiers, then submit a single request that goes to all registered brokers. Data brokers must register, pull hashed deletion lists on a recurring cadence, attempt matches and report status back to the platform. The witness said the system had more than 100,000 user requests during rollout.

On enforcement and deterrence, the California presenter described statutory civil remedies in that state, including a $200 per‑day penalty for failure to register or failure to delete consumer personal information and a separate statutory framework for audits beginning in 2028. "There is no discretion on the enforcement side" for the statutory nondeletion fine as currently written, the presenter said, illustrating how fines can accumulate rapidly for large numbers of unremoved consumer records.

A national‑security witness, Mike Yeagley, urged lawmakers to design Vermont law to be "future proof" against evolving tactics that allow identity reconstruction from metadata and cross‑context linkage. "When our movements can be tracked, our relationships mapped, our intentions modelled, we cease to be citizens and become subjects," he said, arguing outcomes‑based prohibitions on identity reconstruction would raise the cost of exploitation by adversaries.

Zach Edwards, a technical auditor who tested California’s DROP, testified in favor of H.211 and urged Vermont to provide multiple residency‑verification options. Edwards said California has about 545 registered brokers compared with roughly 440 in Vermont and that DROP’s centralized deletion tool dramatically reduced the time required for effective deletion compared with manual opt‑out processes.

Committee members asked technical and implementation questions — including whether FCRA and GLBA exemptions narrow registrations, how states share enforcement information, and how offshore brokers can be handled in enforcement — and presenters described limits and ongoing coordination steps. The committee closed testimony on H.211 without taking a vote and moved to other agenda items.

Why it matters: Data brokers collect and resell third‑party information that often includes sensitive categories and location signals; witnesses said a combined registry and deletion platform can increase transparency and give consumers a practical way to request mass deletions.

Next steps: The committee concluded the day’s testimony on H.211; no formal action was recorded during the hearing.