New Jersey retail establishments that collect electronic data by scanning personal identification cards must comply with the “Personal Information and Privacy Information Act” that Governor Chris Christie signed into law on July 21, 2017.

The Act, which goes into effect three months after enactment, places restrictions on the collection, storage and use of personal information that is obtained by scanning cards such as a person’s driver’s license or other government-issued identification card. The Act:

  • limits the information collected by scanning a person’s identification card to “the person’s name, address, date of birth, the State issuing the identification card, and identification card number”;
  • allows retailers to scan identification cards for one or more of the following eight permitted purposes, and no others:
    • to verify the authenticity of the identification card or to verify the identity of the person if the person pays for goods or services with a method other than cash, returns an item, or requests a refund or an exchange;
    • to verify the person’s age when providing age-restricted goods or services to the person;
    • to prevent fraud or other criminal activity if the person returns an item or requests a refund or an exchange and the business uses a fraud prevention service company or system;
    • to prevent fraud or other criminal activity related to a credit transaction to open or manage a credit account;
    • to establish or maintain a contractual relationship;
    • to record, retain, or transmit information as required by State or federal law;
    • to transmit information to a consumer reporting agency, financial institution, or debt collector to be used as permitted by three federal statutes; or
    • to record, retain, or transmit information by a covered entity governed by the “Health Insurance Portability and Accountability Act of 1996” (HIPAA) and certain regulations;
  • prohibits retailers from retaining information obtained only to:
    • verify the authenticity of the identification card or to verify the identity of the person if the person pays for goods or services with a method other than cash, returns an item, or requests a refund or an exchange; or
    • verify the person’s age when providing age-restricted goods or services to the person;
  • requires any information obtained by scanning identification cards to be “securely stored”, and requires any breach of the security of such information to be reported to the State Police and any affected person in accordance with NJ statutes on data breaches involving personal information;
  • prohibits retailers from selling or disseminating any information obtained by scanning identification cards, except in one very narrow circumstance; and
  • imposes penalties on retailers who violate the Act and allows aggrieved persons to bring a suit for damages caused by a violation of the Act.

The Act does not specify the practices that are required to “securely store” the information, leaving that to be determined on a case-by-case basis if and as breaches occur. However, retailers should be aware that there are cybersecurity laws and regulations that impose more specific requirements in other contexts and jurisdictions, as well as evolving technical standards and practices, to which the courts and regulators may look for guidance to delineate the measures required to comply with this aspect of the Act.