State laws governing the collection and use of personal information continue to proliferate. The latest comes from New Jersey, which on July 21, 2017, signed into law legislation that restricts a merchant’s ability to collect personal data of shoppers and share such data with third parties. New Jersey’s Personal Information Privacy and Protection Act permits retailers to scan an identification card only for certain purposes—such as verifying the consumer’s identity—and requires retailers to store such data securely. Further, a retailer may not share the data with a third party unless the retailer discloses its data-sharing practices to the consumer.

The law is particularly notable because it creates a private cause of action for any person aggrieved by a violation. Merchants are subject to civil penalties of $2,500 for the first offense and $5,000 for subsequent offenses.

New Jersey is one of several states that has taken a greater interest in the regulation of consumer privacy. For example, on June 27, 2017, the Illinois legislature passed the Geolocation Privacy Protection Act, which would prohibit parties from collecting, retaining, or disclosing geolocation information without first obtaining customer consent. That law is now sitting on the governor’s desk awaiting signature. Illinois also is considering the Right to Know Data Transparency and Privacy Protection Act, which would require companies to disclose the parties with whom they share customers’ personal data.

Similarly, California is considering internet privacy legislation that would prohibit an internet service provider (ISP) from using, disclosing, selling, or sharing customer personal information except when the customer has given opt-in consent that can be revoked at any time. The California bill mimics FCC broadband privacy regulations that were finalized towards the end of President Obama’s administration but that Congress and the Trump administration repealed in April before the rules became effective.

In the perceived absence of significant new federal regulation on privacy issues, states have taken a greater interest in consumer privacy. Recent activity in California, Illinois, and New Jersey underscore that companies need to keep an eye on compliance with state law, which continues to be a significant source of privacy regulation.