On July 21, 2017, New Jersey Governor Chris Christie signed into law the Personal Information and Privacy Protection Act (the “Act”). The Act limits the purposes for which retail establishments may lawfully scan a person’s government-issued identification card, such as a driver’s license. It also limits the data that can be collected from such scanning and how these data can be retained and used.

Data That Can Be Collected

When scanning a person’s ID card, a retail establishment can only collect the person’s name, address, birthdate, ID card number, and the jurisdiction that issued the card.

Valid Purposes of ID Scanning

A retail establishment is allowed to scan an ID card for only eight purposes, namely to:

  1. Verify the identity of a person or validity of an ID card if a person does not pay in cash, returns an item, or requests a refund or exchange;
  2. Verify the age of someone seeking age-restricted goods or services;
  3. Prevent fraudulent returns or exchanges if the business uses a “fraud prevention service company or system”;
  4. Prevent fraud relating to a transaction to “open or manage a credit account”;
  5. “Establish or maintain a contractual relationship”;
  6. “Record, retain, or transmit information as required” by law;
  7. Convey information to a financial institution, debt collector, or consumer reporting agency that will be used in accordance with the Fair Credit Reporting, Gramm-Leach-Bliley, or Fair Debt Collection Practices Acts; and
  8. “Record, retain, or transmit information by a covered entity” governed by Health Insurance Portability and Accountability Act rules.

Data Retention and Use

If a retail establishment scans an ID card pursuant to one of the first two purposes above, it cannot retain the data collected. It may retain data collected pursuant to the remaining six purposes, but such data must be “securely stored.” Further, if the data are compromised by a breach, the entity may need to report the breach to affected persons and the New Jersey State Police under New Jersey’s data breach notification law.

In addition, except as the Act otherwise permits, a retail establishment may not “sell or disseminate to a third party any information obtained” in accordance with the Act for any purpose. So, a retail establishment may not share or sell such data for “marketing, advertising, or promotional activities.” However, the Act does allow an “automated return fraud system” to issue a “reward coupon to a loyal customer.”

Penalties

The Act imposes a $2,500 civil penalty for a first violation and a $5,000 civil penalty for each violation thereafter. In addition, an affected person may sue the retail establishment for damages.

Conclusion

The Act will take effect on October 1, 2017. Retail establishments operating in New Jersey should ensure that they come into compliance with this new law, and establishments elsewhere should be on the lookout for similar legislation in other jurisdictions.