As reported on the Privacy & Information Security Law blog, on September 15, 2016, the New Jersey Senate unanimously approved a bill that seeks to limit retailers’ ability to collect and use personal data contained on consumers’ driver and non-driver identification cards. The bill, known as the Personal Information and Privacy Protection Act, must now be approved by the New Jersey Assembly.
Under the bill, retail establishments may scan an individual’s identification card (i.e., use an electronic device capable of deciphering, in an electronically readable format, information electronically encoded on the identification card) only for the following purposes:
- to verify the authenticity of the identification card or to verify the identity of the person if the person pays for goods or services with a method other than cash, returns an item, or requests a refund or an exchange;
- to verify the person’s age when providing age-restricted goods or services to the person;
- to prevent fraud or other criminal activity if the person returns an item or requests a refund or an exchange and the business uses a fraud prevention service company or system;
- to establish or maintain a contractual relationship;
- to record, retain or transmit information as required by state or federal law;
- to transmit information to a consumer reporting agency, financial institution or debt collector to be used as permitted by the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act and the Fair Debt Collection Practices Act; or
- to record, retain or transmit information by a covered entity governed by the medical privacy and security rules pursuant to the Health Insurance Portability and Accountability Act of 1996.
The bill also would limit the types of information that retailers could scan from an individual’s identification card to name, address, date of birth, the state issuing the identification card and the identification card number. In addition, the bill (1) places limitations on retaining the relevant information; (2) imposes a data security requirement; (3) reiterates retailers’ obligation under New Jersey’s data breach notification law to notify affected residents and the relevant New Jersey regulator in the event of any breach of the security of the information; and (4) prohibits retailers from selling the relevant information to third parties.