On June 25, 2015, the New Jersey Assembly passed A.3946, the Personal Information and Privacy Protection Act, which aims to restrict the purposes for which a retailer may scan a customer’s identification card.8 The legislation would prohibit “retail establishments” from scanning a person’s identification card, except (1) to verify a person’s identity or the authenticity of the card when the customer pays with a method other than cash, returns or exchanges an item, or requests a refund; (2) for age verification prior to a sale of age-restricted goods or services; (3) for fraud prevention during a refund, return, or exchange, if the business uses a fraud prevention company or service; (4) to form a contractual relationship; (5) when required by state or federal law; (6) to send information to consumer reporting agencies, financial institutions, or debt collectors as permitted by federal law; or (7) for compliance with the Health Insurance Portability and Accountability Act (“HIPAA”).
Under the bill, retailers would not be permitted to retain information collected for age and identity authentication purposes. Moreover, the bill would require that data collected for other purposes must be stored securely. In the event of a breach of security of this data, retailers would be required to notify the Division of State Police and affected individuals, pursuant to New Jersey’s data breach notification statute. Retailers would be not allowed to share information collected pursuant to this statute with third parties for any purpose. The Senate has not yet acted on the bill.