On July 21, 2017, Governor Chris Christie signed into law Senate Bill No. 1913, known as the “Personal Information and Privacy Protection Act.” The Act regulates how retail establishments can collect and store information from consumers’ driver’s licenses and other identification cards, and allows for civil penalties and a private cause of action for damages for violations of the Act.
The bill was introduced in March 2016 by twelve sponsors and, after revisions relating to retail credit transactions, unanimously passed the Assembly and Senate in June 2017. The law will take effect on October 1, 2017.
The Personal Information and Privacy Protection Act applies only to “retail establishments.” The Act provides that retail establishments are permitted to scan identification cards only for eight enumerated purposes. The permitted purposes are to: (1) verify the authenticity of the card or identity of the person; (2) verify age where required; (3) prevent fraudulent returns if the establishment uses a fraud prevention service or system; (4) prevent fraud related to a credit or deferred payment account; (5) establish or maintain a contractual relationship; (6) obtain information required by law; (7) transmit information to a consumer reporting agency, financial institution or debt collector; or (8) record medical information as required under HIPAA.
“Scanning” is defined as the accessing of electronically encoded information from the card by use of a barcode reader or other electronic device. An identification card is defined as a driver’s license or non-driver photo identification card issued by New Jersey, or similar cards issued by other states. Importantly, the information to be collected by scanning cards is limited in the Act to name, address, date of birth, issuing state and card number.
After addressing the “purpose” for which an establishment can scan identification cards, the Act goes on to address the “retention” of that information. First, the Act prohibits the retention of information obtained for purposes of verifying the authenticity of a card or the identity or age of a person. Information obtained for any other purpose permitted under the Act, noted above in sections 3 through 8, may be retained as long as it is “securely stored,” and any data breach must be reported to the New Jersey State Police in accordance with N.J.S.A. 56:8-163. The Act prohibits the “selling or disseminating” of any data collected except dissemination for the purposes allowed in sections 3 through 8.
The Act provides for a civil penalty, to be collected by the Attorney General of the State, of $2,500 for a first violation and $5,000 for each violation thereafter. The Act does not identify whether each collection, retention or dissemination constitutes an individual violation for each person involved. Most importantly, the Act creates a private cause of action in the New Jersey Superior Court for any person “aggrieved by a violation” of the Act to allow that person to recover “damages.” The Act is silent as to whether a class action on behalf of a large number of aggrieved persons is contemplated.
There are certain ambiguities in the Act which may require judicial resolution. A “retail establishment” is not defined. Most likely this will be interpreted by the New Jersey courts as any establishment offering goods or services to consumers. Because the Act includes a permitted use relating to medical information, it is clear that medical providers are also considered “retail establishments” for purposes of the Act. The prohibitions contained in the Act are applicable to the “scanning” of identification cards by reading the bar code. The Act does not appear to address the common practice of copying or imaging the front and back of a card. With respect to the storage of information, the Act does not define “secure” storage and is silent with respect to any encryption requirement. Moreover, the permitted use relating to establishing or maintaining a “contractual relationship” is not delineated and could arguably be read broadly to allow the collection of information for any number of reasons. It appears, however, that the intent of this provision is to address circumstances resulting in an ongoing contractual relationship between a retailer and a customer, not merely a single transaction. Finally, although on its face the Act permits the “selling or dissemination” of data, any such sale or dissemination must advance one of the purposes enumerated in sections 3 through 8. None of these sections, however, references circumstances which could involve selling of data for profit; thus all selling of data is arguably prohibited under the Act.
Any New Jersey retailer that asks for a consumer’s identification card as part of its normal business practices should pay careful attention to the provisions of the Act. Retailers should make sure their systems are compliant and do not lift any information off the card other than name, address, date of birth, issuing State and card number. Following the collection of such information, authenticity or identity information should be immediately destroyed, and all other data kept secure and disseminated to third parties only for the limited purposes referenced in the Act. With the passage of the Act, New Jersey joins a group of many other states throughout the U.S. that restrict the collection, use and retention of digital information from driver’s licenses and other identification cards.