The New Jersey “Personal Information and Privacy Protection Act” was signed into law on July 21, 2017 by Governor Chris Christie and will be effective November 1, 2017.
The law restricts the way retail establishments may collect and use the personal information contained in the electronic data embedded in identification cards, such as driver’s licenses. The law responds to concerns raised by reports related to how businesses use and store personal information obtained from scanned driver’s licenses.
The law lists the purposes for which a retail establishment may scan a person’s identification card as follows:
- To verify the authenticity of the card or to verify the age or identity of the person if he or she pays for goods or services with a method other than cash, returns an item or requests a refund or an exchange;
- To verify the person’s age when providing age-restricted goods or services;
- To prevent fraud or other criminal activity in the case of merchandise return or exchange via fraud prevention service company or system;
- To establish or maintain a contractual relationship;
- To record, retain or transmit information as required by state or federal law;
- To transmit information to a consumer reporting agency, financial institution or debt collector to be used as permitted by federal law; or
- To record, retain or transmit information by a covered entity governed by medical privacy and security rules established pursuant to federal law.
The information that businesses may collect is limited to the person’s name, address, date of birth, the state of issuance and the identification card number. In addition, the law requires that any information collected must be securely stored and in the event of a breach, the affected person and the state police must be notified.
A violation of the law will result in a civil penalty of $2,500 for the first offense and $5,000 for any subsequent violation. The law also provides for a private right of action in Superior Court to recover damages.