New Jersey Adopts Personal Information and Privacy Protection Act Restricting Retailers’ Right to Request and Retain Customer Information
On Friday, July 21, 2017, New Jersey enacted the Personal Information and Privacy Protection Act (the “Act”) limiting retailers’ right to scan and retain “identification card” information for a credit transaction. For purposes of the Act, an “identification card” includes a driver’s license, a probationary license, a non-driver photo identification card or other similar card issued by a state or the District of Columbia. The Act will take effect on October 1, 2017.
To be clear, retailers[1] can “card” a customer by asking for an identification card, reviewing the information on the face of the card, and returning the card to the customer. Retailers that have barcode readers installed at their registers can scan the barcode on the identification card to review and capture data about the card holder. This Act limits the circumstances under which a retailer can scan and/or store that data electronically.
Under the Act, retailers can only scan a customer’s identification card for the following limited purposes:
- To verify that the person presenting the card is indeed the person to whom the card was issued in non-cash transactions (e.g. credit transactions, returns, refunds or exchanges);
- To verify the age of the person (e.g. when purchasing alcohol or tobacco or other age restricted items);
- To prevent fraud or other criminal activity in the context of product returns and/or refund transactions and/or to open a credit account;
- To record, retain or transmit information where required by law;
- To report information to consumer reporting agencies, financial institutions or debt collectors (where permitted under certain federal legislation); or
- To record, retain or transmit information by a covered entity under HIPAA.
It is important to note that if the retailer is scanning the card only for the purpose of verifying the card presenter’s identity or age (the first two items above), then the retailer cannot retain the information. Further, if permitted by the Act to store the data, retailers can only retain the following information from identification cards: name, address, date of birth, state issuing the card and card number.
Further, if information is permitted to be retained, the information must be securely stored; and if the retailer experiences a breach which allows the data to be compromised, then the breach must be reported to law enforcement and the impacted individual.
The Act prohibits retailers from selling or otherwise disseminating to any third party the information collected from these identification cards, including for marketing, advertising or promotional purposes.
Retailers who fail to comply with the Act face civil fines, and may be subject to private causes of action by persons whose information is misused or compromised.
Retailers that permissibly retain identification card information pursuant to the Act must be mindful that in addition to being subject to this Act, they are also subject to the privacy laws of New Jersey and/or other states that may have issued the identification cards from which data is being gathered. These statutes include specific mandates regarding how long such data can be retained, how such data must be destroyed and to whom, how and when notification must be provided in the event the systems retaining the gathered data are breached.
To understand the mandates of the various states’ statutes as well as federal privacy laws and regulations that may come to bear, we encourage retailers to contact us before they elect to scan and retain data from identification cards, even when otherwise permitted to do so under this Act.
[1] The Act broadly defines a retailer (or retail establishment) as any place of business where merchandise is exposed or offered for sale at retail to members of the consuming public.