In enacting the Personal Information and Privacy Protection Act (S-1913), New Jersey joins a growing minority of states with so-called “swipe laws.” New Jersey’s law generally aligns with swipe laws in the approximately one-third of other states with such laws, limiting the purposes and type of information a retailer may scan and retain from identification cards. However, New Jersey goes a step further than most in specifying data storage requirements and requiring notification directly to the consumer when ID information is compromised.
As of October 1, 2017, retailers will only be permitted to scan customers’ drivers’ licenses or other identification cards for specific purposes and can only collect certain data from those scans.
Retailers may scan ID cards to:
- verify authenticity of the card
- verify identity of the person if the person does not pay with cash, returns an item, or requests a refund or exchange
- verify a customer’s age when buying age-restricted goods or services
- prevent fraud or other criminal activity if the person returns an item or requests a refund or an exchange and the business uses a fraud prevention service company or system.
Additional permitted uses pertain to retailers’ state and federal reporting requirements, including transmitting information to a consumer reporting agency, financial institution or debt collector under the various federal credit statutes, and to an entity as permitted under HIPAA.
Limits on data
When scanning, retailers may only collect the person’s name, address, date of birth, the state issuing the identification card, and the identification card number.
The legislation also imposes new restrictions on the retention, storage, and dissemination of information gathered through ID scans. Retailers are prohibited from retaining customer information when a customer pays with a method other than cash, returns an item or requests a refund or exchange, or when purchasing age-restricted goods or services. For any permitted retention of identification card data, retailers are required to “securely store” this data and report any security breaches to the Division of State Police in the Department of Law and Public Safety, as well as notify “any affected person.” Retailers are further barred from selling or disseminating this information for any purpose, including marketing and advertising. Retailers that violate the law face fines as well as the potential for lawsuits brought by “any person aggrieved by a violation.”