On July 21, 2017, New Jersey adopted the “Personal Information and Privacy Protection Act.”
According to the law, retailers may scan an ID card only under certain circumstances. By “scanning” the law means to access the barcode or any other machine-readable section of the card “with an electronic device capable of deciphering, in an electronically readable format, information electronically encoded on the identification card.”
The Act provides a list of allowed purposes, which include:
(1) to verify the identification card’s authenticity or the identity of the person (allowed only if the person pays with a method other than cash, returns an item, or requests a refund or an exchange);
(2) to verify the person’s age when required by law;
(3) to prevent fraud or other criminal activity;
(4) to establish or maintain a contractual relationship;
(5) to record, retain, or transmit information as required by State or federal law;
(6) to transmit information to a consumer reporting agency, financial institution, or debt collector; or
(7) to record, retain, or transmit information by a covered entity governed by the applicable medical privacy and security rules.
Even if the retailer is authorized to scan the card, the information collected shall be limited to the person’s name, address, date of birth, the State issuing the identification card, and identification card number.
In any event, the retailer shall never retain information obtained pursuant to points (1) and (2) above. The Act doesn’t specify after how long an information is deemed “retained”.
The information retained shall be securely stored, and any security breach promptly reported.
The Act expressly prohibits retailers to transfer the information to any third party.
Finally, the Act creates a private right of action for damages and establishes a civil penalty of $2,500 for a first violation and $5,000 for any subsequent violation.