February 5, 2023

Volume XIII, Number 36

Error message

  • Warning: Undefined variable $settings in include_once() (line 135 of /var/www/html/docroot/sites/default/settings.php).
  • Warning: Trying to access array offset on value of type null in include_once() (line 135 of /var/www/html/docroot/sites/default/settings.php).

February 03, 2023

Subscribe to Latest Legal News and Analysis

February 02, 2023

Subscribe to Latest Legal News and Analysis

New Jersey to Regulate Retailers’ Scanning or Swiping of Licenses and ID Cards

On October 1, New Jersey will join a growing number of states that regulate a retailer’s scanning or swiping of driver’s licenses or state-issued identification (ID) cards, including the storage of information that the retailer obtains. On July 21, New Jersey Governor Chris Christie signed the New Jersey Personal Information and Privacy Protection Act (PIPPA) into law. We take a look at PIPPA and highlights what this new law means for retailers with stores in New Jersey.

The New Law

PIPPA applies to retail establishments in New Jersey and limits the scanning of an ID card, except for specific purposes. Under PIPPA, retailers can only scan an ID card in order to do any of the following:

  1. Verify the authenticity of the ID card, or verify the identity of the person if the person pays with a method other than cash, returns an item, or requests a refund or exchange

  2. Verify age for age-restricted goods

  3. Prevent fraud or other criminal activity if the person returns an item or requests a refund or exchange, and the business uses a fraud prevention service company or system

  4. Prevent fraud or other criminal activity related to a credit transaction to open or manage a credit account

  5. Establish or maintain a contractual relationship

  6. Record, retain, or transmit information as required by federal or state law

  7. Transmit information to a consumer reporting agency, financial institution, or debt collector to be used as permitted under the Fair Credit Reporting Act, Gramm-Leach-Bliley Act, or Fair Debt Collection Practices Act, or as otherwise required by law

  8. Record, retain, or transmit information by a covered entity governed by the medical privacy and security rules under the Health Insurance Portability and Accountability Act (HIPAA)

For any of these purposes, a retailer may only collect name, address, date of birth, state of issuance, and ID card number. This means that if there is other information on the ID card (such as height, weight, eye color, and hair color), it may not be collected through the scan.

In addition to the scanning restrictions, PIPPA imposes fairly restrictive requirements on the types of information that the retailer can store. Information collected for the purposes of (1) and (2) above cannot be retained by the retailer or used for any purpose in the future. Any information collected pursuant to (3) through (8) above must be securely stored, and any security breach must be reported to state police and the individuals whose data was stolen.

Violations and Litigation Risks

Violations of the law can result in a civil penalty of $2,500 for a first violation and $5,000 for any subsequent violation, payable to the state. PIPPA also permits an action by “aggrieved” persons for actual damages. This means that PIPPA may be enforced through private right of action, class action, or a suit under the New Jersey Truth-in-Consumer Contract, Warranty, and Notice Act (which prohibits sellers from offering any contract or displaying any sign or notice that violates “clearly established” law). In addition, where a data breach results in theft of information stored from an ID card, there is also the risk that a retailer could face class action lawsuits alleging that it failed to “securely store” the data under PIPPA.

Practical Implications

Retailers doing business in New Jersey have just two months to comply with PIPPA before it goes into effect on October 1. Retailers that currently scan or swipe driver’s licenses or state-issued ID cards in their New Jersey stores should revisit their scanning policies and procedures to confirm that any scanning falls within one of PIPPA’s purposes described above. Retailers also should carefully evaluate what information is collected and stored from ID cards to confirm that they are in compliance with the new law.

Copyright © 2023 by Morgan, Lewis & Bockius LLP. All Rights Reserved.National Law Review, Volume VII, Number 214

About this Author

Gregory Parks, privacy and cybersecurity lawyer, Morgan Lewis

Gregory T. Parks counsels and defends retail companies and other consumer facing clients in matters related to privacy and cybersecurity, class actions and Attorney General actions, consumer protection laws, loyalty and gift card programs, retail operations, payment mechanisms, product liability, waste management, shoplifting prevention, compliance, antitrust, and commercial disputes. If it is important to a retail company, Greg makes it his business to know it. He handles all phases of litigation, trial, and appeal work arising from these and other areas. Greg is the co...

Kristin M. Hadgis, Morgan Lewis, Litigation attorney

Kristin M. Hadgis represents businesses in complex commercial, class action, retail, and product-related litigation in US state and federal courts, including appeals. She represents clients in a wide range of industries, including financial services, retail, pharmaceutical and medical device, with particular emphasis on the unique issues facing retailers and other consumer-facing companies. Kristin also focuses her practice on privacy and data security matters, and regularly advises and represents clients in connection with these issues.

Richard Rosenblatt, Morgan Lewis, employment litigation lawyer

Richard G. Rosenblatt has a diverse practice, handling wage and hour class and collective action matters, restrictive covenant and trade secrets litigation, employee benefits litigation, and a full panoply of discrimination, retaliation, contract and common law claims on behalf of employers in courts, arbitral tribunals and agencies around the US. He also represents and counsels employers on unfair labor practices, mass picketing, employment and severance agreements, and employee manuals and policies.

Drew Cleary Jordan, Morgan Lewis Law Firm, Litigation Lawyer

Drew Cleary Jordan is part of a team of litigation lawyers who provide services in a wide range of areas including business and corporate disputes, corporate investigations and criminal defense, environmental, international arbitration, patent and trademark, securities, toxic tort, and product liability. Prior to joining Morgan Lewis, Drew served as a law clerk to Judge Danny C. Reeves in the US District Court for the Eastern District of Kentucky for a two-year term.