On October 1, New Jersey will join a growing number of states that regulate a retailer’s scanning or swiping of driver’s licenses or state-issued identification (ID) cards, including the storage of information that the retailer obtains. On July 21, New Jersey Governor Chris Christie signed the New Jersey Personal Information and Privacy Protection Act (PIPPA) into law. We take a look at PIPPA and highlights what this new law means for retailers with stores in New Jersey.

The New Law

PIPPA applies to retail establishments in New Jersey and limits the scanning of an ID card, except for specific purposes. Under PIPPA, retailers can only scan an ID card in order to do any of the following:

1. Verify the authenticity of the ID card, or verify the identity of the person if the person pays with a method other than cash, returns an item, or requests a refund or exchange

2. Verify age for age-restricted goods

3. Prevent fraud or other criminal activity if the person returns an item or requests a refund or exchange, and the business uses a fraud prevention service company or system

4. Prevent fraud or other criminal activity related to a credit transaction to open or manage a credit account

5. Establish or maintain a contractual relationship

6. Record, retain, or transmit information as required by federal or state law

7. Transmit information to a consumer reporting agency, financial institution, or debt collector to be used as permitted under the Fair Credit Reporting Act, Gramm-Leach-Bliley Act, or Fair Debt Collection Practices Act, or as otherwise required by law

8. Record, retain, or transmit information by a covered entity governed by the medical privacy and security rules under the Health Insurance Portability and Accountability Act (HIPAA)

For any of these purposes, a retailer may only collect name, address, date of birth, state of issuance, and ID card number. This means that if there is other information on the ID card (such as height, weight, eye color, and hair color), it may not be collected through the scan.

In addition to the scanning restrictions, PIPPA imposes fairly restrictive requirements on the types of information that the retailer can store. Information collected for the purposes of (1) and (2) above cannot be retained by the retailer or used for any purpose in the future. Any information collected pursuant to (3) through (8) above must be securely stored, and any security breach must be reported to state police and the individuals whose data was stolen.

Violations and Litigation Risks

Violations of the law can result in a civil penalty of $2,500 for a first violation and $5,000 for any subsequent violation, payable to the state. PIPPA also permits an action by “aggrieved” persons for actual damages. This means that PIPPA may be enforced through private right of action, class action, or a suit under the New Jersey Truth-in-Consumer Contract, Warranty, and Notice Act (which prohibits sellers from offering any contract or displaying any sign or notice that violates “clearly established” law). In addition, where a data breach results in theft of information stored from an ID card, there is also the risk that a retailer could face class action lawsuits alleging that it failed to “securely store” the data under PIPPA.

Practical Implications

Retailers doing business in New Jersey have just two months to comply with PIPPA before it goes into effect on October 1. Retailers that currently scan or swipe driver’s licenses or state-issued ID cards in their New Jersey stores should revisit their scanning policies and procedures to confirm that any scanning falls within one of PIPPA’s purposes described above. Retailers also should carefully evaluate what information is collected and stored from ID cards to confirm that they are in compliance with the new law.