February 19, 2018

February 16, 2018

Subscribe to Latest Legal News and Analysis

New Jersey to Regulate Retailers’ Scanning or Swiping of Licenses and ID Cards

On October 1, New Jersey will join a growing number of states that regulate a retailer’s scanning or swiping of driver’s licenses or state-issued identification (ID) cards, including the storage of information that the retailer obtains. On July 21, New Jersey Governor Chris Christie signed the New Jersey Personal Information and Privacy Protection Act (PIPPA) into law. We take a look at PIPPA and highlights what this new law means for retailers with stores in New Jersey.

The New Law

PIPPA applies to retail establishments in New Jersey and limits the scanning of an ID card, except for specific purposes. Under PIPPA, retailers can only scan an ID card in order to do any of the following:

  1. Verify the authenticity of the ID card, or verify the identity of the person if the person pays with a method other than cash, returns an item, or requests a refund or exchange

  2. Verify age for age-restricted goods

  3. Prevent fraud or other criminal activity if the person returns an item or requests a refund or exchange, and the business uses a fraud prevention service company or system

  4. Prevent fraud or other criminal activity related to a credit transaction to open or manage a credit account

  5. Establish or maintain a contractual relationship

  6. Record, retain, or transmit information as required by federal or state law

  7. Transmit information to a consumer reporting agency, financial institution, or debt collector to be used as permitted under the Fair Credit Reporting Act, Gramm-Leach-Bliley Act, or Fair Debt Collection Practices Act, or as otherwise required by law

  8. Record, retain, or transmit information by a covered entity governed by the medical privacy and security rules under the Health Insurance Portability and Accountability Act (HIPAA)

For any of these purposes, a retailer may only collect name, address, date of birth, state of issuance, and ID card number. This means that if there is other information on the ID card (such as height, weight, eye color, and hair color), it may not be collected through the scan.

In addition to the scanning restrictions, PIPPA imposes fairly restrictive requirements on the types of information that the retailer can store. Information collected for the purposes of (1) and (2) above cannot be retained by the retailer or used for any purpose in the future. Any information collected pursuant to (3) through (8) above must be securely stored, and any security breach must be reported to state police and the individuals whose data was stolen.

Violations and Litigation Risks

Violations of the law can result in a civil penalty of $2,500 for a first violation and $5,000 for any subsequent violation, payable to the state. PIPPA also permits an action by “aggrieved” persons for actual damages. This means that PIPPA may be enforced through private right of action, class action, or a suit under the New Jersey Truth-in-Consumer Contract, Warranty, and Notice Act (which prohibits sellers from offering any contract or displaying any sign or notice that violates “clearly established” law). In addition, where a data breach results in theft of information stored from an ID card, there is also the risk that a retailer could face class action lawsuits alleging that it failed to “securely store” the data under PIPPA.

Practical Implications

Retailers doing business in New Jersey have just two months to comply with PIPPA before it goes into effect on October 1. Retailers that currently scan or swipe driver’s licenses or state-issued ID cards in their New Jersey stores should revisit their scanning policies and procedures to confirm that any scanning falls within one of PIPPA’s purposes described above. Retailers also should carefully evaluate what information is collected and stored from ID cards to confirm that they are in compliance with the new law.

Copyright © 2018 by Morgan, Lewis & Bockius LLP. All Rights Reserved.


About this Author


Gregory T. Parks is a partner in Morgan Lewis's Litigation Practice, with a focus on commercial, privacy and consumer matters for retailers, financial services organizations, and other businesses. Mr. Parks counsels and represents clients in a wide variety of matters, including consumer class actions, data privacy class actions, privacy and data security compliance, litigation involving retailers, disputes arising from mergers and acquisitions, contract and indemnification matters, and fraud lawsuits.

Kristin M. Hadgis, Morgan Lewis, Product Liability Litigation Lawyer, Government Investigations Attorney

Kristin M. Hadgis represents businesses in complex commercial, class action, retail, and product liability litigation in US state and federal courts, including appeals. She also advises clients that are the targets of government investigations and counsels them on risk management strategies. Although she has represented clients in many industries, much of Kristin’s work focuses on companies in the retail, financial services, pharmaceutical, and medical device industries.

In the healthcare industry, Kristin’s experience includes representing multinational pharmaceutical companies in attorney general litigation in state and federal courts, as well as in federal and state investigations, and defending a medical device manufacturer against product liability claims involving drug and insulin pumps and pacemakers. In the financial services sector, she has represented a national financial services company in consumer actions brought by state attorneys general and individuals, and a national insurance company in a federal investigation.

Richard G. Rosenblatt, Employers' Attorney, Morgan Lewis Law firm

Richard G. Rosenblatt is a partner in Morgan Lewis's Labor and Employment Practice with offices in both Princeton and Philadelphia. Mr. Rosenblatt's practice focuses on the representation of employers in a variety of labor and employment-related matters in state and federal courts, and before numerous state and federal agencies, including the Equal Employment Opportunity Commission, the National Labor Relations Board, the New Jersey Division on Civil Rights and the Pennsylvania Human Relations Commission. He also frequently handles labor arbitrations and workplace investigations.

Drew Cleary Jordan, Morgan Lewis Law Firm, Litigation Lawyer

Drew Cleary Jordan is part of a team of litigation lawyers who provide services in a wide range of areas including business and corporate disputes, corporate investigations and criminal defense, environmental, international arbitration, patent and trademark, securities, toxic tort, and product liability. Prior to joining Morgan Lewis, Drew served as a law clerk to Judge Danny C. Reeves in the US District Court for the Eastern District of Kentucky for a two-year term.

While attending Fordham University School of Law, Drew served as a notes and...