Oregon ID Scanner Privacy Law – House Bill 2371

4/17/2020

(See Link at the bottom for the entire act)

AN ACT Relating to privacy of identification documents.

Be It Enacted by the People of the State of Oregon:

SECTION 1.

The Legislative Assembly finds that:
(1) Oregon recognizes the importance of protecting the confidentiality and privacy of an individual′s personal information contained in driver licenses, driver permits and identification cards.
(2) Machine-readable features found on driver licenses, driver permits and identification cards are intended to facilitate verification of age or identity, not to facilitate collection of personal information about individuals nor to facilitate the creation of private databases of transactional information associated with those individuals.
(3) Easy access to the information found on driver licenses, driver permits and identification cards facilitates the crime of identity theft, which is a major concern in Oregon.

SECTION 2.

(1) As used in this section:(a) “Driver license” means a license or permit issued by this state or any other jurisdiction as evidence of a grant of driving privileges.(b) “Identification card” means the card issued under ORS 807.400 or a comparable provision in another state.(c) “Personal information” means an individual′s name, address, date of birth, photograph, fingerprint, biometric data, driver license number, identification card number or any other unique personal identifier or number.(d) “Private entity” means any nongovernmental entity, such as a corporation, partnership, company or nonprofit organization, any other legal entity or any natural person.(e) “Swipe” means the act of passing a driver license or identification card through a device that is capable of deciphering, in an electronically readable format, the information electronically encoded in a magnetic strip or bar code on the driver license or identification card.

(2) Except as provided in subsection (6) of this section, a private entity may not swipe an individual′s driver license or identification card, except for the following purposes:
(a) To verify the authenticity of a driver license or identification card or to verify the identity of the individual if the individual pays for a good or service with a method other than cash, returns an item or requests a refund.
(b) To verify the individual′s age when providing an age-restricted good or service to any person about whom there is any reasonable doubt of the person′s having reached 21 years of age.
(c) To prevent fraud or other criminal activity if an individual returns an item or requests a refund and the private entity uses a fraud prevention service company or system.
(d) To transmit information to a check services company for the purpose of approving negotiable instruments, electronic funds transfers or similar methods of payment.

3) A private entity that swipes an individual′s driver license or identification card under subsection (2)(a) or (b) of this section may not store, sell or share personal information collected from swiping the driver license or identification card.

(4) A private entity that swipes an individual′s driver license or identification card under subsection (2)(c) or (d) of this section may store or share the following information collected from swiping an individual’s driver license or identification card for the purpose of preventing fraud or other criminal activity against the private entity:
(a) Name;
(b) Address;
(c) Date of birth; and
(d) Driver license number or identification card number.

(5)(a) A person other than an entity regulated by the federal Fair Credit Reporting Act, 15 U.S.C. 1681 et seq., who receives personal information from a private entity under subsection (4) of this section may use the personal information received only to prevent fraud or other criminal activity against the private entity that provided the personal information.

(b) A person who is regulated by the federal Fair Credit Reporting Act and who receives personal information from a private entity under subsection (4) of this section may use or provide the personal information received only to effect, administer or enforce a transaction or prevent fraud or other criminal activity, if the person provides or receives personal information under contract from the private entity.

(6)(a) Subject to the provisions of this subsection, a private entity that is a commercial radio service provider that provides service nationally and that is subject to the Telephone Records and Privacy Protection Act of 2006 (18 U.S.C. 1039) may swipe an individual’ driver license or identification card if the entity obtains permission from the individual to swipe the individual′s driver license or identification card.

(b) The private entity may swipe the individual′s driver license or identification card only for the purpose of establishing or maintaining a contract between the private entity and the individual. Information collected by swiping an individual′s driver license or identification card for the establishment or maintenance of a contract shall be limited to the following information from the individual:
(A) Name;
(B) Address;
(C) Date of birth; and
(D) Driver license number or identification card number.

(c) If the individual does not want the private entity to swipe the individual′s driver license or identification card, the private entity may manually collect the following information from the individual:

(A) Name;
(B) Address;
(C) Date of birth; and
(D) Driver license number or identification card number.

(d) The private entity may not withhold the provision of goods or services solely as a result of the individual requesting the collection of the following information from the individual through manual means:
(A) Name;
(B) Address;
(C) Date of birth; and
(D) Driver license number or identification card number.

(7) A governmental entity may swipe an individual′s driver license or identification card only if:
(a) The individual knowingly makes the driver license or identification card available to the governmental entity;
(b) The governmental entity lawfully confiscates the driver license or identification card;
(c) The governmental entity is providing emergency assistance to the individual who is unconscious or otherwise unable to make the driver license or identification card available;
or
(d) A court rule requires swiping of the driver license or identification card to facilitate accurate linking of court records pertaining to the individual.

(8) In addition to any other remedy provided by law, an individual may bring an action to recover actual damages or $1,000, whichever is greater, and to obtain equitable relief, if equitable relief is available, against an entity that swipes, stores, shares, sells or otherwise uses the individual′s personal information in violation of this section. A court shall award a prevailing plaintiff reasonable costs and attorney fees. If a court finds that a violation of this section was willful or knowing, the court may increase the amount of the award to no more than three times the amount otherwise available.

(9)Any waiver of a provision of this section is contrary to public policy and is void and unenforceable.
Passed by House April 14, 2009
Repassed by House June 15, 2009

…………………………………………………………………..
Secretary of State
Enrolled House Bill 2371 (HB 2371-B)
https://olis.leg.state.or.us/liz/2009R1/Downloads/MeasureDocument/HB2371/Enrolled

 

 

The act can be found at https://olis.leg.state.or.us/liz/2009R1/Downloads/MeasureDocument/HB2371/Enrolled 

Should the link not be active, a hard copy can be of the current act (4/20/2020) can also be uploaded HERE.

Return to Summary of States with ID Scanner Affirmative Defense

?>
Shopping cart0
There are no products in the cart!
Continue shopping
0