New Jersey passed the Personal Information and Privacy Protection Act (S-1913) on July 21, 2017. New Jersey’s law generally aligns with about a third of other states that have such laws, limiting the purposes for which a retailer may scan identification cards and the type of information it may retain from them. It goes further in specifying data storage requirements and requiring notification directly to the consumer when ID information is compromised.

Permissible uses

As of October 1, 2017, retailers will only be permitted to scan customers’ driver’s licenses or other identification cards for specific purposes and can only collect certain data from those scans.

Retailers may scan ID cards to:

  • verify authenticity of the card
  • verify identity of the person if the person does not pay with cash, returns an item, or requests a refund or exchange
  • verify a customer’s age when buying age-restricted goods or services
  • prevent fraud or other criminal activity if the person returns an item or requests a refund or an exchange and the business uses a fraud prevention service company or system.

Additional permitted uses pertain to retailers’ state and federal reporting requirements, including transmitting information to a consumer reporting agency, financial institution or debt collector under the various federal credit statutes, and to an entity as permitted under HIPAA.

Note: This article is only a reference, and you should consult local legal counsel before scanning driver’s licenses in your state. This information is not intended to serve as legal advice.

Limits on data

When scanning, retailers may only collect the person’s name, address, date of birth, the state issuing the identification card, and the identification card number.

The legislation also imposes new restrictions on the retention, storage, and dissemination of information gathered through ID scans. Retailers are prohibited from retaining customer information when a customer pays with a method other than cash, returns an item or requests a refund or exchange, or purchases age-restricted goods or services. For any permitted retention of identification card data, retailers are required to “securely store” this data, report any security breaches to the Division of State Police in the Department of Law and Public Safety, and notify “any affected person.” Retailers are further barred from selling or disseminating this information for any purpose, including marketing and advertising. Retailers that violate the law face fines as well as the potential for lawsuits brought by “any person aggrieved by a violation.”