Permissible uses
As of October 1, 2017, retailers will only be permitted to scan customers’ drivers’ licenses or other identification cards for specific purposes and can only collect certain data from those scans.
Retailers may scan ID cards to:
- verify authenticity of the card
- verify identity of the person if the person does not pay with cash, returns an item, or requests a refund or exchange
- verify a customer’s age when buying age-restricted goods or services
- prevent fraud or other criminal activity if the person returns an item or requests a refund or an exchange and the business uses a fraud prevention service company or system.
Additional permitted uses pertain to retailers’ state and federal reporting requirements, including transmitting information to a consumer reporting agency, financial institution or debt collector under the various federal credit statutes, and to an entity as permitted under HIPAA.
Note: This article is only a reference and you should consult local legal console before scanning drivers licenses in your state. This information intended to serve as legal advice.
Limits on data
When scanning, retailers may only collect the person’s name, address, date of birth, the state issuing the identification card, and the identification card number.
The legislation also imposes new restrictions on the retention, storage, and dissemination of information gathered through ID scans. Retailers are prohibited from retaining customer information when a customer pays with a method other than cash, returns an item or requests a refund or exchange, or when purchasing age-restricted goods or services. For any permitted retention of identification card data, retailers are required to “securely store” this data and report any security breaches to the Division of State Police in the Department of Law and Public Safety, as well as notify “any affected person.” Retailers are further barred from selling or disseminating this information for any purpose, including marketing and advertising. Retailers that violate the law face fines as well as the potential for lawsuits brought by “any person aggrieved by a violation.”
The above text was sourced from https://www.consumerproductslawblog.com/2017/08/new-jersey-passes-new-drivers-license-swiping-law/
The text below was sourced from https://legiscan.com/NJ/text/S1913/id/1419389
SENATE, No. 1913
STATE OF NEW JERSEY
217th LEGISLATURE
INTRODUCED MARCH 10, 2016
Sponsored by: Senator DAWN MARIE ADDIEGO District 8 (Atlantic, Burlington and Camden)
Co-Sponsored by: Senator Beck
SYNOPSIS
“Personal Information and Privacy Protection Act”; restricts collection and use of personal information by retail establishments for certain purposes.
CURRENT VERSION OF TEXT
As reported by the Senate Community and Urban Affairs Committee on June 16, 2016, with amendments.
An Act concerning the collection of certain personal information and supplementing Title 56 of the Revised Statutes.
Be It Enacted by the Senate and General Assembly of the State of New Jersey:
- This act shall be known and may be cited as the “Personal Information and Privacy Protection Act.”
- a. For the purposes of this section:
“Identification card” means a driver’s license, issued pursuant to R.S.39:3-10, a probationary license, issued pursuant to section 4 of P.L.1950, c.127 (C.39:3-13.4), a non-driver photo identification card, issued pursuant to section 2 of P.L.1980, c.47 (C.39:3-29.3), or any similar card issued by another state or the District of Columbia for purposes of identification or permitting its holder to operate a motor vehicle.
“Scan” means to access the barcode or any other machine-readable section of a person’s identification card with an electronic device capable of deciphering, in an electronically readable format, information electronically encoded on the identification card.
- A retail establishment shall scan a person’s identification card only for the following purposes:
(1) to verify the authenticity of the identification card or to verify the identity of the person if the person pays for goods or services with a method other than cash, returns an item, or requests a refund or an exchange;
(2) to verify the person’s age when providing age-restricted goods or services to the person;
(3) to prevent fraud or other criminal activity if the person returns an item or requests a refund or an exchange and the business uses a fraud prevention service company or system;
(4) to establish or maintain a contractual relationship;
(5) to record, retain, or transmit information as required by State or federal law;
(6) to transmit information to a consumer reporting agency, financial institution, or debt collector to be used as permitted by the federal “Fair Credit Reporting Act,” 15 U.S.C. s.1681 et seq., “Gramm-Leach-Bliley Act,” 15 U.S.C. s.6801 et seq., and the “Fair Debt Collection Practices Act,” 15 U.S.C. s.1692 et seq.; or
(7) to record, retain, or transmit information by a covered entity governed by the medical privacy and security rules pursuant to Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the “Health Insurance Portability and Accountability Act of 1996,” Pub.L.104-191.
c. Information collected by scanning a person’s identification card pursuant to subsection b. of this section shall be limited to the person’s name, address, date of birth, 1the State issuing the identification card,1 and identification card number.
d. (1) No retail establishment shall retain information obtained pursuant to paragraphs (1) and (2) of subsection b. of this section.
(2) Any information retained by a retail establishment pursuant to paragraphs (3) through (7) of subsection b. of this section shall be securely stored, and any breach of the security of the information shall be promptly reported to the Division of State Police in the Department of Law and Public Safety and any affected person, in accordance with section 12 of P.L.2005, c.226 (C.56:8-163).
(3) No retail establishment shall sell or disseminate to a third party any information obtained pursuant to this section for any purpose, including marketing, advertising, or promotional activities, except dissemination as permitted by paragraphs (3) through (7) of subsection b. of this section 1; provided, however, that nothing in this subsection shall be construed to prevent an automated return fraud system from issuing a reward coupon to a loyal customer1.
- a. Any person who violates the provisions of this act shall be subject to a civil penalty of $2,500 for a first violation and $5,000 for any subsequent violation. The penalty prescribed in this section shall be collected in a civil action by a summary proceeding pursuant to the “Penalty Enforcement Law of 1999,” P.L.1999, c.274 (C.2A:58-10 et seq.).
b. In addition to the penalties described in this section, any person aggrieved by a violation of this act may bring an action in Superior Court to recover damages.
- This act shall take effect on the first day of the third month next following the date of enactment.
Note: This article is only a reference and you should consult local legal console before scanning drivers licenses in your state. This information intended to serve as legal advice.