NJ Seeks to Protect Consumer Data with Personal Information Privacy and Protection Act

Francis X. Riley, III
Saul Ewing LLP
Contact
LinkedIn
Facebook
X
Send
Embed

Saul Ewing LLP

Summary

A recently enacted New Jersey law restricts retailers from collecting and using personal information gleaned from driver’s licenses and other identification cards. The law, which will take effect October 1, 2017, is meant to crack down on the risk of data breaches and the sale of consumer information to marketers.

Under the Personal Information Privacy and Protection Act, retailers can only scan customers’ identification cards for certain purposes, including to verify the authenticity of the card or a consumer’s identity or age, and the information that they can collect from these scans is limited to the person’s name, address, date of birth, the state the identification card was issued in, and the identification card number. Additionally, the law requires retailers to securely store this data and report any security breaches in accordance with the state’s notification law, and prohibits them from sharing the information with marketers or other third parties that are unknown to consumers.

Retailers are still able to scan shoppers’ identification to verify their identity if the shopper is not paying with cash, or if they return an item or request a refund or exchange. They can also do so to verify consumers’ age when they’re purchasing age-restricted goods or services or in an attempt to prevent fraud or other criminal activity in the case of a merchandise return or exchange or in the context of a credit transaction to open or manage a credit account. Retailers can also scan IDs to record, retain or transmit information as required by state or federal law; to transmit information to a consumer reporting agency, financial institution or debt collector pursuant to laws such as the Fair Credit Reporting Act, Gramm-Leach Bliley Act, and the Fair Debt Collection Practices Act; to establish or maintain a contractual relationship; and to record, retain or transmit information by a covered entity governed by medical privacy and security rules. However, businesses cannot retain information related to how the person paid for the goods, if they returned an item or if they requested a refund, and they cannot store ages if an ID is scanned when purchasing an age-restricted item. Additionally, the limited information that retailers are allowed to retain from these scans must be “securely stored,” and any security breach of the information must be reported to any affected person and the New Jersey State Police.

Violation of the new law carries civil penalties of $2,500 for a first offense and $5,000 for any subsequent misstep. The Act allows for “any person aggrieved by a violation” to bring an action in Superior Court to recover damages.

 

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Saul Ewing LLP | Attorney Advertising

Written by:

Saul Ewing LLP
Saul Ewing LLP
Contact
more
less

PUBLISH YOUR CONTENT ON JD SUPRA NOW

  • Increased visibility
  • Actionable analytics
  • Ongoing guidance

Saul Ewing LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide