On July 21, 2017, New Jersey Governor Chris Christie signed into law a bill that places new restrictions on retailers’ collection and use of information obtained when a customer’s identification (ID) card is scanned. The Personal Information and Privacy Protection Act (the Act), which we previously analyzed as a bill, takes effect on October 1, 2017, and permits retailers to scan a person’s ID card for the following limited purposes:
- To verify the authenticity of the ID card or the identity of the person if the person (1) is paying for goods or services by a method other than cash, (2) is returning an item, or (3) requests a refund or exchange;
- To verify the person’s age when providing age-restricted goods or services;
- To prevent fraud or other criminal activity if the person returns an item or requests a refund or an exchange and the business uses a fraud prevention service;
- To prevent fraud or other criminal activity related to a credit transaction to open or manage a credit account;
- To establish or maintain a contractual relationship;
- To record, retain, or transmit information as required by state or federal law;
- To transmit information to a consumer reporting agency, financial institution, or debt collector, to be used as permitted by the Fair Credit Reporting Act, Gramm-Leach-Bliley Act, or the Fair Debt Collections Practices Act; and
- To record, retain or transmit information by a covered entity governed by HIPAA.
Significantly, the Act prohibits retailers from selling or disseminating to third parties the information that they obtain from scanning ID cards, for almost any purpose, including marketing, advertising or promotional activities. The one exception to this rule is where a retailer’s automated return fraud system issues a reward coupon to a loyal customer. We note the Act does not explain what an automated return fraud system is; thus, retailers should assess the extent to which they collect information from scanning ID cards and ensure that such information is excluded from what is shared with third parties.
The Act also prohibits retailers from saving the scanned information when it is used solely to (1) verify the authenticity of the ID card, (2) verify the identity of a person who is making a non-cash payment, is returning an item, or is seeking a refund or exchange, or (3) verify a person’s age in an age-restricted transaction.
If any of the scanned information is saved, it must be “securely stored.” Although the Act does not define “secure” storage, the New Jersey Identity Theft Prevention Act (N.J.S.A. 56:8-161 et seq.) (N.J. ID Theft Law) provides some guidance. Under that statute, the unauthorized access of personal information is not considered a “breach” where the information is encrypted or rendered unreadable (N.J.S.A. 56:8-161). This suggests that at minimum, secure storage might require encrypting the scanned information, using some other technology to render it unreadable, or anonymizing it so that it is disassociated from any person.
The Act also covers data breach reporting requirements. It requires retailers to “promptly” report any breach of the security of the scanned information to the New Jersey State Police and any “affected persons” in accordance with the N.J. ID Theft Law, which already includes a reporting obligation to the State Police any time a business must notify a New Jersey resident of a breach of his or her personal information. While the Act does not define “prompt” reporting, the timing for reporting breaches of scanned information likely mirrors the requirement imposed by the N.J. ID Theft Law — the most expedient time possible without unreasonable delay (N.J.S.A. 56:8-163).
The Act also expands the scope of information subject to breach reporting obligations. The existing N.J. ID Theft Law limits the “personal information” that triggers reporting obligations, if breached, to “an individual’s first name or first initial and last name linked with any one or more of the following data elements: (1) Social Security number; (2) driver’s license number or state identification card number; or (3) account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account” (N.J.S.A. 56:8-161). The Act similarly includes the person’s name, the state issuing the ID card, and the ID card number, but also adds the person’s address and date of birth.
The Act provides for $2,500 in penalties for the first violation and $5,000 for any subsequent action, and expressly permits a private right of action. There is no cap on penalties.
Retailers who do business in New Jersey should evaluate their compliance with the Act’s new requirements well in advance of October 1, 2017, when the law takes effect. It is unclear if the Act applies solely to retailers who have brick and mortar stores in New Jersey. The Act refers to “retail establishments” but does not define what a retail establishment is. But because the Act addresses scanning ID cards, it is hard to imagine how ID cards could be scanned anywhere else but a physical location. Evaluating compliance includes: (1) evaluating the extent to which they scan customers’ ID cards and whether and to what extent the scanned information is saved, (2) ensuring that they do not share information scanned from customers’ ID cards with third parties, (3) evaluating the security used (including encryption, redaction, anonymization, and other physical, technical and administrative safeguards) to protect such information, if any is stored, and (4) evaluating their incident response programs for expansion of breach reporting obligations, particularly in light of the expanded scope of personal information imposed by the new law.
If you have questions about your incident response plan or how to evaluate your business’ security programs and procedures, please contact Cinthia Motley, 312-849-1972, firstname.lastname@example.org or Nora Wetzel, 415-627-3478, email@example.com.