If you are a retailer with locations in New Jersey, you will need to review your procedures in anticipation of a new law effective October 1, 2017.
New Jersey Governor Chris Christie has signed the Personal Information Privacy and Protection Act (we can now add #PIPPA to the alphabet soup of privacy acronyms...), which limits the ability of retailers to collect PII scanned from customer driver's licenses and identification cards and restricts the usage of any PII collected for the purposes identified in the Act.
In recent years, retailers have commonly adopted the practice of scanning the barcodes on customer ID cards to verify the authenticity of an ID presented, to verify identity when credit cards are used, or to prevent and control fraudulent merchandise return practices (or to identify consumers who abuse return policies).
Under PIPPA, retailers will only be permitted to scan ID cards to:
- Verify the card's authenticity or the person's identity, if the customer pays for goods or services with a method other than cash; returns an item; or requests a refund or exchange.
- Verify the customer's age when providing age-restricted goods or services to the customer.
- Prevent fraud or other criminal activity if the person returns an item or requests a refund or an exchange and the retailer uses a fraud prevention company or service.
- Establish or maintain a contractual relationship.
- Record, retain, or transmit information as required by state or federal law.
- Transmit information to a consumer reporting agency, financial institution, or debt collector to be used as permitted by federal laws, including the Fair Credit Reporting Act, Gramm-Leach-Bliley Act, and Fair Debt Collection Practices Act.
- Record, retain, or transmit information by a covered entity under HIPAA and related regulations.
PIPPA prohibits retailers from sharing the information with marketers or other third parties that are unknown to consumers. It is unlikely that an online privacy notice describing sharing of scanned ID information with third parties would comply with PIPPA. In-store notice of any such practices will likely be required.
The big "however" in this legislation is the restrictions on retention of the information when collected for the permitted purposes. Under PIPPA, businesses cannot retain information related to how the customer paid for the goods, whether the customer returned an item or requested a refund, and cannot store ages. Retailers will only be permitted to collect the customer's name, address, and date of birth; the issuing state; and the ID card number. Any of this information collected from scanned ID cards is required to be "securely stored," and PIPPA makes it clear that any security breach of this information is subject to New Jersey's data breach notification law and must be reported to any affected individual and the New Jersey State Police.
And there are penalties. PIPPA provides civil penalties of $2,500 for a first offense, and $5,000 for any subsequent offenses. Further, the law allows for "any person aggrieved by a violation" to bring an action in NJ Superior Court to recover damages.