On July 21, New Jersey Governor Chris Christie signed into law the Personal Information Privacy Protection Act (PIPPA) (S. 1913), which limits the circumstances under which “retail establishments” (retailers) can collect and use information obtained by scanning the state-issued identification cards of customers.
The new law limits the ability of retailers to scan the barcode or other machine-readable section of a customer’s ID to the following eight purposes:
-
To verify the authenticity of the card or the identity of the person;
-
To verify age when providing age-restricted goods and services;
-
To prevent fraud or other criminal activity if the person returns an item or requests a refund or an exchange;
-
To prevent fraud or other criminal activity related to a credit transaction to open or manage a credit account;
-
To establish or maintain a contractual relationship;
-
To record, retain, or transmit information as required by law;
-
To transmit information to a consumer reporting agency, financial institution, or debt collector; and
-
To record, retain, or transmit information by a covered entity governed by the medical privacy and security rules under the Health Insurance Portability and Accountability Act.
The new law limits the types of information that retailers may collect when scanning pursuant to one of these eight purposes to the customer’s name, address, date of birth, the state issuing the ID, and the ID card number. Moreover, retailers are prohibited from retaining information gathered pursuant to purposes 1 and 2 (verification of authenticity and age). Information collected pursuant to the other authorized purposes must be “securely stored,” and any breach must be reported to state police and to affected individuals (in accordance with New Jersey’s data breach notification law). Finally, retailers are prohibited from selling or disseminating information collected through scanning of IDs to any third party, except as permitted by the statute.
The plain language of the statute limits the scope of PIPPA to the “scanning” of state-issued identification cards, and “scanning” is defined as accessing “the barcode or any other machine-readable section of a person’s identification card with an electronic device capable of deciphering, in an electronically readable format, information electronically encoded on the identification card.” The term “retail establishments” is not defined.
The law is scheduled to take effect on October 1, 2017.