On July 21, 2017, Governor Chris Christie signed the Personal Information Privacy and Protection Act (S-1913) (the “Act”) into law, further enhancing the protections afforded to consumers who make retail credit card purchases in New Jersey.  As technology has evolved, many retailers rely on electronic barcode scanners to review and capture information on customers’ driver’s licenses and other forms of identification.  The Act addresses these new technologies by:

  • Restricting the type of personal information that retailers may collect and retain from consumers’ identification cards to name, address, date of birth, identification card number, and the state in which the card was issued;
  • Limiting the purposes for which retailers may use personal information obtained from consumer identification cards (e.g. age verification);
  • Reiterating retailers’ breach reporting obligations under New Jersey’s breach notification law;
  • Requiring retailers to securely store the limited information they are permitted to retain after electronically scanning the bar codes on consumers’ identification cards; and
  • Prohibiting retailers from disclosing or selling such information to third parties unless otherwise permitted to do so by the statute.

The Act carries civil penalties of $2,500 for first-time offenders and $5,000 for repeat offenders.  In addition, the law allows consumers to bring a private right of action against retailers in connection with violations of the statute.  While retailers that simply “card” customers (e.g. manually view identification cards) are not subject to the Act, it is important to note that their data handling practices may trigger liability under other applicable state laws (e.g. data destruction laws).

The Personal Information Privacy and Protection Act, which becomes effective on October 1, 2017, represents an important step in protecting consumer information in the context of retail transactions.  First, the Act’s purpose limitation and security provisions will minimize the likelihood and impact of a data breach by substantially reducing the number of sensitive data elements that retailers collect, store, and transmit to third parties, and by requiring extra layers of security to protect the limited information retailers may now retain.  Second, by prohibiting the unauthorized sale of consumer information for marketing, advertising, or promotional activities, the Act will give consumers more control over their personal information.  As technological advances continue to impinge on the privacy rights of consumers, it is likely that other states will enact similar legislation to ensure that the use of emerging technologies does not allow businesses to capture and use consumer information in a manner that is inconsistent with the purposes for which such information was originally collected and communicated to consumers at the point of sale.