ASSEMBLY, No. 2794

STATE OF NEW JERSEY

217th LEGISLATURE

 

INTRODUCED FEBRUARY 8, 2016

Sponsored by:

Assemblyman  JOSEPH A. LAGANA

District 38 (Bergen and Passaic)

Assemblyman  PAUL D. MORIARTY

District 4 (Camden and Gloucester)

 

Co-Sponsored by:

Assemblywoman Rodriguez-Gregg and Assemblyman Howarth

SYNOPSIS

     “Personal Information and Privacy Protection Act”; restricts collection and use of personal information by retail establishments for certain purposes.

 

CURRENT VERSION OF TEXT

     As introduced.

  


An Act concerning the collection of certain personal information and supplementing Title 56 of the Revised Statutes.

 

     Be It Enacted by the Senate and General Assembly of the State of New Jersey:

 

     1.    This act shall be known and may be cited as the “Personal Information and Privacy Protection Act.”

 

     2.    a.  For the purposes of this section:

     “Identification card” means a driver’s license, issued pursuant to R.S.39:3-10, a probationary license, issued pursuant to section 4 of P.L.1950, c.127 (C.39:3-13.4), a non-driver photo identification card, issued pursuant to section 2 of P.L.1980, c.47 (C.39:3-29.3), or any similar card issued by another state or the District of Columbia for purposes of identification or permitting its holder to operate a motor vehicle.

     “Scan” means to access the barcode or any other machine-readable section of a person’s identification card with an electronic device capable of deciphering, in an electronically readable format, information electronically encoded on the identification card.

     b.    A retail establishment shall scan a person’s identification card only for the following purposes:

     (1)   to verify the authenticity of the identification card or to verify the identity of the person if the person pays for goods or services with a method other than cash, returns an item, or requests a refund or an exchange;

     (2)   to verify the person’s age when providing age-restricted goods or services to the person;

     (3)   to prevent fraud or other criminal activity if the person returns an item or requests a refund or an exchange and the business uses a fraud prevention service company or system;

     (4)   to establish or maintain a contractual relationship;

     (5)   to record, retain, or transmit information as required by State or federal law;

     (6)   to transmit information to a consumer reporting agency, financial institution, or debt collector to be used as permitted by the federal "Fair Credit Reporting Act," 15 U.S.C. s.1681 et seq., “Gramm-Leach-Bliley Act,” 15 U.S.C. s.6801 et seq., and the "Fair Debt Collection Practices Act," 15 U.S.C. s.1692 et seq.; or

     (7)   to record, retain, or transmit information by a covered entity governed by the medical privacy and security rules pursuant to Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the “Health Insurance Portability and Accountability Act of 1996,” Pub.L.104-191.

     c.     Information collected by scanning a person’s identification card pursuant to subsection b. of this section shall be limited to the person’s name, address, date of birth, and identification card number.

     d.    (1) No retail establishment shall retain information obtained pursuant to paragraphs (1) and (2) of subsection b. of this section.

     (2)   Any information retained by a retail establishment pursuant to paragraphs (3) through (7) of subsection b. of this section shall be securely stored, and any breach of the security of the information shall be promptly reported to the Division of State Police in the Department of Law and Public Safety and any affected person, in accordance with section 12 of P.L.2005, c.226 (C.56:8-163).

     (3)   No retail establishment shall sell or disseminate to a third party any information obtained pursuant to this section for any purpose, including marketing, advertising, or promotional activities, except dissemination as permitted by paragraphs (3) through (7) of subsection b. of this section.

 

     3.    a.  Any person who violates the provisions of this act shall be subject to a civil penalty of $2,500 for a first violation and $5,000 for any subsequent violation.  The penalty prescribed in this section shall be collected in a civil action by a summary proceeding pursuant to the "Penalty Enforcement Law of 1999," P.L.1999, c.274 (C.2A:58-10 et seq.). 

     b.    In addition to the penalties described in this section, any person aggrieved by a violation of this act may bring an action in Superior Court to recover damages.

 

     4.    This act shall take effect on the first day of the third month next following the date of enactment.

 

 

STATEMENT

 

      This bill establishes the “Personal Information and Privacy Protection Act” (PIPPA).  The bill places restrictions on the way retail establishments may collect and use the personal information contained in the electronic data embedded in identification cards, such as driver’s licenses.

Businesses commonly engage in the practice of “scanning” the barcodes on identification cards for the purposes of verifying the authenticity of the card, verifying a consumer’s age and identity, and preventing fraudulent merchandise return practices. Current identity theft law only provides that a consumer and the State Police must be notified in the case of a security breach related to a computerized record of personal information.

This bill sets forth the purposes for which identification cards may be scanned by retail establishments and describes the information that may be gathered by scanning. Under the bill, a retail establishment may scan a person’s identification card only for the following purposes:

      (1)  to verify the authenticity of the card or to verify the age or identity of the person in certain circumstances;

      (2)  to prevent fraud or other criminal activity, in the case of merchandise return or exchange, via a fraud prevention service company or system;

      (3)  to establish or maintain a contractual relationship; 

      (4)  to record, retain, or transmit information as required by State or federal law;

      (5)  to transmit information to a consumer reporting agency, financial institution, or debt collector to be used as permitted by federal law; or

      (6)  to record, retain, or transmit information by a covered entity governed by medical privacy and security rules established pursuant to federal law.

      Information that may be collected is limited to the person’s name, address, date of birth, and identification card number. The bill also specifies that any information collected, which is permitted to be retained by a retail establishment, must be securely stored and any security breach of the information must be reported to any affected person and the State Police in compliance with current law.

     A violation of the amended bill’s provisions will result in a civil penalty of $2,500 for a first offense and $5,000 for any subsequent offense. Additionally, the bill provides that any person aggrieved by a violation may bring an action in Superior Court to recover damages.