In March 2016, the New Jersey Senate introduced a Bill that was unanimously approved on September 15, 2016, which restricts the collection and use of personal information by retailers for certain purposes. The Bill was modified and approved by the Assembly and Senate in June 2017. On July 21, 2017, Governor Chris Christie signed into law Senate Bill 1913, the Personal Information and Privacy Protection Act (the “Act”), which significantly restricts the collection and use of personal information by retail establishments. The Act, which becomes effective on October 1, 2017, significantly limits the purposes for which retail establishments may collect and use personal information, such as scanning a customer’s government-issued identification card. Retailers commonly scan customers’ identification cards to confirm the legitimacy of a credit card transaction or to ensure that a customer who may be attempting to purchase alcohol is at least 21 years of age.
Retailers are only permitted to collect a customer’s name, address, birth date, identification card number, and the jurisdiction that issued the customer’s identification card. Under the Act, a retailer is permitted to scan an identification card for the following eight purposes:
1. To verify the identity of a person or validity of an identification card if a person does not pay in cash, returns an item, or requests a refund or exchange;
2. To verify the age of someone seeking age-restricted goods or services;
3. To prevent fraudulent returns or exchanges if the business uses a “fraud prevention service company or system;”
4. To prevent fraud relating to a transaction to “open or manage a credit account;”
5. To “establish or maintain a contractual relationship;”
6. To “record, retain, or transmit information as required” by law;
7. To convey information to a financial institution, debt collector, or consumer reporting agency that will be used in accordance with the Fair Credit Reporting, Gramm-Leach-Bliley, or Fair Debt Collection Practices Acts; and
8. To “record, retain, or transmit information by a covered entity” governed by the Health Insurance Portability and Accountability Act.
If a retailer scans an identification card pursuant to one of the first two purposes above, the retailer is prohibited from retaining the data collected. A retailer may store data collected pursuant to the remaining six items enumerated above but the data must be “securely stored.” Note, retailers with a permissible use under the Act are strictly prohibited from the selling or disseminating customer information that is procured by scanned identification cards.
In the event of a data breach relating to customer personal identifying information, the Act requires retailers to report the breach to the New Jersey State Police and comply with the breach response guidelines provided under the New Jersey Identity Theft Prevention Law. The Act does not define what constitutes “secure” storage. However, New Jersey’s data breach notification laws provide that personal information that is encrypted or rendered unreadable is not generally subject to New Jersey’s Identity Theft Prevention Law’s breach response requirements. This is particularly relevant because the New Jersey Identity Theft Prevention Law is the only New Jersey statute which imposes an affirmative obligation on companies that possess or control customer personal identifying information. As such, encryption, or rendering data unreadable, may constitute “secure” storage for purposes of the Act. Retailers who violate the Act are subject to a $2,500 civil penalty for a first violation and a $5,000 civil penalty for every subsequent violation. Problematically, the Act does not state whether each instance of collection, retention or dissemination of information constitutes an individual violation. As such, it is unknown whether a penalty is imposed per identification card that is scanned or per prosecution for violating the Act.
Lastly, the Act creates a cause of action for any person “aggrieved by a violation,” which will allow such an aggrieved person to recover damages. This represents what appears to be the first law that allows customers to raise a private claim against a retailer for misuse or failure to reasonably protect personal data.
It is imperative that retailers review and modify their incident response plans as necessary in light of the expanded breach reporting obligations as well as assess the security that is used to secure customers’ information.
Peter Fu is an attorney in Cooper Levenson’s Business & Tax and Cyber Risk Management practice groups. He concentrates his practice on sales and use tax, enterprise risk management, and commercial transactions. Peter is licensed to practice law in New Jersey and Florida. Peter may be reached at 609.572.7556 or via e-mail at pfu@cooperlevenson.com.
Michael Salad is an attorney in Cooper Levenson’s Business & Tax and Cyber Risk Management practice groups. He concentrates his practice on estate planning, business transactions, mergers and acquisitions, tax matters and cyber risk management. Michael holds an LL.M. in Estate Planning and Elder Law. Michael is licensed to practice law in New Jersey, Florida and the District of Columbia. Michael may be reached at 609.572.7616 or via e-mail at msalad@cooperlevenson.com.
