Bill Stems from Concerns About Information Collected When Driver’s License is Scanned
Legislation sponsored by Assembly Democrats Joseph Lagana and Paul Moriarty to help protect sensitive consumer information was signed into law on Friday.
The law (S-1913/A-2794), called the “Personal Information and Privacy Protection Act,” was prompted by recent reports about the personal information that is collected when a driver’s license is scanned and how businesses use and store that information.
“Consumers should not have to worry about their personal information possibly ending up in the wrong hands every time they go shopping,” said Lagana (D-Bergen/Passaic). “Technological advances have made it harder to protect our privacy. This law will help ensure that businesses are only scanning driver’s licenses under certain circumstances and that only certain information is stored.”
“As consumers, we often hand over personal information without thinking twice about what it’s being used for, or worse, how it can be used against us,” said Moriarty (D-Camden/Gloucester). “This law helps give consumers more control over their personal information, while allowing companies to collect just enough information to complete transactions and prevent fraudulent activity.”
The law restricts the way retail establishments may collect and use the personal information contained in the electronic data embedded in identification cards, such as driver’s licenses.
Businesses commonly engage in the practice of scanning the barcodes on identification cards for purposes of verifying the authenticity of the card, verifying a consumer’s age and identity and preventing fraudulent merchandise return practices. Current identity theft law only provides that a consumer and the state police must be notified in the case of a security breach related to a computerized record of personal information.
As amended, the law allows a retail establishment to scan a person’s identification card to prevent fraud or other criminal activity related to a credit transaction to open or manage a credit account.
The law sets forth the purposes for which identification cards may be scanned by retail establishments and describes the information that may be gathered by scanning. Under the law, a retail establishment may scan a person’s identification card only for the following purposes:
– to verify the authenticity of the card or to verify the identity of a person if he or she pays for goods or services with a method other than cash, returns an item or requests a refund or an exchange;
– to verify the person’s age when providing age-restricted goods or services;
– to prevent fraud or other criminal activity in the case of merchandise return or exchange via a fraud prevention service company or system;
– to establish or maintain a contractual relationship;
– to record, retain or transmit information as required by state or federal law;
– to transmit information to a consumer reporting agency, financial institution or debt collector to be used as permitted by federal law; or
– to record, retain or transmit information by a covered entity governed by medical privacy and security rules established pursuant to federal law.
Information that may be collected is limited to the person’s name, address, date of birth, the state of issuance and the identification card number. The law also specifies that any information collected, which may be retained by a retail establishment, must be securely stored and any security breach of the information must be reported to any affected person and the state police in accordance with current law.
A violation of the law’s provisions would result in a civil penalty of $2,500 for a first offense and $5,000 for any subsequent offense. Additionally, the law provides that any person aggrieved by a violation may bring an action in Superior Court to recover damages.