Can you scan an ID in New Jersey?
New Jersey law governs a retailer’s ability to scan IDs and to retain information obtained from a scan.
Overview of New Jersey ID Scanning Laws
A retailer can scan IDs only for the following purposes:
- To verify the authenticity of an ID or the identity of a person if the person (a) pays for goods/services with a method other than cash, (b) returns an item, or (c) requests a refund/exchange.
- To verify the person’s age in providing age-restricted goods/services.
- To prevent fraud/criminal activity if the person returns an item or requests a refund/exchange and the retailer uses a fraud prevention service company/system.
- To prevent fraud/criminal activity related to opening/managing a credit account.
- To establish/maintain a contractual relationship.
- To record/retain/transmit information required by laws.
- To transmit information to credit reporting agencies/financial institutions/debt collection agencies.
- For HIPAA purposes.
Scanning must be limited to the following information: name, address, date of birth, issuing state, and ID number. Information scanned via (1) or (2) above cannot be retained. Information scanned for other purposes—(3) through (8) above—must be “securely stored” and any breach must be reported to the authorities and affected individuals.
Penalty: Civil penalty of $2,500 for a first violation and $5,000 for any subsequent violation. Affected individuals can sue to recover damages.
ID Scanning for Loyalty Enrollment in New Jersey
A retailer is likely allowed to scan IDs for enrolling customers in its loyalty program as it would be for “establishing/maintaining a contractual relationship,” as long as information scanned and retained is limited as set forth above.
ID Scanning for Credit Application in New Jersey
A retailer is likely allowed to scan IDs for “opening/managing a credit account,” as long as information scanned and retained is limited as set forth above.
ID Scanning for Check Acceptance in New Jersey
A retailer is likely allowed to scan IDs for accepting checks; however, retaining information obtained from the scan is likely not allowed.
ID Scanning for Refunds in New Jersey
A retailer is likely allowed to scan IDs for issuing refunds. To the extent the retailer uses a fraud prevention service company/system, it may also retain information obtained from the scan for the purpose of preventing fraud/criminal activity.
ID Scanning for Customer Pickup in New Jersey
A retailer is likely not allowed to scan IDs of customers picking up purchased merchandise.
ID Scanning for Access Control in New Jersey
New Jersey law applies to “retail establishments,” presumably designed to protect consumers; therefore, a business might be allowed to scan IDs of, for instance, truck drivers delivering goods to distribution centers.
Does New Jersey offer affirmative defense for ID scanning?
New Jersey Personal Information & Privacy Act.
1. This act shall be known and may be cited as the “Personal Information and Privacy Protection Act.”
2“Credit” means the right granted by a creditor to a debtor to defer payment of debt, or to incur debt and defer its payment, or to purchase property or services and defer payment therefor.2
“Identification card” means a driver’s license, issued pursuant to R.S.39:3-10, a probationary license, issued pursuant to section 4 of P.L.1950, c.127 (C.39:3-13.4), a non-driver photo identification card, issued pursuant to section 2 of P.L.1980, c.47 (C.39:3-29.3), or any similar card issued by another state or the District of Columbia for purposes of identification or permitting its holder to operate a motor vehicle.
“Scan” means to access the barcode or any other machine-readable section of a person’s identification card with an electronic device capable of deciphering, in an electronically readable format, information electronically encoded on the identification card.
A retail establishment shall scan a person’s identification card only for the following purposes:
- to verify the authenticity of the identification card or to verify the identity of the person if the person pays for goods or services with a method other than cash, returns an item, or requests a refund or an exchange;
- to verify the person’s age when providing age-restricted goods or services to the person;
- to prevent fraud or other criminal activity if the person returns an item or requests a refund or an exchange and the business uses a fraud prevention service company or system;
- to prevent fraud or other criminal activity related to a credit transaction to open or manage a credit account;
- to establish or maintain a contractual relationship;
- to record, retain, or transmit information as required by State or federal law;
- to transmit information to a consumer reporting agency, financial institution, or debt collector to be used as permitted by the federal “Fair Credit Reporting Act,” 15 U.S.C. s.1681 et seq., “Gramm-Leach-Bliley Act,” 15 U.S.C. s.6801 et seq., and the “Fair Debt Collection Practices Act,” 15 U.S.C. s.1692 et seq.; or
- to record, retain, or transmit information by a covered entity governed by the medical privacy and security rules pursuant to Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the “Health Insurance Portability and Accountability Act of 1996,” Pub.L.104-191.
Information collected by scanning a person’s identification card pursuant to subsection b. of this section shall be limited to the person’s name, address, date of birth, 1the State issuing the identification card,1 and identification card number.
d. (1) No retail establishment shall retain information obtained pursuant to paragraphs (1) and (2) of subsection b. of this section.
(2) Any information retained by a retail establishment pursuant to paragraphs (3) through 2[(7)] (8)2 of subsection b. of this section shall be securely stored, and any breach of the security of the information shall be promptly reported to the Division of State Police in the Department of Law and Public Safety and any affected person, in accordance with section 12 of P.L.2005, c.226 (C.56:8-163).
(3) No retail establishment shall sell or disseminate to a third party any information obtained pursuant to this section for any purpose, including marketing, advertising, or promotional activities, except dissemination as permitted by paragraphs (3) through 2[(7)] (8)2 of subsection b. of this section 1; provided, however, that nothing in this subsection shall be construed to prevent an automated return fraud system from issuing a reward coupon to a loyal customer1.
3. a. Any person who violates the provisions of this act shall be subject to a civil penalty of $2,500 for a first violation and $5,000 for any subsequent violation. The penalty prescribed in this section shall be collected in a civil action by a summary proceeding pursuant to the “Penalty Enforcement Law of 1999,” P.L.1999, c.274 (C.2A:58-10 et seq.).
Approved July 2017.
F. A fantasy sports operator shall:
- use commercially reasonable practices to prohibit the sharing of statistical information with third parties that could affect a fantasy sports activity until that information is publicly available;
- adopt procedures to ensure that any prohibited participant does not participate in fantasy sports activities;
- adopt procedures to ensure that a fantasy sports participant is at least 18 years of age;