New Jersey Shopper Privacy Bill Sent to Governor

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By John Herzfeld

A bill to protect the privacy of shoppers’ personal data embedded in identification-card bar codes scanned by retail businesses passed the New Jersey legislature and is awaiting action by Gov. Chris Christie (R).

The state Assembly approved the Personal Information and Privacy Protection Act ( A2794/S1913) unanimously June 22, following unanimous approval by the state Senate June 15. Christie’s office has a policy against commenting on pending legislation, so his intentions aren’t known.

The bill, which was triggered by 2015 news reports of consumer complaints against stores scanning driver’s licenses and retaining the data, would set seven purposes for which that would be allowed—including verification of identity, age, or authenticity. Under the bill, retailers may retain the personal data but are required to store it securely. Any security breach would trigger reports to the affected consumers and the state police.

The bill would limit the information collected to name, address, date of birth, state of issuance, and identification card number, and also prohibit sharing the information with third parties for marketing, advertising, or promotions.

It remained unclear, however, how much additional security the bill would provide.

“At first blush, this seems to be a business protection law disguised as a consumer protection law,” Adam Levin, a former director of the New Jersey Division of Consumer Affairs, told Bloomberg BNA June 23. “It seems to allow every merchant, if they want, to scan a driver’s license for almost any transaction,” Levin said.

The retail sector “has been a sieve” for personal information, and the information allowed under the New Jersey bill would be enough for hackers “to launch a serious phishing attack,” Levin, chairman of the CyberScout LLC consulting firm in New York, said in a phone interview.

Mitch Feather, who runs the Creative Associates data security consulting firm in Madison, N.J., told Bloomberg BNA June 23, that the impact of the bill would “be nil” for New Jersey businesses already in compliance with a host of state and federal privacy laws.

Cost of Doing Business

Businesses commonly scan the bar codes on identification cards to verify the authenticity of the card, check the consumer’s age and identity, and prevent fraudulent merchandise returns, the bill’s sponsors said while announcing the Assembly passage.

Those practices would be permitted and scanning the bar codes would also be allowed to establish or maintain a contractual relationship.

Violators of the bill’s provisions would face a $2,500 civil penalty for a first offense and $5,000 for any subsequent offense. They may also face court actions to recover damages.

Those fines may be just the cost of doing business compared with, for instance, a Massachusetts law that sets a $5,000 fine for each name in a data base that has been breached, Levin said. Allowing court actions for damages also sounds good, but it is difficult for consumers to win those cases, which can be time-consuming and cumbersome, Levin said.

To contact the reporter on this story: John Herzfeld in New York at jherzfeld@bna.com

To contact the editor responsible for this story: Donald Aplin at daplin@bna.com

For More Information

Full text of the bill is available at http://src.bna.com/qab.

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.

Request Bloomberg Law: Privacy & Data Security