If you are a retailer with locations in New Jersey, you will need to review your procedures in anticipation of a new law effective October 1, 2017. 

New Jersey Governor Chris Christie has signed the Personal Information Privacy and Protection Act (we can now add #PIPPA to the alphabet soup of privacy acronyms…..), which limits the ability of retailers to collect PII scanned from customer driver’s licenses and identification cards and restricts the usage of any PII collected for the purposes identified in the Act.

Within recent years, retailers have commonly started a practice of scanning the barcodes on customer ID cards to verify the authenticity of an ID presented, verify identity when credit cards are used, or to prevent and control fraudulent merchandise return practices (or to identify consumers who abuse return policies).

Under PIPPA, retailers will only be permitted to scan ID cards to:

  • Verify the card’s authenticity or the person’s identity, if the customer pays for goods or services with a method other than cash; returns an item; or requests a refund or exchange.
  • Verify the customer’s age when providing age-restricted goods or services to the customer.
  • Prevent fraud or other criminal activity if the person returns an item or requests a refund or an exchange and the retailer uses a fraud prevention company or service.
  • Establish or maintain a contractual relationship.
  • Record, retain, or transmit information as required by state or federal law.
  • Transmit information to a consumer reporting agency, financial institution, or debt collector to be used as permitted by federal laws, including the Fair Credit Reporting Act, Gramm-Leach-Bliley Act, and Fair Debt Collection Practices Act.
  • Record, retain, or transmit information by a covered entity under HIPAA and related regulations.

PIPPA prohibits retailers from sharing the information with marketers or other third parties that are unknown to consumers.   It is unlikely that an online privacy notice describing sharing of scanned ID information with third parties would comply with PIPPA.  In-store notice of any such practices will likely be required.

The big “however” in this legislation is the restrictions on retention of the information when collected for the permitted purposes. Under PIPPA, businesses cannot retain information related to how the customer paid for the goods, whether the customer returned an item or requested a refund, and cannot store ages. Retailers will only be permitted to collect the customer’s name, address, and date of birth; the issuing state; and the ID card number. Any of this information collected from scanned ID cards is required to be “securely stored,” and PIPPA makes it clear that any security breach of this information is subject to New Jersey’s data breach notification law and must be reported to any affected individual and the New Jersey State Police.

And there are penalties. PIPPA provides civil penalties of $2,500 for a first offense, and $5,000 for any subsequent offenses. Further, the law allows for “any person aggrieved by a violation” to bring an action in NJ Superior Court to recover damages.


The Senate Commerce Committee released this morning its majority staff report, A Review of the Data Broker Industry: Collection, Use, and Sale of Consumer Data for Marketing Purposes, on the practices data brokers use to collect and sell personal information of consumers and how those practices affect the privacy of hundreds of millions of Americans.  The Committee held a hearing on the substance of the report this afternoon.

The Committee, chaired by Senator John D. Rockefeller IV, examined  representatives of the Federal Trade Commission, the data brokering industry and privacy advocates on the industry practices itemized in the staff report.  The staff report and a report published by the Government Accountability Office earlier this year, Information Resellers:  Consumer Privacy Framework Needs to Reflect Changes in the Technology and Marketplace, both highlight the absence of any general federal statute that gives consumers the right to know what information is collected and shared about them and for what purposes.

The Committee staff report finds data brokers collect massive amounts of detailed health, financial, political and consumption information on hundreds of millions of consumers, and use this information to assemble packages of contact information for consumers that fit specific profiles, which are then sold to advertisers.  The growth of this industry is illustrated by the fact that one data broker reported to the staff that it has multi-sourced data on more than 700 million individuals worldwide.  Another reported that its database includes almost every U.S. household, while a third claimed that it has data points for more than 80% of all U.S. consumer email addresses.

During the Senate hearing this afternoon, Senator Rockefeller stated that the staff investigation is continuing. He said that he is putting several of the largest data brokers “on notice” that the Committee intends to pursue answers to its questions about their practices, implying that he would use the Committee’s subpoena power if necessary.

Tech Daily Dose reports on the House of Representatives’ entry into the federal privacy legislation act.

The Consumer Privacy Protection Act of 2011 specifically would:

• Require covered entities to notify consumers that their personally identifiable information as defined in the bill may be used for a purpose unrelated to the transaction.

• Require entities to notify consumers of any material change in their privacy policy.

• Require covered entities to establish a privacy policy with respect to the collection, sale, disclosure for consideration, or use of the consumer’s information and such policy be made easily available for consumers.

• Require an entity to provide consumers the opportunity to preclude the sale or disclosure of their information to any organization that is not an information-sharing partner.

• Provide for a Federal Trade Commission (FTC) approved five-year self-regulatory program and prescribe requirements for a self-regulatory consumer dispute resolution process.

• Require the FTC to presume that an entity is in compliance with this Act if it participates in an approved self-regulatory program.

• No private right of action.

• Full state preemption.


FTC Chairman Jon Leibowitz, Jessica Rich, deputy director of the FTC’s Bureau of Consumer Protection, and Edward Felten, the FTC’s incoming chief technologist, held a press conference earlier this afternoon on the Consumer Privacy Report.   Alex Howard at Gov20 was blogging the press conference live — read it here.


Written by Jillian Collins

The Federal Trade Commission has weighed in as part of the Department of Commerce’s public comment process on privacy and security issues. According to the FTC’s comment, consumers trusting that their personal information will be safeguarded is essential to the success of e-commerce, and innovation is essential to ensuring privacy in the fast-paced, ever-changing world of the Internet economy. The topic of innovation and internet privacy controls has been, and continues to be, one of the FTC’s “highest consumer protection priorities for more than a decade,” according to the comment.

In the comment, the FTC laid out several aspects of its privacy program. The agency led nearly 30 enforcement cases challenging business practices that allegedly failed to secure consumers’ personal information and made efforts at educating consumers and businesses about privacy and security in an online world. The FTC also has several policy initiatives, including promoting self-regulation in online behavioral advertising, and participates in international privacy programs. The agency hosted several privacy roundtables and plans to publish privacy and security proposals for public comment later this year.

During the holiday season, many organizations are soliciting donations of old cell phones to be repurposed. This is an excellent way to “reuse, reduce, and recycle” and puts those useless (to you) items to use in a positive way, but please remember — important and private data reside in your cell phone’s internal memory, even if your phone has a removable SIM card. PINs, passwords and other critical information are often stored in a cell phone’s memory. The more mobile apps you use, the more important it is for you to ensure that you wipe the cell phone’s internal memory before donating, trading in, or selling it.

Some tips –
1) Don’t forget to remove the SIM card!
2) Call logs, photos, memos, and other information might reside in the phone’s internal memory, and are often difficult to delete if you rely on the phone’s manual (and who keeps those, anyway??). The folks at ReCellular – a cell phone recycling service – have a great solution called The Cell Phone Data Eraser. It lets you choose the brand and model number of your phone, and then displays the precise commands you need to delete every piece of data from it. The ReCellular website is http://www.recellular.com/recycling/data_eraser/default.asp. If you can’t find the info you need here, most cell phone manuals are available online at the manufacturer website for download.

If you think you can circumvent the privacy threat by sending your phone back to your service provider, you could be mistaken. According to one report, a Cingular customer who received a refurbished phone as a replacement for one that malfunctioned found the new phone was filled with the previous owner’s private data, including account numbers, user names, and passwords. In December, an old BlackBerry sold at a McCain campaign garage sale for 20 dollars was found to be preloaded with a mountain of Republican donor information, emails, and more.

Don’t let this discourage you from turning those paperweights back into useable technology for folks who need it — just take some extra time to protect your personal information.

Happy Holidays!

The FTC kicks off the first in a series of “roundtable” discussions to explore privacy challenges posed by 21st-century technology and business practices that collect and use consumer data. Today’s roundtable is being held in Washington, DC, and will focus on data collection, use and retention, consumer expectations of privacy, online behavioral advertising, information brokers and a discussion surrounding existing regulatory frameworks.

The event is being streamed live at the FTC website.

Smart Grid technology enables electric utilities to use communications and computing technology to glean consumer electric usage patterns to facilitate more efficient network management. It’s been identified by the FCC as a promising way to use broadband to promote energy efficiency, reduce greenhouse gas emissions, and encourage energy independence.

These consumer electric usage patterns could conceivably do far more…. For example, marketing firms may find valuable market penetration data in consumer electric usage patterns and law enforcement could use information about electricity usage to pinpoint potential sites of criminal activity. Basically, the very characteristics that make smart grid information valuable to environmental efforts may also have serious implications for consumer privacy and are attracting the interest of regulators here in the U.S. and elsewhere.

Specifically, the FCC has sought comment by October 2, 2009 on the issue of how strong privacy and security requirements can be satisfied in deploying smart grid technology without stifling innovation.

The Colorado Public Utilities Commission just closed a comment period last week on the following issues and the comments received on these questions may help to further inform the debate at the national level:

1. What concerns surrounding the collection and analysis of detailed electricity usage information should the CPUC consider as it establishes policies governing access to and use of this information?
2. What, if any, are the trade-offs between protecting privacy and promoting innovation with regards to smart grid technology?
3. Should detailed electricity usage information be protected? If so, how?
4. How do constitutional or statutory protections impact the use of consumers’ detailed electricity usage information collected as part of smart grid initiatives? What protections should be put in place even if not covered by constitutional or statutory provisions?
5. What are the necessary components of effective privacy regulation of consumer electricity usage patterns? For example, should disclosure of consumer information to third-parties be on an opt-in or an opt-out basis, or should the consent-requirement depend on the nature of the party receiving the information?
6. How much information about consumer electricity usage do electric utilities and “edge service providers” require to facilitate more efficient network management, load forecasting, asset management, bill control, demand-side load management, efficiency consulting, energy savings contracting, etc.?
7. How do privacy regulations affect electric utilities and “edge service providers” in their efforts to provide enhanced electricity management services?
8. Who “owns” customer information?
9. What should be a utility’s obligation to “unbundle” metering in homes and businesses?