75th OREGON LEGISLATIVE ASSEMBLY--2009 Regular Session
NOTE: Matter within { + braces and plus signs + } in an
amended section is new. Matter within { - braces and minus
signs - } is existing law to be omitted. New sections are within
{ + braces and plus signs + } .
LC 1702
A-Engrossed
House Bill 2371
Ordered by the House April 8
Including House Amendments dated April 8
Ordered printed by the Speaker pursuant to House Rule 12.00A (5).
Presession filed (at the request of House Interim Committee on
Consumer Protection for American Civil Liberties Union)
SUMMARY
The following summary is not prepared by the sponsors of the
measure and is not a part of the body thereof subject to
consideration by the Legislative Assembly. It is an editor's
brief statement of the essential features of the measure.
Restricts situations in which private { + and governmental + }
entities may { - read - } { + swipe + } or store information
{ - that is electronically retrieved - } from individual's
driver license, driver permit or identification card.
A BILL FOR AN ACT
Relating to privacy of identification documents.
Be It Enacted by the People of the State of Oregon:
SECTION 1. { + The Legislative Assembly finds that:
(1) Oregon recognizes the importance of protecting the
confidentiality and privacy of an individual's personal
information contained in driver licenses, driver permits and
identification cards.
(2) Machine-readable features found on driver licenses, driver
permits and identification cards are intended to facilitate
verification of age or identity, not to facilitate collection of
personal information about individuals nor to facilitate the
creation of private databases of transactional information
associated with those individuals.
(3) Easy access to the information found on driver licenses,
driver permits and identification cards facilitates the crime of
identity theft, which is a major concern in Oregon. + }
SECTION 2. { + (1) As used in this section:
(a) 'Driver license' means a license or permit issued by this
state or any other jurisdiction as evidence of a grant of driving
privileges.
(b) 'Identification card' means the card issued under ORS
807.400 or a comparable provision in another state.
(c) 'Personal information' means an individual's name, address,
date of birth, photograph, fingerprint, biometric data, driver
license or identification card number or any other unique
personal identifier or number.
(d) 'Private entity' means any nongovernmental entity, such as
a corporation, partnership, company or nonprofit organization,
any other legal entity or any natural person.
(e) 'Swipe' means the act of passing a driver license or
identification card through a device that is capable of
deciphering, in an electronically readable format, the
information electronically encoded in a magnetic strip or bar
code on the driver license or identification card.
(2) A private entity may not swipe an individual's driver
license or identification card, except for the following
purposes:
(a) To verify the authenticity of a driver license or
identification card or to verify the identity of the individual
if the individual pays for a good or service with a method other
than cash, returns an item or requests a refund.
(b) To verify the individual's age when providing an
age-restricted good or service to any person about whom there is
any reasonable doubt of the person's having reached 21 years of
age.
(c) To prevent fraud or other criminal activity if an
individual returns an item or requests a refund and the private
entity uses a fraud prevention service company or system.
(d) To transmit information to a check services company for the
purpose of approving negotiable instruments, electronic funds
transfers or similar methods of payment.
(3) A private entity that swipes an individual's driver license
or identification card under subsection (2)(a) or (b) of this
section may not store, sell or share personal information
collected from swiping the driver license or identification card.
(4) A private entity that swipes an individual's driver license
or identification card under subsection (2)(c) or (d) of this
section may store or share the name, address, date of birth,
driver license number or identification card number collected
from swiping the driver license or identification card for the
purpose of preventing fraud or other criminal activity against
the private entity.
(5) A person who receives personal information from a private
entity under subsection (4) of this section may use the personal
information received only to prevent fraud or other criminal
activity against the private entity that provided the personal
information.
(6) A governmental entity may swipe an individual's driver
license or identification card only if:
(a) The individual knowingly makes the driver license or
identification card available to the governmental entity;
(b) The governmental entity lawfully confiscates the driver
license or identification card; or
(c) The governmental entity is providing emergency assistance
to the individual who is unconscious or otherwise unable to make
the driver license or identification card available.
(7) In addition to any other remedy provided by law, an
individual may bring an action to recover actual damages or
$1,000, whichever is greater, and to obtain equitable relief, if
equitable relief is available, against an entity that swipes,
stores, shares, sells or otherwise uses the individual's personal
information in violation of this section. A court shall award a
prevailing plaintiff reasonable costs and attorney fees. If a
court finds that a violation of this section was willful or
knowing, the court may increase the amount of the award to no
more than three times the amount otherwise available.
(8) Any waiver of a provision of this section is contrary to
public policy and is void and unenforceable. + }
----------