Oregon Revised Statutes Chapter 807 § 807.750 — Restrictions on swiping driver licenses or identification cards

Restrictions on swiping driver licenses or identification cards. (1) As used in this section: (a) “Driver license” means a license or permit issued by this state or any other jurisdiction as evidence of a grant of driving privileges. (b) “Financial institution” has the meaning given that term in ORS 706.008. (c) “Identification card” means the card issued under ORS 807.400 or a comparable provision in another state. (d) “Personal information” means an individual’s name, address, date of birth, photograph, fingerprint, biometric data, driver license number, identification card number or any other unique personal identifier or number. (e) “Private entity” means any nongovernmental entity, such as a corporation, partnership, company or nonprofit organization, any other legal entity or any natural person. (f) “Swipe” means the act of passing a driver license or identification card through a device that is capable of deciphering, in an electronically readable format, the information electronically encoded in a magnetic strip or bar code on the driver license or identification card. (2) Except as provided in subsection (6) of this section, a private entity may not swipe an individual’s driver license or identification card, except for the following purposes: (a) To verify the authenticity of a driver license or identification card or to verify the identity of the individual if the individual pays for a good or service with a method other than cash, returns an item or requests a refund. (b) To verify the individual’s age when providing an age-restricted good or service to any person. (c) To prevent fraud or other criminal activity if an individual returns an item or requests a refund and the private entity uses a fraud prevention service company or system. (d) To transmit information to a check services company for the purpose of approving negotiable instruments, electronic funds transfers or similar methods of payment. (e) To collect information about the individual for the purpose of processing an application for a deposit account or loan for the individual, if the private entity is a financial institution. (f) To enable a pharmacist, pharmacy technician or intern, as those terms are defined in ORS 689.005, to submit information to the electronic system described in ORS 475.230 for the purpose of transferring a drug containing pseudoephedrine or ephedrine or a salt, isomer or salt of an isomer of pseudoephedrine or ephedrine without a prescription from a practitioner to a person who is 18 years of age or older. (3) A private entity that swipes an individual’s driver license or identification card under subsection (2)(a) or (b) of this section may not store, sell or share personal information collected from swiping the driver license or identification card. (4) A private entity that swipes an individual’s driver license or identification card under subsection (2)(c) or (d) of this section may store or share the following information collected from swiping an individual’s driver license or identification card for the purpose of preventing fraud or other criminal activity against the private entity: (a) Name; (b) Address; (c) Date of birth; and (d) Driver license number or identification card number. (5)(a) A person other than an entity regulated by the federal Fair Credit Reporting Act, 15 U.S.C. 1681 et seq., who receives personal information from a private entity under subsection (4) of this section may use the personal information received only to prevent fraud or other criminal activity against the private entity that provided the personal information. (b) A person who is regulated by the federal Fair Credit Reporting Act and who receives personal information from a private entity under subsection (4) of this section may use or provide the personal information received only to effect, administer or enforce a transaction or prevent fraud or other criminal activity, if the person provides or receives personal information under contract from the private entity. (6)(a) Subject to the provisions of this subsection, a private entity that is a commercial radio service provider that provides service nationally and that is subject to the Telephone Records and Privacy Protection Act of 2006 (18 U.S.C. 1039) may swipe an individual’s driver license or identification card if the entity obtains permission from the individual to swipe the individual’s driver license or identification card. (b) The private entity may swipe the individual’s driver license or identification card only for the purpose of establishing or maintaining a contract between the private entity and the individual. Information collected by swiping an individual’s driver license or identification card for the establishment or maintenance of a contract shall be limited to the following information from the individual: (A) Name; (B) Address; (C) Date of birth; and (D) Driver license numbe