California ID Scanning Laws & Regulations

Overview of California ID Scanning Laws and Regulations

Can you scan IDs in California?

Yes, however, California law does contain some regulations related to ID scanning and retention of information from a scanned ID. These laws vary by use case and industry. We’ve included a summary of the relevant laws and regulations below. California law allows businesses to scan IDs and to retain or use information obtained from scans for the following purposes:

• To collect or disclose personal information required for reporting, investigating, or preventing fraud, abuse, or material misrepresentation
• To verify age or authenticity of IDs
• To comply with a legal requirement to record, retain, or transmit that information
• To transmit information to payment verification companies, provided that only the name and ID number can be used or retained by the payment verification companies

Broadly, California has some of the most stringent consumer protection and privacy laws in the country under the CCPA. Although the CCPA is not directly related to ID verification, many of these laws remain relevant to relying parties as they govern how they must treat consumer data and personally identifiable information (PII).

Can you store the information from a scanned ID in California?

The regulations surrounding retention of PII from a scanned ID vary by use case and industry in California.

Does California offer affirmative defense for ID scanning?

There is no mention of affirmative defense in California laws related to ID scanning.

Which businesses in California should scan IDs?

No business in California is required to scan IDs. However, several types of California businesses will see improved workflow efficiency by choosing to electronically scan IDs.

Full Text of California Regulations Related to ID Scanning

Amended by Stats. 2014, Ch. 569, Sec. 1. Effective January 1, 2015.

1798.90.1.  (a) (1) A business may swipe a driver’s license or identification card issued by the Department of Motor Vehicles in any electronic device for the following purposes:

• (A) To verify age or the authenticity of the driver’s license or identification card.
• (B) To comply with a legal requirement to record, retain, or transmit that information.
• (C) To transmit information to a check service company for the purpose of approving negotiable instruments, electronic funds transfers, or similar methods of payments, provided that only the name and identification number from the license or the card may be used or retained by the check service company.
• (D) To collect or disclose personal information that is required for reporting, investigating, or preventing fraud, abuse, or material misrepresentation.

Provides that a business shall not retain or use any of the information obtained by that electronic means for any purpose other than as provided above. (Civil Code Section 1798.90.1(a)(3).)

Provides that a business swiping a driver’s license or DMV-issued ID card for any other purpose is subject to a misdemeanor punishable by up to one year in county jail, a fine of up to $10,000, or both. (Civil Code Section 1798.90.1.)

Defines “business” as a proprietorship, partnership, corporation, or any other form of commercial enterprise. (Civil Code Section 1798.90.1.)

Alcohol Regulations

Summary

It is illegal for California businesses to sell or provide alcoholic beverages to anyone under the age of 21. The business is not required to check the purchasers’ ID, but they can create their own policies that require the purchaser show their ID.

Selling alcohol to a minor is a misdemeanor, but selling alcohol to a minor that results in death or serious bodily harm carries a minimum of 6 months in prison and is also a civil offense.

Businesses can confiscate fake IDs, but must provide a receipt and turn the ID over to local law enforcement within 24 hours.

Serving alcoholic beverages

California Business & Professions Code, Division 9: Alcoholic Beverages

For the purpose of preventing the violation of Section 25658, any licensee, or his or her agent or employee, may refuse to sell or serve alcoholic beverages to any person who is unable to produce adequate written evidence that he or she is over the age of 21 years. A licensee, or his or her agent or employee, may seize any identification presented by a person that shows the person to be under the age of 21 years or that is false, so long as a receipt is given to the person from whom the identification is seized and the seized identification is given within 24 hours of seizure to the local law enforcement agency that has jurisdiction over the licensed premises. A licensee, his or her agent or employees decision to not seize a license shall not create any civil or criminal liability.

Any person who sells, gives, or furnishes to any person under the age of 21 years any false or fraudulent written, printed, or photostatic evidence of the majority and identity of such person or who sells, gives or furnishes to any person under the age of 21 years evidence of majority and identification of any other person is guilty of a misdemeanor.

Entry to bars and licensed premises

Section 25665 of the California Alcoholic Beverage Control

Any licensee under an on-sale license issued for public premises, as defined in Section 23039, who permits a person under the age of 21 years to enter and remain in the licensed premises without lawful business therein is guilty of a misdemeanor. Any person under the age of 21 years who enters and remains in the licensed public premises without lawful business therein is guilty of a misdemeanor and shall be punished by a fine of not less than two hundred dollars ($200), no part of which shall be suspended.

Alcohol delivery

If a licensee relies on a third-party online service to pick up and deliver an alcoholic beverage to a customer, and that third-party service delivers the beverage to a minor, the licensee has violated section 25658, is subject to discipline against its license, and its employees may be subject to arrest and criminal prosecution. This is so no matter what assurances the delivery service may have provided to the licensee.

Tobacco and Nicotine Regulations

Summary

Customers must be 21 years or older to purchase tobacco products, e-cigarettes, e-vapor products, or any paraphernalia or instrument designed for smoking or ingesting tobacco or tobacco products. Sellers of any of these products, including paraphernalia, must check the identification of all purchasers that appear to be under 30 years old. Sellers must decline a sale if the customer is underage, has no photo ID, the photo ID contains no date-of-birth, or the photo ID has expired.

Retail sales of tobacco products, e-cigarettes and e-vapor products

California Tabacco 21 Law

Restricted products

Any substance containing or derived from tobacco leaf or nicotine, including, but not limited to cigarettes, cigars, pipe tobacco, snuff, chewing tobacco, dipping tobacco, or any other products prepared from tobacco intended for human consumption in any manner (e.g., smoked, ingested, heated, chewed, absorbed, inhaled, snorted, sniffed). Restricted products also include electronic devices that deliver nicotine or other vaporized liquids including but not limited to electronic cigarettes, cigars, pipes, or hookah. Restricted Products also include any component, part, accessory, instrument, or paraphernalia designed for the smoking, ingestion, or inhalation of Restricted Products.

Acceptable forms of identification

A valid document issued by a federal, state, county, or municipal government, or subdivision or agency thereof, including, but not limited to, a motor vehicle operator’s license, a registration certificate issued under the federal Selective Service Act, or an identification card issued to a member of the Armed Forces which contains the name, date, birth, description, and photograph of the individual.

Fines/Penalties

Any person, firm or corporation that sells, gives, or in any way furnishes to another person who is under the age of 21 years any Restricted Product is subject to: (1) a civil penalty between $400 and $600 for the first offense, (2) a civil penalty between $900 to $1,000 for the second offense within a 5 year period, (3) a civil penalty between $1,200 to $1,800 for a third offense within a 5 year period, (4) a civil penalty between $3,000 and $4,000 for a fourth offense within a 5 year period, or (5) a civil penalty between $5,000 and $6,000 for a fifth or subsequent offense within a 5 year period.

Personal information collection

Summary

Businesses collecting personal information must inform the consumer of the categories of personal information being collected and the purposes for which it will be used. Consumers must be offered an opt-out for the sale of their information to a third party.

Collection of personal information from the scan of an ID

California SB 41, Genetic Information Privacy Act

Existing law, the California Consumer Privacy Act of 2018, provides various protections to a consumer with respect to a business that collects the consumer’s personal information, including biometric information such as the consumer’s deoxyribonucleic acid (DNA). The act requires a business that collects a consumer’s personal information to, at or before the point of collection, inform the consumer as to the categories of personal information to be collected and the purposes for which the information will be used, and grants to a consumer the right to opt-out of the sale of the consumer’s personal information by the business to a third party.

Existing law also prohibits the disclosure by a health care service plan of the results of a test for a genetic characteristic to a third party in a manner that identifies or provides identifying characteristics of the person to whom the test results apply, except pursuant to a written authorization to do so.

This bill would establish the Genetic Information Privacy Act, which would require a direct-to-consumer genetic testing company, as defined, to provide a consumer with certain information regarding the company’s policies and procedures for the collection, use, maintenance, and disclosure, as applicable, of genetic data, and to obtain a consumer’s express consent for collection, use, or disclosure of the consumer’s genetic data, as specified.

California A 1130

Revises the Information Practices Act of 1977 to add protections for specified unique biometric data and government issued identification numbers.

Amending code sections 1798.29, 1798.81.5, and 1798.82 

California A 25 Related to Consumer Privacy (CCPA)

Signed by the Governor, 10/11/2019

(1) Existing law, the California Consumer Privacy Act of 2018, beginning January 1, 2020, grants consumers various rights with regard to their personal information held by businesses, including the right to request a business to disclose specific pieces of personal information it has collected and to have information held by that business deleted, as specified. The act requires a business to disclose and deliver the required information to a consumer free of charge within 45 days of receiving a verifiable consumer request from the consumer. The act prohibits a business from requiring a consumer to create an account with the business in order to make a verifiable consumer request.

This bill would provide an exception to that prohibition by authorizing a business to require authentication of the consumer that is reasonable in light of the nature of the personal information requested in order to make a verifiable consumer request. However, the bill would authorize a business to require a consumer to submit a verifiable consumer request through an account that the consumer maintains with the business if the consumer maintains an account with that business.

Assembly Bill No. 784, Relating to Consumer Privacy | Signed by the Governor, 10/11/2019

Grants consumers various rights with regards to their personal information held by businesses, including the right to request a business to disclose specific pieces of information. The act generally provides for its enforcement by the Attorney General, but also provides for a private right in certain circumstances. The bill excludes “publicly available information” from the definition of “personal information.”

California Code A 1564 | Signed by the Governor, 10/11/2019

Grants consumers various rights with regards to their personal information held by businesses, including the right to request a business to disclose specific pieces of information. The act generally provides for its enforcement by the Attorney General, but also provides for a private right in certain circumstances. The bill excludes “publicly available information” from the definition of “personal information.”

Amending code section 1798.130    

California Consumer Privacy Act of 2018

Assembly Bill 947 – Amendments relating to sensitive personal information to the Consumer Privacy Act of 2018

Passed Assembly 09/05/23; Enrolled and presented to Governor 09/12/23; Approved by Governor 10/8/23; Chaptered by Secretary of State 10/08/23.

The California Consumer Privacy Act of 2018 (CCPA) grants to a consumer various rights with respect to personal information, as defined, that is collected by a business, as defined, including the right to direct a business that collects sensitive personal information about the consumer to limit its use of the consumer’s sensitive personal information to that use which is necessary to perform the services or provide the goods reasonably expected by an average consumer who requests those goods or services, to perform certain other services, and as authorized by certain regulations. The CCPA defines “sensitive personal information to mean personal information that reveals, among other things, a consumer’s racial or ethnic origin, religious or philosophical beliefs, or union membership. The California Privacy Rights Act of 2020, approved by the voters as Proposition 24 at the November 3, 2020, statewide general election, amended, added to, and reenacted the CCPA.

This bill would define “sensitive personal information” for purposes of the CCPA to additionally include personal information that reveals a consumer’s citizenship or immigration status.

The California Privacy Rights Act of 2020 authorizes the Legislature to amend the act to further the purposes and intent of the act by a majority vote of both houses of the Legislature, as specified.

This bill would declare that its provisions further the purposes and intent of the California Privacy Rights Act of 2020.

California Governor Jerry Brown signed one of the toughest data privacy laws in the nation. The new law, California Consumer Privacy Act of 2018, has been compared to the European Union’s General Data Protection Regulation (GDPR), and goes into effect in 2020. While the California Consumer Privacy Act of 2018 doesn’t have the exact same provisions as GDPR, it’s close enough in many respects. That includes giving consumers the right to know how their data is used, why it’s being collected, and also to bar companies from selling the data.

According to the California Consumer Privacy Act website, the new law (which was called AB 375) gives residents of California the most comprehensive consumer privacy rights in the entire country. Specifically, the new law gives residents:

• The right to know all data collected by a business on you;
• The right to say no to the sale of your information;
• The right to delete your data;
• The right to be informed of what categories of data will be collected about you prior to its collection, and to be informed of any changes to this collection;
• Mandated opt-in before sale of children’s information (under the age of 16);
• The right to know the categories of third parties with whom your data is shared;
• The right to know the categories of sources of information from whom your data was acquired;
• The right to know the business or commercial purpose of collecting your information;
• Enforcement by the Attorney General of the State of California;
• The private right of action when companies breach your data, to make sure these companies keep your information safe.

Secondhand Goods & Pawn Shop Regulations

Summary

California pawn shops and secondhand goods resellers are required to gather information from a government-issued ID at the time of purchase. This information must be synced to the statewide platform.

CA Bus & Prof Code § 21630

Adds Sections 21627.5 and 21630 to the California Business and Professions Code. Repeals and amend various sections relating to Secondhand Goods would define “CAPSS” as the California Pawnbroker and SecondhandDealer System, which is the single, statewide, and uniform electronic reporting system operated by the Department of Justice. It eliminates the requirement that a secondhand dealer send reports on paper forms.

a) Every junk dealer and every recycler shall set out in the written record required by this article all of the following:

The place and date of each sale or purchase of junk made in the conduct of his or her business as a junk dealer or recycler.

• One of the following methods of identification:
• The name, valid driver’s license number and state of issue or California- or United States-issued identification card number.
• The name, identification number, and country of issue from a passport used for identification and the address from an additional item of identification that also bears the seller’s name.
• The name and identification number from a Matricula Consular used for identification and the address from an additional item of identification that also bears the seller’s name.
• The vehicle license number, including the state of issue, of any motor vehicle used in transporting the junk to the junk dealer’s or recycler’s place of business.
• The name and address of each person to whom junk is sold or disposed of, and the license number of any motor vehicle used in transporting the junk from the junk dealer’s or recycler’s place of business.
• A description of the item or items of junk purchased or sold, including the item type and quantity, and identification number, if visible.
• A statement indicating either that the seller of the junk is the owner of it, or the name of the person he or she obtained the junk from, as shown on a signed transfer document.
• Any person who makes, or causes to be made, any false or fictitious statement regarding any information required by this section, is guilty of a misdemeanor.

(c) Every junk dealer and every recycler shall report the information required in subdivision (a) to the chief of police or to the sheriff in the same manner as described in Section 21628.

California Civil Code Section 1185, Proof & Acknowledgement of Instruments

Approved by Governor and Chaptered by the Secretary of State as Chapter 762; 09/28/2016.

Amends Section 1185 of the Civil Code to authorize a notary public to accept a valid passport from the applicant’s county of citizenship, or a valid consular identification document issued by a consulate from the applicant’s country of citizenship, as proof of identity. It also eliminates the requirement that the passport be stamped by the United States Citizenship and Immigration Services of the Department of Homeland Security.

Bill # S 997

Approved by Governor and Chaptered by the Secretary of State as Chapter 491; 09/22/2016.

Amends Section 1185 of the Civil Code and adds an identification card issued by a federally recognized tribal government to the list of documents acceptable for [notaries public] identification purposes.