Can you scan IDs in California?

California law regulates a business’s ability to scan IDs and to retain information obtained from a scan. 

California has some of the most stringent consumer protection and privacy laws in the country under the CCPA.

Summary of California ID Scanning Laws

California law allows businesses to scan IDs and to retain or use information obtained from scans for the following purposes:

• To verify age or authenticity of IDs
• To comply with a legal requirement to record, retain, or transmit that information
• To transmit information to payment verification companies, provided that only the name and ID number can be used or retained by the payment verification companies
• To collect or disclose personal information required for reporting, investigating, or preventing fraud, abuse, or material misrepresentation.

Does California offer affirmative defense for ID scanning?

There is no mention of affirmative defense in California laws related to ID scanning.

Full California Code As Related to ID Scanning

Amended by Stats. 2014, Ch. 569, Sec. 1. Effective January 1, 2015.

1798.90.1.  (a) (1) A business may swipe a driver’s license or identification card issued by the Department of Motor Vehicles in any electronic device for the following purposes:

(A) To verify age or the authenticity of the driver’s license or identification card.

(B) To comply with a legal requirement to record, retain, or transmit that information.

(C) To transmit information to a check service company for the purpose of approving negotiable instruments, electronic funds transfers, or similar methods of payments, provided that only the name and identification number from the license or the card may be used or retained by the check service company.

(D) To collect or disclose personal information that is required for reporting, investigating, or preventing fraud, abuse, or material misrepresentation.

Provides that a business shall not retain or use any of the information obtained by that electronic means for any purpose other than as provided above. (Civil Code Section 1798.90.1(a)(3).)

3) Provides that a business swiping a driver’s license or DMV-issued ID card for any other purpose is subject to a misdemeanor punishable by up to one year in county jail, a fine of up to $10,000, or both. (Civil Code Section 1798.90.1.)

4) Defines “business” as a proprietorship, partnership, corporation, or any other form of commercial enterprise. (Civil Code Section 1798.90.1.)

California Business & Professions Code, Division 9: Alcoholic Beverages

For the purpose of preventing the violation of Section 25658, any licensee, or his or her agent or employee, may refuse to sell or serve alcoholic beverages to any person who is unable to produce adequate written evidence that he or she is over the age of 21 years. A licensee, or his or her agent or employee, may seize any identification presented by a person that shows the person to be under the age of 21 years or that is false, so long as a receipt is given to the person from whom the identification is seized and the seized identification is given within 24 hours of seizure to the local law enforcement agency that has jurisdiction over the licensed premises. A licensee, his or her agent or employees decision to not seize a license shall not create any civil or criminal liability.

Any person who sells, gives, or furnishes to any person under the age of 21 years any false or fraudulent written, printed, or photostatic evidence of the majority and identity of such person or who sells, gives or furnishes to any person under the age of 21 years evidence of majority and identification of any other person is guilty of a misdemeanor.

California SB 41, Genetic Information Privacy Act

Approved by Governor  October 06, 2021. Filed with Secretary of State  October 06, 2021

Existing law, the California Consumer Privacy Act of 2018, provides various protections to a consumer with respect to a business that collects the consumer’s personal information, including biometric information such as the consumer’s deoxyribonucleic acid (DNA). The act requires a business that collects a consumer’s personal information to, at or before the point of collection, inform the consumer as to the categories of personal information to be collected and the purposes for which the information will be used, and grants to a consumer the right to opt-out of the sale of the consumer’s personal information by the business to a third party.

Existing law also prohibits the disclosure by a health care service plan of the results of a test for a genetic characteristic to a third party in a manner that identifies or provides identifying characteristics of the person to whom the test results apply, except pursuant to a written authorization to do so.

This bill would establish the Genetic Information Privacy Act, which would require a direct-to-consumer genetic testing company, as defined, to provide a consumer with certain information regarding the company’s policies and procedures for the collection, use, maintenance, and disclosure, as applicable, of genetic data, and to obtain a consumer’s express consent for collection, use, or disclosure of the consumer’s genetic data, as specified.

California A 1130

Signed by the Governor, 10/11/2019

Revises the Information Practices Act of 1977 to add protections for specified unique biometric data and government issued identification numbers.

Amending code sections 1798.29, 1798.81.5, and 1798.82 

California A 25 Related to Consumer Privacy (CCPA)

Signed by the Governor, 10/11/2019

(1) Existing law, the California Consumer Privacy Act of 2018, beginning January 1, 2020, grants consumers various rights with regard to their personal information held by businesses, including the right to request a business to disclose specific pieces of personal information it has collected and to have information held by that business deleted, as specified. The act requires a business to disclose and deliver the required information to a consumer free of charge within 45 days of receiving a verifiable consumer request from the consumer. The act prohibits a business from requiring a consumer to create an account with the business in order to make a verifiable consumer request.

This bill would provide an exception to that prohibition by authorizing a business to require authentication of the consumer that is reasonable in light of the nature of the personal information requested in order to make a verifiable consumer request. However, the bill would authorize a business to require a consumer to submit a verifiable consumer request through an account that the consumer maintains with the business if the consumer maintains an account with that business.

Assembly Bill No. 784, Relating to Consumer Privacy

Signed by the Governor, 10/11/2019

Grants consumers various rights with regards to their personal information held by businesses, including the right to request a business to disclose specific pieces of information. The act generally provides for its enforcement by the Attorney General, but also provides for a private right in certain circumstances. The bill excludes “publicly available information” from the definition of “personal information.”

Amending code section 1798.140    

California Code A 1564

Signed by the Governor, 10/11/2019

Grants consumers various rights with regards to their personal information held by businesses, including the right to request a business to disclose specific pieces of information. The act generally provides for its enforcement by the Attorney General, but also provides for a private right in certain circumstances. The bill excludes “publicly available information” from the definition of “personal information.”

Amending code section 1798.130    

California Consumer Privacy Act of 2018

Assembly Bill 947 – Amendments relating to sensitive personal information to the Consumer Privacy Act of 2018

Passed Assembly 09/05/23; Enrolled and presented to Governor 09/12/23; Approved by Governor 10/8/23; Chaptered by Secretary of State 10/08/23.

The California Consumer Privacy Act of 2018 (CCPA) grants to a consumer various rights with respect to personal information, as defined, that is collected by a business, as defined, including the right to direct a business that collects sensitive personal information about the consumer to limit its use of the consumer’s sensitive personal information to that use which is necessary to perform the services or provide the goods reasonably expected by an average consumer who requests those goods or services, to perform certain other services, and as authorized by certain regulations. The CCPA defines “sensitive personal information to mean personal information that reveals, among other things, a consumer’s racial or ethnic origin, religious or philosophical beliefs, or union membership. The California Privacy Rights Act of 2020, approved by the voters as Proposition 24 at the November 3, 2020, statewide general election, amended, added to, and reenacted the CCPA.

This bill would define “sensitive personal information” for purposes of the CCPA to additionally include personal information that reveals a consumer’s citizenship or immigration status.

The California Privacy Rights Act of 2020 authorizes the Legislature to amend the act to further the purposes and intent of the act by a majority vote of both houses of the Legislature, as specified.

This bill would declare that its provisions further the purposes and intent of the California Privacy Rights Act of 2020.

California Governor Jerry Brown signed one of the toughest data privacy laws in the nation. The new law, California Consumer Privacy Act of 2018, has been compared to the European Union’s General Data Protection Regulation (GDPR), and goes into effect in 2020. While the California Consumer Privacy Act of 2018 doesn’t have the exact same provisions as GDPR, it’s close enough in many respects. That includes giving consumers the right to know how their data is used, why it’s being collected, and also to bar companies from selling the data.

According to the California Consumer Privacy Act website, the new law (which was called AB 375) gives residents of California the most comprehensive consumer privacy rights in the entire country. Specifically, the new law gives residents:

• The right to know all data collected by a business on you;
• The right to say no to the sale of your information;
• The right to delete your data;
• The right to be informed of what categories of data will be collected about you prior to its collection, and to be informed of any changes to this collection;
• Mandated opt-in before sale of children’s information (under the age of 16);
• The right to know the categories of third parties with whom your data is shared;
• The right to know the categories of sources of information from whom your data was acquired;
• The right to know the business or commercial purpose of collecting your information;
• Enforcement by the Attorney General of the State of California;
• The private right of action when companies breach your data, to make sure these companies keep your information safe.

California Business & Professions Code – Secondhand Goods

Approved by Governor and Chaptered by the Secretary of State as Chapter 762; 09/29/2016

Adds Sections 21627.5 and 21630 to the California Business and Professions Code. Repeals and amend various sections relating to Secondhand Goods would define “CAPSS” as the California Pawnbroker and SecondhandDealer System, which is the single, statewide, and uniform electronic reporting system operated by the Department of Justice. It eliminates the requirement that a secondhand dealer send reports on paper forms.

Also eliminating the requirement that the Department of Justice develop, and secondhand dealers and coin dealers use, descriptive categories in their reports of acquired tangible personal property. Instead, requiring the Department of Justice to accept the plain text property descriptions commonly recognized and utilized by the pawn and secondhand dealer industries. While authorizing a secondhand dealer to utilize an article field descriptor provided by the Department of Justice, if using the article field descriptor would, in whole or in part, populate the property description. And prohibits the Department of Justice, chiefs of police, and sheriffs from requiring secondhand dealers to report any additional information other than that which is required by these provisions.

California Civil Code Section 1185, Proof & Acknowledgement of Instruments

Approved by Governor and Chaptered by the Secretary of State as Chapter 762; 09/28/2016.

Amends Section 1185 of the Civil Code to authorize a notary public to accept a valid passport from the applicant’s county of citizenship, or a valid consular identification document issued by a consulate from the applicant’s country of citizenship, as proof of identity. It also eliminates the requirement that the passport be stamped by the United States Citizenship and Immigration Services of the Department of Homeland Security.

Bill# S 997 – Approved by Governor and Chaptered by the Secretary of State as Chapter 491; 09/22/2016.

Amends Section 1185 of the Civil Code and adds an identification card issued by a federally recognized tribal government to the list of documents acceptable for [notaries public] identification purposes.

California Civil Code Section 1798, Relating to Computerized Data & Breaches

Approved by Governor and Chaptered by the Secretary of State as Chapter 337; 09/13/2016.

Amends Sections 1798.29 and 1798.82 of the Civil Code and requires a person or business conducting business in California that owns or licenses computerized data, which contains personal information, to disclose a breach of the security of the data, to residents whose personal information was, or is reasonably believed to have been encrypted and if believed to have been, acquired by an unauthorized person before or after the breach of security of the data.

California Business & Professions Code, Chapter 9: Secondhand Goods

(a) Every junk dealer and every recycler shall set out in the written record required by this article all of the following:

(1) The place and date of each sale or purchase of junk made in the conduct of his or her business as a junk dealer or recycler.

(2) One of the following methods of identification:

(A) The name, valid driver’s license number and state of issue or California- or United States-issued identification card number.

(B) The name, identification number, and country of issue from a passport used for identification and the address from an additional item of identification that also bears the seller’s name.

(C) The name and identification number from a Matricula Consular used for identification and the address from an additional item of identification that also bears the seller’s name.

(3) The vehicle license number, including the state of issue, of any motor vehicle used in transporting the junk to the junk dealer’s or recycler’s place of business.

(4) The name and address of each person to whom junk is sold or disposed of, and the license number of any motor vehicle used in transporting the junk from the junk dealer’s or recycler’s place of business.

(5) A description of the item or items of junk purchased or sold, including the item type and quantity, and identification number, if visible.

(6) A statement indicating either that the seller of the junk is the owner of it, or the name of the person he or she obtained the junk from, as shown on a signed transfer document.

(b) Any person who makes, or causes to be made, any false or fictitious statement regarding any information required by this section, is guilty of a misdemeanor.

(c) Every junk dealer and every recycler shall report the information required in subdivision (a) to the chief of police or to the sheriff in the same manner as described in Section 21628.

(Amended by Stats. 2012, Ch. 300, Sec. 1. (AB 1583) Effective January 1, 2013.)

The California Age-Appropriate Design Code Act.

Effective July 1, 2024.

(b) A business that provides an online service, product, or feature likely to be accessed by children shall not take any of the following actions:

(1) Use the personal information of any child in a way that the business knows, or has reason to know, is materially detrimental to the physical health, mental health, or well-being of a child.

(2) Profile a child by default unless both of the following criteria are met:

(A) The business can demonstrate it has appropriate safeguards in place to protect children.

(B) Either of the following is true:

(i) Profiling is necessary to provide the online service, product, or feature requested and only with respect to the aspects of the online service, product, or feature with which the child is actively and knowingly engaged.

(ii) The business can demonstrate a compelling reason that profiling is in the best interests of children.

(3) Collect, sell, share, or retain any personal information that is not necessary to provide an online service, product, or feature with which a child is actively and knowingly engaged, or as described in paragraphs (1) to (4), inclusive, of subdivision (a) of Section 1798.145, unless the business can demonstrate a compelling reason that the collecting, selling, sharing, or retaining of the personal information is in the best interests of children likely to access the online service, product, or feature.

(4) If the end user is a child, use personal information for any reason other than a reason for which that personal information was collected, unless the business can demonstrate a compelling reason that use of the personal information is in the best interests of children.

(5) Collect, sell, or share any precise geolocation information of children by default unless the collection of that precise geolocation information is strictly necessary for the business to provide the service, product, or feature requested and then only for the limited time that the collection of precise geolocation information is necessary to provide the service, product, or feature.

(6) Collect any precise geolocation information of a child without providing an obvious sign to the child for the duration of that collection that precise geolocation information is being collected.

(7) Use dark patterns to lead or encourage children to provide personal information beyond what is reasonably expected to provide that online service, product, or feature to forego privacy protections, or to take any action that the business knows, or has reason to know, is materially detrimental to the child’s physical health, mental health, or well-being.

(8) Use any personal information collected to estimate age or age range for any other purpose or retain that personal information longer than necessary to estimate age. Age assurance shall be proportionate to the risks and data practice of an online service, product, or feature.