Can you scan IDs in Texas?

Texas law regulates a business’s ability to scan IDs and to retain information obtained from a scan. 

Overview of Texas ID Scanning Laws

Texas Transportation Code § 521.126 prohibits accessing, using, compiling, or maintaining a database of electronically readable information derived from IDs except under the following circumstances:

• For a law enforcement or governmental purpose
• Information can be accessed and used by a financial institution or a business (i) for verifying identification of an individual, (ii) for check payment verification, or (iii) for providing such information, for the purpose of administering a transaction initiated by the ID holder, to a check services company or fraud prevention services company governed by the Fair Credit Reporting Act
• Information can be compiled and included in a database by a financial institution if consent (separately documented, explaining the compilation or database in at least 14-point bold type, and signed) is obtained
• Information can be accessed, used, compiled, or included in a database by a hospital to provide health care services to the individual

Businesses selling alcohol or tobacco are expressly authorized to access electronically readable information on IDs for purposes preventing unlawful sales or establishing an affirmative defense against a charge of unlawful sale.

Under Texas Business & Commerce Code § 503.001, a person may not capture a biometric identifier of an individual for a commercial purpose unless the person: 1) informs the individual before capturing the biometric identifier, and 2) received the individual’s consent to capture the biometric identifier. For these purposes,  “biometric identifier” means a retina or iris scan, fingerprint, voiceprint, or record of hand or face geometry.

Under Texas Business & Commerce Code § 501.101, a merchant who requires a consumer returning merchandise to provide an ID is allowed to use the information obtained solely for identification purposes if the consumer does not have a receipt and the consumer is seeking a cash, credit, or store credit refund.  Information so obtained can be used to monitor, investigate, or prosecute fraudulent return of merchandise.  All such information must be destroyed at the expiration of six months from the date of the last transaction. 

A hotel can access and use (but cannot compile) electronically readable information from an ID for purposes of identity verification.  In other words, a hotel can scan a guest’s ID to verify the guest’s identity but cannot go one step further to store information obtained from the scan. 

Tex. Transp. Code 521.126(b) prohibits a business from accessing or using, or compiling or maintaining a database of, electronically readable ID information for any purpose not expressly authorized.  Note:  Tex. Transp. Code 521.126(b) prohibits a Texas business from maintaining a database of ID information to administer refunds, but appears to allow, for the purpose of administering a transaction initiated by the ID holder such as a refund request, scanning of IDs for the purpose of providing information so obtained to a check services company or fraud prevention services company governed by the Fair Credit Reporting Act.

Does Texas offer affirmative defense for ID scanning?

Yes.

Texas Transportation Code. Title &. Chapter 521. Driver’s Licenses & Certificates

(a)  The department may not include any information on a driver’s license, commercial driver’s license, or personal identification certificate in an electronically readable form other than the information printed on the license and a physical description of the licensee.

(b)  Except as provided by Subsections (d), (e), (e-1), (g), (i), (j), and (n), and Section 501.101, Business & Commerce Code, a person commits an offense if the person:

(1)  accesses or uses electronically readable information derived from a driver’s license, commercial driver’s license, or personal identification certificate; or

(2)  compiles or maintains a database of electronically readable information derived from driver’s licenses, commercial driver’s licenses, or personal identification certificates.

(c)  An offense under Subsection (b) is a Class A misdemeanor.

(d)  The prohibition provided by Subsection (b) does not apply to a person who accesses, uses, compiles, or maintains a database of the information for a law enforcement or governmental purpose, including:

1. (1)  an officer or employee of the department carrying out law enforcement or government purposes;
2. (2)  a peace officer, as defined by Article 2.12, Code of Criminal Procedure, acting in the officer’s official capacity;
3. (3)  a license deputy, as defined by Section 12.702, Parks and Wildlife Code, issuing a license, stamp, tag, permit, or other similar item through use of a point-of-sale system under Section 12.703, Parks and Wildlife Code;
4. (4)  a person acting as authorized by Section 109.61, Alcoholic Beverage Code;
5. (5)  a person establishing the identity of a voter under Chapter 63, Election Code;
6. (6)  a person acting as authorized by Section 161.0825, Health and Safety Code; or
7. (7)  a person screening an individual who will work with or have access to children if the person is an employee or an agent of an employee of a public school district or an organization exempt from federal income tax under Section 501(c)(3), Internal Revenue Code of 1986, as amended, that sponsors a program for youth.

(e)  The prohibition provided by Subsection (b)(1) does not apply to a financial institution or a business that:

(1)  accesses or uses electronically readable information for purposes of identification verification of an individual or check verification at the point of sale for a purchase of a good or service by check; or

(2)  accesses or uses as electronically readable information a driver’s license number or a name printed on a driver’s license as part of a transaction initiated by the license or certificate holder to provide information encrypted in a manner:

(A)  consistent with PCI DSS Standard 3.4 to a check services company or fraud prevention services company governed by the Fair Credit Reporting Act (15 U.S.C. Section 1681 et seq.) for the purpose of effecting, administering, or enforcing the transaction; and

(B)  that does not involve the sale, transfer, or other dissemination of a name or driver’s license number to a third party for any purpose, including any marketing, advertising, or promotional activities.

(e-1)  The prohibition provided by Subsection (b) does not apply to:

(1)  a check services company or a fraud prevention services company governed by the Fair Credit Reporting Act (15 U.S.C. Section 1681 et seq.) that, for the purpose of preventing fraud when effecting, administering, or enforcing the transaction:

(A)  accesses or uses as electronically readable information a driver’s license number or a name printed on a driver’s license; or

(B)  compiles or maintains a database of electronically readable driver’s license numbers or names printed on driver’s licenses and periodically removes the numbers or names from the database that are at least four years old; or

(2)  a financial institution that compiles or maintains a database of electronically readable information, if each license or certificate holder whose information is included in the compilation or database consents to the inclusion of the person’s information in the compilation or database on a separate document, signed by the license or certificate holder, that explains in at least 14-point bold type the information that will be included in the compilation or database.

(f)  A person may not use information derived from electronically readable information from a driver’s license, commercial driver’s license, or personal identification certificate to engage in telephone solicitation to encourage the purchase or rental of, or investment in, goods, other property, or services.

(g)  If authorized by the executive or administrative head of a maritime facility as defined in the Maritime Transportation Security Act of 2002 (46 U.S.C. Section 70101 et seq.), or of a port, port authority, or navigation district created or operating under Section 52, Article III, or Section 59, Article XVI, Texas Constitution, a person may access, use, compile, or maintain in a database electronically readable information derived from a driver’s license, commercial driver’s license, or personal identification certificate to secure the facility or port.  The information may be used only to:

1. (1)  identify an individual;
2. (2)  provide official credentials for an individual;
3. (3)  track or limit the movement of an individual on facility property;
4. (4)  establish a secure database of visitors to the facility;
5. (5)  access the information at terminal and gate operations of the facility; or
6. (6)  conduct other security or operational activities as determined by the executive or administrative head.

(h)  Except as provided by Section 418.183, Government Code, the electronically readable information derived from a driver’s license, commercial driver’s license, or personal identification certificate for the purposes of Subsection (g) is confidential and not subject to disclosure, inspection, or copying under Chapter 552, Government Code.

(i)  The prohibition provided by Subsection (b) does not apply to a health care provider or hospital that accesses, uses, compiles, or maintains a database of the information to provide health care services to the individual who holds the driver’s license, commercial driver’s license, or personal identification certificate.  If an individual objects to the collection of information under this subsection, the health care provider or hospital must use an alternative method to collect the individual’s information.

(j)  Except as otherwise provided by this subsection, a health care provider or hospital may not sell, transfer, or otherwise disseminate the information described by Subsection (i) to a third party for any purpose, including any marketing, advertising, or promotional activities.  A health care provider or hospital that obtains information described by Subsection (i) may transfer the information only in accordance with the rules implementing the federal Health Insurance Portability and Accountability Act of 1996 (Pub. L. No. 104-191).  A business associate, and any subcontractor of the business associate who receives the transferred information, may use the information only to service or maintain the health care provider’s or hospital’s database of the information.

(k)  Repealed by Acts 2015, 84th Leg., R.S., Ch. 1261 , Sec. 8, eff. January 1, 2016.

(l)  For the purposes of this section, “financial institution” has the meaning assigned by 31 U.S.C. Section 5312(a)(2).

(m)  In this section, “health care provider” means an individual or facility licensed, certified, or otherwise authorized by the law of this state to provide or administer health care, for profit or otherwise, in the ordinary course of business or professional practice, including a physician, nurse, dentist, podiatrist, pharmacist, chiropractor, therapeutic optometrist, ambulatory surgical center, urgent care facility, nursing home, home and community support services agency, and emergency medical services personnel as defined by Section 773.003, Health and Safety Code.

(n)  The prohibition provided by Subsection (b) does not apply to the nonprofit organization administering the Glenda Dawson Donate Life-Texas Registry under Section 692A.020, Health and Safety Code, or an organ procurement organization, tissue bank, or eye bank, as those terms are defined by Section 692A.002, Health and Safety Code, for the purpose of scanning the individual’s information on the individual’s driver’s license, commercial driver’s license, or personal identification certificate to register the individual as an anatomical gift donor.  Before transmitting information scanned under this subsection, the nonprofit organization, organ procurement organization, tissue bank, or eye bank shall:

(1)  notify the individual of the registry’s purpose and the purposes for which the information will be used;

(2)  require the individual to verify the accuracy of the information; and

(3)  require the individual to affirm consent to make an anatomical gift through the individual’s use of the individual’s electronic signature.

Texas Alcohol and Beverage Code – Title 4 – Sec. 106.03. Provisions relating to age.

(a)  A person commits an offense if with criminal negligence he sells an alcoholic beverage to a minor.
(b)  A person who sells a minor an alcoholic beverage does not commit an offense if the minor falsely represents himself to be 21 years old or older by displaying an apparently valid proof of identification that contains a physical description and photograph consistent with the minor’s appearance, purports to establish that the minor is 21 years of age or older, and was issued by a governmental agency.  The proof of identification may include a driver’s license or identification card issued by the Department of Public Safety, a passport, or a military identification card.
(c)  An offense under this section is a Class A misdemeanor.
(d)  Subsection (b) does not apply to a person who accesses electronically readable information under Section 109.61 that identifies a driver’s license or identification certificate as invalid.

Texas Alcoholic Beverage Code § 109.61. Use of certain electronically readable information

 A person may access electronically readable  information on a driver’s license, commercial driver’s license, or identification certificate for the purpose of complying with this code or a rule of the commission, including for the purpose of preventing the person from committing an offense under this code.

(b)  A person may not retain information accessed under this section unless the commission by rule requires the information to be retained.  The person may not retain the information longer than the commission requires.
(c)  Information accessed under this section may not be marketed in any manner.
(d)  A person who violates this section commits an offense.  An offense under this section is a Class A misdemeanor.
(e)  It is an affirmative defense to prosecution under this code, for an offense having as an element the age of a person, that:
(1)  a transaction scan device identified a license or certificate as valid and the defendant accessed the information and relied on the results in good faith;  or
(2)  if the defendant is the owner of a store in which alcoholic beverages are sold at retail, the offense occurs in connection with a sale by an employee of the owner, and the owner
had provided the employee with:
  (A)  a transaction scan device in working condition;  and                 
  (B)  adequate training in the use of the transaction scan device.     

Texas Business & Commerce Code – Sec. 503.001. Capture or use of Biometric Identifiers.

(a) In this section, “biometric identifier” means a retina or iris scan, fingerprint, voiceprint, or record of hand or face geometry.

(b) A person may not capture a biometric identifier of an individual for a commercial purpose unless the person:

(1) informs the individual before capturing the biometric identifier; and

(2) receives the individual’s consent to capture the biometric identifier.

(c) A person who possesses a biometric identifier of an individual that is captured for a commercial purpose:

(1) may not sell, lease, or otherwise disclose the biometric identifier to another person unless:

(A) the individual consents to the disclosure for identification purposes in the event of the individual’s disappearance or death;

(B) the disclosure completes a financial transaction that the individual requested or authorized;

(C) the disclosure is required or permitted by a federal statute or by a state statute other than Chapter 552, Government Code; or

(D) the disclosure is made by or to a law enforcement agency for a law enforcement purpose in response to a warrant;

(2) shall store, transmit, and protect from disclosure the biometric identifier using reasonable care and in a manner that is the same as or more protective than the manner in which the person stores, transmits, and protects any other confidential information the person possesses; and

(3) shall destroy the biometric identifier within a reasonable time, but not later than the first anniversary of the date the purpose for collecting the identifier expires, except as provided by Subsection (c-1).

(c-1) If a biometric identifier of an individual captured for a commercial purpose is used in connection with an instrument or document that is required by another law to be maintained for a period longer than the period prescribed by Subsection (c)(3), the person who possesses the biometric identifier shall destroy the biometric identifier within a reasonable time, but not later than the first anniversary of the date the instrument or document is no longer required to be maintained by law.

(c-2) If a biometric identifier captured for a commercial purpose has been collected for security purposes by an employer, the purpose for collecting the identifier under Subsection (c)(3) is presumed to expire on termination of the employment relationship.

(d) A person who violates this section is subject to a civil penalty of not more than $25,000 for each violation. The attorney general may bring an action to recover the civil penalty.

(e) This section does not apply to voiceprint data retained by a financial institution or an affiliate of a financial institution, as those terms are defined by 15 U.S.C. Section 6809.

Texas Business and Commerce Code. Sec. 501.1011
Sales Receipt Containing Driver’s License Number Prohibited

A person may not print an individual’s driver’s license number on a receipt that evidences payment for a sale of goods or services and is provided to the individual.

Texas Business and Commerce Code. Sec.505.001. Protection of driver’s license and social security numbers

(a)  A merchant or a third party under contract with a merchant who requires a consumer returning merchandise to provide the consumer’s driver’s license or social security number may use the number or numbers provided by the consumer solely for identification purposes if the consumer does not have a valid receipt for the item being returned and is seeking a cash, credit, or store credit refund.
(b)  A merchant or a third party under contract with a merchant may not disclose a consumer’s driver’s license or social security number to any other third party, including a merchant, not involved in the initial transaction.
(c)  A merchant or a third party under contract with a merchant may use a consumer’s driver’s license or social security number only to monitor, investigate, or prosecute fraudulent return of merchandise.
(d)  A merchant or a third party under contract with a merchant shall destroy or arrange for the destruction of records containing the consumer’s driver’s license or social security number at the expiration of six months from the date of the last transaction.

Texas Act SB 97. Relating to the sale of e-cigarettes to minors.

(d)AAIt is a defense to prosecution under Subsection (a)(1) that the person to whom the cigarette , e-cigarette, or tobacco product was sold or given presented to the defendant apparently valid proof of identification.