U.S. ID Scanning Laws by State: Rules, Restrictions & Requirements (Updated Guide 2026)

ID Scanning Laws by State - The Ultimate Guide
  • by Danielle Dixon
  • Last Updated On July 14, 2026

Selling age-restricted items like alcohol, tobacco, or cannabis means navigating a constantly shifting legal landscape.

While using an ID scanner is a great way to catch sophisticated fakes and eliminate human error, there is no single nationwide rule governing the technology.

Before introducing scanners to your checkout lines, you must understand your local regulations.

Different states have strict regulations on whether you can legally store customer data, and you must know how to handle shoppers who refuse the scan.

This blog cuts through the legal jargon to give you a clear look at your rights and compliance responsibilities.

  • ID scanning laws vary by state, so it is important for businesses to know the rules in their area before using ID scanning technology.
  • Most states allow ID scanning for purposes such as verifying someone’s age, preventing fraud, and complying with the law.
  • The rules for storing information from scanned IDs also differ by location. If you store this information without permission, you could get in trouble for violating the rules.
  • You may need to obtain permission from individuals before scanning their IDs, especially if you are using methods such as facial recognition or fingerprint scanning.
  • There are also rules about sharing ID information with companies, which can create more work for businesses to ensure they protect people’s privacy and comply with the rules.

ID Scanning Laws: A Quick Overview

ID Scanning Laws: A Quick Overview

In most cases, you aren’t required to scan driver’s licenses. However, a few states do require mandatory ID scans in certain cases. They include:

  • Nevada requires ID scans for tobacco and cannabis sales.
  • Missouri requires ID scans for cannabis sales.
  • Illinois requires ID scans at dispensaries (both to enter and purchase) and for online tobacco sales.
  • Utah requires ID scans for alcohol sales and to enter bars / nightclubs.
  • In Pennsylvania, ID scanning is required for alcohol sales.
  • Michigan requires ID scans for online tobacco sales.

Several states do require ID scanning technology for transactions like check cashing, pawn exchanges, scrap metal sales, notary public services, currency exchange, the sale of cold/flu medicine, and controlled substances.

I. Can I Legally Scan IDs?

In most cases, yes — businesses in the United States can use ID scanning technology for legitimate purposes such as age verification, fraud prevention, and compliance. However, there is no single nationwide law governing ID scanning, and requirements vary by state.

States differ in what data can be collected from an ID scan, whether it can be stored, and how long it can be retained. Most allow ID scanning when used for lawful business purposes, but privacy and data handling rules vary widely.

For example, New Hampshire places unusually strict limits on the electronic storage and retention of driver’s license and ID data, requiring authorization for certain uses under state law.

In addition, Maryland has a bill under consideration that would restrict the collection or retention of data obtained through ID scanning technology in certain contexts, reflecting a broader trend toward increased privacy regulation.

II. Consent Laws and ID Scanning

In most cases, the business isn’t required to inform the customer before performing a scan. However, consent is required if biometric information will be collected like:

  • Fingerprint
  • Image scan

In these cases, the business would need a notification waiver to collect and store this sensitive data. Ultimately, review your state’s consent requirements prior to implementing ID scanning.

III. Affirmative Defense and ID Scanning Laws

Several states protect businesses that scan IDs under “affirmative defense” laws.

In these states, using an ID scanner offers businesses legal protection if they unknowingly sell to a minor despite a seemingly valid ID. The scan acts as proof that the business took “reasonable” precautions to prevent an underage sale.

For example, if an underage guest at a bar was using a fake ID and it passed an ID scan, the business could be potentially protected from fines and lawsuits (in certain cases and for the sale of certain products). These laws vary by state.

For example, in Arizona, affirmative defense relates to alcohol sales. States with affirmative defense laws with ID scanning include:

  • Arizona
  • Connecticut
  • Nevada
  • New York
  • North Carolina
  • Ohio
  • Oregon
  • Pennsylvania
  • Rhode Island
  • Texas
  • Utah
  • West Virginia

Distinctive ID Features by State

In the USA, all the IDs must comply with the federal REAL ID Act standards. And there are a couple of states out there that have their unique features that tell them apart.

State Features
Illinois High-line fine-pattern guilloche, ultraviolet (UV)-printed secondary photo, color-shifting ink.
New York Embedded ghost image, either a US flag with a radio frequency identification (RFID) chip or gold star, Statue of Liberty silhouette.
Georgia UV-reactive features, star marking, raised birthday lettering.
California UV‑reactive golden bear and star, transparent window showing birthdate, raised signature texture.
Florida Micro-line background patterns, ghost images, tactile date of birth.
Arizona Laser‑etched tactile areas, optically variable inks that shift when tilted.
Texas Laser‑engraved ghost image, optically variable color‑shifting seal, tactile birthdate text.

Federal Regulations Impacting ID Scanning

The practice of scanning IDs – whether it’s a driver’s license, state ID card, or passport – has become a routine part of modern business operations.

From verifying age at a bar to confirming a customer’s identity for a bank transaction, the use of ID scanners is widespread.

1. Digital Identity Act

While no single federal “Digital Identity Act” exists to comprehensively regulate ID scanning, the concept is woven into several legislative discussions and proposals aimed at creating a more secure and privacy-respecting digital ecosystem.

These discussions focus on standards for digital identity verification, security protocols, and consumer rights.

2. Consumer Protection Act

While not a specific “Consumer Protection Act” in this context, various federal laws like the Federal Trade Commission Act, empower the FTC to regulate unfair or deceptive business practices.

The FTC has a keen interest in how companies handle consumer data, including information collected from an ID scan.

3. Drivers Privacy Protection Act (DPPA)

The Drivers Privacy Protection Act (DPPA) is a key federal law that directly impacts how businesses handle driver’s license information.

Originally enacted to prevent the resale of personal information by DMVs, its principles extend to private entities.

The DPPA generally restricts access to, and use of personal information contained on a driver’s license.

4. Fair Credit Reporting Act (FCRA)

The Fair Credit Reporting Act (FCRA) regulates the collection and use of consumer credit information.

While an ID scan isn’t a credit check, if the data is used in a way that impacts a person’s eligibility for credit, insurance, or employment, the FCRA could apply.

5. Gramm-Leach-Bliley Act (GLBA)

The Gramm-Leach-Bliley Act (GLBA) is a federal law primarily for financial institutions. It mandates that these institutions protect the privacy of customer financial information.

When a bank or other financial entity uses an ID scanner for KYC (Know Your Customer) purposes, the data collected from that scan falls under the purview of GLBA.

States with Strict ID Scanning Laws

States Leading the Way with Strict ID Verification Laws

While federal laws provide a baseline, many states have enacted their own, often more stringent, scanner laws by state.

These laws dictate everything from what data can be collected to how long it can be stored.

1. California (CA Civil Code § 1798.90.1)

California’s law is a prime example of strict ID scanning regulation.

It prohibits businesses from retaining data collected from a swipe or scan of a California driver’s license or ID card, except in specific, legally defined circumstances.

2. Texas (TX Business & Commerce Code § 503.001)

Texas law restricts the use of information from a driver’s license or ID card.

It prohibits businesses from storing, selling, or transmitting the data and explicitly states that a business cannot require a scan as a condition of a transaction unless a specific statute or regulation permits it.

3. Illinois (Biometric Information Privacy Act – BIPA implications)

Illinois’s Biometric Information Privacy Act (BIPA) is one of the most significant state privacy laws in the country.

While not a direct ID scanning law, its implications are massive. If an ID scan captures biometric data—such as a facial scan for comparison—it could fall under BIPA.

4. New York (NY General Business Law § 399-dd)

New York law specifically regulates the use of credit card information and personal data from ID cards.

It prohibits businesses from swiping or scanning an ID card unless for a specific, legally defined purpose, such as age verification, and restricts the storage and sale of the information.

5. Washington (WA Rev. Code § 19.182)

Washington’s law, similar to California’s, restricts the collection and retention of data from driver’s licenses.

It specifies that personal information from an ID cannot be stored unless authorized by law or with the individual’s consent, and only for a purpose specified at the time of collection.

Data Storage, Retention & Sharing Rules

Scanning an ID to verify age is simple but saving or sharing that data triggers strict legal responsibilities.

State privacy laws dictate exactly how you must secure this information and who can access it.

Failing to follow these guidelines exposes your business to heavy compliance penalties and data breach of liabilities.

Storage Limitations

Swiping an ID is legal. Holding on to the information is not. There are laws, such as California Civil Code Section 1798.90.1, that make this very clear.

These laws say that businesses cannot store information obtained from scanning an ID unless a law permits it, and it applies to their particular business.

Retention Period Rules

When a state lets you store ID data for compliance or verification, you are on schedule.

Many places require that any stored data be permanently deleted as soon as the main reason for the scan is complete.

This time limit can be as short as 24 hours or as long as a couple of weeks, depending on the laws.

Third-Party Sharing Restrictions

The law is very strict about keeping information from driver’s licenses.

You cannot use this information to make lists of people selling things to, or to see what your customers are doing, or to make ads that’re just for them, without their consent in writing.

The only thing you can use this information for now is to check someone’s identity and age.

Third-Party Access and Usage Restrictions

Consent Requirements for ID Scanning

When you scan a customer’s ID to verify age, you must follow data privacy regulations. Most laws require you to get the customer’s permission, since some people might not want their ID scanned, so you have to offer them an alternative.

Explicit vs. Implied Consent

When you hand a driver’s license to a clerk, it is like you are saying it is okay to check your age.

If a store uses special machines that can recognize your face, that is not enough. The store needs to obtain your permission clearly.

This means the customer has to sign a paper or click a button indicating they agree before the store can use the face recognition system on the customer’s driver’s license.

The customer needs to give permission to the store to use the customer’s driver’s license with the face recognition machine.

Signage Requirements in Stores

You can’t just spring a scanner on shoppers at the counter. Many places need signs at the store entrance or the cash register.

These signs must say that you have to scan to buy things like tobacco or alcohol. Having signs helps customers know what to expect and keeps the checkout line moving.

Digital Consent in Mobile Apps

When you sell age-restricted products like alcohol or tobacco through a delivery app or a rewards app, you need to get permission from the person buying it in some way.

The phone or tablet will not let the app use the camera or scan a barcode until the person using it says it is okay.

Your app has to tell the person why you need to scan something, what information you are going to review, and how you are going to keep it secure.

The person has to tap a button to say it is okay before the app will work.

Opt-Out Rights in Some States

Privacy frameworks in states like California and Washington protect a consumer’s right to opt out of data scanning.

If a customer objects to the electronic scanner, your store needs a compliant backup plan.

Clerks must be trained to immediately perform a visual check of the physical card to confirm the birthdate, rather than forcing a digital scan.

Technology Compliance in ID Scanning Systems

When you buy an ID scanner, it is not about the hardware. You need to make sure your ID scanner and the computer system it connects to are reliable enough to protect your business.

Your business needs to comply with technology and security regulations to avoid getting in trouble with the law. Your ID scanner and computer system must be up to date with the latest technology and security standards.

POS System Requirements

Your ID scanning software should work well with your Point of Sale (POS) system, not as a tool. When the setup is compliant, it uses automated age checks.

This means the POS terminal stops the checkout process for items that require age checks, like alcohol, tobacco, or cannabis, until an ID is scanned successfully.

The system must also handle data on the device or through a secure local network. This keeps consumer data safe. Prevents vulnerable logs from being created outside the system.

Identity Verification Accuracy Requirements

Verification Accuracy Requirements

We cannot just look at a driver’s license to see if it is real or not. We need to use machines to check the barcode on the back of US driver’s licenses.

These machines have to be able to read the PDF417 barcode. To stop people from using licenses that look real, the machine should also check the front of the license and compare it to the information in the barcode. The machine should use something called Optical Character Recognition to do this.

It checks for things like expiration dates on US driver’s licenses. Make sure everything matches up. If something does not match, the machine will let us know about fake US driver licenses.

Integration with Compliance Platforms

An effective ID scanner acts as a reliable audit trail for law enforcement and liquor control boards.

Your system needs to integrate directly with regulatory compliance platforms to document that your business consistently performs its due diligence.

If your business ever faces an enforcement check, your platform can securely retrieve encrypted metadata logs to prove that a real, technology-backed age check took place, which is vital for asserting an affirmative defense.

Key Components of ID Scanning Laws

No matter the jurisdiction, there are several common themes that run through all ID scanner regulations. Understanding these is key to developing a compliant business practice.

Consent requirements

A foundational principle of many ID scanning laws is the requirement for informed consent.

Businesses often need to inform the individual what data is being collected, why, and how it will be used. In some cases, like with BIPA, this consent must be in writing.

Data retention rules

Laws often specify how long a business can keep the data collected from an ID scan.

Many jurisdictions mandate that the data must be deleted immediately after its purpose is served, such as after a successful age-verification.

Businesses must have a clear data destruction policy to ensure they don’t hold information longer than legally permitted.

Prohibited uses

All laws have specific prohibitions. This could be against using ID scan data for marketing purposes, selling the data to third parties, or creating a database of customers without their explicit, informed consent.

Penalties for non-compliance

The penalties for violating these laws can be severe, ranging from civil lawsuits and hefty fines to criminal charges.

Some laws, like BIPA, even allow for private rights of action, enabling individuals to sue for damages, which can lead to large class-action lawsuits.

State-Wise ID Scanning Compliance Table (U.S.)

ID scanning laws vary across the United States, especially when it comes to consent, data storage, and retention requirements.

The table below gives a high-level look at how each state generally handles compliance.

State Status Consent Required Data Storage Rule Risk Level Primary Use Case
Alabama Allowed No Minimal restrictions Low Retail, Alcohol
Alaska Allowed No General compliance Low Retail
Arizona Allowed No Secure storage allowed Low Retail, Hospitality
Arkansas Allowed No Basic verification only Low Retail
California Restricted Yes Strict privacy laws (CCPA) High Retail
Colorado Restricted Yes Data minimization required High Retail
Connecticut Restricted Yes Limited retention rules High Retail
Delaware Allowed No Moderate safeguards Low Retail
Florida Allowed No General safeguards Low Retail, Hospitality
Georgia Allowed No Minimal restrictions Low Retail
Hawaii Restricted Yes Strong privacy controls High Retail
Idaho Allowed No Minimal regulation Low Retail
Illinois Restricted Yes Biometric restrictions apply High Retail, Finance
Indiana Allowed No Standard compliance use Low Retail
Iowa Allowed No General safeguards Low Retail
Kansas Allowed No Retail-friendly laws Low Retail
Kentucky Allowed No Alcohol compliance use Low Retail, Alcohol
Louisiana Allowed No Fraud prevention use Low Retail
Maine Restricted Yes Strict privacy rules High Retail
Maryland Restricted Yes Consent + retention limits High Retail
Massachusetts Restricted Yes Strong data protection High Retail
Michigan Allowed No General safeguards Low Retail
Minnesota Restricted Yes Privacy restrictions apply High Retail
Mississippi Allowed No Basic compliance Low Retail
Missouri Allowed No General use allowed Low Retail
Montana Restricted Yes Strict privacy laws High Retail
Nebraska Allowed No Minimal restrictions Low Retail
Nevada Allowed No Casino compliance focus Low Retail, Gaming
New Hampshire Allowed No Low regulation Low Retail
New Jersey Restricted Yes Strict privacy compliance High Retail
New Mexico Allowed No Standard use Low Retail
New York Restricted Yes Strong enforcement High Retail
North Carolina Allowed No Retail compliance use Low Retail
North Dakota Allowed No Low regulation Low Retail
Ohio Allowed No Common retail use Low Retail
Oklahoma Allowed No Standard verification Low Retail
Oregon Restricted Yes Strong privacy laws High Retail
Pennsylvania Allowed No Retail use Low Retail
Rhode Island Restricted Yes Data retention limits High Retail
South Carolina Allowed No Basic compliance Low Retail
South Dakota Allowed No Low regulation Low Retail
Tennessee Allowed No Retail use common Low Retail
Texas Restricted No Moderate restrictions Medium Retail, Hospitality
Utah Allowed No Standard use Low Retail
Vermont Restricted Yes Strong privacy laws High Retail
Virginia Restricted Yes CDPA compliance High Retail
Washington Restricted Yes Strict enforcement High Retail
West Virginia Allowed No Basic compliance Low Retail
Wisconsin Allowed No Retail use common Low Retail
Wyoming Allowed No Low regulation Low Retail

Industry-Specific ID Scanning Regulations

The legal landscape is also shaped by industry-specific regulations that govern the use of ID scanning for purposes.

1. Bars & Restaurants: Alcohol Sales Compliance

Bars & Restaurants: Alcohol Sales Compliance

For bars and restaurants, scanning ID for alcohol is primarily about age verification laws by state.

Scanners are used to confirm that a customer is of legal drinking age and to record the transaction for compliance with state liquor control boards.

While this use is generally permitted, businesses must still adhere to data retention and use restrictions.

2. Retail: Preventing Underage Sales (Tobacco, Vaping, Lottery)

Similarly, retail businesses use ID scanners to prevent the underage sale of restricted products, like scanning ID for tobacco or lottery tickets.

The practice of scanning IDs is a defense against compliance checks and can provide a record of due diligence in the event of a violation.

3. Healthcare & Banking: KYC (Know Your Customer) Requirements

In financial services and healthcare, ID scanning is often part of a broader KYC and anti-money laundering (AML) process.

Banks and other financial institutions are legally required to verify customer identity to prevent fraud and illicit financial activity.

Healthcare providers must verify patient identity to ensure accurate record-keeping and billing.

4. Employment & Background Checks: Legal Limitations

While ID scanning may be used in background checks or to verify an employee’s identity, there are strict legal limitations.

The data must be used only for this purpose and handled in accordance with laws like the FCRA.

Employers must be careful not to use this information in a way that could lead to discrimination or privacy violations.

Privacy Concerns and Potential Risks of ID Scanning

Privacy Concerns and Potential Risks of ID Scanning

While ID scanning offers convenience and potential age verification benefits, you need to be aware of the potential risks.

Many customers fear privacy breaches when they offer their ID for a scan. Therefore, it’s essential to build trust with customers (and use a reputable age verification platform).

Some of the risks include:

  • Personal Information: Scans often capture and store sensitive data like your name, address, date of birth, and photo. Breaches or leaks of this data can lead to identity theft, fraud, and discrimination.
  • Excessive Data Capture: Some scanners might capture more data than necessary, raising concerns about data minimization. Be sure to choose an ID scanner that allows you to customize the information you can collect (and only collect necessary data).
  • Data Retention: Unclear policies on how long data is stored and who has access to it can increase privacy risks.
  • Vulnerability to Cyberattacks: Scanners and storage systems can be vulnerable to hacking, malware, and insider threats, putting your data at risk. A breach reflects poorly on your business and can result in a loss of customer trust.

Common Misconceptions About ID Scanning Laws

Misunderstandings about identity verification technology can lead to major compliance violations.

Many retailers rely on hearsay rather than actual state regulations, which puts their businesses at risk for unexpected lawsuits or heavy fines.

ID Scanning Is Widely Permitted

ID scanning is generally permitted in the U.S. for purposes like age verification and fraud prevention, but rules vary by state.

For example, New Hampshire places strict limits on the electronic collection, storage, and retention of ID scan data, requiring authorization for certain uses under state law.

Other states regulate how ID information is collected, stored, and used, especially in relation to privacy and data protection requirements.

You Can Store Any Scanned ID if Encrypted

Many business owners believe that using high-level encryption makes it perfectly legal to build a digital database of scanned customer IDs.

However, security measures do not override data privacy laws. In states like California and Texas, it is illegal to keep or store scanned ID data for standard retail purchases, even if that data is fully encrypted.

The scanner must verify the age and delete the data immediately.

Only Alcohol Retailers Need Compliance

While bars and liquor stores are the most visible users of this technology, ID scanning rules apply to any business handling age-restricted or high-risk transactions.

Dispensaries, tobacco retailers, vape shops, and even pawn shops face their own strict state-level scanning rules.

For instance, Nevada requires scanning for tobacco purchases, while Illinois and Missouri mandate specific ID checks for cannabis dispensaries.

Biometric Scanning Is Always Approved for Use

Biometric Scanning Is Always Allowed

With the rise of advanced facial matching and fingerprint technology, some retailers assume they can adopt biometric identity verification without issue.

However, biometrics trigger entirely separate, severe legal frameworks. Under rules like the Illinois Biometric Information Privacy Act, you cannot perform biometric scans unless you first obtain explicit written customer consent.

Failing to obtain proper authorization can result in significant class-action penalties.

Wrapping Up: Know Your ID Scanning Laws

There are numerous benefits to using ID scans in your business. However, it’s imperative that you understand the requirements.

Because most states allow ID scans, it’s important that you consider:

  • The type of information you collect
  • Your ID data storage protocols (how long and the type of data)
  • Security and encryption

These tools streamline transactions. But if they’re not secure, they can do more harm than good. Need a reliable provider? FTx Identity is a digital ID card scanning system that’s ideal for tobacco, alcohol, and other age-restricted industries. Contact our sales team today to learn more.

Don’t risk fines and legal trouble.

Protect your business with a smart, compliant ID scanning system.

FAQs

Yes, customers have the right to refuse a digital scan, but your business also has the legal right to deny the sale.

Except for specific law enforcement situations, citizens are not federally required to let a private business scan their card.

ID scanning involves using a device to scan the barcode of an ID document (driver’s license, passport, state ID card, or government-issued ID).

A scanner reads the information, determines if the ID card is legitimate, and can then store the data.

Currently, there are no federal laws regarding ID scans. However, there are laws that govern consumer privacy.

Therefore, businesses should choose an ID scanner that’s compliant with these laws, which regulate the storage and transfer of personal information.

Yes, a customer can refuse an ID scan. In the cases outlined above (when ID verification is required by law and scanning is the method used), a transaction may not be able to proceed.

But what if an ID scan isn’t legally required?

Business owners should set their own rules. Outside of states with stricter limits on the electronic collection and retention of ID scan data (such as New Hampshire), a business owner could either:

  • Choose to refuse entry to the customer
  • Or manually inspect the driver’s license

Each state places limitations on the types of information that can be collected and stored.

Most states allow ID scans to collect:

  • Name
  • Date of birth
  • Expiration
  • ID number

Some ID scanners can collect more detailed information, including the customer’s address, image, or even biometric information.

However, the customer’s consent may be required for more sensitive information.

States govern data retention timeframes and may even have special requirements by industry. Generally, be aware of your state’s PII requirements (personally identifiable information) and timeframes.

However, many states do not have laws. For example, Alabama and Colorado do not regulate a business’s ability to retain information from a scan.

Be aware of your state and local regulations. And choose online ID scanning software that allows you to customize data collection and retention parameters.

Some states require ID scanning for the sale of tobacco or alcohol. Yet, even when it’s not required, ID scanning can protect your business.

Eleven states offer protections for businesses that practice ID scanning for age-restricted products, so-called 'affirmative defense' laws.

Simplify Age Verification.
Stay Compliant.

Complete the form to explore how FTx Identity streamlines age checks in-store and online-helping you protect your business while delivering a smoother customer experience.

Name
=