ID Scanning Laws by State: Legal Requirements for Businesses

Confused about the legality of scanning IDs in your retail store? You’re not alone.

ID scanning laws vary by state. Each state has different requirements. In Nevada, for example, retailers are required to scan IDs for tobacco sales. Note: Nevada is the only state that requires ID scanning for cigarettes.

However, although you may not be required to scan IDs, it can help you stay compliant. ID scanning can help you catch fake IDs, reduce errors, and check driver’s licenses quickly.

Generally, you might choose to scan IDs based on the products you sell (e.g., tobacco, liquor, or cannabis). Or if your business must restrict access to underage guests (like a bar, dispensary, or nightclub). In these cases, you might be wondering:

Is it legal for my store to scan driver’s licenses? (Spoiler alert: it depends heavily on where you live and what you sell!)

Can my customers refuse to have their ID scanned? (The answer might surprise you!)

What about ID scanning for cigarettes, alcohol, and other age-restricted products? (We’ve got you covered!)

This guide to ID scanning laws by state covers that and more. Keep reading to learn everything there is to know about using an ID scanner in your business.

ID Scanning Laws: A Quick Overview

A common question that we hear is: Is my business required to scan IDs before completing a purchase.

In most cases, you aren’t required to scan driver’s licenses. However, a few states do require mandatory ID scans in certain cases. They include:

• Nevada requires ID scans for tobacco and cannabis sales.
• Missouri requires ID scans for cannabis sales.
• Illinois requires ID scans at dispensaries (both to enter and purchase) and for online tobacco sales.
• Utah requires ID scans for alcohol sales and to enter bars / nightclubs.
• In Pennsylvania, ID scanning is required for to-go alcohol sales.
• Michigan requires ID scans for online tobacco sales.

Several states do require ID scanning technology for transactions like check cashing, pawn exchanges, scrap metal sales, notary public, currency exchange, the sale of cold/flu medicine, and controlled substances.

I. Can I Legally Scan IDs?

Am I legally permitted to scan IDs?

The answer is that yes, in most cases, your business can choose to scan IDs. New Hampshire is the only state that prohibits ID scanning, and Maryland has a bill under consideration.

However, each state has different requirements for:

• The information that can be collected.
• The types of transactions ID scans can be used for.
• How long or if the information can be stored.

To remain compliant, you must carefully consider your state’s ID scanning requirements.

II. Consent Laws and ID Scanning

In most cases, the business isn’t required to inform the customer before performing a scan. However, consent is required if biometric information will be collected like:

• Fingerprint
• Image scan

In these cases, the business would need a notification waiver to collect and store this sensitive data. Ultimately, review your state’s consent requirements prior to implementing ID scanning.

III. Affirmative Defense and ID Scanning Laws

Several states protect businesses that scan IDs under “affirmative defense” laws.

In these states, using an ID scanner offers businesses legal protection if they unknowingly sell to a minor despite a seemingly valid ID. The scan acts as proof that the business took “reasonable” precautions to prevent an underage sale.

For example, if an underage guest at a bar was using a fake ID and it passed an ID scan, the business could be potentially protected from fines and lawsuits (in certain cases and for the sale of certain products). These laws vary by state.

For example, in Arizona, affirmative defense relates to alcohol sales. States with affirmative defense laws with ID scanning include:

• Arizona
• Connecticut
• Nevada
• New York
• North Carolina
• Ohio
• Oregon
• Pennsylvania
• Rhode Island
• Texas
• Utah
• West Virginia

Distinctive ID Features by State

In the USA, all the IDs must comply with the federal REAL ID Act standards. And there are a couple of states out there that have their unique features that tell them apart.

State	Features
Illinois	High-line fine-pattern guilloche, ultraviolet (UV)-printed secondary photo, color-shifting ink.
New York	Embedded ghost image, either a US flag with an RFID chip or gold star, Statue of Liberty silhouette.
Georgia	UV-reactive features, star marking, raised birthday lettering.
California	UV‑reactive golden bear and star, transparent window showing birthdate, raised signature texture
Florida	Micro-line background patterns, ghost images, tactile date of birth.
Arizona	Laser‑etched tactile areas, optically variable inks that shift when tilted
Texas	Laser‑engraved ghost image, optically variable color‑shifting seal, tactile birthdate text

Federal Regulations Impacting ID Scanning

The practice of scanning IDs – whether it’s a driver’s license, state ID card, or passport – has become a routine part of modern business operations. From verifying age at a bar to confirming a customer’s identity for a bank transaction, the use of ID scanners is widespread.

1. Digital Identity Act

While no single federal “Digital Identity Act” exists to comprehensively regulate ID scanning, the concept is woven into several legislative discussions and proposals aimed at creating a more secure and privacy-respecting digital ecosystem. These discussions focus on standards for digital identity verification, security protocols, and consumer rights.

2. Consumer Protection Act

While not a specific “Consumer Protection Act” in this context, various federal laws like the Federal Trade Commission Act empower the FTC to regulate unfair or deceptive business practices. The FTC has a keen interest in how companies handle consumer data, including information collected from an ID scan.

3. Drivers Privacy Protection Act (DPPA)

The Drivers Privacy Protection Act (DPPA) is a key federal law that directly impacts how businesses handle driver’s license information. Originally enacted to prevent the resale of personal information by DMVs, its principles extend to private entities. The DPPA generally restricts access to and use of personal information contained on a driver’s license.

4. Fair Credit Reporting Act (FCRA)

The Fair Credit Reporting Act (FCRA) regulates the collection and use of consumer credit information. While an ID scan isn’t a credit check, if the data is used in a way that impacts a person’s eligibility for credit, insurance, or employment, the FCRA could apply.

5. Gramm-Leach-Bliley Act (GLBA)

The Gramm-Leach-Bliley Act (GLBA) is a federal law primarily for financial institutions. It mandates that these institutions protect the privacy of customer financial information. When a bank or other financial entity uses an ID scanner for KYC (Know Your Customer) purposes, the data collected from that scan falls under the purview of GLBA.

States with Strict ID Scanning Laws

While federal laws provide a baseline, many states have enacted their own, often more stringent, scanner laws by state. These laws dictate everything from what data can be collected to how long it can be stored.

1. California (CA Civil Code § 1798.90.1)

California’s law is a prime example of strict ID scanning regulation. It prohibits businesses from retaining data collected from a swipe or scan of a California driver’s license or ID card, except in specific, legally defined circumstances.

2. Texas (TX Business & Commerce Code § 503.001)

Texas law restricts the use of information from a driver’s license or ID card. It prohibits businesses from storing, selling, or transmitting the data and explicitly states that a business cannot require a scan as a condition of a transaction unless a specific statute or regulation permits it.

3. Illinois (Biometric Information Privacy Act – BIPA implications)

Illinois’s Biometric Information Privacy Act (BIPA) is one of the most significant state privacy laws in the country. While not a direct ID scanning law, its implications are massive. If an ID scan captures biometric data—such as a facial scan for comparison—it could fall under BIPA.

4. New York (NY General Business Law § 399-dd)

New York law specifically regulates the use of credit card information and personal data from ID cards. It prohibits businesses from swiping or scanning an ID card unless for a specific, legally defined purpose, such as age verification, and restricts the storage and sale of the information.

5. Washington (WA Rev. Code § 19.182)

Washington’s law, similar to California’s, restricts the collection and retention of data from driver’s licenses. It specifies that personal information from an ID cannot be stored unless authorized by law or with the individual’s consent, and only for a purpose specified at the time of collection.

Key Components of ID Scanning Laws

No matter the jurisdiction, there are several common themes that run through all ID scanner regulations. Understanding these is key to developing a compliant business practice.

Consent requirements

A foundational principle of many ID scanning laws is the requirement for informed consent. Businesses often need to inform the individual what data is being collected, why, and how it will be used. In some cases, like with BIPA, this consent must be in writing.

Data retention rules

Laws often specify how long a business can keep the data collected from an ID scan. Many jurisdictions mandate that the data must be deleted immediately after its purpose is served, such as after a successful age verification. Businesses must have a clear data destruction policy to ensure they don’t hold onto information longer than legally permitted.

Prohibited uses

All laws have specific prohibitions. This could be against using ID scan data for marketing purposes, selling the data to third parties, or creating a database of customers without their explicit, informed consent.

Penalties for non-compliance

The penalties for violating these laws can be severe, ranging from civil lawsuits and hefty fines to criminal charges. Some laws, like BIPA, even allow for private rights of action, enabling individuals to sue for damages, which can lead to large class-action lawsuits.

Industry-Specific ID Scanning Regulations

The legal landscape is also shaped by industry-specific regulations that govern the use of ID scanning for particular purposes.

1. Bars & Restaurants: Alcohol sales compliance

For bars and restaurants, scanning ID for alcohol is primarily about age verification laws by state. Scanners are used to confirm that a customer is of legal drinking age and to record the transaction for compliance with state liquor control boards. While this use is generally permitted, businesses must still adhere to data retention and use restrictions.

2. Retail: Preventing underage sales (tobacco, vaping, lottery)

Similarly, retail businesses use ID scanners to prevent the underage sale of restricted products, like scanning ID for tobacco or lottery tickets. The practice of scanning IDs is a defense against compliance checks and can provide a record of due diligence in the event of a violation.

3. Healthcare & Banking: KYC (Know Your Customer) requirements

In financial services and healthcare, ID scanning is often part of a broader KYC and anti-money laundering (AML) process. Banks and other financial institutions are legally required to verify customer identity to prevent fraud and illicit financial activity. Healthcare providers must verify patient identity to ensure accurate record-keeping and billing

4. Employment & Background Checks: Legal limitations

While ID scanning may be used in background checks or to verify an employee’s identity, there are strict legal limitations. The data must be used only for this purpose and handled in accordance with laws like the FCRA. Employers must be careful not to use this information in a way that could lead to discrimination or privacy violations.

Privacy Concerns and Potential Risks of ID Scanning

While ID scanning offers convenience and potential age verification benefits, you need to be aware of the potential risks. Many customers fear privacy breaches when they offer their ID for a scan. Therefore, it’s essential to build trust with customers (and use a reputable age verification platform).

Some of the risks include:

• Personal information: Scans often capture and store sensitive data like your name, address, date of birth, and photo. Breaches or leaks of this data can lead to identity theft, fraud, and discrimination.
• Excessive data capture: Some scanners might capture more data than necessary, raising concerns about data minimization. Be sure to choose an ID scanner that allows you to customize the information you can collect (and only collect necessary data).
• Data retention: Unclear policies on how long data is stored and who has access to it can increase privacy risks.
• Vulnerability to cyberattacks: Scanners and storage systems can be vulnerable to hacking, malware, and insider threats, putting your data at risk. A breach reflects poorly on your business and can result in a loss of customer trust.

Wrapping Up: Know Your ID Scanning Laws

There are numerous benefits to using ID scans in your business. However, it’s imperative that you understand the requirements.

Because most states allow ID scans, it’s important that you consider:

• The type of information you collect
• Your ID data storage protocols (how long and the type of data)
• Security and encryption

These tools streamline transactions. But if they’re not secure, they can do more harm than good. Need a reliable provider? FTx Identity is a digital ID card scanning system that’s ideal for tobacco, alcohol, and other age-restricted industries. Contact our sales team today to learn more.