Selling age-restricted items like alcohol, tobacco, or cannabis means navigating a constantly shifting legal landscape.
While using an ID scanner is a great way to catch sophisticated fakes and eliminate human error, there is no single nationwide rule governing the technology.
Before introducing scanners to your checkout lines, you must understand your local regulations.
Different states have strict regulations on whether you can legally store customer data, and you must know how to handle shoppers who refuse the scan.
This blog cuts through the legal jargon to give you a clear look at your rights and compliance responsibilities.
- ID scanning laws vary by state, so it is important for businesses to know the rules in their area before using ID scanning technology.
- Most states allow ID scanning for purposes such as verifying someone’s age, preventing fraud, and complying with the law.
- The rules for storing information from scanned IDs also differ by location. If you store this information without permission, you could get in trouble for violating the rules.
- You may need to obtain permission from individuals before scanning their IDs, especially if you are using methods such as facial recognition or fingerprint scanning.
- There are also rules about sharing ID information with companies, which can create more work for businesses to ensure they protect people’s privacy and comply with the rules.
ID Scanning Laws: A Quick Overview

In most cases, you aren’t required to scan driver’s licenses. However, a few states do require mandatory ID scans in certain cases. They include:
- Nevada requires ID scans for tobacco and cannabis sales.
- Missouri requires ID scans for cannabis sales.
- Illinois requires ID scans at dispensaries (both to enter and purchase) and for online tobacco sales.
- Utah requires ID scans for alcohol sales and to enter bars / nightclubs.
- In Pennsylvania, ID scanning is required for alcohol sales.
- Michigan requires ID scans for online tobacco sales.
Several states do require ID scanning technology for transactions like check cashing, pawn exchanges, scrap metal sales, notary public services, currency exchange, the sale of cold/flu medicine, and controlled substances.
I. Can I Legally Scan IDs?
In most cases, yes — businesses in the United States can use ID scanning technology for legitimate purposes such as age verification, fraud prevention, and compliance. However, there is no single nationwide law governing ID scanning, and requirements vary by state.
States differ in what data can be collected from an ID scan, whether it can be stored, and how long it can be retained. Most allow ID scanning when used for lawful business purposes, but privacy and data handling rules vary widely.
For example, New Hampshire places unusually strict limits on the electronic storage and retention of driver’s license and ID data, requiring authorization for certain uses under state law.
In addition, Maryland has a bill under consideration that would restrict the collection or retention of data obtained through ID scanning technology in certain contexts, reflecting a broader trend toward increased privacy regulation.
II. Consent Laws and ID Scanning
In most cases, the business isn’t required to inform the customer before performing a scan. However, consent is required if biometric information will be collected like:
- Fingerprint
- Image scan
In these cases, the business would need a notification waiver to collect and store this sensitive data. Ultimately, review your state’s consent requirements prior to implementing ID scanning.
III. Affirmative Defense and ID Scanning Laws
Several states protect businesses that scan IDs under “affirmative defense” laws.
In these states, using an ID scanner offers businesses legal protection if they unknowingly sell to a minor despite a seemingly valid ID. The scan acts as proof that the business took “reasonable” precautions to prevent an underage sale.
For example, if an underage guest at a bar was using a fake ID and it passed an ID scan, the business could be potentially protected from fines and lawsuits (in certain cases and for the sale of certain products). These laws vary by state.
For example, in Arizona, affirmative defense relates to alcohol sales. States with affirmative defense laws with ID scanning include:
- Arizona
- Connecticut
- Nevada
- New York
- North Carolina
- Ohio
- Oregon
- Pennsylvania
- Rhode Island
- Texas
- Utah
- West Virginia
Distinctive ID Features by State
In the USA, all the IDs must comply with the federal REAL ID Act standards. And there are a couple of states out there that have their unique features that tell them apart.
| State | Features |
|---|---|
| Illinois | High-line fine-pattern guilloche, ultraviolet (UV)-printed secondary photo, color-shifting ink. |
| New York | Embedded ghost image, either a US flag with a radio frequency identification (RFID) chip or gold star, Statue of Liberty silhouette. |
| Georgia | UV-reactive features, star marking, raised birthday lettering. |
| California | UV‑reactive golden bear and star, transparent window showing birthdate, raised signature texture. |
| Florida | Micro-line background patterns, ghost images, tactile date of birth. |
| Arizona | Laser‑etched tactile areas, optically variable inks that shift when tilted. |
| Texas | Laser‑engraved ghost image, optically variable color‑shifting seal, tactile birthdate text. |
Federal Regulations Impacting ID Scanning
The practice of scanning IDs – whether it’s a driver’s license, state ID card, or passport – has become a routine part of modern business operations.
From verifying age at a bar to confirming a customer’s identity for a bank transaction, the use of ID scanners is widespread.
1. Digital Identity Act
While no single federal “Digital Identity Act” exists to comprehensively regulate ID scanning, the concept is woven into several legislative discussions and proposals aimed at creating a more secure and privacy-respecting digital ecosystem.
These discussions focus on standards for digital identity verification, security protocols, and consumer rights.
2. Consumer Protection Act
While not a specific “Consumer Protection Act” in this context, various federal laws like the Federal Trade Commission Act, empower the FTC to regulate unfair or deceptive business practices.
The FTC has a keen interest in how companies handle consumer data, including information collected from an ID scan.
3. Drivers Privacy Protection Act (DPPA)
The Drivers Privacy Protection Act (DPPA) is a key federal law that directly impacts how businesses handle driver’s license information.
Originally enacted to prevent the resale of personal information by DMVs, its principles extend to private entities.
The DPPA generally restricts access to, and use of personal information contained on a driver’s license.
4. Fair Credit Reporting Act (FCRA)
The Fair Credit Reporting Act (FCRA) regulates the collection and use of consumer credit information.
While an ID scan isn’t a credit check, if the data is used in a way that impacts a person’s eligibility for credit, insurance, or employment, the FCRA could apply.
5. Gramm-Leach-Bliley Act (GLBA)
The Gramm-Leach-Bliley Act (GLBA) is a federal law primarily for financial institutions. It mandates that these institutions protect the privacy of customer financial information.
When a bank or other financial entity uses an ID scanner for KYC (Know Your Customer) purposes, the data collected from that scan falls under the purview of GLBA.
States with Strict ID Scanning Laws

While federal laws provide a baseline, many states have enacted their own, often more stringent, scanner laws by state.
These laws dictate everything from what data can be collected to how long it can be stored.
1. California (CA Civil Code § 1798.90.1)
California’s law is a prime example of strict ID scanning regulation.
It prohibits businesses from retaining data collected from a swipe or scan of a California driver’s license or ID card, except in specific, legally defined circumstances.
2. Texas (TX Business & Commerce Code § 503.001)
Texas law restricts the use of information from a driver’s license or ID card.
It prohibits businesses from storing, selling, or transmitting the data and explicitly states that a business cannot require a scan as a condition of a transaction unless a specific statute or regulation permits it.
3. Illinois (Biometric Information Privacy Act – BIPA implications)
Illinois’s Biometric Information Privacy Act (BIPA) is one of the most significant state privacy laws in the country.
While not a direct ID scanning law, its implications are massive. If an ID scan captures biometric data—such as a facial scan for comparison—it could fall under BIPA.
4. New York (NY General Business Law § 399-dd)
New York law specifically regulates the use of credit card information and personal data from ID cards.
It prohibits businesses from swiping or scanning an ID card unless for a specific, legally defined purpose, such as age verification, and restricts the storage and sale of the information.
5. Washington (WA Rev. Code § 19.182)
Washington’s law, similar to California’s, restricts the collection and retention of data from driver’s licenses.
It specifies that personal information from an ID cannot be stored unless authorized by law or with the individual’s consent, and only for a purpose specified at the time of collection.
Data Storage, Retention & Sharing Rules
Scanning an ID to verify age is simple but saving or sharing that data triggers strict legal responsibilities.
State privacy laws dictate exactly how you must secure this information and who can access it.
Failing to follow these guidelines exposes your business to heavy compliance penalties and data breach of liabilities.
Storage Limitations
Swiping an ID is legal. Holding on to the information is not. There are laws, such as California Civil Code Section 1798.90.1, that make this very clear.
These laws say that businesses cannot store information obtained from scanning an ID unless a law permits it, and it applies to their particular business.
Retention Period Rules
When a state lets you store ID data for compliance or verification, you are on schedule.
Many places require that any stored data be permanently deleted as soon as the main reason for the scan is complete.
This time limit can be as short as 24 hours or as long as a couple of weeks, depending on the laws.
Third-Party Sharing Restrictions
The law is very strict about keeping information from driver’s licenses.
You cannot use this information to make lists of people selling things to, or to see what your customers are doing, or to make ads that’re just for them, without their consent in writing.
The only thing you can use this information for now is to check someone’s identity and age.

Consent Requirements for ID Scanning
When you scan a customer’s ID to verify age, you must follow data privacy regulations. Most laws require you to get the customer’s permission, since some people might not want their ID scanned, so you have to offer them an alternative.
Explicit vs. Implied Consent
When you hand a driver’s license to a clerk, it is like you are saying it is okay to check your age.
If a store uses special machines that can recognize your face, that is not enough. The store needs to obtain your permission clearly.
This means the customer has to sign a paper or click a button indicating they agree before the store can use the face recognition system on the customer’s driver’s license.
The customer needs to give permission to the store to use the customer’s driver’s license with the face recognition machine.
Signage Requirements in Stores
You can’t just spring a scanner on shoppers at the counter. Many places need signs at the store entrance or the cash register.
These signs must say that you have to scan to buy things like tobacco or alcohol. Having signs helps customers know what to expect and keeps the checkout line moving.
Digital Consent in Mobile Apps
When you sell age-restricted products like alcohol or tobacco through a delivery app or a rewards app, you need to get permission from the person buying it in some way.
The phone or tablet will not let the app use the camera or scan a barcode until the person using it says it is okay.
Your app has to tell the person why you need to scan something, what information you are going to review, and how you are going to keep it secure.
The person has to tap a button to say it is okay before the app will work.
Opt-Out Rights in Some States
Privacy frameworks in states like California and Washington protect a consumer’s right to opt out of data scanning.
If a customer objects to the electronic scanner, your store needs a compliant backup plan.
Clerks must be trained to immediately perform a visual check of the physical card to confirm the birthdate, rather than forcing a digital scan.
Technology Compliance in ID Scanning Systems
When you buy an ID scanner, it is not about the hardware. You need to make sure your ID scanner and the computer system it connects to are reliable enough to protect your business.
Your business needs to comply with technology and security regulations to avoid getting in trouble with the law. Your ID scanner and computer system must be up to date with the latest technology and security standards.
POS System Requirements
Your ID scanning software should work well with your Point of Sale (POS) system, not as a tool. When the setup is compliant, it uses automated age checks.
This means the POS terminal stops the checkout process for items that require age checks, like alcohol, tobacco, or cannabis, until an ID is scanned successfully.
The system must also handle data on the device or through a secure local network. This keeps consumer data safe. Prevents vulnerable logs from being created outside the system.

Verification Accuracy Requirements
We cannot just look at a driver’s license to see if it is real or not. We need to use machines to check the barcode on the back of US driver’s licenses.
These machines have to be able to read the PDF417 barcode. To stop people from using licenses that look real, the machine should also check the front of the license and compare it to the information in the barcode. The machine should use something called Optical Character Recognition to do this.
It checks for things like expiration dates on US driver’s licenses. Make sure everything matches up. If something does not match, the machine will let us know about fake US driver licenses.
Integration with Compliance Platforms
An effective ID scanner acts as a reliable audit trail for law enforcement and liquor control boards.
Your system needs to integrate directly with regulatory compliance platforms to document that your business consistently performs its due diligence.
If your business ever faces an enforcement check, your platform can securely retrieve encrypted metadata logs to prove that a real, technology-backed age check took place, which is vital for asserting an affirmative defense.
Key Components of ID Scanning Laws
No matter the jurisdiction, there are several common themes that run through all ID scanner regulations. Understanding these is key to developing a compliant business practice.
Consent requirements
A foundational principle of many ID scanning laws is the requirement for informed consent.
Businesses often need to inform the individual what data is being collected, why, and how it will be used. In some cases, like with BIPA, this consent must be in writing.
Data retention rules
Laws often specify how long a business can keep the data collected from an ID scan.
Many jurisdictions mandate that the data must be deleted immediately after its purpose is served, such as after a successful age-verification.
Businesses must have a clear data destruction policy to ensure they don’t hold information longer than legally permitted.
Prohibited uses
All laws have specific prohibitions. This could be against using ID scan data for marketing purposes, selling the data to third parties, or creating a database of customers without their explicit, informed consent.
Penalties for non-compliance
The penalties for violating these laws can be severe, ranging from civil lawsuits and hefty fines to criminal charges.
Some laws, like BIPA, even allow for private rights of action, enabling individuals to sue for damages, which can lead to large class-action lawsuits.
State-Wise ID Scanning Compliance Table (U.S.)
ID scanning laws vary across the United States, especially when it comes to consent, data storage, and retention requirements.
The table below gives a high-level look at how each state generally handles compliance.
| State | Status | Consent Required | Data Storage Rule | Risk Level | Primary Use Case |
|---|---|---|---|---|---|
| Alabama | Allowed | No | Minimal restrictions | Low | Retail, Alcohol |
| Alaska | Allowed | No | General compliance | Low | Retail |
| Arizona | Allowed | No | Secure storage allowed | Low | Retail, Hospitality |
| Arkansas | Allowed | No | Basic verification only | Low | Retail |
| California | Restricted | Yes | Strict privacy laws (CCPA) | High | Retail |
| Colorado | Restricted | Yes | Data minimization required | High | Retail |
| Connecticut | Restricted | Yes | Limited retention rules | High | Retail |
| Delaware | Allowed | No | Moderate safeguards | Low | Retail |
| Florida | Allowed | No | General safeguards | Low | Retail, Hospitality |
| Georgia | Allowed | No | Minimal restrictions | Low | Retail |
| Hawaii | Restricted | Yes | Strong privacy controls | High | Retail |
| Idaho | Allowed | No | Minimal regulation | Low | Retail |
| Illinois | Restricted | Yes | Biometric restrictions apply | High | Retail, Finance |
| Indiana | Allowed | No | Standard compliance use | Low | Retail |
| Iowa | Allowed | No | General safeguards | Low | Retail |
| Kansas | Allowed | No | Retail-friendly laws | Low | Retail |
| Kentucky | Allowed | No | Alcohol compliance use | Low | Retail, Alcohol |
| Louisiana | Allowed | No | Fraud prevention use | Low | Retail |
| Maine | Restricted | Yes | Strict privacy rules | High | Retail |
| Maryland | Restricted | Yes | Consent + retention limits | High | Retail |
| Massachusetts | Restricted | Yes | Strong data protection | High | Retail |
| Michigan | Allowed | No | General safeguards | Low | Retail |
| Minnesota | Restricted | Yes | Privacy restrictions apply | High | Retail |
| Mississippi | Allowed | No | Basic compliance | Low | Retail |
| Missouri | Allowed | No | General use allowed | Low | Retail |
| Montana | Restricted | Yes | Strict privacy laws | High | Retail |
| Nebraska | Allowed | No | Minimal restrictions | Low | Retail |
| Nevada | Allowed | No | Casino compliance focus | Low | Retail, Gaming |
| New Hampshire | Allowed | No | Low regulation | Low | Retail |
| New Jersey | Restricted | Yes | Strict privacy compliance | High | Retail |
| New Mexico | Allowed | No | Standard use | Low | Retail |
| New York | Restricted | Yes | Strong enforcement | High | Retail |
| North Carolina | Allowed | No | Retail compliance use | Low | Retail |
| North Dakota | Allowed | No | Low regulation | Low | Retail |
| Ohio | Allowed | No | Common retail use | Low | Retail |
| Oklahoma | Allowed | No | Standard verification | Low | Retail |
| Oregon | Restricted | Yes | Strong privacy laws | High | Retail |
| Pennsylvania | Allowed | No | Retail use | Low | Retail |
| Rhode Island | Restricted | Yes | Data retention limits | High | Retail |
| South Carolina | Allowed | No | Basic compliance | Low | Retail |
| South Dakota | Allowed | No | Low regulation | Low | Retail |
| Tennessee | Allowed | No | Retail use common | Low | Retail |
| Texas | Restricted | No | Moderate restrictions | Medium | Retail, Hospitality |
| Utah | Allowed | No | Standard use | Low | Retail |
| Vermont | Restricted | Yes | Strong privacy laws | High | Retail |
| Virginia | Restricted | Yes | CDPA compliance | High | Retail |
| Washington | Restricted | Yes | Strict enforcement | High | Retail |
| West Virginia | Allowed | No | Basic compliance | Low | Retail |
| Wisconsin | Allowed | No | Retail use common | Low | Retail |
| Wyoming | Allowed | No | Low regulation | Low | Retail |
Industry-Specific ID Scanning Regulations
The legal landscape is also shaped by industry-specific regulations that govern the use of ID scanning for purposes.
1. Bars & Restaurants: Alcohol Sales Compliance

For bars and restaurants, scanning ID for alcohol is primarily about age verification laws by state.
Scanners are used to confirm that a customer is of legal drinking age and to record the transaction for compliance with state liquor control boards.
While this use is generally permitted, businesses must still adhere to data retention and use restrictions.
2. Retail: Preventing Underage Sales (Tobacco, Vaping, Lottery)
Similarly, retail businesses use ID scanners to prevent the underage sale of restricted products, like scanning ID for tobacco or lottery tickets.
The practice of scanning IDs is a defense against compliance checks and can provide a record of due diligence in the event of a violation.
3. Healthcare & Banking: KYC (Know Your Customer) Requirements
In financial services and healthcare, ID scanning is often part of a broader KYC and anti-money laundering (AML) process.
Banks and other financial institutions are legally required to verify customer identity to prevent fraud and illicit financial activity.
Healthcare providers must verify patient identity to ensure accurate record-keeping and billing.
4. Employment & Background Checks: Legal Limitations
While ID scanning may be used in background checks or to verify an employee’s identity, there are strict legal limitations.
The data must be used only for this purpose and handled in accordance with laws like the FCRA.
Employers must be careful not to use this information in a way that could lead to discrimination or privacy violations.
Privacy Concerns and Potential Risks of ID Scanning

While ID scanning offers convenience and potential age verification benefits, you need to be aware of the potential risks.
Many customers fear privacy breaches when they offer their ID for a scan. Therefore, it’s essential to build trust with customers (and use a reputable age verification platform).
Some of the risks include:
- Personal Information: Scans often capture and store sensitive data like your name, address, date of birth, and photo. Breaches or leaks of this data can lead to identity theft, fraud, and discrimination.
- Excessive Data Capture: Some scanners might capture more data than necessary, raising concerns about data minimization. Be sure to choose an ID scanner that allows you to customize the information you can collect (and only collect necessary data).
- Data Retention: Unclear policies on how long data is stored and who has access to it can increase privacy risks.
- Vulnerability to Cyberattacks: Scanners and storage systems can be vulnerable to hacking, malware, and insider threats, putting your data at risk. A breach reflects poorly on your business and can result in a loss of customer trust.
Common Misconceptions About ID Scanning Laws
Misunderstandings about identity verification technology can lead to major compliance violations.
Many retailers rely on hearsay rather than actual state regulations, which puts their businesses at risk for unexpected lawsuits or heavy fines.
ID Scanning Is Widely Permitted
ID scanning is generally permitted in the U.S. for purposes like age verification and fraud prevention, but rules vary by state.
For example, New Hampshire places strict limits on the electronic collection, storage, and retention of ID scan data, requiring authorization for certain uses under state law.
Other states regulate how ID information is collected, stored, and used, especially in relation to privacy and data protection requirements.
You Can Store Any Scanned ID if Encrypted
Many business owners believe that using high-level encryption makes it perfectly legal to build a digital database of scanned customer IDs.
However, security measures do not override data privacy laws. In states like California and Texas, it is illegal to keep or store scanned ID data for standard retail purchases, even if that data is fully encrypted.
The scanner must verify the age and delete the data immediately.
Only Alcohol Retailers Need Compliance
While bars and liquor stores are the most visible users of this technology, ID scanning rules apply to any business handling age-restricted or high-risk transactions.
Dispensaries, tobacco retailers, vape shops, and even pawn shops face their own strict state-level scanning rules.
For instance, Nevada requires scanning for tobacco purchases, while Illinois and Missouri mandate specific ID checks for cannabis dispensaries.

Biometric Scanning Is Always Allowed
With the rise of advanced facial matching and fingerprint technology, some retailers assume they can adopt biometric identity verification without issue.
However, biometrics trigger entirely separate, severe legal frameworks. Under rules like the Illinois Biometric Information Privacy Act, you cannot perform biometric scans unless you first obtain explicit written customer consent.
Failing to obtain proper authorization can result in significant class-action penalties.
Wrapping Up: Know Your ID Scanning Laws
There are numerous benefits to using ID scans in your business. However, it’s imperative that you understand the requirements.
Because most states allow ID scans, it’s important that you consider:
- The type of information you collect
- Your ID data storage protocols (how long and the type of data)
- Security and encryption
These tools streamline transactions. But if they’re not secure, they can do more harm than good. Need a reliable provider? FTx Identity is a digital ID card scanning system that’s ideal for tobacco, alcohol, and other age-restricted industries. Contact our sales team today to learn more.
Don’t risk fines and legal trouble.
Protect your business with a smart, compliant ID scanning system.