Lately, bars, lounges and nightclubs are using a variety of new devices that scan patron identification cards upon entry, storing the information for future reference, and in some instances, sharing the information with other proprietors or using it for marketing purposes.
The justification for the scanners is that they assist in age verification and fake ID detection. And law enforcement is encouraging and sometimes requiring the use of scanners for these reasons.
But the saving and storing of more information than is necessary to verify age, or the sharing or selling of the information to a third party without the consent of the patron, may violate state laws and/or invade the privacy of the patron.
Complicating the situation, these practices are enabled by technology that continues to evolve at the speed of light, while the law, typically moving at a tortoise pace, tries to keep up.
Even if a specific law is not in place to provide boundaries for these practices, there are other civil legal pitfalls that we need to be concerned about.
Several questions should arise when these practices are being considered:
- Does the operator have the right, without the patron’s consent, to even collect/store the information that is being used to validate age? What about addresses, demographics, etc.?
- Are there local or state laws (be sure to check the state alcohol beverage code) that prohibit the collection or storage?
- What is the operator’s obligation to protect the personal data that it collects? How is it being stored? Is it password and firewall protected? Is it being aggregated with other personal information such as credit card numbers? If so, does that trigger the Payment Card Industry Data Security Standards?
- Does the operator have the right to use the data that was gathered, ostensibly to validate age, to market to the patrons in the future? Again, is there a local or state (such as New York) law that prohibits this practice?
- Is the operator violating the privacy of the card holder by sharing the collected data with other proprietors or third-party marketers?
- What is the reason the data is being shared? Is it for blacklisting? These practices may trigger broader-based claims outside of the privacy realm.
- How is it being shared? If electronically, is it encrypted?
As the jury is still out on the appropriateness of some of these practices, savvy alcohol beverage outlets that are using these devices should proceed with caution. Suggested practices to be adopted in the interim include checking with a local attorney to be sure your practices are in compliance with local or state law and with your state alcohol beverage commission to be sure you are operating within their boundaries. If the green light is given, then post a large notice where the scanners are being used, informing the patron of the practice and the extent of collection (what is being collected and saved, whether it is shared, and any other potential future use).
When it comes to private data, the adage of “collection spurs protection” applies, so be sure the data is protected (using the PCI-DSS standards would be a good practice) when stored or distributed.
Clearly understand the potential consequences of a breach of the security measures. In many states, fines are significant, as are the expenses incurred to notify the affected patrons of the breach, and of course the loss of customer goodwill is enormous.