Oregon Stores Can Now Swipe Everyone’s ID for Age-Restricted Purchases Under New Law
Several laws passed in Oregon last year came into effect on January 1, including one that allows retailers to swipe everyone’s license for age-restricted purchases.
Oregon Stores Can Now Legally Swipe ID For All Age-Restricted Purchases
A legal conflict arose between retailers and customers after chains like Plaid Pantry implemented universal ID-scanning policies requiring all customers to have their licenses or state ID cards swiped, regardless of age. Two class action lawsuits challenged the practice, but retailers lobbied to change it.
After Senate Bill 1005 removed privacy restrictions entirely, stores can now implement universal ID-check policies requiring every customer, even if they’re 65 years old and clearly not a teenager trying to buy beer, to have their license or state ID scanned to purchase age-restricted products. The law came into effect on January 1.
Retailers can scan your license to confirm it’s real and belongs to the customer, especially those paying with something other than cash or requesting a refund. Exceptions that allow businesses to keep your data:
- Returning an item or requesting a refund: Your name, address, date of birth, and ID number can be retained to prevent fraud.
- Paying by check: Businesses can transmit your information to companies for verification.
- Banks and credit unions: Can collect your information when you apply for accounts or loans.
- Pharmacies: Can submit your data to state systems when selling certain medications containing pseudoephedrine or ephedrine.
- Telecommunications companies: Must offer the choice to have your information collected manually rather than through swiping.
Here is what SB 1005 allows retailers to do with ID swipes and what they cannot keep.
| Allowed reason to swipe | Storage or sharing rules | Law reference |
|---|---|---|
| Verify ID authenticity or identity for non cash payment / returns / refunds | May not store, sell, or share personal information from the swipe | ORS 807.750(2)(a) and (3) |
| Verify age for an age restricted good or service for any customer | May not store, sell, or share personal information from the swipe | ORS 807.750(2)(b) and (3) |
| Fraud prevention system used for returns or refunds | May store or share only: name, address, date of birth, ID number | ORS 807.750(2)(c) and (4) |
| Transmit to a check services company to approve check or similar payment | May store or share only: name, address, date of birth, ID number | ORS 807.750(2)(d) and (4) |
| Financial institution processing an application for a deposit account or loan | Collection allowed for the application process / other banking rules apply | ORS 807.750(2)(e) |
| Pharmacy submitting required info for pseudoephedrine or ephedrine sales | Submission allowed to the state tracking system for regulated products | ORS 807.750(2)(f) |
| Telecom provider establishing or maintaining a contract, with permission | Must offer manual collection option / limited fields only | ORS 807.750(6) |
| If a business violates these limits | Consumer can sue for actual damages or $5,000 minimum, plus fees | ORS 807.750(8) |
Rights Under Oregon’s Consumer Privacy Act
The Oregon Legislature passed Senate Bill 619- the Oregon Consumer Privacy Act, ORS 646A.570-646A.589 in 2023, and it took effect on July 1, 2024.
Source: Oregon Department of Justice / Oregon Consumer Privacy Act consumer FAQs and overview
Dailytidings.com
The law gives consumers rights to access and delete personal data held by covered businesses, but the law only applies to companies that process data on firms with over 100,000 customers (or over 25,000 if they make over 25% of their revenue from selling data), which may leave many small retailers outside the law’s reach.
For businesses that misuse customer data, a House Rules Committee amendment increased penalties to $5,000. If a company improperly swipes, stores, shares, sells, or uses your information, you can sue to recover damages.
Under the privacy law, consumers have the right to access personal data collected about them and to have their personal data deleted.