While PatronScan advertises its services to bars and nightclubs, the company also appears to have its eyes on influencing public policy.
Sacramento seems like an unlikely testing ground for networked ID scanning — the California state capital of 500,000 people is not a wild nightlife destination, nor does it have unusual problems with underage drinking or crime. Nonetheless, in 2016 the city, at the suggestion of local law enforcement, began requiring some businesses that had both alcohol and entertainment permits to start using PatronScan.
Safety and security requirements “are really unique to each venue,” says Tina Lee-Vogt, Sacramento’s entertainment program administrator, noting the city requires about 30 of 80 venues in the city to use PatronScan. “We’re very cognizant of the costs. We’re not going to have a smaller business burdened by this system — that wouldn’t be appropriate.”
CCPA: What you need to know
Lee-Vogt argues that the PatronScan dragnet actually prevents the discrimination that civil liberties watchdogs fear. “There’s a consistency,” Lee-Vogt says. “Every patron is scanned, so you can’t say, I’m only going to scan this group of African Americans.” According to statistics PatronScan shared with California legislators, the company collected and retained the information of 561,087 customers in the first five months of 2018 in Sacramento — a number greater than the entire population of the city.
The Electronic Frontier Foundation, a San Francisco-based digital privacy nonprofit, has described the technology as “a form of mass surveillance .” Now, a new generation of tech firms has made it possible for private citizens to use the devices, known as automatic license plate readers, or ALPRs—without the strict oversight that governs this type of data collection by law enforcement.
PatronScan collected and retained the information of 561,087 customers in the first five months of 2018 in Sacramento — more than the entire population of the city.
PatronScan’s network is particularly valuable to businesses and law enforcement when used in multiple venues within the same community. The company markets directly to cities with a toolkit outlining how to institute municipal-wide ID scanner adoption. That includes a ready-made “request for information” template to start a contract bidding process that will presumably be PatronScan-friendly. The company’s founders have said that many municipalities have mandated the use of their scanners, though it’s unclear which ones. In its marketing materials, PatronScan includes price quotes for widescale ID scanning implementation in Austin, Seattle, and Charleston. Representatives for Austinand Seattle said those cities had no such contract or mandate. Officials from Charleston did not respond to requests for comment.
Among other municipalities, Sacramento and Pomona, California both require certain bars to use ID scanners. The entire state of Utah also requires an ID scan of any customer who appears to be under 35. But the majority of states do not have laws specifically regulating how and when IDs can be scanned, or how that data can be retained or used.
In 2014, Multnomah County, Oregon launched a program implementing ID scanners made by PatronScan’s parent company Servall Biometrics in downtownbars. The scanners were purchased by a nonprofit with a county contract, with the stated goal of reducing alcohol abuse. A few bars refused to implement the system, but many relented, stating to local media that they were pressured by police and local authorities. The program was suspended after just a few weeks, when local media questioned the scanners’ legality under a 2009 Oregon state law, which states that scanner technology is not to be used to compile individuals’ personal data into “private databases of transactional information.”
In 2018, California passed a law that updated existing rules limiting the data collection powers of ID scanner services and the businesses that use them. The legislation was written and championed by Assemblymember Jim Cooper, who was alarmed by PatronScan’s roll-out in Sacramento. In effect, the bill added “scan” to a law already on the books that regulated each ID “swipe.”
The Coalition for Humane Immigrant Rights supported the bill, stating that “placing individuals on a database that labels them a ‘threat to public safety’ has significant immigration consequences that could lead to deportation, revoking of current status, or denial of future immigration relief.” The city of Sacramento and PatronScan formally opposed the bill, and hired lobbyists to work against it.
In a statement released when the legislation was passed, Assemblymember Cooper said the Personal Information Protection Act “will help protect your personal information from your driver’s license or identification card from being collected, stored, or shared when your driver’s license or ID is scanned or swiped for age verification purposes.”
The bill was signed into law in September 2018, and took effect January 1, 2019. Though it represents a step toward regulation, its impact is unclear. The law states that scanners can be used to verify a customer’s age, and “to collect or disclose personal information that is required for reporting, investigating, or preventing fraud, abuse, or material misrepresentation.” The law also stipulates that the data should not be retained or used for any other purpose.
PatronScan claims that it is compliant with the new law, and that patron privacy is of “utmost importance.”
In California, PatronScan now only retains individual data for 30 days instead of the default 90 days. Patrons in California can no longer receive “private” or “other” bans, and there’s a new online process for filing and resolving disputes more quickly than in other jurisdictions.
But those changes weren’t required by law, and they don’t satisfy privacy advocates. “The rule is don’t retain and don’t share,” says Joe Mullin, policy analyst for the Electronic Frontier Foundation, which supported the California law. Mullin says that despite its new policies, PatronScan may be violating the legislation, and not being regulated accordingly. “There is sometimes a real enforcement problem with privacy laws. [If the system is] ok with the bars, it’s certainly ok with the service provider that’s making a lot of money, and if it’s ok with the police, who’s there to stop it?”
According to PatronScan’s own marketing material and bars that use the system, the company continues to maintain a centralized database and banned patron list in California. Establishments in Sacramento that use PatronScan said the reforms hadn’t noticeably changed their use of the devices. “Basically it’s just a robot checking an ID to make sure you’re cool — and then something that we can keep track of for future reference,” says Martinez of Coin-Op. “It helps wean out the kinds of patrons we don’t want in our bar.”