"Swiping": Building a Database Through Swiping Drivers Licenses
I was taking a quick look at the issues around "swiping" drivers licenses when I came across an interesting article titled "A Farewell to the Era of Anonymous Drinking," by Jem Matzan. (Unrelated general site with many links here.)
The Article
The article recounts the dining experiences of the author at Houston's restaurant, operated by Hillstone Restaurant Group. He's dining at the restaurant with his companion and after he orders drinks is "carded" by the waiter. The waiter then proceeds to take his license away from the table and "swipe" it. According to the waiter, this was done in order to "verify" the license. The writer inquires as to specifics, and the waiter does not have a coherent explanation for how exactly the license was "verified". The writer next contacts Houston's management who similarly fails to provide a coherent explanation:
a few days later I got a call from Robert Hardie, a regional vice president at Hillstone . . . . The second thing Hardie told me was that serving alcohol was a privilege, not a right, and that Hillstone implemented the license scanning procedure to protect customers from false IDs. I told him outright that what he'd just said was ridiculous because my safety and security were not at risk until my license was confiscated and scanned by the waitress, effectively putting me at risk instead of removing some imaginary risk. I asked him to explain how I could possibly benefit from his license scanning scheme. The answer was that it protects people under the age of 21 from drinking alcohol, which has benefits that are supposed to be obvious to me, and as a side effect it protects the restaurant from underage drinking sting operations. "Aha," I said, "So it does not protect me, it protects you." He agreed reluctantly.
The linked article has interesting details about security of the scanning machines and technical details around them.
Legal Issues
The legal issues around "swiping," as the practice is called, seem somewhat murky. A federal statute (The Drivers Privacy Protection Act [EPIC page]) protects the privacy of license information but courts have yet to spell out its contours. For example, one recent case dealt with the issue of whether a plaintiff is required to prove actual damages in order to recover under the statute. (Answer: no [Kehoe v. Fidelity Federal Bank & Trust, (11th Cir. 2005)].)* Issues such as the level of fault required of the actor have similarly yet to be resolved. Kehoe (the linked case) was appealed to the Supreme Court. The Supreme Court denied cert., but Justice Scalia noted in passing that:
A second and equally important legal question is bound up in this case -- namely, whether petitioner can be held liable under the Act if it did not know that the State had failed to comply with the Act's "express consent" requirement. The District Court did not reach this issue since it awarded summary judgment to petitioner on the actual damages question. The scienter question remains open in light of the Eleventh Circuit's judgment reversing and remanding the case . . . . Depending on the course of proceedings below, it may later be appropriate for us to consider granting certiorari as to either or both issues. But because I agree that our consideration of the case would be premature now, I concur in the denial of certiorari.
This brings us back to an interesting point raised by Jem's post, linked above. Namely, what is the level of consent required when license information is obtained by swiping?
The statute actually contains/authorizes states to establish waiver/consent procedures pursuant to which states can disclose records in response to third party requests. The disclosure can only be for certain purposes and the agency has to "mail a copy" of the request to the affected person. (The statement from Kehoe above alludes to the fact that the consent needs to be "express".) But the consent procedure outlined in the state only applies where the information is released by the "state motor vehicle department." (The statute does not speak to release of information by the affected person. Ostensibly, when the information is obtained by the person in question, the statute may not even apply, since the information is not released by the agency in question.)
But the manner of collection by Houston's and their lack of disclosure to the affected person will make it extremely difficult for Houston's to raise a consent defense. A better way to do it would be to bring around a card reader to the table, explain why the license is being scanned, and most importantly, give the person an express opportunity to opt out of having their name placed in any database or their information used for any marketing purposes. (And require the patron to "check the box," stating they've been provided the necessary disclosures.) Then again, this would place a bit of a crimp on the dining experience. Which is one potential reason why Houston's didn't do it. Either way, if the information finds its way into a Houston's database or is used by Houston's for marketing purposes, Houston's could find some class action trouble on its hands.
* This is an issue that comes up in the CAN-SPAM context, as well as the context of other statutes (e.g., FACTA).
Comments