Oregon stores can now swipe your driver’s license or ID every time you buy alcohol or cannabis, even if you’re 65 years old and clearly not a teenager trying to score beer.

The change took effect January 1. It emerged after convenience stores faced lawsuits over universal ID-checking policies that violated existing law, and it has drawn criticism from privacy advocates who testified that it forces Oregonians to surrender personal data without reasonable cause.

Here’s what every Oregon shopper needs to know before their next age-restricted purchase.

What changed on January 1?

Current Oregon law only permits retailers to swipe your ID when there’s “reasonable doubt” about whether you’ve reached 21 years of age. State administrative rules define this as appearing under 26 years old.

Senate Bill 1005 removes that restriction entirely, allowing stores to implement universal ID-check policies in which every customer, regardless of age or appearance, must have their license or state identification scanned to purchase age-restricted products.

What prompted this new law?

The bill emerged directly from legal conflict between retailers and customers.

Many Oregon convenience stores, led by chains like Plaid Pantry, had already implemented universal ID-scanning policies, requiring all customers to have their licenses or state ID cards swiped, regardless of age. These policies violated existing law, leading to two class action lawsuits challenging the practice.

Rather than comply with the law, retailers lobbied to change it. The bill’s sponsors, led by former state Senator Dick Bonham (R-The Dalles), brought forward legislation to legalize the practice.

Jonathan Polonsky, CEO of Plaid Pantry, testified that his 104-store chain uses ID-scanning equipment “strongly encouraged by virtually all public safety organizations” and maintains “one of the best, if not the best, compliance record[s] in the state” in preventing underage sales.

Why are retailers allowed to swipe IDs?

The law permits ID swiping for two primary purposes when selling age-restricted goods. Retailers can scan your license to confirm it’s real and belongs to you, particularly if you’re paying with something other than cash or requesting a refund.

The scanning technology reads the magnetic strip or barcode on your license, instantly retrieving information such as your name, address, date of birth, and ID number.

Can stores keep my information?

If a business swipes your ID solely to verify your age or check that your license is authentic, they “may not store, sell or share personal information collected,” according to the bill.

Plaid Pantry submitted evidence to the Oregon Legislature showing that its scanning vendor, Verifone, doesn’t store personal information. 

In correspondence with the Portland Police Bureau regarding a robbery in which a suspect’s ID was scanned, Verifone explained that the system only generates “a random number assigned to the transaction that can not be traced back to the actual ID swiped,” according to an email submitted as testimony from Detective Sterling Farrar.

In one transaction example provided to police, the only identifying information retained was a date of birth with no name, address, or ID number attached.

The law includes several exceptions that allow businesses to retain your data:

  1. If you’re returning an item or requesting a refund, stores can store your name, address, date of birth, and ID number to prevent fraud. 

  2. When you pay by check, businesses can transmit your information to companies that perform verification. 

  3. Banks and credit unions can collect your information when you apply for accounts or loans. 

  4. Pharmacies can submit your data to state systems when selling certain medications containing pseudoephedrine or ephedrine.

While major chains like Plaid Pantry may use systems that don’t retain data, the law applies to all retailers.

What if I don't want my ID swiped?

The law doesn’t give you the right to refuse a swipe when a retailer requests it for age verification. However, you always have the option to:

  • Shop at businesses that verify age manually rather than electronically

  • Pay with cash to minimize how much of your information is collected

  • Ask the retailer about their data retention policies before making a purchase

An exception is if you’re dealing with certain telecommunications companies. They must offer you the choice to have your information collected manually rather than through swiping.

What are the privacy concerns?

Critics argue that the existing standard worked perfectly well. As opponent Scott Dale testified, “OLCC does not use people in their stings who look middle aged or seniors for a reason. Why? Because there is obvious reasonable doubt.”

“I speak for the senior citizen who can’t speak for himself,” Dale said in a written testimony. “The one forced to drive across town to find a store that won't force him to surrender his ID to be scanned by a kid with pimples. This man fought in Korea for his country and keeps up on the news. He sees the reports of data theft all the time.”

The definition of “swipe” in Oregon law is remarkably broad. It includes any device “capable of deciphering, in an electronically readable format, the information electronically encoded in a magnetic strip or bar code.” 

This definition doesn’t prohibit devices that also photograph or copy the entire license.

Dale noted that seniors might be offered a senior discount at one store, only to be required to prove they’re over 21 at the next. Dale also reported seeing handwritten signs reading “we card everyone” and being told by a 7/11 clerk that “a law is coming out” when asked why the store was carding everyone.

What happens if a business violates the law?

The original bill maintained the existing $1,000 minimum penalty. But a House Rules Committee amendment increased this to $5,000, quintupling the stakes for businesses that misuse customer data. If a company improperly swipes, stores, shares, sells, or uses your information, you can sue to recover damages.

You can collect your actual damages or $5,000–whichever amount is greater. If a court finds the violation was willful or knowing, damages can be tripled. You can also recover attorney fees and court costs if you win.

But as the Oregon Progressive Party noted, catching violations is “largely illusory.” You'll likely never know your data was misused until it’s too late.

Who supported and opposed this bill?

Senate Bill 1005 received strong bipartisan support, though the margins narrowed slightly as concerns mounted.

Bonham and Senator Mark Meek (D-Gladstone) carried the bill in the Senate, while Representatives Emily McIntire (R-Eagle Point) and E. Werner Reschke (R-Malin) championed it in the House.

The bill passed 26-1 in the Senate on April 10, then 26-2 on final passage after House amendments. Only Senator Deb Patterson (D-Salem) voted no in the initial vote. The House approved it 42-10 on June 19, with opposition coming from both Democratic and Republican members.

What should I do now?

As the law takes effect, consider these steps:

  1. When shopping, ask retailers whether they routinely swipe IDs and what they do with the information.

  2. Check businesses’ posted privacy policies.

  3. If you’re concerned about data misuse, keep track of where your ID is being swiped and watch for unusual activity.

  4. Remember that improperly storing or sharing your age verification data violates the law, and you have the right to take legal action.