AB 1839 permits businesses and designated organ procurement organizations to scan or swipe California DMV driver’s licenses or ID cards only for a short list of purposes: age or authenticity checks; compliance with a legal recording requirement; transmitting name and ID number to a check service for payment approvals; and collecting or disclosing data needed to report, investigate, or prevent fraud. The bill separately authorizes organ procurement organizations to transmit license information to the Donate Life California registry, but only after a prescribed electronic consent and verification sequence and under the DMV’s Information Security Agreement.
The bill also forbids retention or use of scanned license information for any purpose other than those enumerated and makes violations a misdemeanor punishable by up to one year in county jail, a $10,000 fine, or both. For compliance officers, payment processors, organ procurement organizations, and privacy teams, the statute creates narrow lawful pathways for scanning while shifting enforcement into the criminal sphere and leaving several implementation details — ephemeral storage, logging, and administrative enforcement — unresolved.
At a Glance
What It Does
The bill limits lawful electronic capture of California DMV licenses to specific purposes (age/authenticity checks, legal recordkeeping, limited check-service transmission, fraud reporting, and organ-donor registry enrollment) and bars retention or use beyond those purposes. It requires organ procurement organizations to follow a staged consent process and the DMV Information Security Agreement when enrolling donors.
Who It Affects
Retailers and any commercial enterprise that scans or swipes DMV IDs, check service companies that process payment approvals, organ procurement organizations enrolling donors, DMV contractors and compliance teams, and California consumers whose license data may be scanned. Point-of-sale vendors and software providers that implement scanning systems will also need to adjust workflows.
Why It Matters
AB 1839 creates defined but narrow exceptions that legalize common scanning uses while criminalizing misuse — a shift that imposes compliance and technical constraints on businesses and OPOs. It also establishes a standardized electronic consent path for donor enrollment, which could materially increase registrations if implemented correctly, but leaves operational and enforcement standards ambiguous.
More articles like this one.
A weekly email with all the latest developments on this topic.
What This Bill Actually Does
AB 1839 draws a tight line around when a California driver’s license or ID card can be scanned or swiped into an electronic device. Instead of a broad allowance, the bill lists five discrete purposes for scanning: verifying age or authenticity, meeting a legal requirement to record or transmit information, sending a name and identification number to a check service company for payment approvals, collecting or disclosing information strictly for fraud-related reporting or prevention, and, for organ procurement organizations (OPOs), sending data to the state organ-donor registry.
The bill treats organ procurement differently by spelling out a consent workflow: the OPO may populate an electronic form from the scanned card, the applicant must verify the prefilled information and click a distinct consent message, then provide a signature, and finally receive written confirmation that they are registered. The statute also mandates that OPO transmissions comply with the DMV’s Information Security Agreement, effectively tying donor enrollments to the DMV’s security expectations.Across the board AB 1839 forbids retention or use of scanned license data for any purpose other than those listed.
The prohibition is broad and applies to both businesses and OPOs, meaning vendors and operators must design systems that either avoid storing the data or ensure immediate deletion unless one of the enumerated exceptions applies. The enforcement mechanism is criminal: violations are misdemeanors punishable by jail time, fines up to $10,000, or both.
The bill defines 'business' broadly and adopts the federal designation for organ procurement organizations, but it does not create a private right of action or lay out an administrative enforcement regime.
The Five Things You Need to Know
The bill permits check service companies to receive only the licensee’s name and identification number from a scanned DMV license and bars them from using or retaining any other information.
Organ procurement organizations must follow a three-step electronic consent flow—verify prepopulated information, click a standalone consent message, and obtain the applicant’s signature—before transmitting registration data to the Donate Life California registry.
All entities that scan licenses are prohibited from retaining or using the captured information for any purpose other than those explicitly listed in the statute.
The statute requires organ procurement organizations to comply with the Department of Motor Vehicles Information Security Agreement when transmitting donor registration data, but it does not mandate that same agreement for other businesses.
Violations are criminalized as misdemeanors carrying up to one year in county jail, a fine up to $10,000, or both; the bill does not provide an administrative penalty scheme or a private remedy.
Section-by-Section Breakdown
Every bill we cover gets an analysis of its key sections.
Authorized business uses for scanning DMV IDs
This subsection lists the only four lawful business reasons to scan or swipe a DMV-issued license: verify age or authenticity, comply with a legal requirement to record or transmit the information, transmit name and ID number to a check service for payment approval, and collect or disclose information expressly needed to address fraud. Practically, retailers doing age-restricted sales and businesses required by statute to keep a record (for example, alcohol vendors with mandatory logs) can scan, but any other operational uses—marketing, customer profiling, loyalty programs—are explicitly outside the statute’s permission.
Organ procurement scanning and consent workflow
This subsection authorizes organ procurement organizations (OPOs) to scan licenses to enroll individuals in the Donate Life California registry, but only under two constraints: (1) transmissions must comply with the DMV Information Security Agreement, and (2) the OPO must obtain explicit, stepwise consent on an electronic form—verification of prefilled data, a separate consent click, a signature, and a written confirmation of registration. The provision aims to streamline donor enrollment while establishing a clear audit trail and affirmative consent requirement.
Prohibition on retention and secondary use
This short but consequential clause bars any business or OPO from retaining or using scanned license information for purposes outside the enumerated exceptions. The practical implication is a strong data-minimization mandate: systems must either avoid persistent storage or implement defensible deletion procedures. The statute doesn’t define retention windows, backup exclusions, or whether transient in-memory processing counts as 'retention,' leaving implementation detail to operators and their counsel.
Definitions for 'business' and 'organ procurement organization'
Subdivision (b) supplies two targeted definitions. 'Business' is broadly defined to capture any commercial enterprise, which makes the rule applicable to sole proprietors through large corporations. 'Organ procurement organization' tracks the federal HHS designation, tying eligibility to an existing federal accreditation/recognition system rather than a state licensing scheme; this limits OPO coverage to organizations already recognized at the federal level.
Criminal enforcement and penalties
This section makes noncompliance a misdemeanor with up to one year in county jail and/or a $10,000 fine. The statute places enforcement power into the criminal realm without specifying administrative remedies, civil liability paths, or a regulatory enforcement agency. That choice elevates prosecutorial discretion and could lead to uneven enforcement across jurisdictions.
This bill is one of many.
Codify tracks hundreds of bills on Privacy across all five countries.
Explore Privacy in Codify Search →Who Benefits and Who Bears the Cost
Every bill creates winners and losers. Here's who stands to gain and who bears the cost.
Who Benefits
- Organ procurement organizations: the bill gives OPOs an explicit, authorized pathway to use scanned DMV data to enroll donors and requires a standardized consent workflow that can streamline registrations and create clear evidence of consent.
- Consumers opting into donor registration: applicants receive a defined electronic consent and written confirmation, reducing uncertainty that their consent was recorded and making the enrollment process more transparent.
- Check service companies and payment processors: the statute authorizes a narrowly defined data feed (name and identification number), creating a clearer lawful basis for limited identity verification tied to payment approvals.
- Retailers and regulated vendors performing age or authenticity checks: businesses that need to verify age or authenticity have explicit statutory authorization to scan IDs, removing ambiguity about basic point-of-sale verification activities.
Who Bears the Cost
- Retailers and other scanning businesses: they must alter POS and ID-capture workflows to avoid retaining data outside permitted uses, adapt deletion protocols, and potentially invest in technology changes or vendor contracts to comply.
- Point-of-sale and software vendors: developers need to implement technical controls to prevent storage of captured data, support the OPO consent workflow, and demonstrate compliance with the statute’s constraints.
- Organ procurement organizations: OPOs must implement the DMV-required Information Security Agreement, build the multi-step consent UI/UX, and provide written confirmations—work that carries staffing, development, and legal costs.
- Prosecutors and county criminal justice systems: criminalization shifts enforcement costs to the criminal justice system and may require investigative resources when alleged misuse occurs.
- Check service companies: they must limit retention to the licensee’s name and identification number and modify data handling policies and contracts to avoid wider use of scanned data.
Key Issues
The Core Tension
AB 1839 attempts to balance efficient, modern ID capture for narrow legitimate uses against strong privacy protections by outlawing retention and criminalizing misuse—the central dilemma is whether criminal penalties and narrow exceptions are the right tool to deter abuse without stifling ordinary business operations or imposing undue technical burdens on organizations that rely on ID scanning for lawful, low-risk activities.
The statute creates a clear, limited set of lawful uses for scanning DMV IDs but leaves several implementation questions open. The retention ban is strict in language but silent on technical specifics: it does not define 'retain' versus transient processing, it does not state whether logs, caches, backups, or analytics derived from a scan are covered, nor does it specify retention timelines or exceptions for lawful discovery or subpoena compliance.
That ambiguity will force organizations to choose conservative architectures (avoid storage entirely) or to seek regulatory or judicial clarification.
Another unresolved issue is enforcement architecture. AB 1839 criminalizes violations without creating an administrative enforcement mechanism, a private right of action, or guidance on prosecutorial thresholds.
Criminalization can deter misuse but risks uneven enforcement and may punish inadvertent technical errors. The bill also treats OPOs differently by requiring the DMV Information Security Agreement for donor transmissions but not imposing that same contractual requirement on all businesses; that creates an asymmetry in security obligations.
Finally, the interaction between this statute and federal law—principally the Driver’s Privacy Protection Act (DPPA), which limits disclosure of DMV data—remains to be reconciled; the bill does not reference DPPA exceptions or whether these state-authorized transmissions fit federal carve-outs.
Try it yourself.
Ask a question in plain English, or pick a topic below. Results in seconds.