This complaint was related to several issues, the first was regarding the Age Verification Program which requires establishments licensed by the governmental entity to verify an individual’s age before the individual can enter a bar or purchase alcohol. The Complainant was concerned that although the statute only requires a licensee to verify age if a patron appears to be 35 years of age or younger, some licensees require all patrons to verify their age. In response, the governmental entity referenced their governing statute, and the administrative rule that was established in accordance with the statute. The governmental entity pointed out that neither the statute nor the rule limit age verification to only patrons who appear to be under 35. They also indicated that there is nothing that prohibits or restricts a licensee from instituting their own policy that requires all patrons to verify their age, regardless of how old the patron appears to be.
However, this review of the Age Verification Program indicated that there may be some privacy concerns. The statute and the rule both state that if a licensee uses an electronic age verification device to verify age, it must read, display, and retain certain personal data. If the licensee uses an alternate method of verifying age, the licensee must record or log the same personal information. The governmental entity indicated that this personal data was collected for law enforcement purposes as described in their statute. However, these requirements may not be consistent with the data minimization requirements in the Government Data Privacy Act (GDPA). Subsection 63A-19-401(2)(a)(ii) provides that a governmental entity shall “obtain and process only the minimum amount of personal data reasonably necessary to efficiently achieve a specified purpose”. It was recommended that the governmental entity consider whether their statute is consistent with the newly enacted State Data Privacy Policy which provides that “an individual has a fundamental interest in and inherent expectation of privacy regarding the individual’s personal data that the individual provides to a governmental entity” and requires governmental entities to process personal data in a manner that is consistent with these interests and expectations. See Section 63A-19-102.
In addition, the Complainant was concerned that individuals are required to provide identification every time they attempt to purchase alcohol at a state liquor store. In response the governmental entity cited their policy which requires all employees to request identification from anyone seeking to purchase alcohol, regardless of how old the individual appears to be. The governmental entity said that the policy was implemented to prevent the sale of alcohol to minors and avoid accusations of discrimination. The governmental entity also referenced their governing statute as support for this policy. A recommendation was made to the governmental entity that they consider incorporating this requirement in a public-facing rule, rather than in an internal policy, in order to promote transparency and protect individuals’ privacy rights. See Subsection 63A-12-103(4).
The final issue was related to the requirement in the GDPA that a governmental entity to provide a privacy notice to an individual “from whom the governmental entity requests or collects personal data”. See Subsection 63A-19-402(1). Personal data includes any “information that is linked or can be reasonably linked to an identified individual or an identifiable individual”. See Section 63A-19-101. Although the governmental entity indicated that they do not retain or store any personal data when an individual provides their identification to purchase alcohol, this requirement to provide a privacy notice applies any time a governmental entity requests an individual provide their personal data. Consequently a recommendation was made to the governmental entity to explore ways in which a privacy notice may be provided as described in Section 63A-19-402.