Privacy in equipment rental — can you legally scan a customer's driver's license?

In March 2026, a small rental company in Sacramento settled a class-action lawsuit for $87,000. The reason: they scanned every customer's driver's license and stored those scans on an unencrypted server for five years "just in case."The shop argued it was an industry standard, that "everyone does it," and that without it they had no way to verify customers. The plaintiffs' lawyers responded simply: industry standard doesn't override state privacy law, and alternative verification methods exist and are sufficient.This wasn't the first such case. Over the past two years, state attorneys general — primarily in California (CCPA), Colorado (CPA), Virginia (VCDPA), and Texas — have started enforcing against businesses that collect more identity data than necessary. Equipment rentals are next in line, especially as major rental chains tighten their procedures and smaller shops stay stuck with practices from a decade ago.Below are the most common questions rental shop owners ask about ID scanning and customer data. Each answer starts with a direct take — no "it depends," no legal hedging.## Can I scan a customer's driver's license?As a default — no. You can ask to see the ID and write down the necessary data, but you should not create or store a copy.The principle of data minimization sits at the core of every modern privacy law (CCPA, CPA, VCDPA, GDPR). You can process only the data necessary for a specific purpose. A scanned ID contains roughly ten data categories — full name, date of birth, address, license number, expiration date, height, eye color, signature, photograph, organ donor status. To rent out an angle grinder, you need at most three of those.State enforcement consistently takes the position that — unlike banks or notaries — rental businesses don't have a legal basis to collect copies of identity documents. It's only justified when:- A specific law requires it (e.g., AML rules in the financial sector)- The customer gave explicit, informed, and freely given consent- The processing is necessary to fulfill the contract and there's no less-invasive wayThat last condition is the kicker. Since you can verify a customer without a scan (and you can), the scan isn't "necessary."## What customer data do I actually need?For a typical equipment rental contract, you need:- Full name — party to the contract- ID number (just the number — not the whole document)- Mailing address — for any contact in case of dispute- Phone number — contact during the rental- Email — for sending invoices and protocolsSocial Security Number? Almost never. Specific tax-reporting situations might require it, but in those cases you'll know — and you'll be storing it under separate, stricter security rules.Date of birth? You don't need it. Even if you're verifying someone's at least 18 — the visual check against the ID photo is enough, without copying.State of birth, mother's maiden name, full driver's license barcode? Never. That's data a rental shop has no business collecting in any context.## How do I verify identity without scanning?A procedure that satisfies privacy law and gives you practical coverage:Step 1. The customer shows their ID.Step 2. Your employee visually compares the photo to the person and confirms the ID isn't expired.Step 3. Your employee types into the system or contract: full name, ID number, address.Step 4. The customer signs the contract with the data filled in — that's their confirmation it's accurate.That's it. No scanning, no copying, no photographing. You have the data, you have legal coverage, and the privacy laws are satisfied.If a customer refuses to show their ID, you have the right to refuse the contract. That's not discrimination — it's standard verification of a contracting party. But refusing to show ≠ refusing to scan. A customer can refuse the scan and you still have an obligation to serve them.## Can the customer just consent to a scan?They can, but it's a weak legal basis and doesn't hold up in practice. Consent under modern privacy law has to be:- Informed — the customer knows what they're signing- Explicit — a "I accept the terms" checkbox doesn't count- Freely given — the customer doesn't feel pressured- Revocable — they can withdraw it at any timeIf consent is a condition of renting ("no scan = no rental"), it's not freely given. If a customer revokes it a month later — you have to delete the scan from your systems. If one customer in a thousand files a complaint with the state AG, you face an audit of your entire database.In rental industry practice, consent doesn't save you. State enforcers treat it as an attempted workaround of the minimization principle.## How long can I keep customer data?As long as a legitimate purpose exists for processing it — and not a day longer.Purposes and retention windows:- Performing the contract — duration of the rental (typically 1–30 days)- Tax and accounting records — usually 7 years from the year the invoice was issued (varies by state)- Pursuing claims — through the statute of limitations (typically 4 years for written contracts in most states)After that, you have to delete the data — not archive, not encrypt and stash in another folder. Delete.In practice: 7 years is the typical maximum retention for most rental customer data. After 7 years — delete or anonymize.## What about security cameras and call recording?Internal security camera surveillance of your rental yard is allowed, but only as a security measure for property protection. You must:- Mark the area — visible "Premises Under Surveillance" signs- Have a policy — who has access to footage, how long it's retained- Justify the purpose — security, not "watching customers"- Delete after 30 days — unless the footage documents a specific incidentRecording phone calls with customers requires notifying the customer ("this call may be recorded for quality purposes") and their implied consent (continuing the call = consent). Some states are two-party consent — meaning both parties must explicitly agree before recording starts. Without that, you're breaking state law even if "you've always done it that way."## A customer disappeared with the equipment — can I share their data with police?Yes — and that's the one situation where rental businesses can freely disclose customer data.Law enforcement operates under specific statutory authority that creates a legal basis under any privacy law. If an officer presents identification and a written request (or in urgent cases — a verbal request, ideally followed up in writing), you have an obligation to turn over the data.What do you give them? Everything you have — name, address, phone, ID number, rental history. You don't need the customer's consent. You don't need a special procedure. Just hand it over.For verbal urgent requests in active criminal investigations, get a written follow-up after the fact — for your records.## How do I document privacy compliance without hiring a lawyer?The minimum documentation any rental shop should have:1. Privacy notice — a one-page document for customers, signed at first rental. It must include: who you are as data controller, what data you collect, for what purpose, how long you store it, what rights they have.2. Internal data policy — describing your procedures. Who has access to data, how it's secured, what happens in case of a breach.3. Data inventory — required if you have employees. A list of every process where you handle data (customer registration, invoicing, marketing).4. Breach response procedure — what to do if your customer database gets hacked or an employee loses a laptop. Most state laws require notification within 30–60 days.It sounds bureaucratic, but it's a dozen pages you write once and update yearly. Lawyer cost: $1,500–$3,500. Cost of a state enforcement action: easily ten times that, plus reputation damage.## What about international customers — passports, foreign licenses?Treat a passport like a driver's license — don't scan it, write down the data (full name, passport number, expiration date, country of issue).A driver's license isn't actually a primary identity document for legal purposes — it's evidence of driving privileges. You can check it if a customer is renting a vehicle or equipment requiring a license (e.g., a forklift), but it shouldn't be the sole identifying document for the contract.A customer from another EU country — GDPR applies and is stricter than US state laws, so the conservative US procedure already covers it. A customer from outside the EU/US — same conservative approach, no scan, take the data manually.

## Practical playbook — what to change starting tomorrowIf you're reading this and just realized your procedure isn't compliant, here are three moves to make this week:Move 1. Stop scanning and copying IDs. Starting tomorrow. Type the data manually from the original.Move 2. Audit your customer database — what's in there? Three-year-old ID scans whose retention purpose is long gone? Delete them.Move 3. Update your privacy notice and rental terms. Tell the customer plainly what data you don't collect and why. That builds trust.The rental industry is just maturing into modern privacy compliance. Most owners know about the laws but still run procedures from before 2020. State enforcers are starting to look at this sector and the penalties are real.Better to adjust today than to explain yourself tomorrow.---If you're looking for a system that lets you run a rental business without storing ID scans, Toolero collects only the minimum required data and automatically deletes it after the retention period. 7 days free, no credit card required.