City requires popular entertainment venues to collect customers’ personal information, but doesn’t require disclosure
Privacy advocates are worried the city of Sacramento is making its nightlife scene part of an expanding corporate surveillance apparatus.
Their concern is based on the city’s decision to require 30 of Sacramento’s most popular entertainment venues to use a specific ID-scanning technology, one that allows a single company to harvest and share customers’ personal information with any business linked to its network—including those around the world.
Civil liberty groups familiar with the company behind the PatronScan software warn its model can lead to customers being unfairly blacklisted for long periods—without them knowing it happened or why.
At the same time, city officials also confirmed to SN&R that while they require certain bars and nightclubs to use these scanners at the door, the city doesn’t mandate that these venues disclose to patrons what the technology is or how it works.
The degree to which Sacramento’s nightlife scene is facilitating an unregulated dragnet of personal information was revealed in early June by freelance journalist Susie Cagle, a regular contributor to ProPublica and The Nation. In an investigative piece published in OneZero, an online magazine on the Medium platform, Cagle shared excerpts from one of PatronScan’s own reports from May 2018 to highlight that its technology was used to scan and save the personal data of more than 10,000 customers in a single day and 500,000 over a five-month period.
The same report showed that PatronScan was tracking at least 1,100 “banned” individuals in Sacramento who are banned from clubs, and that the average blackball period for locals in its system is 19 years.
This month, Folsom-based public relations specialist Marko Mlikotin said on behalf of PatronScan that this policy has been changed: Now, flagged patrons will be on the banned list for no more than five years at a specific venue, and no more than one year in the company’s overall network. He said the latter was always the company’s policy.
Cagle’s report also used PatronScan’s own literature to show that, since 2016, there were 53 instances when the company handed over personal information to the Sacramento Police Department.
According to Mlikotin, the police department cannot simply ask for the data, but must produce an “investigation number or any other uniquely identifiable number that can be traced back to the purpose of the disclosure request.”
City and police officials have defended the policy, describing it as a tech-savvy way to prevent underage drinking and keep serial sexual harassers and hooligans out of venues. But while some of PatronScan’s categories for flagging a bar-goer are straightforward (such as “fighting,” “sexual assault” and “drug trafficking”) others (such as “disturbance”) are more subjective.
Once someone’s ID has been absorbed into the PatronScan system, they can be flagged by any employee who persuades a manager to sign off.
City Hall’s decision to force popular venues to use PatronScan is coming under fire from groups including the American Civil Liberties Union and the Electronic Freedom Foundation.
Ashkhen Kazaryan, director of civil liberties at TechFreedom, a Washington, D.C., think tank, said that while PatronScan has an appeals process for people it flags, it has nothing resembling due process.
“This is very concerning,” Kazaryan said. “Placing people on a database that would rate them as a threat to public safety can lead to a whole chain of other events. We’ve also seen that these private companies gathering and keeping personal information brings up so many issues, including civil rights issues.”
In Sacramento, there have already been some controversies and concerns about civil rights issues in the bar scene. In 2016, a group of black women accused the Mix Downtown of discrimination. Three years later, an owner of Track 7 was sued for sexual harassment and retaliation. Most recently, Goldfield’s came under fire for booking an anti-LGBTQ rapper.
The idea that club managers and employees can be automatically trusted not to abuse PatronScan won’t sit in a city where some establishments have a questionable track record on inclusivity and equal treatment of customers, critics say.
At the moment, less than half of the city’s 85 bars and nightclubs with entertainment permits are required to use PatronScan. “That decision is made on a case-by-case basis,” city spokesman Tim Swanson wrote in an email. “And it is made through a collaborative process with the business owner (s).”
Swanson added the main criteria for requiring venues to install PatronScan is whether the establishment offers entertainment, including deejays, live music or dancing. While the language on the city’s entertainment permit only specifies the venue has to use a general ID-scanner, Swanson confirmed that—at the moment—the Police Department has decided that PatronScan the only scanner that will suffice, allowing it to corner this burgeoning market.
On Saturday, June 15, SN&R approached Dive Bar staff who were using PatronScan. When asked what the scanner does, the employees answered that it checks if incoming customers have had problems at nearby bars. That’s true.
Asked if the scanner was connected to a wider network, staff described it as their own system that was interfacing with other systems. The employees then stressed that any information scanned is deleted in 30 days. But that’s only the case if someone’s not flagged.
Just down K Street at Malt & Mash, the bouncer told SN&R that the information would only be deleted “if there’s no problem” while inside.
When asked, staff at both Dive Bar and Malt & Mash said their understanding was that PatronScan’s technology was not data-mining.
But PatronScan is harvesting every relevant data-point on IDs, including date of birth, gender, ZIP code and a photograph, all logged in a way that can be cross-referenced against that person’s bar and club-going history. PatronScan insists that it doesn’t share the data with other companies and deletes the majority of it after 30 days.
The fact that multiple employees didn’t have a uniform understanding of the scanner’s data-mining capabilities can be attributed to the city lacking a policy to guide them.
Additionally, city officials acknowledged there’s no policy requiring establishments to even tell the public they’re using PatronScan.
Many of the venues required to use PatronScan reside within the central city district of Councilman Steven Hansen, who could not be reached for comment.
The controversy around PatronScan is raising eyebrows with some bar owners who operate outside of city limits. Pat Doyle, co-owner of the popular Doyle’s Pub in Folsom, said the city officials he works with have never mentioned requiring any scanning technology.
“That doesn’t seem like it’s legal,” Doyle said. “That also doesn’t sound like a fair way to treat customers.”
A PARTIAL LIST OF SACRAMENTO VENUES REQUIRED TO USE PATRONSCAN, BASED ON THE COMPANY’S MAY 2018 SAFETY REPORT:
Ace of Spades, Badlands, Chaise Lounge, Chandos Cantina, Coin-Op Game Room, District 30, Dive Bar, El Ray, Faces Nightclub, Harlows and the Momo, Hookaholics Hookah Lounge, Knobs & Knockers, Lowbrau, Malt & Mash, Mangos, Mix Downtown, Punch Bowl Social, Republic Bar, Sky KTV, Social Nightclub, The Park Ultra Lounge, Vanguard 1415