RFID Product News

THE LEGAL SIDE


RFID & Privacy Issues: A Snapshot of Proposed Laws



While RFID technology has the potential to provide numerous benefits and opportunities for businesses, it also raises concerns for consumers regarding the privacy of their personal information. Although privacy concerns may be premature given current RFID technology and limited adoption of this technology, there has already been considerable debate regarding privacy and security of personal information, and the measures necessary to safeguard personal information.

Generally, privacy concerns regarding adoption of RFID technology include (among others):

  • The unauthorized reading of RFID tags.
  • The security of personal information contained on RFID tags to prevent the unauthorized use or dissemination of such information.
  • The ability of third parties to profile individuals by their possessions containing RFID tags.
  • The use of RFID technology to provide covert tracking or surveillance of individuals.

It is possible that many of the public's privacy concerns could be addressed through industry self-regulation, which would require adherence to privacy policies encompassing fair information practices and possible implementation of privacy-enhancing technologies. Given the increasing rate of adoption of RFID, public perception of a privacy threat to personal information, and lack of current standard industry practices to address these concerns, there is mounting support for legislation to address these privacy risks. This article will focus on the current legislative developments to provide companies with insight on what compliance with legislation may entail and to assist companies in possible self-regulation to address these concerns.

Are there national laws?

On a national level, there is little law currently directed at RFID privacy issues. Of some significance, however, is a not-for-profit lobbyist named Consumers Against Supermarket Privacy Invasion and Numbering (CASPIAN), which is dedicated to protecting consumer privacy in the marketplace. This organization drafted the "RFID Right to Know Act of 2003," which seeks amendments to the Fair Packaging and Labeling Program, the Federal Food, Drug, and Cosmetic Act Relating to Misbranding, and the Federal Alcohol Administration Act (Title 15, Chapters 36 and 94).

Though no legislation has been enacted based on CASPIAN's proposed Act, it does address privacy concerns with a set of primary requirements:

  • "Notice": Labels that are conspicuous in size, location, and contrasting print are required on products containing RFID tags with a warning that the tag can transmit unique identification information to a reader both before and after purchase.
  • "Limitation of Use": Businesses are prohibited from: 1) combining or linking an individual's non-public personal information with RFID tag identification information beyond what is required to manage inventory; 2) disclosing such information to a non-affiliated third party; or 3) using RFID tag identification information to identify an individual.
  • "Education": The Federal Trade Commission is required to establish appropriate standards for businesses to follow to protect an individual's personal information and to publish documents to educate the public about RFID technology.

In other national RFID privacy dialogue, U.S. Senator Leahy of Vermont presented a speech entitled "The Dawn of Micro Monitoring: Its Promise, And Its Challenges To Privacy And Security" in March 2004. Leahy encouraged public discussion of the issues and spoke of the possibility of congressional hearings on RFID technology.

States are taking action

While RFID legislation on the federal level is still taking shape, this year at least 12 states introduced legislation to address privacy concerns raised by the implementation of RFID technology (including CA, MD, MA, MO, NV, NH, NM, RI, SD, TN, TX, and UT). The proposed measures in these bills vary significantly, from simply calling for the establishment of a task force to address the implications of the proliferation of RFID technology, to requiring RFID "kill" technology to deactivate RFID tags upon completion of sale, to seeking to establish criminal liability for misuse of personal information obtained through RFID.

However, many of the proposed bills have common minimum requirements. These often include conspicuous notice requirements similar to those in the CASPIAN-proposed Act. Here are some recent developments on the state level.

Utah: In March 2005, Utah passed amendments to the Utah Computer Crimes Act, which essentially carve out certain reading or tracking of product information within a retailer's location from criminal liability under the Utah Computer Crimes Act. While this carve-out addresses certain risks of liability to a company implementing an RFID system, Utah has also been active in discussing the protection of consumer personal information. In 2004, Representative Hogue proposed the "RFID — Right to Know Act," which would modify the Utah Consumer Sales Practices Act to protect against misuse of personal information transferred through RFID. The proposed act would require conspicuous notice to consumers, and require every RFID tag to be disabled or deactivated unless the consumer chooses to leave it active. The legislation expired at the end of the 2004 session and has not been reintroduced.

California: A bill entitled "Identity Information Protection Act of 2005" was passed by the California Senate, but was recently shelved by the Assembly Appropriations Committee. The proposed Act included restrictions on the use of RFID technology by public agencies, and included requirements for protection against unauthorized reading of personal information, implementation of strong encryption of personal information, and written notification. The proposed Act would also criminalize the unauthorized reading of information identification documents, punishable by a fine of up to $5,000 and/or imprisonment.

Will privacy laws be adopted?

There is certainly a great deal of public debate regarding RFID and privacy concerns. While industry self-regulation may be able to address many of these concerns, legislation will continue to be proposed as the appropriate solution until standard privacy procedures and technologies are adopted. While this article provides an overview of RFID legislation in the U.S., there are other international implications, including momentum for legislation in other geographic regions.

When formulating privacy policies and procedures relating to RFID implementation, companies should be aware of the current issues being discussed by regulatory bodies and the proposed legislation relating to RFID. Companies could then better assess what measures should be adopted to address compliance with possible RFID-related laws.


Ken Adler is a partner in the New York office of Brown Raysman Millstein Felder & Steiner, where he concentrates on complex transactions, intellectual property, and outsourcing issues relating to emerging technologies, e-commerce, telecommunications, and computer law. Ken writes and speaks regularly on RFID, outsourcing, e-commerce, intellectual property, and technology related issues, and can be reached at 212-895-2410 or kadler@brownraysman.com.



© 2003-2008 ST Media Group International. All rights reserved.
Reproduction in whole or in part is prohibited without consent from publisher.