Friday, September 08, 2006

California RFID Legislation: It’s the Data, Not the Technology!

RFID Law Journal
Newsletter No. 7
September 8, 2006

Recently approved legislation (by a 30-7 vote) is on the verge of disrupting the deployment of radio frequency identification in California. Though it’s far from clear whether the underlying requirements would actually improve privacy or data protection, it would certainly undermine the business case for deploying RFID for certain applications. Unfortunately, while sufficient data/privacy protection legislation exists on the books, the California legislature deemed it necessary to craft special legislation for RFID.

In our view, this really isn’t a debate about RFID. It’s a debate about how we feel about existing data protection. Leveraging our societal discomfort over the privacy of personal information, politicians know that they can score quick points with their constituents by passing additional legislation in the name of “protecting” consumers. Regrettably, while this legislation provides new additional protection, it contributes to the sentiment that auto identification technologies are risky or unsafe, i.e., subject to hacking and tampering.

Surely, we can all agree that there is a common good arising out of data protection measures, especially when such measures thwart data identity thieves. However, a legislated solution isn’t necessarily required to achieve such an objective (or even a desirable course of action). Both policy makers and industry advocates share incentives for ensuring appropriate steps are taken for avoiding data protection breaches and limiting any damage arising out of intentional or inadvertent leaks.

In the context of RFID, can existing or potential technology solutions address legitimate concerns about data protection? Certainly. Governmental agencies typical encrypt important information, and in the case of identity cards, it is customary practice to separate the information on, for example, an access card from the associated database. In addition, swiping of cards usually takes place at secure, governmental chokepoints. Is it really necessary for a state legislature to dictate to the executive branch the means which it must take to prevent an identity theif from engaging in illicit action (e.g., attempting to place himself in proximity with a secure area for the purpose of stealing personal data)?

The California legislature must be hypothecating a world of roaming identity thieves, and despite their obvious concern over the privacy of data, their proposed requirements may potentially undermine security. A persual of these requirements is disturbing. What social benefits can be derived from legislation that would require (i) publication of the location of RFID readers and information being collected on such readers and (ii) maintenance (by public entities) of websites identifying RFID reader locations? Why provide such bread crumbs to identity thieves?

The legislation’s mandatory opt-out provision is particularly puzzling, as it would appear to require (in every situation) human interaction with RFID-enabled systems. This would establish an unacceptable default rule. Policy makers who might otherwise consider a RFID system would be required to factor into their project costs and operating budgets an additional cost center – human drones hired to monitor the RFID system. Such a default rule means that RFID’s automation benefit will largely be discounted by California policy makers. This legislation would make RFID a less attractive alternative from a ROI point of view and would likely mean that fewer RFID projects will be deployed (in California) in the coming years. So the muted response of the industry is a bit puzzling...

We urge the RFID Industry participants to inject their opinions into this discussion. For more information about the underlying issues posed by the California RFID legislation, you can review articles posted by RFID Law Blog and RFID Update. You can review RFID Law Blog’s article in its entirety at the following link: You can view RFID Update’s analysis at Note: RFID Law Blog and RFID Update are third parties and are not affiliated with the RFID Law Journal.

© 2006 – RFID Law Journal, LLC. All rights reserved.
Learn more about RFID legal issues at You may contact our editor about this publication at The information provided herein is for your informational purposes only and is not to be construed as legal or other advice (including, without limitation, investment advice) or as a substitute for legal or other appropriate counsel. Online readers should not act upon this information without seeking professional counsel from a trusted advisor. Usage of the information contained herein is subject to the terms and conditions set forth at


Post a Comment

<< Home