BILL ANALYSIS �
SB 1834
Page 1
Date of Hearing: June 22, 2004
ASSEMBLY COMMITTEE ON BUSINESS AND PROFESSIONS
Lou Correa, Chair
SB 1834 (Bowen) - As Amended: June 14, 2004
SENATE VOTE : 22-9
SUBJECT : Radio frequency identification systems.
SUMMARY : Prohibits companies and libraries from using radio
frequency identification (RFID) systems on items in order to
gather, store, use or share personally-identifiable information
about the customer unless specified requirements are met.
Specifically, this bill :
1)Prohibits a private entity from using a RFID system on
consumer products to gather, store, use or share information
that could be used to identify an individual, unless all of
the following conditions are met:
a) The information is collected only to the extent
permitted by law.
b) The information has been provided by a customer for the
purpose of completing a transaction to purchase or rent an
item containing a RFID tag at a retail store.
c) The information is not collected at any time before or
after the actual transaction.
d) The information regards only a customer who actually
presents the item for purchase or rent, and is in regard to
only that item.
2)Prohibits a library from using RFID systems to collect, store,
use, or share information that could be used to identify a
borrower, unless all of the following conditions are met:
a) The information is collected only to the extent
permitted by law.
b) The information has been voluntarily provided by the
borrower for the purpose of using the library's collection
and services or to borrow a RFID-tagged item from the
�
SB 1834
Page 2
library.
c) The information is not collected at any time before or
after the actual transaction.
d) The information is collected with regards only to a
borrower who actually attempts to borrow the item and is in
regards to only that item.
EXISTING LAW prohibits financial institutions from sharing or
selling personally identifiable non-public information with
unaffiliated third parties without obtaining a consumer's
consent. Financial institutions have to provide people with an
opportunity to "opt-out" of having their information shared with
marketing partners and affiliates.
Existing law prohibits stores with "club card" programs from
collecting drivers license and Social Security numbers on club
card applications and prohibits them from selling or sharing
personal customer information.
Existing federal law prohibits video stores and libraries from
sharing or selling customer records without first getting
express consent from the customer.
FISCAL EFFECT : Unknown. This bill is keyed non-fiscal.
COMMENTS :
Purpose of this bill . This bill is intended to place
restrictions on the use of RFID and electronic product code
(EPC) systems in order to prevent personally identifiable
information from being tracked and collected.
In practice, this bill would restrict the ability of private
entities and libraries to apply and scan RFID tags on consumer
products and library books. Any information collected would be
restricted to the time of the transaction, be relevant to
completing the transaction, and encompass only the item and
individual that is part of the transaction.
The author argues that this bill is necessary to preempt future
abuses or invasions of privacy, while opponents argue that this
bill is premature and would unduly restrict a developing
technology. Some privacy advocates note their concern about the
�
SB 1834
Page 3
general topic without supporting this particular bill, and
instead suggest alternative approaches to the issue.
Radio frequency identification technology . RFID is a generic
term for technologies that use radio waves to automatically
identify items at a distance and store information. In concept,
RFID technology functions much like the bar codes and magnetic
strips used on credit and identification cards, allowing
specific information to be stored, retrieved, added and changed.
However, RFID is different in that it uses tiny electronic
computer chips that can be read from 25-30 feet away and at
indirect angles, removing any need for a person with a hand-held
scanner to read the product.
As an example, RFID tags are placed on pallets of factory-sealed
products to easily tell shippers the quantity, type, date
manufactured and destination as they pass through warehouse
doors that are equipped with an RFID reader (also called an
antenna). Antennas can be placed on walls, shelves, and
doorways, and can both read and write data on tags that pass by.
According to the author, "RFID tags are expected to replace bar
codes on everything from library books to groceries within the
next decade, allowing businesses to save millions of dollars by
automating their shipping and inventory processes. At about 20
to 50 cents per tag and $1,000 per reader, RFID systems are
still too expensive for widespread use. Some experts project,
though, that as demand grows, manufacturing costs will drop and
within the next decade the use of RFID technology will become
much more prevalent."
The author cites a number of examples of RFID technology already
in use: California's FasTrak automatic bridge toll system, ID
chips implanted in pets, pilot projects for tracking consumer
product interactions, and shipping systems by large retailers
such as WalMart (which already provides an RFID disclosure tag
on some products). The author also cites examples of real or
proposed RFID uses that raise serious privacy concerns: RFID
surveillance of consumer movements in retail establishments, the
tracking of humans in hospitals, the possible incorporation of
RFID tags into European Union currency, and the tracking of
library books and the profiling of library patrons.
Arguments in support . According to the author, "SB 1834 doesn't
�
SB 1834
Page 4
change what information businesses can collect on people when
they buy products. Instead, it focuses on the collection method
- RFID, in this case - and whether that collection method can be
used to collect information on customers outside of the standard
rental/purchase transaction?"
"Privacy advocates are concerned RFID will become as omnipresent
as video surveillance and give marketers another way to track
people's movements and shopping behaviors. For example, it
would be theoretically possible for businesses to tag everything
with RFID, allow RFID antennas anywhere to scan the contents of
people's purses, wallets, shopping bags, not to mention
identifying the makers of the clothes, jewelry, and shoes
they're wearing. The ability to collect, aggregate, and
manipulate this information could give businesses a powerful
marketing tool if they can use it to profile and identify
potential customers as they walk through the mall entering
stores and restaurants."
"SB 1834 attempts to address additional privacy issues created
by this new technology by permitting stores and libraries to
collect the same information they already collect now using bar
codes, while at the same time banning the use of the technology
to track people as they shop or after they leave the store."
Arguments in opposition . A coalition of opponents argue that
RFID is a new technology that is currently being adopted, and
that regulation could unintentionally distort the development of
the technology. They note that "[s]everal major retail
operators have required manufacturers to implement EPC and RFID
at the case and pallet level by January 1, 2005. We believe
this implementation will have consumer benefit by the swift
replenishment of products on shelves, theft control and the
identification of counterfeit products. Further product recalls
could be conducted in a much more efficient and effective
manner?"
Opponents also argue that the potential impacts of RFID
technology on privacy are already being examined, noting the
creation of the MIT AutoID Center in 1999 to do field tests and
pilots, as well as the adoption of industry guidelines dealing
with notice, choice, education, record use, record retention,
and security."
Opponents contend that "SB 1843 would place a number of
�
SB 1834
Page 5
restrictions on the use of EPC and RFID at a time when the
technology is at its infancy. We believe these restrictions
could have a number of unintended consequences that could blunt
the potential benefits consumers could derive from the
technology. " The California Grocers Association add: "RFID
technology is at the same stage the Internet was about twenty
years ago. And while there have been a number of
less-than-desirable by-products from Internet use, most
Californians would suggest that the benefits far outweigh any
such negatives. We are hopeful that we can say the same ten or
twenty years from now regarding RFID."
Privacy advocates neutral on SB 1834; raise general concerns
about RFID . A coalition of privacy advocates (American Civil
Liberties Union, Electronic Frontier Foundation, and the Privacy
Rights Clearinghouse), while not in support of this bill,
believe that if "[u]sed improperly, [RFID] can jeopardize
consumer privacy, reduce or eliminate purchasing anonymity, and
threaten civil liberties."
In general, the advocates argue that RFID technology creates
serious privacy concerns because of the potential for
"profiling." Because they are so small and unobtrusive, RFID
tags can be incorporated into common objects and clothing, so
that people will not know when they are being scanned.
Furthermore, widespread RFID deployment would permit the
creation of "massive databases" of tag data, much of which could
be linked with personal identifying data. If personal
information and RFID data were linked, then "individuals could
be profiled and tracked without their knowledge or consent."
"Even without such linkage, the RFID tags can themselves permit
the tracking of individuals, since each one contains a unique
identifier. That unique identifier permits an individual to be
tracked from place to place even though those doing the tracking
may not initially know the name of the person they are
tracking."
As an alternative to this bill, the coalition suggests a
three-part "framework" of recommendations to address the
concerns created by RFID systems:
First, RFID "must undergo a formal technology assessment, and
RFID tags should not be affixed to individual consumer products
until such assessment takes place".
�
SB 1834
Page 6
Second, "RFID implementation must be guided by the principles of
Fair Information Practice [FIP]." The FIP is a set of privacy
guidelines adopted by the Organisation for Economic Co-operation
and Development, an international group of over 30 member
countries, that "plays a prominent role in fostering good
governance in the public service and in corporate activity."
Third, "certain uses of RFID should be flatly prohibited," which
would include forcing consumers to accept tagged products,
prohibiting consumers from detecting and disabling tags,
tracking individuals without consent, and incorporating tags
into currency.
More specifically, the advocates recommend the following
modifications to this bill: RFIDs should not be permitted in
driver's licenses or ID cards, public sector entities should be
banned from gathering data from the private sector, the
prohibitions on library RFID use should be deleted to ensure
that they do not interfere with tougher local restrictions,
notice of RFID location on products should be required,
consumers should be given a right to read and disable RFIDs, and
other clarifications as well.
REGISTERED SUPPORT / OPPOSITION :
Support
None on file.
Opposition
American Civil Liberties Union
American Electronics Association
California Chamber of Commerce
California Grocers Association
California Retailers Association
Consumer Specialty Products Association
Electronic Frontier Foundation
General Motors Corporation
Grocery Manufacturers of America
Privacy Rights Clearinghouse
Analysis Prepared by : Hank Dempsey / B. & P. / (916) 319-3301
�
SB 1834
Page 7