RFID (Radio Frequency Identification) tags are increasingly being used to track shipments, inventory, and even living things (such as pets).
But since RFID-tagged items can appear in public places such as airports and store shelves, as well as remain on the item or packaging when the consumer takes the tagged item home, there’s a level of privacy expectation that needs to be addressed.
The Center for Democracy and Technology has some recommendations, which they offer in an interim policy draft paper entitled "Privacy Best Practices for Deployment of RFID Technology."
I’ve examined this document closely, and have zeroed in on what I think is most important for you, the commercial RFID user, to know.
The Center for Democracy and Technology Working Group on RFID recommends that:
Consumers should be provided with clear, conspicuous and concise notice when information, including location information, is collected through an RFID system and linked, or is intended by a commercial entity to become linked, to an individual’s personal information either on the RFID tag itself or through a database.
In either of these situations, the notice should specify:
The presence of RFID involving linked information;
The purposes for which the linked information is being collected;
How linked information will be used;
Whether the linked information is used solely to enable the functioning of the device the consumer has purchased or delivery of the service for which the consumer has contracted, or to facilitate completion of the commercial business’s transaction with the consumer;
Whether the linked information may be used for additional or subsequent uses, such as marketing;
That if the linked information is to be used for such additional or subsequent uses, it will be used only consistent with the consumer’s choice; and
Whether the RFID tag can be removed or deactivated.
Whenever practicable, notice of the use of the RFID system to collect linked information should be provided prior to the completion of the transaction through which the good or service is obtained. In cases where there is no good or service obtained, then notice should be provided prior to the association of PII with information collected through the RFID system.
Responsibility for providing notice lies with the company having the direct relationship with the consumer.
When the information on the RFID tag, such as the tag number, is not directly associated with an identified individual, in order to create a link between the information on the RFID tag and an identified individual it is usually necessary to access a series of databases or other information repositories. It is the responsibility of the commercial entities involved in the deployment of RFID systems to exercise judicious discretion in determining whether the degree of linkage is sufficiently close so as to consider the information collected to be linked information.
In general, commercial entities should consider the likelihood of the linkage between PII and/or location information and the RFID identification number in determining whether notice is necessary. In making this determination, a company should give good faith consideration to the following:
The likelihood of a single individual or entity having access to all elements of information and databases necessary to effect the linkage;
The number of elements of information required to effect the linkage;
The security measures surrounding the information;
Legal protections or safeguards applicable to accessing or using the information; and
The sensitivity of the information linked to the RFID data.
The CDT adds that companies should engage in annual internal assessments to confirm that the posted notices accurately reflect their information practices related to RFID systems.