Apr 11, 2005During the past year, the fledgling implementation of RFID has produced many interesting news reports. Among the stories taking center stage are the continuing sagas of the Wal-Mart, Target and Department of Defense mandates; the Food and Drug Administration's drug pedigree recommendation; and the ratification of the Gen 2 EPC specification for tracking goods using UHF tags. While those are certainly significant topics, one important issue that has been percolating under the radar screen is the impact of current and future regulations on end users once they implement RFID in their place of business.
Key RFID regulatory issues affecting end users include compliance with rules from the Federal Communications Commission (FCC), and the likely implementation of various state privacy laws. Ignorance of these critical matters could result in, among other things, delays in RFID deployment, forced shutdowns of functioning RFID systems and substantial monetary losses.
RFID is regulated under Part 15 of the FCC's rules for low-power devices. Since Part 15 equipment has a relatively low probability of causing harmful interference to other wireless operations, a user may operate it without a license. Although RFID devices are unlicensed, the FCC's rules require that (with limited exceptions), they must be authorized by the FCC as meeting its radio frequency (RF) emissions limitations, power restrictions and other requirements before they may be operated or marketed.
Because RFID devices transmit radio waves, they are classified by the FCC as "intentional radiators." The FCC's rules require that an intentional radiator be authorized via the certification process, which entails filing an application with the FCC containing legal, regulatory and technical information about the device. The FCC evaluates the application and, if it determines that the device meets its requirements, it certifies the device as compliant with its rules. The device, after being properly labeled, may then be marketed and operated in the U.S.
The party applying for and receiving certification—typically the manufacturer, vendor or importer—is the party responsible for ensuring initial compliance with the FCC's requirements. If an intentional radiator is marketed or operated without proper certification or is otherwise in violation of the FCC's rules, the responsible party could be subject to substantial monetary forfeitures or, in extreme circumstances, having its equipment seized by the federal government.
Although end users of RFID equipment are not typically the parties responsible for FCC compliance, they could suffer significant consequences if the devices they purchase do not satisfy FCC requirements. For example, if a vendor installs an RFID system that is not compliant with FCC rules, the FCC could order the entire system shut down until the problem is remedied and the responsible party recertifies the system.
Accordingly, an end user would want to specify in a contract for RFID equipment that, among other things, the vendor/manufacturer (a) warrants that the equipment is FCC-compliant; (b) is required to promptly replace any equipment found to be in violation of the FCC's rules; and (c) compensates the end user for lost time and money during any downtime resulting from equipment that violates the FCC's rules.
End users should also carefully examine indemnification clauses in RFID equipment contracts to ensure that they are not held responsible for problems caused by the equipment interfering with other operations. Some RFID equipment, for example, operates in the 13.56 MHz band, which is also used for operating industrial, scientific and medical (ISM) equipment. There is some potential for RFID operations to interfere with ISM equipment under some circumstances. Consequently, a contract should provide that the vendor will indemnify the end user in the event of legal action by a third party based on a charge that the RFID equipment caused harmful interference to another device.
Other FCC issues may arise during the course of RFID system operations. One critical matter concerns RFID equipment modification. The FCC's rules provide that a party who modifies an intentional radiator automatically becomes responsible for compliance with FCC regulations. If an end user changes the antenna, increases power or otherwise alters RFID equipment, that user will be the party subject to FCC sanctions and monetary forfeitures if the equipment is operated in violation of FCC rules. Additionally, any sort of substantial modification (e.g., frequency change, power increase, etc.) to RFID equipment requires recertification before it can be legally operated.
As more and more unlicensed devices are put into operation in the U.S., the potential for interference among those devices increases. The FCC is very strict about compliance with its rules for low-power equipment, and in recent years it has imposed some sizeable monetary fines and operational sanctions on various parties who marketed and operated noncompliant Part 15 devices. Accordingly, full compliance with FCC rules for RFID systems is imperative.
Although RFID has yet to be widely implemented, the legal waters are already being tested to determine how much privacy must be afforded individuals by retailers and other end users deploying RFID devices. In 2004 alone, six states and the federal government introduced bills concerning RFID privacy matters. During the first three months of 2005, six additional states have introduced RFID privacy bills.
The trend among the states appears to be toward promulgating broader RFID privacy bills. Many of the bills introduced in 2004 were limited to retail sales; those bills would have required that retailers notify customers when items for sale contain RFID tags and/or that retailers remove tags at the point of sale. As illustrated by the bills recently introduced by the South Dakota and New Mexico legislators, the 2005 bills tend to be more comprehensive:
HB 1114, HB 1136 (South Dakota). HB 1114 would prohibit the implantation of an RFID chip in any other person. HB 1136 would require (a) a person using an electronic product code RFID system to obtain written consent from another person before collecting personally identifiable information from that person via the RFID system or disseminating that information; (b) the signatory must have access to his/her information; (c) a person who collects individual data via RFID must take reasonable measures to secure the information; and (d) a retail store that uses RFID must detach or destroy the tag before the consumer leaves the store.
HB 215 (New Mexico). HB 215 would require businesses that tag consumer items to (a) notify consumers of the existence of the tags; (b) conspicuously label all items that are tagged; (c) permit a consumer, upon written request, to obtain all stored personal information; and (d) remove the tags at point of sale. This bill would also prevent dissemination of consumer information obtained via RFID, and it states penalties for violation.
Although none of the RFID bills have yet to be passed into law, as the industry and government mandates continue, numerous privacy laws are likely to be implemented. Many state lawmakers who introduced RFID privacy bills stated that the Wal-Mart and Target mandates were key factors in their decisions to push for those laws. Accordingly, companies planning to use RFID would be well advised to stay current on the state of privacy laws, and be prepared to implement business plans that will be able to handle the legal mandates of those laws.
Ronald E. Quirk Jr. is counsel at Venable LLP in Washington, DC. To comment on this article, send email to
firstname.lastname@example.org, or click on the link below.