Europe’s RFID Privacy Policy Might Be a Mistake

A draft document suggests retailers should remove or deactivate tags at the point of sale, but this might be the wrong approach—or, rather, the right approach at the wrong time.
Published: January 14, 2008

For almost two years now, the European Commission has been exploring the potential implications of radio frequency identification (see European Commission Works on RFID Policy). Realizing the importance of RFID, it has taken a proactive approach, funding several research projects that could spur adoption and enhance the competitiveness of European companies.

The EC has also examined the implications RFID might have for consumer privacy, and is now close to publishing a report. I’m told it might recommend European retailers remove or deactivate RFID tags at the point of sale if requested by the consumer. It seems like a reasonable suggestion, and I wholeheartedly support a consumer’s right to privacy. But the commission might be acting too hastily, because its recommendations could hurt European companies and slow RFID adoption in Europe—without actually enhancing consumer privacy.

Let me explain why I think it’s too early for the commission to make a recommendation. First, I don’t think the recommendations protect consumer privacy. Why? Because there is little to no risk that shoppers will leave stores with tagged items and have something negative happen to them.

We are nowhere near the point where all individual items are tagged, and we are even further from the day when it will make sense to embed tags in consumer items, such as clothing or shoes. (We might need these recommendations when tags are being embedded in products, but even then, we might not—and I’ll explain why later.) Most companies will tag cases of product. The tagged cases will then be thrown away when shelves are replenished, so consumers won’t ever see the case tags.

Some high-value individual items consumers buy are being tagged, such as computers, DVD players, printers, handbags and other designer accessories. But companies such as Marks & Spencer and Metro are putting RFID tags on packaging or hang tags, so the tags get thrown away when a person gets home.

Yes, someone could theoretically stand outside a store with an RFID interrogator, skim data from the tags on my products and learn the serial numbers on the items I bought. But in the case of RFID tags that don’t conform to Electronic Product Codes (EPCs), the numbers would be meaningless. And even if someone were to read EPCs and understand a little about what they meant, so what if that person knew I purchased a shirt or printer? How could anyone use this information to harm me? (Don’t tell me they’re going to rob me—robbers focus more on opportunities to get people alone in a deserted area, rather than on what they might steal from them.)

The commission says that even if only 0.1 percent of your product is tagged, European retailers must outfit every checkout stand with an RFID reader to kill the tag if the consumer requests it. So even though the risk to a consumer’s privacy is almost zero, retailers will have to spend tens of thousands of euros to kill that tag. This will create an unnecessary burden on European retailers looking to adopt RFID, and could hamper adoption.

And what about retailers that don’t yet use RFID and receive tagged goods? For example, Hewlett-Packard could divert a shipment of tagged printers bound for Metro to such a retailer to avoid an out-of-stock situation. That retailer would be put in a position where it couldn’t kill tags at the point of sale, and would thus be open to public criticism. You could also have a scenario where retailers might tell suppliers not to ship them anything with RFID tags. This recommendation could have a chilling effect on adoption in Europe.

You might say some retailers could simply ignore the recommendations—the commission doesn’t have the force of law, after all. But few companies are going to want to go against its recommendations. Just from a public relations standpoint, it would look very bad for a company to deploy RFID and not do the things the commission suggests. In fact, it would be an open invitation to privacy advocates to damage the company’s reputation with consumers.

Ironically, the commission says you don’t have to kill that tag if it’s a necessary feature of the product. So companies that want to abuse privacy could potentially get around the recommendations by embedding a tag in a shirt and saying it’s a feature of the product.

The other reason I oppose the recommendation to kill tags at this early stage is that it could also stifle innovation. President John F. Kennedy used to say, “Don’t take the aspirin until you have the headache.” If RFID never leads to privacy invasion—and it hasn’t yet—then why do we need the government telling companies where and when they should kill a tag?

Look, if companies ever abuse RFID and infringe on consumer privacy, governments will need to step in and protect citizens. But the reality is that businesses have a financial reason not to engage in such infringement: If they do, they will lose customers. To date, as far as I am aware, no retailer has used RFID to gather information on customers without their knowledge.

It makes no sense to create policies about what might happen. How does the commission, or anyone else, know what the future holds? New technologies evolve over time, and RFID could evolve in ways that might make it unlikely or impossible to infringe on consumer privacy.

Take the Internet, for example. Companies developed the idea of using cookies to track the behavior of people visiting their Web sites. Consumers objected. Therefore, technology providers changed their products to give consumers the ability to block all cookies, or to accept them selectively.

I think RFID will evolve in the same way. There will be new applications that give consumers the ability to either kill the tags or use them to their benefit—for, say, faster returns. By recommending, at this early stage, that tags be killed, the commission is essentially stifling innovation that could very well benefit consumers. Think what would have happened if regulators simply stopped Web sites from using cookies at all. We would not be able to get the benefits that come with using cookies on sites we trust—all of the personalization you can do on the Web would not be possible.

I laud the European Commission for grasping the importance of RFID technology, and for taking a proactive approach in trying to promote adoption and protect consumers. But I think the recommendation to kill the tags at the point of sale comes too early. It should be enough that consumers be alerted to the presence of a tag in the packaging of whatever they purchase. They can then easily remove it and protect their own privacy, and that will allow the technology to evolve. If I’m wrong, and RFID doesn’t evolve to serve the needs of consumers and businesses, then the commission can step in and solve a specific problem that exists at that time.