Ontario’s Privacy Commission Issues RFID Guidelines

The document focuses on helping retailers address privacy concerns as they implement item-level RFID technology.
Published: June 20, 2006

Ontario’s Information and Privacy Commission (IPC), in collaboration with EPCglobal Canada, has issued guidelines to help retailers address privacy concerns as they implement item-level RFID technology. The IPC, an agency of Ontario’s legislative assembly, acts independently of the provincial government to promote the protection of personal privacy. Its commissioner, Ann Cavoukian, explains that in an effort to be proactive, before consumer-privacy problems arise involving RFID, her agency has issued a list of 10 items intended to provide a simple guide for retailers and other companies planning to use item-level RFID technology on products sold in Canada.

Privacy concerns center around the ability of RFID tags to allow tracking and surveillance of individuals buying tagged products—if the tags are not disabled at the time of purchase—by linking the tagged products to the account numbers of the credit cards used to purchase them.



Cavoukian says she began a dialogue last summer with EPCglobal Canada’s president and CEO, Art Smith, regarding consumers’ privacy concerns and the best way to address them before beginning pilots. “We’re trying very hard to introduce privacy protections before concerns arrive,” she explains. “If we address this in the design phase, retailers can build in the necessary protections.” The two offices formed a subcommittee that began preparing these guidelines in the fall of 2005.

As of this date, Cavoukian says, she knows of no item-level RFID pilots underway in Canada, though she has followed pilots in other countries and has been interested in how they addressed privacy concerns. She cites the pilot at Marks & Spencer (M&S) in London as a successful RFID deployment in which consumers were informed and included in the process (see EPC in Fashion at Marks & Spencer). But, she says, an RFID-related announcement in 2003 involving Benetton demonstrated how misinformation or a lack of information for consumers can undermine a pilot. That incident led to a threatened boycott of Benetton stores (see Benetton Explains RFID Privacy Flap).

“Clearly, it’s not anyone’s intent to spy on consumers,” Cavoukian says. “The vast majority of RFID technology is used in terms of supply-chain management, and none of that involves threats to privacy. When you get to item-level tagging, then for the first time you have a potential linkage with credit-card information.”

The guidelines focus on how RFID is deployed rather than the technology itself, urging users of RFID technologies and information systems to address privacy and security issues early in the design stages. Wherever possible, the guidelines assert, efforts should be made to minimize the amount of RFID data a store or company obtains, and to maximize participation with consumers by being as open with them as possible.

Some specific tips in the guidelines include having a privacy policy in place, with retailers bearing the greatest responsibility for privacy protection. The guidelines also state that organizations should clearly identify and communicate to customers the purposes for collecting tag data and linking it to personal information. Automatic deactivation of RFID tags at the point of sale, with the capability to re-activate, should be the ultimate goal.

“Consumers should be able to choose to re-activate them at a later date, re-purpose them, or otherwise exercise control over the manner in which the tags behave and interact with RFID readers,” the guidelines state. Retailers need to be open about their product tagging, the document urges, and consumers should have the ability to obtain information about the data being collected.

A copy of IPC’s Privacy Guidelines for RFID Information Systems is available at the organization’s Web site. The IPC office encourages readers to e-mail questions or comments.