Washington State Adopts Second RFID Privacy Law

The bill, newly signed by the governor, prohibits scanning RFID tags unless they were provided by the business or agency itself.
Published: April 17, 2009

Washington State Governor Christine Gregoire has signed into law a bill prohibiting the scanning of an RFID tag by anyone except the business or agency that issued that tag, with certain exceptions.

The legislation, known as House Bill (HB) 1011, lists a dozen such exceptions, including situations in which the scanning is part of a sales transaction initiated by the tag holder, or data from an individual’s identification device is remotely read or stored in the course of an act of good-faith security research, experimentation or scientific inquiry. The law is set to go into effect on July 26, 2009.

HB 1011 was one of three RFID-related privacy-protection bills introduced by House Speaker Pro Tempore Jeff Morris (D-Mount Vernon) in January of this year (see Washington State Rep Reintroduces RFID Legislation). While HB 1011 was modified and ultimately signed into law on Apr. 13, Morris says the remaining two bills will be dropped for the current legislative session.

After its January introduction, HB 1011 went through several modifications, including the elimination of language that would have required a signature from the RFID tag holder indicating he or she was aware of the tag and approved of its use by the providing company or agency. Dan Mullen, president of automatic-identification standard trade association AIM Global, believes the bill signed into law was reasonable and well thought-out. “They’re looking at punishing surreptitious reading of a tag,” he says, “and they’ve added a lot of exceptions that seem pretty reasonable.”

Morris says that after meeting this year with a stakeholder group that included retailers and RFID technology vendors, he decided that obtaining signed permission from holders of RFID tags (such as those embedded in a retailer’s loyalty cards) was a matter that should be decided by the business itself. “We’ve had a six-year engagement with the stakeholders,” he states. Although the bill as signed represented a compromise, he says, “I think this is a big step for privacy.”

Some of the bill’s exceptions had already been included in the original version, such as the use of RFID for triage or medical care in the case of a public disaster, court-ordered electronic monitoring, incarcerated individuals and the reading of a lost identification document by police.
HB 1011 also provides an exception for inadvertent RFID reads in situations in which an individual or group retrieving data from RFID chips that are not their own—such as those contained in loyalty cards—unintentionally reads another RFID tag, as long as the information is not used or disclosed. Mullen indicates his approval of this exception, which he says “shows that legislators are thinking this through,” by considering the likelihood of such inadvertent RFID reads.

Gregoire vetoed a section of the bill that would have required the state’s attorney general to make annual recommendations to the legislature regarding any new “potentially invasive technologies,” In a public statement, she claimed this section of the bill would have created a financial hardship to the state, noting, “This requirement is unfunded and will require the Attorney General’s Office to divert its scarce financial resources away from other higher priority activities. Additionally, a presumptive label as ‘personally invasive’ may stifle emerging technologies with high potential in the research and commercial fields.”

In March 2008, the state passed HB 1031, targeting criminals who might utilize an RFID interrogator to capture information regarding an individual by reading the tags without his or her knowledge (see Washington State Governor Signs Anti-Skimming Law). HB 1031 made it a Class C felony to read data on RFID tags without that person’s knowledge and consent, for the purposes of committing fraud, identity theft or other illegal activity.

The two other bills Morris introduced in January were HB 1006 and HB 1044. HB 1006 would have required all RFID-tagged products to bear a universal, clear and conspicuous label—recognizable by the public—to indicate RFID technology is being utilized. Morris says he has dropped this bill because he believes privacy is already properly ensured in HB 1011. “I think what we’ve adopted here secures privacy,” he says, “while at the same time doesn’t inhibit commerce.”

HB 1044 would have directed the Washington State Information Services Board to develop privacy standards for state agencies employing RFID technology. The bill would have provided the board with oversight regarding the use of radio frequency identification, and whether the technology is the most appropriate solution for a specific application, by state agencies such as the Department of Licensing. Currently, the department provides RFID-enabled driver’s licenses intended to be read by interrogators at the Canadian border as an alternative to a passport. Morris says he plans to spend the summer session discussing this bill further with stakeholders before deciding whether to pursue it.

Legislators in the states of Nevada, New York and New Hampshire are currently reviewing bills intended to protect privacy by limiting the use of RFID (Senate Bill 125, Assembly Bill A00276 and House Bill 478, respectively). In Virginia, a similar recent legislative effort, Senate Bill 1255, failed to pass that state’s Senate Commerce and Labor Committee.