Washington State Representative Introduces RFID Legislation

By Mary Catherine O'Connor

If passed, House Bill 1031 would impose rules on how companies could deploy RFID and retain personal information gathered via the technology.

image_pdfimage_print

Washington Representative Jeff Morris (D) has introduced legislation, House Bill 1031, that would place restrictions on how RFID technology could be deployed and used in the state. Dubbed the Electronic Bill of Rights, the legislation lists a number of rules designed to protect consumer privacy with respect to RFID. It says a person must first obtain consent from a consumer before it can “collect, maintain and disclose information gathered by an electronic communication device.” The bill defines such a device as one that “passively or actively uses radio frequency identification technology in the 902-928 MHz frequency range or the 2.4 GHz frequency authorized by the Federal Communications Commission, or any subsequent frequency range authorized by the Federal Communications Commission for radio frequency identification technology.”

The bill stipulates that consumers have a right to expect “a person selling or issuing an electronic communication device will implement security measures to ensure that any personal information stored about their consumers is secure.”


Rep. Jeff Morris

The proposed legislation also states: “Any person who sells or issues an electronic communication device that has not been disabled, deactivated, or removed at the point of sale or issuance must use industry accepted best standards to secure the electronic communication device.” However, it doesn’t define what it means to “secure” such a device, nor does it specify the entity that would determine these industry-accepted best standards. According to Rep. Morris, the standard required to secure that electronic communication would need to be the best standard endorsed by the RFID industry at the time the particular tag in question was first brought to market. In a legal case, he says, the court would determine what that standard is or was by consulting industry experts.

In addition, the bill would enable consumers to seek damages from parties violating these rights.

HR 1031, introduced by Rep. Morris in early January, was sent to the House Technology, Energy and Communications Committee, which held a public hearing on the bill on Jan. 10 and another on Feb. 16, due to changes made to its wording. The Technology, Energy and Communications Committee must approve the current bill by Feb. 28 for it to be heard by the full House.

EPCglobal expressed opposition to the bill at these hearings, as did several telecommunications companies and a number of other technology organizations, including the National Retail Federation (NRF) and the Healthcare Distribution Management Association. The bill has support from five other state representatives, as well as from consumer privacy groups, including the American Civil Liberties Union (ACLU). A number of women’s advocacy groups also support the bill because of their concern that RFID devices could be used to track or stalk women as targets of abuse.

The consumer protections listed in the bill closely match those noted in EPCglobal’s own guidelines for consumer products. However, EPCglobal’s Allison Fleming, manager of the public policy steering committee, says her organization’s opposition to the bill stems from its concern that the legislation would engrave in stone the current guidelines for how companies should deploy RFID. “We do not want to codify our guidelines [with respect to consumer notice and privacy protections], because as RFID technology evolves, our guidelines are going to evolve,” she says.

According to Fleming, EPCglobal has suggested that Rep. Morris focus his legislation not on restricting RFID technology, but rather on outlawing abuses of consumer privacy, such as skimming data from tags. She says the state of Washington currently has several pieces of legislation, including an anti-skimming statute originally written to prevent stealing credit card data from magnetic-stripe transactions, and that Rep. Morris should work to add RFID-specific language to those laws.

Morris, on the other hand, notes that the bill he has drafted would be added to existing state laws on protecting privacy. The bill is needed, he says, because courts would otherwise dismiss suits filed over RFID-specific privacy invasion under existing laws, citing the fact that such applications of the technology didn’t exist when the original laws were passed.

Morris says companies selling RFID products and services oppose his bill because, if passed, it might require them to enact separate sales and production practices for products sold in the state of Washington. “They would rather have to address this on a national level, and I can understand that,” he says, “but national law is not likely to be passed on an issue like this until the states begin legislating.”

Rep. Morris notes that his state has been a leader in terms of enacting laws aimed at protecting consumer rights with respect to emerging technologies. By way of example, he points to Washington’s passage of laws against spyware and spam. “We want to offer a way for companies to develop [RFID] technology in a way that won’t lead to public outcry—and, that, in the end, will save those companies money.”

The scope of technologies named in the suit was initially quite broad, says Morris, and included data transmitted through Bluetooth and other types of devices. Mobile telecommunications companies have opposed the bill because it would impact their plans for offering products and services utilizing near-field communication (NFC), a short-range, high-frequency RFID protocol. He and his staff, he adds, are researching how they might exempt cellular phones and PDA phones from the bill to make sure their use of NFC technology would not be impacted.