RFIDs: Getting Personal


IT.Can 2006 Annual Conference


Teresa Scassa

(Professor, Dalhousie Law School)

John D. Gregory

(Policy Division, Ministry of the Attorney General – Ontario)



What are RFIDs?


Radio-Frequency Identification devices are used to send signals from the device to a “reader” or “scanner”. They have been around in one form or the other since the mid-20th century.  Recent reductions in their size and cost have multiplied their potential uses.


RFIDs may be active or passive.  Active RFIDs have their own power source and contain more information than passive devices, which respond to signals from readers with less information.  The latter are smaller and cheaper than the former.


The tags or devices can carry any information that the designers of the system choose, within the (expanding) technical limits of the devices.  Thus they can include product descriptions, biometric information for personal use, provenance data, and more.


Where are RFIDs?


The most frequent use of RFIDs today is in inventory control, as a replacement for bar codes (UPC, universal product codes).  RFIDs embedded in packages of goods or pallets of boxes of goods can be read by a scanner without actual physical contact. This allows inventory control, for example, by a simple radio signal from the aisles of a warehouse.  It is anticipated that in the next few years, RFIDs may be incorporated into each individual product, giving a much finer control over inventory. 


Another common use of RFIDs is as a payment device, either to signal a transaction that reduces an account, or to create a debt that is collected by other means (such as a later invoice).  Some examples are the transponders used to levy tolls automatically on highways like Highway 407 north of Toronto, the cards used to pay tolls on the Macdonald Bridge between Halifax and Dartmouth, and the SpeedPass that Imperial Oil customers can use to pay for gas at the station. 


Related to this last use are RFIDs used for building security, often in the form of an employee identity badge or card that is used to get access to buildings or areas in buildings.  There are many such uses within the government of Ontario and among private employers.   


Other security uses include a child-, pet- or object-finder.  Many personal pets are today outfitted with a microchip under their skin, readable by police or veterinarians, to help recover lost or stolen animals.  A more frivolous use has recently been tried in Spain, where members of a social club have had tags implanted under the skin of their arms, in order to facilitate entry to the club premises at crowded hours.


At the individual level, a recently advertised system includes a reader, a pair of active RFIDs with a ‘panic button’ that can be worn by a child or other vulnerable person, who can signal the ‘home’ station (usually a responsible adult) in cases of doubt or emergency; and some passive tags that can be used so the holder of the scanner can find the objects (car keys, glasses) to which the tags are attached.


Combining security with inventory control, it is contemplated that RFID tags could be inserted into all cattle, so that any individual that is found to carry mad-cow disease can be properly traced to its origin, including its history from origin to diagnosis.


The public health aspect of this use shows that RFIDs can straddle the public/private sector border.  So does the procurement of inventory from private sellers by public buyers, such as in the US Department of Defense. While public sector uses are strictly speaking beyond the scope of this paper, which focuses on commercial applications, one may mention in passing the use of RFIDs in US and other country’s passports and in European currency as an anti-counterfeiting measure, not to mention the more prosaic library-book security systems.


In short, the uses are limited by imagination as much as by the technology, and are bound to expand over time.


Privacy issues


Clearly some of the uses of RFIDs raise few if any privacy concerns, while others either fall within current privacy legislation or appear to require a policy or legislative framework to protect privacy interests.


There are two categories of concern:


·                    Tag-centred concerns:  These are based on the presence of tags and their being read, either knowingly or not, and either with authority of the person whose information is collected or not.  The concerns arise when RFIDs are used to track products in the hands of consumers, to monitor their use, to follow the consumer, to associate the purchase of one product with others.  This can happen in digital shopping registers, but also through the use of loyalty cards or some credit cards, which allow “neutral” product information to be associated with information attached or attachable to a particular person.  At that point all the information becomes “personal information” within the meaning of much privacy legislation.


·                    Data collection concerns:  These focus on the matching of data from RFID tags with other data.  It is related to the concern above about retail data collection, but considers the resulting data bases and their use and potential disclosure, as well as the process of collection.  Once the information is in a data base, concerns arise as well about the risk of illicit access to those data or public-sector compulsory access, as well as about their intended application.  The more the RFID devices in different products are interoperable, the easier it will be to compile the information from all of them into comprehensive data bases.


Privacy law


The basic law in Canada on commercial uses of personal information is the Personal Information Protection and Electronic Documents Act (Canada) – PIPEDA.  Quebec, Alberta and British Columbia have their own legislation that operates instead of PIPEDA for provincial purposes within those provinces.  Ontario and others have personal health information protection laws instead or as well. The current brief overview does not purport to raise, much less dispose of, all the possible applications of these statutes.


PIPEDA limits the collection, use and disclosure of personal information by organizations in the course of “commercial activity”.  Any such actions must be reasonable, and must also comply with the statutory rules themselves.  On the other hand, PIPEDA implicitly authorizes a balance between the privacy interests of individuals about their information and the commercial usefulness of that information.  Just where certain uses of RFIDs will be held to fall is open to discussion.


The clearest case of applicability of PIPEDA would be the collection of information from RFIDs on consumer products and the linking of this information to data about the purchaser, taken from vendor records or loyalty card records.  Assuming that the collection and the desired uses of the information were reasonable, the Act requires that the collection and use be done only with the informed consent of the individual. 


It is possible that the process of applying for the loyalty card could give an opportunity to secure the consent of the applicant.  It is arguable that more detail would be needed, especially at the time of the collection.  People may need to know what products have RFIDs in them, and when the information is being read, as well as when it is collected (and ultimately used).  They arguably need to know that the information can be collected remotely and without their being aware of it at the time.  The relation between the loyalty card and the RFID needs to be spelled out.


These basic principles are relatively easy to apply but may not go far enough to relieve legitimate concerns of legal policy or real reservations of potential customers that merchants will not want to alienate.  What else might be done?


It is not just the merchant or loyalty-card issuer who may collect the information.  Product manufacturers may have their own scanners in the store to collect information about the movement of their products.  Again, if the information is not linked to people, this is not problematic, but if it is – say a picture is taken when the product is moved – then privacy law is invoked.


Interesting questions arise about implied consent: if customers know that goods contain RFIDs, does their purchase of the goods imply consent to the collection of the information in the products, and association with the purchasers?  It would be bold to assert this without a good deal of express notice, and arguably even with such notice.


Privacy policy


The law is sometimes said to protect reasonable expectations of privacy.  Here as elsewhere, this protection should not be subject to whittling away because technology is known to reduce privacy, and thus people’s reasonable expectation of it.  Otherwise technology will ultimately rule, regardless of how people feel about it or what uses of personal information the technology enables.


Thus it may be that legislation is needed to ensure that the legal principles in our law now will cover the uses that the technology will provide in the foreseeable future.  One could legislate that private deployment of RFIDs would require a privacy impact assessment as a pre-condition, though the content of such an assessment and the enforcement of such an obligation may raise problems.


For example, the ability to control the uses of one’s information may require, or urge, the ability to deactivate the RFIDs on purchase.  However, sometimes the vendors or merchants find it useful to have an active tag in order to authorize warranty service or return of goods (one can verify that the product came from that vendor). At present tags cannot be turned off and on at will.  It is possible that such technology will be developed.


Can or should legislation focus on the technology itself, banning certain results or techniques or promoting others?  It is a commonplace that systems should be designed to support privacy (and privacy concerns arise because of the systems in which RFIDs are used, not just because the devices themselves have particular capacities).  It is difficult to retrofit privacy into a system that was not built to protect it. 


At what point is it useful to legislate the capacity of a device, or the capacity of a system for using devices, and at what point does such legislation simply impede the development of the technology itself?  How legitimate are objections to legislated standards based on the presumed or anticipated costs of building the system one way rather than another? 


For example, California Governor Schwarzenegger recently vetoed a bill that would have addressed a number of privacy and security concerns associated with the use of RFIDs.  His rationale for vetoing the bill was reportedly that it was premature.  He did not want California legislation to conflict with national standards, which he anticipated would be enacted in relation to identification documents.  Further, he expressed concerns about the effect that the bill would have had on state agencies in the process of using RFID technology to streamline operations.


And how widespread does a legislated standard have to be in order to create a functioning market for privacy-respecting technology?  A patchwork of inconsistent rules will not promote development of the industry.  Are there risks that such standards might create a backwater that does not enjoy innovation while other less restricted jurisdictions see a flowering of technology that manages to respect privacy as well, but in unexpected ways that legislators could not predict?


This is to some extent an argument for technology neutrality in policy development and in legislation, to some extent for humility in drafting, and to some extent nevertheless an appeal to the courage of one’s principles.


Best practices


Sometimes legislation will not be appropriate, either because the technology is not sufficiently developed, or because the threats to privacy are not direct.  But in such cases, or even where legislation may be pending, the users of RFIDs may nevertheless wish to show that they respect privacy for reasons of customer relations or even sound principle.


In cases where RFID tags are used strictly in inventory control, and the product information is not associated with personal information, it may be appropriate to calm customers’ nervousness by making the RFID system explicit: give notice that the tags are present, identify the readers, tell people how they work, give options for deactivating tags in purchased goods or for removing the tags (ensuring that they are affixed in ways that permit this without damage to the goods, obviously).  Merchants could deactivate the tags at checkout as a practice, unless the customers choose the contrary.  Some of these are arguably beyond the scope of information needed to support a valid consent under privacy law.


It seems likely that a common identification label will be developed to indicate the presence of RFID tags, just as there are common labels for certain hazardous products, or for washing instructions, or for composition of some products.  Whether the use of such labels would be required by legislation or just adopted by merchants as a marketing advantage like other sound privacy policies, time will tell.


Merchants could limit their own uses, and say so: no collecting data before or after a transaction, no tracking of customers in the store by the RFIDs on products they are buying or have bought, no collection of data from tags on the customer’s person, limited storage of the personal information, no sharing of information. They could have someone on the premises to explain the technology or answer questions, including about the nature of the information collected, its proposed use, and the rights of the individuals with respect to it. They should keep the information in the tags and readers and the communications between the two devices secure and confidential.  Some of these practices are arguably required by law, in the absence of consent, but merchants who limit themselves rather than seeking broad consent may benefit from goodwill.


The legal consent to the collection and use of personal information may satisfy the law, but the desirability of deactivation or removal may remain.  This too could constitute a “best practice”, one adopted by open-minded merchants though beyond their legal obligation.


The role of public and not-for-profit sector privacy advocates in educating the public is important, too.  Many of the guidelines and best practices in this field come from such sources today, and this is likely to continue.  Reliable independent sources of information about the technology as it evolves are crucial to public confidence and ultimately acceptance of RFIDs.




The deployment of RFIDs and their increasing capacities make their growing impact on privacy inevitable.  As with any new technology, the application of current law to the novel situations will take some time and analysis, and the real deficiencies of the law to deal with novelty will become apparent. 


Here as elsewhere in legislating with respect to evolving technology, legislators must take care not to foreclose promising or profitable developments by overly narrow concepts of how to solve privacy problems.


For this reason many privacy advocates in Canada and elsewhere have focused on non-legislative recommendations.  Just as privacy principles – “fair information practices” – are very widely accepted, so too it appears that best practices with respect to RFIDs are becoming harmonized.  One sees the same ideas across many borders.


There will no doubt be inconveniences, worries and even battles, but it is not at all clear that privacy will have to be a victim of RFID technology.





Much of the discussion of the privacy implications of RFIDs turns on how one applies the known principles of the law, the codes, and the fair information practices to the technology, or how the technology may invoke the principles or threaten them. The following discussions explain the interaction between technology and principle as well as recommend how to protect the principles in the face of the technology.

Scassa, Chiasson, Deturbide, Uteck, An Analysis of Legal and Technological Privacy Implications of Radio Frequency Identification Technologies, prepared for the Privacy Commissioner of Canada, April 2006.

Privacy Commissioner of Canada, Fact Sheet: RFID Technology, February 23, 2006.

Information and Privacy Commissioner (ON), Tag, You’re It: Privacy Implications of Radio Frequency Identification (RFID) Technology, February 2004.

- Privacy Guidelines for RFID Information Systems (RFID Privacy Guidelines), June 2006.

- Practical Tips for Implementing RFID Privacy Guidelines, June 2006.

Information Commissioner’s Office (United Kingdom), Data Protection Technical Guidance, Radio Frequency Identification, August 2006.

OECD, Radio-Frequency Identification (RFID): Drivers, Challenges and Public Policy Considerations, February 2006.

EU Working Party 29, Working Document on data protection issues related to RFID technology (10107/05/EN/WP 105) January 2005.

- Results of the Public Consultation on Article 29 Working Document ON Data Protection Issues Related to RFID Technology (1670/05/EN/WP 111) September 2005.

Electronic Frontier Foundation: Radio Frequency Identification (RFID)

Electronic Privacy Information Center (EPIC) Radio Frequency Identification (RFID) Systems

EPC Global, RFID Implementation Cookbook. September 2006.