Download File: rfid.pdf [size: 0.21 mb]
Executive Summary
Radio Frequency Identification (RFID) is a technology that allows people and objects to be identified and tracked via a radio frequency signal. This report looks at privacy issues surrounding the likely use of RFID by major retailers, and suggests limits to these systems consistent with present privacy laws, as well as comments on whether the present privacy law regimes adequately protect consumers from retail surveillance. As this is a new technology, the report will seek to define the new technology, and to report on its applications and likely applications thus far as well as to report on consumer attitudes to the technology.
RFID is well-established in the supply chain of major retailers already. To a certain extent, RFID use in manufacturing and supply chain management has been encouraged by government safety concerns with products such as pharmaceuticals and automobile tires. However, government, when encouraging such ‘pre-retail’ uses, does not generally require privacy impact assessments, which might limit the extension of RFIDs from manufacturing into the retail environment.
Consumers soon will face RFIDs at the retail level. It is this ‘item-level’ use of RFID that raises consumer privacy and related concerns. Item level RFIDs produce individual data which, when linked to an individual shopper through a loyalty card or otherwise, constitutes a form of low-level, distributed consumer surveillance. This potential surveillance raises the specter of consumer profiles that track consumer behaviour in relation to objects. Such profiles may become available to not only the original retailer, but also affiliated companies, or even to the federal government under national security exceptions to Canada’s private sector privacy law. RFID tags, if left live ‘post-sales’ (whether consciously for warranty and related purposes or unconsciously – that is, not ‘killed’ at the point of sale) risk being read by third parties, if encryption or similar security measures are not applied by the original retailer.
RFID technology presents a novel challenge to Canadian privacy law. The “primitive” surveillance capabilities of RFID at present are unlikely to violate a reasonable expectation of privacy as interpreted by the Supreme Court of Canada. However, Canada’s private sector Personal Information Protection and Electronic Documents Act (PIPEDA) does appear to severely limit RFID use for consumer surveillance purposes. RFID technology has caught the eye of Canada’s Office of the Privacy Commissioner (OPCC), which has asked retailers for details of their planned RFID uses.
PIPEDA appears to require retailers who wish to track individual shoppers to obtain the informed consent of customers for the use or disclosure of the shopping patterns the RFID chips reveal about their customers. Such ‘informed consent’ will be difficult to achieve without extensive disclosure to the customer of the full implications of RFID surveillance and a positive indication of consent to the use and disclosure of RFID surveillance.
Retailers with more modest goals of controlling in-store inventory, rather than tracking customers will face less rigour in informing customers of RFID use. But, they will still be required as a matter of course to ‘kill’ RFID tags at the point-of-sale or undertake encryption or similar technological measures to safeguard the personal information of their shoppers from third party interception post-sales. Such retailers would appear to be prohibited from associating personal information from loyalty card or other customer information databases with RFID data obtained from interaction of individual customers with RFID chipped products.
Consumer polling appears to indicate great consumer discomfort in the surveillance aspect of RFID technology. While consumers may welcome certain safety and convenience benefits from RFID, their concern with privacy-invasive aspects of RFID outweighs it to the point where RFID use as surveillance appears unreasonable. In addition, some of the benefits of RFID promised by retailers may in fact interfere with established consumer rights and expectations – for example regarding hassle-free return policies.
As RFID implementation is moving forward quickly, it is recommended that immediate action be undertaken by the OPCC to provide RFID-specific guidelines which explain the constraints on the use of the technology for consumer surveillance and profiling, at least in the absence of very clear, and informed consumer consent. Ideally, the OPCC should ask that RFID- or surveillance-specific provisions be added to PIPEDA during the Parliamentary review of the legislation slated for 2006.