Addressing Consumer Privacy Challenges: Best Practices and Principles The Workshop concluded with a panel examining various approaches to addressing the privacy issues raised by RFID technology. As participants noted, these challenges are not insubstantial, in light of RFID’s evolving nature and the uncertainty as to how various existing and potential uses may affect consumers. Industry guidelines, legislative developments, and technological solutions designed to address privacy and security concerns were among the options discussed and debated. A. Existing Industry Practices and Standards Panelists voiced a range of opinions as to what approach or combination of measures would be most effective at meeting the challenges posed by RFID. Many participants agreed that, at a minimum, businesses deploying RFID should take steps to protect consumer privacy. One self-regulatory model already in place is EPCglobal’s "Guidelines on EPC for Consumer Products" ("EPCglobal Guidelines"). According to a Workshop panelist, the Guidelines were developed with input from privacy experts and apply to all EPCglobal members. The Guidelines call for consumer notice, choice, and education, and also instruct companies to implement certain security practices. The first element, consumer notice, requires that companies using EPC tags "on products or their packaging" include an EPC label or identifier indicating the tags' presence. According to a Workshop participant, EPCglobal has developed a template label that companies can use to inform consumers of the presence of EPC tags. Displaying a copy of the model identifier, the speaker explained that the template label discloses that a particular product's packaging contains an EPC tag, which may be discarded by a consumer after purchase. The Guidelines' second requirement, consumer choice, concerns the right of consumers to "discard or remove or in the future disable EPC tags from the products they acquire." The Guidelines explain, "for most products, the EPC tags [would] be part of disposable packaging or would be otherwise discardable." Consumer education is the third prong of the Guidelines, which provides that consumers should have "the opportunity easily to obtain accurate information about EPC tags and their applications." The Guidelines task companies using RFID with "familiariz[ing] consumers with the EPC logo and . . . help[ing] consumers understand the technology and its benefits." Finally, the Guidelines call for companies to ensure that any "data which is associated with EPC is collected, used, maintained, stored and protected" consistent with "any applicable laws." They further instruct companies to publish "information on their policies regarding the retention, use and protection of any personally identifiable information associated with EPC use." To help ensure compliance with these Guidelines, EPCglobal will provide a forum to redress complaints about failures to comply with the Guidelines. According to Workshop participants, some companies have already endorsed or implemented these practices as they test RFID systems. Panelists discussed how Wal-Mart, which is currently operating a pilot program with EPC tags in a limited number of stores, has posted a "shelf-talker" disclosing the presence of EPC tags. According to this tear-off notice reportedly made available to Wal-Mart shoppers, only cases of certain products or specific large items, like computer printers, include EPC tags and bear the EPCglobal logo. The disclosure further explains that the technology "will not be used to collect additional data about [Wal-Mart’s] customers or their purchases." Consistent with that commitment, Wal-Mart has stated that it has no readers on store floors, so consumers should not be exposed to any communications between tags and readers. Workshop panelists also discussed the privacy guidelines adopted by Procter & Gamble ("P&G"), another company involved in RFID trials both in the U.S. and abroad. In addition to its global privacy policy, P&G has developed an RFID-specific position statement calling for "clear and accurate" notice to consumers about the use of RFID tags and consumer choice with respect to disabling or discarding EPC tags "without cost or penalty" as well as disclosure of whether any personally identifiable information about them is "electronically linked to the EPC number on products they buy." Further, P&G stated at the Workshop that it will not participate in item-level tagging with any retailer or partner that would link personal information about consumers using RFID, "other than what they do for bar codes today." The Workshop also explored a case study of retail item-level RFID tagging in action. A representative of Marks & Spencer, one of the United Kingdom’s largest retailers, described his company’s in-store RFID pilot program, tagging menswear in select stores. Marks & Spencer’s use of "Intelligent Labels," as it has designated its RFID program, is for stock control – a continuation of the supply chain management process. With this limited purpose in mind, the Marks & Spencer official explained how his company incorporated privacy-protective measures into its Intelligent Label program. According to the company, these considerations are reflected in the mechanics of its RFID deployment, which apply the notice, choice, and education principles advocated by EPCglobal and others. The hang-tags bearing the Intelligent Labels are large, visibly placed, and easily removable. No data is written to the tags, and they are not scanned at the cash register, so there is no possibility of connecting the unique identifier on the tag to the purchaser. Indeed, the tags are not scanned at all during store hours, but rather are read for inventory control purposes when customers are not present. Finally, all of these practices are described in a leaflet that Marks & Spencer makes available to shoppers. Some Workshop participants stated that these industry initiatives represent effective ways to address consumer privacy concerns, but others maintained they are necessary, but insufficient, steps. Privacy advocates at the Workshop called for merchants to take additional precautions when using RFID tags on consumer items, including fully transparent use of RFID.146 With respect to company statements disclosing the presence of in-store RFID devices, privacy advocates argued that such disclosures should be clear and conspicuous. One participant stated that disclosures should contain specific information: that a product bears an RFID tag; that the tag can communicate, both pre- and post-purchase, the unique identification of the object to which it is attached; and the "basic technical characteristics of the RFID technology." Another Workshop panelist urged that any such disclosures be "simple and factual," avoiding "happy face technology" that is essentially "marketing hype." This panelist felt that by disclosing its RFID practices in a straightforward manner, a company will convey information in a way that consumers are more likely both to understand and trust. B. Regulatory Approaches Privacy advocates at the Workshop also called for RFID to be subjected to a "formal technology assessment," conducted by a neutral body and involving all relevant stakeholders, including consumers. This process could examine issues such as whether RFID can be deployed in less privacy-intrusive ways. Until such an assessment takes place, these participants requested that RFID users voluntarily refrain from the item-level tagging of consumer goods. In addition, some Workshop panelists argued that government action to regulate RFID is necessary. One panelist urged the Commission to implement a set of guidelines for manufacturers and retailers using RFID on consumer products. According to this participant, other international standards that already apply to the use of RFID in this context support the need for comparable regulation in the U.S. Certain Workshop participants also endorsed specific restrictions on RFID use, including prohibitions on tracking consumers without their "informed and written consent" and on any application that would "eliminate or reduce [individuals'] anonymity." In addition, these participants called for "security and integrity” in using RFID, including the use of third-party auditors that could publicly verify the security of a given system. Similarly, one panelist argued that consumers should be able to file with designated government and industry officials complaints regarding RFID users’ noncompliance with stated privacy and security practices. Other Workshop panelists disputed the need for regulation at this point, contending that legislation could unreasonably limit the benefits of RFID and would be ill-suited to regulate such a rapidly evolving technology. According to one participant, the FTC’s existing enforcement authority is adequate to address abuses of RFID technology, citing the Commission's ability to challenge misrepresentations by a company about its privacy and/or security practices. Therefore, this participant concluded that technology-specific privacy legislation is unnecessary at this juncture. C. Technological Approaches Workshop participants also debated the merits of various technological approaches to addressing consumer privacy concerns. In addition to the database security measures discussed above, these proposals include protocols protecting communications between readers and tags, such as encryption or passwords. These methods would restrict access to the tag itself by requiring some measure of authentication on behalf of the scanning device. Even if a reader could get a tag to "talk," encryption would prevent the reader from understanding the message. One commenter strongly urged that "[a]uthorization, authentication, and encryption for RFID . . . be developed and applied on a routine basis to ensure trustworthiness of RFID radio communications." A related technical approach discussed at the Workshop involves "blocker tags," which prevent RFID tags from communicating accurately with a reader. With blocker tags, which are tags literally placed over or in close proximity to the RFID tag, consumers would be able to control which items they want blocked and when. This would allow consumers to benefit from any post-purchase applications of RFID that may develop, such as "smart" refrigerators. Finally, Workshop participants discussed the "kill switch," a feature that permanently disables at the point-of-sale an RFID tag affixed to a consumer item. Such a function has been proposed as a way to provide "choice" to consumers in the context of item-level tagging. However, a number of Workshop participants disputed the effectiveness of this approach. Some privacy advocates found the options of killing or blocking tags both lacking because of the burden they could impose on consumers. For example, setting up a "kill kiosk," as one retailer abroad reportedly had done, contemplates that consumers first purchase an item and then deactivate an attached RFID tag. Some panelists argued that this process was cumbersome by requiring that consumers engage in two separate transactions when making a purchase. They argued that this process may dissuade consumers from exercising the option to disable tags on purchased items. Another critique of these technological "fixes" raised at the Workshop focused on their potential to reward – and thus foster – RFID use. Some participants argued that if the only method of protecting consumer privacy was to disable tags at purchase, any post-purchase benefits would accrue only to those who kept their RFID tags active. As a result, these panelists suggested, consumers would be more likely to keep tags enabled. Conversely, another participant argued that giving shoppers this option could drive up costs for all consumers, even those who do not object to the presence of active RFID tags on items they purchase. According to this speaker, merchants would likely be reluctant to charge higher prices for consumers who elect to deactivate RFID tags prior to purchase. Finally, as one commenter pointed out, the effectiveness of tag-killing technology depends on whether the presence of RFID is effectively disclosed: no consumer will seek to deactivate a tag of which she or he is unaware. << Previous: Consumer Perceptions and Privacy Concerns Next: Conclusion >> Back to Pat's Planet.net