How to Deploy RFID and Respect Customer Privacy

Companies using radio frequency identification (RFID) tags on products should always tell their customers and make sure they know whether they can deactivate the tags, according to a set of best practices for RFID deployment proposed by a group of IT vendors, RFID users and consumer advocates.

“There should be no secret RFID tags or readers,” according to a draft report by the Center for Democracy and Technology (CDT) Working Group on RFID. Members of the group include Cisco, IBM, Intel, the National Consumers League, Procter & Gamble and VeriSign.

The report adds that, by itself, consumer notification does not mitigate all privacy concerns. Companies collecting personally identifying information through RFID tags should tell customers how that data will be used. And if customers can opt out of sharing that information, or can destroy the tags, those options must be readily available, the report says.

“The document draws from widely accepted and traditional principles of fair information practices,” says Paula Bruening, staff counsel at CDT, a privacy and civil liberties advocacy group. It offers concrete guidance for companies that want to deploy RFID in a way that respects privacy, but also recognizes the need for technological flexibility, she adds.

The expanding use of RFID, embraced by large retailers such as Wal-Mart and Target, has raised concerns about privacy. Because scanners can read RFID chips from a short distance, privacy advocates worry that the technology could eventually be used to track people’s movements and purchases.