Bill targets private use of RFID tags

By CMTA Staff

Capitol Update, May 18, 2007

SB 388 (Ellen Corbett, D-San Leandro) requires any private entity that issues anything containing a radio frequency identification (RFID) tag to disclose what information can be scanned from the tag, security measures used by the card to safeguard information, and steps the cardholder can take to prevent unauthorized access or scanning of information on the card.

The bill applies to RFID tags that can be scanned for "personal information", including first or last name, address, telephone number, e-mail, internet protocol, or web site address, date of birth, driver's license number or California identification card number, religion, ethnicity or nationality, photograph, fingerprint or other biometric identifier, social security number, or any unique personal identifier. The inclusion of "any unique personal identifier" may be of concern because it covers even identifiers that are randomly generated. The bill also does not appear to acknowledge or exempt information that is encrypted.

Additionally, the bill proposes a new private right of action by allowing a cardholder to bring an action against the violating entity for statutory damages of $1,000, actual damages sustained, or both. The lawsuits allowed under the bill may create new costs and risks for organizations seeking to implement RFID solutions.

If this measure is of concern to you, please contact Matt Sutton at
