Privacy and RFID

Considering privacy when using RFID in retail stores

By Tom Vieweger

March 14 2018

Who would have thought ten years ago that we would have an — almost invisible — functioning ‘computer’ in a piece of clothing being sold for less than ten Euro? Technology has become significantly more advanced, more ingrained in our everyday life and more invisible. It is no wonder that we are increasingly more concerned about the influence of all this technology on our personal lives, thus our privacy.

To overcome this and to “ensure that the fundamental right to personal data protection is guaranteed”, the European Commission adopted new EU data protection rules [1]. The General Data Protection Regulation (GDPR) will become effective in the European Union in May 2018. The GDPR replaces and harmonizes existing privacy regulations, while at the same time creating a more extensive set of ‘digital rights' for European citizens. Together with hefty fines (up to 4% of worldwide turnover), it is extremely important for retail companies to use RFID technology to comply with this regulation.

While the usage of RFID in retail stores and supply chain is mainly oriented towards increasing stock accuracy and improving logistic processes, this doesn’t exclude a privacy element for the consumers buying products with RFID included. This article will explain in detail what privacy elements there are in using RFID in retail stores, how they are affected by new and existing regulations and how to best comply with those.

Application of the GDPR for RFID

One of the core elements of personal privacy is the protection of personal data. The GDPR has a definition for personal data where it states that “personal data means any information relating to an identified or identifiable natural person.” It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address. Personal data means any information relating to an identified or identifiable natural person.

The data in the RFID tag relates to a product identifier (which states that it is a “blue t-shirt in size M” or a “red dress in size XL”) plus a serial number. The combination of the product identifier and the serial number (EPC) is unique across the globe. So, when you ‘read’ an EPC in Amsterdam and later in Paris, you can be pretty sure that the product belonging to the EPC is exactly the same. Taking it one step further, if the product is exactly the same, and somebody is wearing that product, you can be quite sure that it involves the same person.

Is the EPC personal data then? It depends. As long as it is not related to a single individual person it is not. So, if the EPC is purely treated as a supply chain element — it will not be personal data.

However, when additional use cases are introduced, it can quickly become personal data:

In those cases, the EPC becomes personal data, and a lot more care should be taken. Here are some examples of what should be taken care of, whilst not being exhaustive:

European recommendation on RFID

While the GDPR is not specifically targeted at the usages of RFID, there is an existing European recommendation that is focusing on RFID. It is called “on the implementation of privacy and data protection principles in applications supported by radio-frequency identification” (2009) [3]. This recommendation also gives some interesting insights on how to implement RFID in a privacy-conscious way.

An important point in the recommendation is: “Because of its potential to be both ubiquitous and practically invisible, particular attention to privacy and data protection issues is required in the deployment of RFID.” This is of course true: if you truly embed the RFID tag in the product (e.g. using an RFID yarn), no customer is able to determine whether it contains RFID or not.

Because of its potential to be both ubiquitous and practically invisible, particular attention to privacy and data protection issues is required in the deployment of RFID.

And then it continues: “Consequently, privacy and information security features should be built into RFID applications before their wide­ spread use (principle of ‘security and privacy-by-design).” This makes sense, and the RFID industry is adopting this. An example is the ‘untraceable’ functionality that is present in the most recent version of the RFID standard. The ‘untraceable’ feature offers the following functionality:

Of course, those features are password protected to prevent misuse by third parties.

The recommendation also lists some specific suggestions for retail trade applications:

And very important: “Deactivation or removal of tags should not entail any reduction or termination of the legal obligations of the retailer or manufacturer towards the consumer.” So, if a customer chooses to have the RFID tag removed, they should still be able to return the product.

Deactivation or removal of tags should not entail any reduction or termination of the legal obligations of the retailer or manufacturer towards the consumer.

Privacy impact assessment

A follow-up of the 2009 recommendation was set two years later with the RFID Privacy Impact Assessment [4]. Using this assessment, a retail company that is about to deploy RFID technology is able to assess the impact of that deployment on the privacy of consumers and is able to take precautionary measures to minimize the impact.

The international standards organization GS1 has transformed this into an Excel-based tool that can be found on https://www.gs1.org/pia; another tool was created by the French National Centre for RFID (CNRFID) on http://rfid-pia-en16571.eu.

Whether a Privacy Impact Assessment needs to be completed, and what level of detail is required, depends on the following criteria:

  1. Whether the RFID application processes personal data, or whether RFID tags are linked to personal data.
  2. Whether the RFID tags themselves contain personal data.
  3. Whether the RFID tags are carried by an individual.

If the answer to all those three questions can be answered by ‘no’, no PIA needs to be carried out.

Summary and recommendation

Dealing with the complexity of deploying RFID on a large scale, and at the same time taking care of the privacy of your customers can seem very overwhelming. However, when following the next three straightforward recommendations privacy of customers can be ensured.

  1. Embed the RFID tags in the swing ticket when getting started (instead of using the care label or directly integrating it in the product). This ticket is always removed by the consumers after buying the item, which does away with a lot of the privacy risks already.
  2. Inform the consumers about the usage of RFID by having the RFID-logo on the swing tickets and on the shop window. In addition, it is helpful to explain to them why you deploy RFID and what you do with the data (e.g. on your website or at the POS).
  3. Do not store the EPC in relation to personal data in systems. With Nedap iD Cloud, this is definitely the case: we don’t store any end-consumer data related to EPCs.

When the initial RFID roll-out has been completed, more time and knowledge is available to consider the next steps by introducing new use cases. The Privacy Impact Assessment (PIA) tools are helpful to judge whether a new use case or RFID tag integration method has more impact on the privacy of your customers, and how to minimize that impact.

Special thanks to my colleague Ruud van Balveren (Nedap Privacy Officer) for his assistance in writing this article.

[1]: http://europa.eu/rapid/press-release_STATEMENT-16-1403_en.htm

[2]: http://eur-lex.europa.eu/legal-contentEN/TXT/?uri=celex:32016R0679 — article 6.1b-6.1f

[3]: http://eur-lex.europa.eu/eli/reco/2009/387/oj

[4]: https://ec.europa.eu/digital-single-market/en/news/privacy-and-data-protection-impact-assessment-framework-rfid-applications

Tom Vieweger
RFID business expert
Tom Vieweger