Electronic product codes – marketing plus or privacy
Robert Bond looks at the use of electronic product codes (EPC), in particular
radio frequency identification (RFID) and addresses the privacy and information
security issues associated with their use in the United Kingdom.
Many businesses recognise that, from a marketing and advertising perspective,
the use of EPC provides a tremendous opportunity to "know your customer"
and to provide “personalised” marketing. By using tags on
a wide variety of products, it is possible to logically link the data
derived from the purchaser of one product, to other purchases that they
make within a supermarket or a shopping mall and to harness that data
for the benefit of more targeted marketing and advertising, whether on
the basis of the data simply collected from the tags or, from a combination
of that data with further information gathered on loyalty/credit cards
used to make such purchases.
however, EPC tags do not require direct line of sight to be read and have
the capability to identify not only the brand and model of the product
but the unique item of that brand and product. This, for example, is an
essential improvement for food traceability that can identify potential
health issues from the feed lot to the packaged product. This traceability
also permits more effective product recall and targeted consumer health
and safety alerts. EPC systems may allow businesses to explore new ways
to meet consumer needs, reduce costs and maintain inventory.
the use of tags to improve efficiencies and competition in the supply
and distribution chain, there are numerous benefits to consumers including
identification of counterfeit products, faster product recall, enhanced
product availability, improved warranty service and potentially faster
check-outs. On the other hand, rather than providing "personalised”
marketing it is perhaps more appropriate to describe the use of this technology
as providing "personal” marketing. In other words, whilst there
are distinct marketing and advertising advantages in the use of EPC there
is also the potential to infringe personal data rights and privacy.
The simple barcode on products is gradually being replaced by smart tags
that use wireless technology, such as WI-FI, RFID, Bluetooth, Global Positioning
System Technology and General Packet Radio Service.
or tagging in the past, was generally restricted to barcoding which was
a relatively passive form of tagging since it required the use of barcode
readers to interpret data and the data itself revealed little more than
the identity of the product.
product tagging, such as RFID has, until recently, been expensive to implement
(and indeed is still relatively expensive) but this more sophisticated
product coding technology now allows for, not only identification of the
product itself but specific confirmation of the precise batch that a product
came from and using wireless technology, the ability to track the movement
of that product.
can be either active or passive. Passive RFID tags do not have their own
power supply because the minute electronic current induced in the antenna
as a result of the incoming radio frequency scan will provide enough power
for the tag to send a response. Consequently, the lack of power means
that the amount of information that can be managed in a passive RFID may
be limited to an ID number only. Passive RFID tags can be extremely small
but have limited transmission ranges from 10mm up to about 5m.
On the other
hand, active RFID tags require a power source but have longer ranges and
larger memories than passive tags.
Although RFID tags are assumed to be a relatively recent innovation they
were, in fact, in use during World War II when, in the form of transponders,
they were fitted to allied aircraft and known in the forces as IFF (Identification
Friend or Foe).
Global companies such as Gillette, Phillips, Procter & Gamble, Wal-Mart
and others see huge savings to be made from the use of EPC and there are
numerous pilot projects underway which are indicating that there are savings
to be made in supply chains as well as the ability to add value to both
product owner, product reseller and customer.
technology and the like will make savings in the supply chain, it may
also produce a range of smart solutions, such as refrigerators or waste
bins that automatically create shopping lists, products tagged for store
returns, reduction of the risk of fraud and theft and smart travel tickets
that indicate your location in airports, stations and so on. However,
privacy groups and consumer associations have expressed concern that the
same technology may have invasive features since, if the technology can
track the product, then the same technology can track the product purchaser.
Several of the companies named above, such as the Gillette Company, Procter
& Gamble and Wal-Mart have joined together with other well-known companies
such as Hewlett Packard and Johnson & Johnson to create International
standards for the use of RFID tags and EPC in general and many of the
same companies are also actively involved in the International Chamber
of Commerce (ICC) Task Force on EPC which is drafting its own guidelines
for the responsible deployment and operation of EPC as discussed recently
at an ICC Round Table meeting in New York at which the author was a speaker.
currently a number of the new tagging technologies can only be read over
short distances there are suggestions that if there are connected sites
with suitable readers, it is feasible that the purchaser of an RFID tagged
product could be tracked from the point that the product is put into a
shopping trolley to the point of payment and indeed beyond. Such tracking
enables retailers to build up sophisticated profiles on purchasers but
at the same time may, potentially, breach human rights and in particular
the Data Protection Act 1998. Companies which see commercial and marketing
value in the use of electronic product codes may dismiss issues like data
protection on the basis that EPC technology utilises information about
products and not people and contains no personally identifiable information.
This view is not necessarily shared by the regulatory authorities in Europe.
Protection Act 1998 defines personal data as "data which relates
to a living individual who can be identified either from that data or
from that data and other information which is in the possession or is
likely to come into the possession of the data controller.” So data
from an RFID tagged product, when read in conjunction with the purchaser's
loyalty card, swiped at the point of payment, produces a record of product
purchase to purchaser and in conjunction with other products purchased
at the same time builds a profile. If those tagged products are readable
outside a store it is possible that yet more data can be gathered to track
and profile the purchasing style of that individual within a locality.
it is not the tagging in itself that is potentially a breach of data protection
laws but the subsequent collection and processing of data derived from
the tagged product that causes the problem.
Examples of Conflict Between the Technology and the Law
On the 15
July 2004 Peter Schaar, in his capacity as the Chairman of the Article
29 Data Protection Working Party created in the European Union under the
general Data Protection Directive, gave an opinion to Howard Beales, Director
of the Bureau of Consumer Protection of the Federal Trade Commission in
relation to the above issues. In his letter Mr Schaar provides some useful
examples of cases where RFID technology clearly uses personal data and
a first example, consider where a manufacturer of pharmaceutical products
puts tags on a series of medicines which are sold under presentation of
a prescription. When the consumer buys the medicine, the information regarding
the individual, the type of medicine bought and the time of day, are entered
into a database. If the individual returns for a refill, the retailer
reader immediately identifies him/her. The information about the refill
is logged and his/her behaviour is monitored.
As a second
example, consider where a conference organiser decides to tag conference
badges which are delivered to delegates upon arrival and registration
for a conference. RFID readers are placed in different parts of the conference
premises. This allows the conference organiser to collect data regarding
the location and movement of the conference participants. The data is
linked to each participant and entered into a database.
In both the
above scenarios, the provisions of the Data Protection Directive would
examples, include the addition of an RFID to an implantable cardioverter
defibrillator, in order to enable the device manufacturer, the patient
and the surgeon to monitor performance of the device and to give a more
efficient and timely aftercare service to the patient. Another example
that was recently reported on the 29 October 2004 by E Health Media Limited
was an article relating to a West Midlands hospital which was piloting
electronic product codes for patients with links to electronic records
containing digital photographs and a new easily updateable electronic
operating list. According to the report, patient details are kept on a
simple electronic record that is separate to the hospitals own patient
records and the WI-FI tags are embedded in the normal hospital name tags
which patients are routinely given.
The data protection legislation in the UK requires that individuals are
notified of data processing activities and are given sufficient information
about the way in which such data will be stored and used to be able to
give informed consent.
of projects under way have been marketing led and often have not perceived
data protection as a fundamental issue.
notifying individuals of their rights under the Data Protection Act 1998
and obtaining their consent to the use of their data through an electronic
product code system it is equally important to consider information security
issues. The 7th principle of the Data Protection Act 1998 states that
"appropriate technical and organisational measures shall be taken
against unauthorised or unlawful processing of data as well as against
accidental loss, destruction or damage to such data". In many cases
the EPC system will comprise of the tag itself, the communications network
over which data may be transferred and other systems in which the data
may be stored and processed. Furthermore, aspects of the system may well
be outsourced to third parties including network operators and data processing
that collects personal data through an EPC system primarily remains responsible
for the management and security of personal data and therefore may be
at risk when the processing of that data is carried out through third
parties. In some of the examples given in this article it is clear that
third party data processors may be involved in the operation and there
are onerous requirements placed on businesses to comply with applicable
data protection and human rights laws including monitoring and the use
of location data.
of the examples given in this article, it is clear that the data which
is being processed through the use of EPC systems will include sensitive
personal data (for example health records) and even greater compliance
requirements are placed upon businesses that use such sensitive data particularly
when it is transferred outside Europe.
The 8th principle
of the Data Protection Act 1998 makes it clear that personal data cannot
be transferred outside the European Economic Area (the 25 member states
plus Iceland, Lichtenstein and Norway) to any other country in the world
that is not deemed, by the European Commission, to have adequate data
protection laws. Very few countries, so far, come up to the standards
set by the European Commission and yet in the case of multinationals it
is highly likely that any personal data obtained using EPC will be shared
on a global basis. This, again, is a compliance issue which needs addressing.
to the conflict between the use of EPC and the Data Protection Act 1998
there is also the matter of the use of location data which is now regulated
by the UK implementation of the E-Privacy Directive under the UK E-Privacy
Regulations which came into force on the 11 December 2003. These regulations,
amongst other things, regulates the use of electronic communications traffic
data and location data and require that location data may only be processed
when it is made anonymous or with the consent of the individual. Both
these regulations and the general rights of an individual under the Data
Protection Act 1998 require that an individual is given sufficient information
to enable that individual to give informed consent to the use of personal
data for marketing and other purposes.
It is important that any business that intends to utilise EPC technologies
considers the following practical steps:
that, in general, the business is in compliance with the applicable laws
including data protection laws
• Guarantee that the business has in place adequate information
security and asset management policies and procedures to keep personal
• Notify individuals of when and how their data may be collected
and processed through the use of EPC
• Put in place contractual controls where personal data is being
processed by third parties
• Allow individuals to have the right to disenable tags if they
are already a number of technology standard groups looking at codifying
tagging technology on a global basis, little investigation has been done
into the issues of compliance with data protection laws, although the
ICC Task Force on Electronic Product Codes is addressing legal and regulatory
issues. This Task Force, which met in New York on the 2 and 3 December
2004, has put together a proposed frame-work on responsible deployment
and operation of EPC, as well as a set of principles on deployment and
operation, which addresses, amongst other things, issues relating to consumer's
information and choice, openness, data protection compliance, information
security as well as generally linking such guidelines to existing ICC
Guidelines on Marketing and Advertising.
Bond is a partner based in the London office of Faegre and Benson.
He is a Companion of the British Computer Society and a Fellow of the
Society of Advanced Legal Study. With the ever increasing legal constraints
and higher and higher standards placed on companies today, the IT industry
is also seeing increasing pressure to ensure that it conforms. Here are
just a few examples of these present day pressures.
Database security controls
and Benson offer clients advice and legal services through its world-wide
network of offices employing more than 450 lawyers. In the United States
the firm is based in Minnesota, Colorado, and Iowa, in Europe at London
and Frankfurt and in Asia in Shanghai. Faegre & Benson was established
in 1886 and has evolved into one of the 100 largest law firms in the U.S.
It has clients and in more than 60 countries. http://www.faegre.co.uk/firm_practice_detail.aspx?practiceID=147