The state of California was ahead of the curve on the anti-spam debate, enacting one of the first spam regulations in 1998. Now, the state senator who authored that law is attempting a similarly preemptive strike on radio frequency identification (RFID) and the ways it could be harnessed to compromise individual privacy.

SB 1834, passed by the state senate in a 22-8 vote late last month, prevents stores and libraries from collecting information beyond what they already capture via bar codes. The measure prohibits the use of RFID technology to track individuals as they shop (by monitoring items they may have picked up) or after they leave the store or library (via tags embedded in items like clothing).

California is known for being a trailblazer when it comes to laws surrounding technology issues. And with the start last month of Wal-Mart's RFID experiment bringing the concept into practice, all eyes are on how California lawmakers deal with the situation.

Opposition mounts
"I think it's poorly thought out and really premature," says Mark Roberti, founder and editor of RFID Journal. "Why are we going around legislating a problem that doesn't yet exist?"

SB 1834 author Debra Bowen (D-Redondo Beach) doesn't agree. "Waiting for a problem to develop before setting standards generally prompts the argument that 'we've already got all of this infrastructure in place and it's too expensive to change now,'" she says. "It's much better and much cheaper to address the social and ethical implications of emerging technologies much earlier -- so government isn't constantly running to catch up by passing laws."

The bill's naysayers argue that RFID won't be rolled out on a widespread basis for at least three years. By then, the measure's provisions could be applied more broadly or narrowly than originally intended. "Others, such as law enforcement or marketing analysts, will come along and say 'Gee, you have this infrastructure in place, let's use it for additional task X.' Each of those additions has the potential to be a problem," says Gene Spafford, a Purdue University professor and executive director of the school's Center for Education and Research in Information Assurance and Security.

The bill's stipulation that companies cannot track shoppers' actions also strikes some as unduly restrictive. Taken in the aggregate, information would seem only to help manufacturers and retailers learn more about their businesses, without any undue privacy encroachment.

"That's the argument used against every single privacy bill," Sen. Bowen counters. "I don't have any problem with stores and manufacturers collecting aggregate data. What I object to, and what the bill focuses on, are those cases where the store or the manufacturer wants to collect that kind of data and tie it to a shopper's personal information."

The bill's shortcomings
Critics of the California measure also argue that it lacks several key components. Suggestions include requirements that RFID tags must be permanently disabled after a product purchase unless the purchaser expressly requests otherwise, as well as specific guidelines outlining who can access the collected information.

Roberti's greatest concern with the legislation, however, is that it robs consumers of the opportunity to make their own decisions. "What [the measure] says to me is that [the government] doesn't think consumers are smart enough," he explains, noting that some might allow themselves to be monitored in exchange for a discount or other incentive.

Beyond discounts and incentives, however, this legislation would prevent California residents from enjoying significant customer conveniences made possible by RFID technology (see our related article for more information).

Sen. Bowen strongly disagrees with this interpretation, noting that there are many comparable laws already on the books. For example, video stores cannot disclose records of the titles an individual has rented; and cable TV companies are prohibited from tracking what subscribers watch. "It has nothing to do with whether shoppers are smart or whether they're savvy about technology and privacy issues, because if RFID becomes ubiquitous, people won't have the ability to make any choices," she says.

According to Peppers & Rogers Group Partner Don Peppers, "While I certainly agree that the right to privacy should be taken seriously, it is astonishing that a legislator could seriously advocate a law that does not even give consumers the right to choose for themselves. If there's one thing that everyone ought to know by now it is that people are not all the same, and among all their other differences they have different levels of sensitivity regarding their own privacy."

"Californians should count themselves lucky that Sen Bowen wasn't around 50 years ago to 'protect' them from the introduction of credit cards."

SB 1834 will be heard by the California State Assembly in June.