Considering privacy when using RFID in retail stores

Who would have thought ten years ago that we would have an — almost invisible — functioning ‘computer’ in a piece of clothing being sold for less than ten Euro? Technology has become significantly more advanced, more engrained in our everyday life and more invisible. It is no wonder that we are increasingly more concerned about the influence of all this technology on our personal lives, thus our privacy.

To overcome this and to “ensure that the fundamental right to personal data protection is guaranteed”, the European Commission adopted new EU data protection rules [1]. The General Data Protection Regulation (GDPR) will become effective in the European Union in May 2018. The GDPR replaces and harmonizes existing privacy regulations, while at the same time creating a more extensive set of ‘digital’ rights for European citizens. Together with hefty fines (up to 4% of worldwide turnover), it is extremely important for retail companies using RFID technology to comply with this regulation.

While the usage of RFID in retail stores and supply chain is mainly oriented towards increasing stock accuracy and improving logistic processes, this doesn’t exclude a privacy element for the consumers buying products with RFID included. This article will explain in detail what privacy elements there are in using RFID in retail stores, how they are affected by new and existing regulations and how to best comply with those.

Application of the GDPR for RFID

One of the core elements of personal privacy is the protection of personal data. The GDPR has a definition for personal data where it states that “personal data means any information relating to an identified or identifiable natural person.” It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.

“personal data means any information relating to an identified or identifiable natural person”

The data in the RFID tag relates to a product identifier (which states that it is a “blue t-shirt in size M” or a “red dress in size XL”) plus a serial number. The combination of the product identifier and the serial number (EPC) is unique across the globe. So, when you ‘read’ an EPC in Amsterdam and later in Paris, you can be pretty sure that the product belonging to the EPC is exactly the same. Taking it one step further, if the product is exactly the same, and somebody is wearing that product, you can be quite sure that it involves the same person.

Is the EPC personal data then? It depends. As long as it is not related to a single individual person it is not. So, if the EPC is purely treated as a supply chain element — it will not be personal data.

However, when additional use cases are introduced, it can quickly become personal data:

• Customer relations management (CRM) When associating the EPC of a product with a customer in a CRM system (e.g. for service purposes), the EPC becomes personal data.
• Effortless (online) returns Because the EPC is unique, when a customer returns a product to a store, there is no need to ask for a receipt: the EPC can always be traced back to the original customer to issue a refund.

In those cases, the EPC becomes personal data, and a lot more care should be taken. Here are some examples of what should be taken care of, whilst not being exhaustive:

• The personal data should be removed as soon as it is not needed anymore. For example, in the case of product returns: once the return period has passed, the EPC should be removed from the systems.
• The consumer has to give consent for personal data to be processed when there is no explicit need to process the data (where explicit need is defined in [2]).
• The customer has the right of access to their personal data and check how it is being processed.
• The customer has the right to erase his or her personal data.

European recommendation on RFID

While the GDPR is not specifically targeted at the usages of RFID, there is an existing European recommendation that is focusing on RFID. It is called “on the implementation of privacy and data protection principles in applications supported by radio-frequency identification” (2009) [3]. This recommendation also gives some interesting insights on how to implement RFID in a privacy-conscious way.

An important point in the recommendation is: “Because of its potential to be both ubiquitous and practically invisible, particular attention to privacy and data protection issues is required in the deployment of RFID.” This is of course true: if you truly embed the RFID tag in the product (e.g. using a RFID yarn), no customer is able to determine whether it contains RFID or not.

“Because of its potential to be both ubiquitous and practically invisible, particular attention to privacy and data protection issues is required in the deployment of RFID.”

And then it continues: “Consequently, privacy and information security features should be built into RFID applications before their wide­ spread use (principle of ‘security and privacy-by-design’).” This makes sense, and the RFID industry is adopting this. An example is the ‘untraceable’ functionality that is present in the most recent version of the RFID standard. The ‘untraceable’ feature offers the following functionality:

• Reduce the read range of the tag from long range (2–5 meter) to only short range (few centimeters). This can be done at point-of-sale and reversed at return.
• Hide part of the EPC. This allows hiding the serial number, which makes the EPC unique. It also has the capability of hiding the non-changeable production identifier of the tag.

Of course, those features are password protected to prevent misuse by third parties.

The recommendation also lists some specific suggestions for retail trade applications:

• Inform customers of the presence of RFID tags. This can be easily done by including the ISO standardized RFID logo on a product (for example on the price ticket with a minimum size of five by five mm) and putting the logo on the shop window.
• Customers should be easily able to remove or deactivate the RFID tag. This is quite straightforward when the RFID tag is in a swing ticket (which is safely to be assumed removed by the customer after purchase), but more challenging when the RFID tag is in a care label or embedded in the product. In the latter case it makes sense to offer a ‘deactivation’ service to customers.

And very important: “Deactivation or removal of tags should not entail any reduction or termination of the legal obligations of the retailer or manufacturer towards the consumer.” So, if a customer chooses to have the RFID tag removed, they should still be able to return the product.

“Deactivation or removal of tags should not entail any reduction or termination of the legal obligations of the retailer or manufacturer towards the consumer.”

Privacy Impact Assessment

A follow-up of the 2009 recommendation was set two years later with the RFID Privacy Impact Assessment [4]. Using this assessment, a retail company that is about to deploy RFID technology is able to assess the impact of that deployment on the privacy of consumers and is able to take precautionary measures to minimize the impact.

The international standards organization GS1 has transformed this in an Excel-based tool that can be found on https://www.gs1.org/pia; another tool was created by the French National Centre for RFID (CNRFID) on http://rfid-pia-en16571.eu.

Whether a Privacy Impact Assessment needs to be completed, and what level of detail is required, depends on the following criteria:

1. Whether the RFID application processes personal data, or whether RFID tags are linked to personal data.
2. Whether the RFID tags themselves contain personal data.
3. Whether the RFID tags are carried by an individual.

If the answer to all those three questions can be answered by ‘no’, no PIA needs to be carried out.

Summary and recommendation

Dealing with the complexity of deploying RFID at large scale, and at the same time taking care of the privacy of your customers can seem very overwhelming. However, when following the next three straightforward recommendations privacy of customers can be ensured.

1. Embed the RFID tags in the swing ticket when getting started (instead of using the care label or directly integrating it in the product). This ticket is always removed by the consumers after buying the item, which does away with a lot of the privacy risks already.
2. Inform the consumers about the usage of RFID by having the RFID-logo on the swing tickets and on the shop window. In addition, it is helpful to explain them why you deploy RFID and what you do with the data (e.g. on your website or at the POS).
3. Do not store the EPC in relation to personal data in systems. With Nedap !D Cloud, this is definitely the case: we don’t store any end-consumer data related to EPCs.

When the initial RFID roll-out has been completed, more time and knowledge is available to consider next steps by introducing new use cases. The Privacy Impact Assessment (PIA) tools are helpful to judge whether a new use case or RFID tag integration method has more impact on the privacy of your customers, and how to minimize that impact.

Special thanks to my colleague Ruud van Balveren (Nedap Privacy Officer) for his assistance in writing this article.

[1]: http://europa.eu/rapid/press-release_STATEMENT-16-1403_en.htm
[2]: http://eur-lex.europa.eu/legal-contentEN/TXT/?uri=celex:32016R0679 — article 6.1b-6.1f
[3]: http://eur-lex.europa.eu/eli/reco/2009/387/oj
[4]: https://ec.europa.eu/digital-single-market/en/news/privacy-and-data-protection-impact-assessment-framework-rfid-applications