In late 2004/early 2005, radiofrequency identification (RFID) was apparently poised for rapid growth due to, among other things, mandates from leading retailers and the Department of Defense (DoD) that their suppliers implement RFID in their supply chains, and the Food and Drug Administration’s (FDA) recommendation that pharmaceutical companies use RFID to create electronic pedigrees (e-pedigrees) to prevent drug counterfeiting.1 At the same time, RFID participants were also concerned about regulatory matters such as Federal Communications Commission (FCC) regulations and the ever-increasing spread of proposed state privacy legislation, as ignoring them could result in financial losses as well as sanctions that would impede deployment of RFID systems.2 Regulatory concerns, as well as cost, technical, and logistical issues, resulted in relatively slow RFID deployment during the past two years.
RFID Deployment Should Accelerate
While RFID deployment in the U.S. has not quite lived up to initial expectations, the trend is toward much stronger growth over the next several years. Recent developments have addressed many of the initial deployment problems and primed RFID for substantial expansion in the near future. These events include: (a) adoption of EPCglobal, Inc.’s (EPCglobal)3 Gen-2 specification as the de facto industry standard for RFID systems operating in the UHF frequency band; (b) notable technological innovations; and (c) government rulemakings aimed at requiring RFID for healthcare safety and international travel.
At the same time, RFID regulatory concerns have increased. For example, during the past year a well-known manufacturer was forced to suspend shipments of its RFID equipment, pay monetary forfeitures, and take other corrective actions when it was found to have violated the FCC’s equipment authorization and marketing rules. Also, seventeen states introduced RFID privacy bills in 2006, and two of those bills were passed into law. One pending bill would effectively ban RFID use in the state’s retail establishments.
Major Industry/Government Deployment Updates
Developments in Retailers’ Deployment of RFID
Back in June of 2003, Wal-Mart announced that it would require its top 100 suppliers to apply RFID tags on all their cartons and pallets delivered to its distribution centers by early 2005. Due to cost issues, unavailability of suitable tags, and technological problems, many suppliers could not comply with that mandate. Consequently, WalMart scaled back its mandate, initially requiring its top 100 suppliers to ship tagged pallets and cases of specific stock-keeping units to three distribution centers and 150 stores in Texas.
While Wal-Mart’s initial mandate was significantly reduced, the retailer has since made significant progress in its RFID rollout. By January 2006, Wal-Mart’s top 300 suppliers were shipping tagged cases and pallets to five distribution centers and 500 stores across the country equipped with RFID technology. By mid 2007, Wal-Mart expects to have up to 1,000 RFID-equipped stores, and is working with 300 more suppliers to ensure that they tag their cases and pallets for delivery to those stores. Wal-Mart is evidently convinced that RFID will be a vital tool in helping it to reduce out-of-stocks and excess inventory at its stores. This belief is supported by a 2005 study conducted by the University of Arkansas at 12 pilot Wal-Mart stores. The results of this study revealed that for items selling at a rate of 0.1 to 15 units a day, the use of RFID reduced out-of-stocks by 30%.4
Consequently, Wal-Mart plans to continue its RFID rollout, with the goals of implementing it universally in its supply chain and eventually tagging all items in its stores.
Several years ago Target also announced ambitious RFID plans. Since then, this retailer has concluded that it is not yet ready to engage in a widespread RFID deployment. Target had similar supplier issues as Wal-Mart, but instead of continuing its planned implementation, it has decided to limit its current RFID rollout to one distribution center. Target is exploring in-store RFID applications to serve customers, and is not devoting a substantial amount of RFID resources to its supply chain efficiencies. Target does not plan to significantly expand its RFID implementation until it has developed applications that will deliver a more immediate return on investment, which it sees as occurring three or four years in the future.5 RFID Rollout at the Department of Defense
In August 2004, DoD announced its policy to mandate use of RFID within its supply chain. This “phased in” policy initially requires suppliers to tag certain commodities at the pallet and case levels for shipments to two Defense Logistic Agency (DLA) distribution centers in California and Pennsylvania, while gradually increasing the tagging requirements to cover more items shipped to various DoD locations. Specifically, Phase I of DoD’s RFID mandate requires suppliers to tag cases and pallets of packaged operational rations, clothing, personal items, tools, and weapons systems parts and components shipped to the California and Pennsylvania DLAs. Phase II, which started in 2006, requires suppliers to tag cases and pallets of the aforementioned items, plus medical supplies (except pharmaceuticals), construction materials, packaged chemicals, petroleum, lubricants, oils, preservatives, and additives shipped to eight DLAs, ten defense distribution depots (DDDs), and three Air Force bases around the country. Phase III, scheduled to begin in 2007, will require suppliers to tag cases and pallets of virtually all commodities, and individual items that require a unique item identifier (UID) (e.g., items costing $5,000 or more, mission-essential items, precious metals, hazardous materials, items with a high resale value that are susceptible to theft) shipped to all major DoD receiving locations worldwide.
By late 2006, DoD had installed RFID at 69 facilities at 19 DDDs in 11 states. DoD plans to implement Phase III as more of its receiving locations become RFIDenabled. Due to technical and logistical issues, full implementation of Phase III may not occur until sometime after 2007. And, DoD has announced that it will not require suppliers to tag UID items during the 2007 calendar year.
E-Pedigree Implementation Delays and Prospects
Due to its concerns about increased incidents of drug counterfeiting, in 2003 FDA released a report stating that RFID should be used as a primary weapon in its war on counterfeit drugs. The report recommended that pharmaceutical companies use RFID to create an e-pedigree that records where and how a drug is distributed, i.e., by tagging a unit of drugs at the manufacturer and using readers to track it through the supply chain to the pharmacy, the pharmacist can ensure that the drug is authentic.
In an attempt to speed implementation of its e-pedigree program, in 2004 FDA implemented pilot programs and declared publicly that it would like to see U.S. drug companies implement RFID to track all prescription drugs at the unit level by 2007. FDA did not mandate its e-pedigree program, but rather “advised” the pharmaceutical industry to adopt its proposal.
FDA’s advocacy has not yet resulted in wide implementation of the e-pedigree program. At the end of 2006, less than ten types of prescription drugs were being tagged as they entered the supply chain. Without a specific mandate from FDA, drug companies have been hesitant to implement RFID. They cite a number of reasons for their delays.
Drug companies have balked at the up-front costs of implementing RFID. Manufacturers would incur substantial expenses from tagging and coding drugs before they enter the supply chain, while distributors and pharmacies would sustain costs from deploying antennas and readers at distribution and retail points. Consumer privacy is another key matter. Drug companies are concerned that if an RFID tag containing identifying information is still on the drug when it reaches the consumer, an unauthorized person with a reader might be able to read the information without the consumer’s knowledge. The main worry here is the substantial bit capacity of an RFID tag’s EPC, which enables the assignment of individual identifiers to tagged objects. The drug companies fear that since RFID has the potential to collect a good deal of personal information on tags and in company databases, that information might be accessible to experienced computer hackers. Another reason is that until recently there has been no harmonized standard for RFID. In years past, RFID vendors had adopted various standards, which among other things led to equipment incompatibility, lack of interoperability, low tag-yield rates, and high tag costs.6
Additionally, some states have implemented their own drug pedigree laws with different compliance requirements; none of which requires RFID. California, Florida, Nevada, and Virginia have each passed pedigree laws. Many drug companies are avoiding the upfront costs of RFID by using less expensive alternatives such as barcodes and paper to comply with these laws.
In light of the drug companies’ reluctance to implement e-pedigrees, in June of 2006 FDA released an updated drug counterfeiting report wherein it urged the industry to move quickly to implement RFID. In that report, FDA announced that it would, effective January 2007, lift the stay on regulations related to the Prescription Drug Marketing Act of 1987 (PDMA). These regulations require smaller drug distributors to institute pedigrees (though not necessarily e-pedigrees), to track the chain of custody of prescription drugs moving through their distribution systems. Although the PDMA regulations do not mandate e-pedigrees, FDA hoped that lifting the stay would encourage drug companies to implement RFID, which is a much more efficient tracking technology than bar codes or paper.
A federal court subsequently blocked FDA’s plan. In the summer of 2006, ten pharmaceutical distributors filed suit against FDA in the U.S. District Court for the Eastern District of New York, seeking to prevent FDA’s lifting of the stay on the PDMA regulations.7 The crux of the plaintiffs’ claim is that FDA’s pedigree rules are unconstitutional, because they are applied only to the smaller distributors, not the three largest U.S. distributors, termed the “authorized distributors of record” (ADR).8 The pedigree rules specifically exempt ADRs, and permit them to voluntarily track individual shipments through their systems.9 ADRs would be compliant with the regulations as long as they can provide sufficient documentation demonstrating receipt of their products directly from the manufacturers and distributors to the dispensing pharmacy.10
The court agreed with the plaintiffs, and in December 2006 it issued an injunction, effectively reinstating the stay on the pedigree rules.11 Sources say that the injunction is likely to stay in effect until the suit is ultimately resolved, which could take years.
Nonetheless, many legal experts expect that FDA’s PDMA rules will eventually be instituted. Courts typically favor the government in cases such as this, that allege violations of the Constitution’s Equal Protection and Due Process Clauses when the rational basis test applies, i.e., the challenger must show that a law is not rationally related to a legitimate government interest. This is a high burden to place on a challenger, and the government often wins these kinds of cases.
Ultimately, the e-pedigree issue may be resolved on Capitol Hill. In 2006 the U.S. Senate and House of Representatives proposed companion bills, both entitled Reducing Fraudulent and Imitation Drugs Act of 2006.12 These bills would require that all prescription drugs be tagged with RFID or similar technology to create an epedigree for tracking and tracing purposes. Both bills are currently pending in committees, but it is expected that they will be taken up again by the new Congress this year.
Additionally, some large drug companies are apparently rethinking their initial resistance to implementing RFID. These companies have recently launched pilot programs for RFID-based e-pedigrees, based on the idea that a universally adopted RFID e-pedigree could have a favorable cost/benefit ratio because it would enable trading partners to share data, improve inventory control, facilitate recalls, and withdraw products with expired use dates. These pilot programs are in their early stages, and at this point it is difficult to gauge their ultimate success.
Standards and Technology Advances
ISO’s Approval of Gen 2 May Expedite RFID Implementation
In July 2006, the International Standards Organization (ISO) approved EPCglobal’s Second Generation, Class 1 protocol standard for RFID devices operating in the UHF (860 to 960 MHz) band as part of its ISO/IEC 180000-6 standard (Gen 2). When Gen 2 was ratified by EPCglobal in 2004, it sufficiently impressed experts in the field, who enthusiastically touted it as the first truly worldwide standard for RFID. The ISO ratification confirms that view.
Gen 2 has the capacity to store large amounts of information on a tag,13 and permits customization of content. This enables supply chain trading partners to encode data to, and read EPCs from, UHF tags in a similar manner. Gen 2 also allows supply chain entities to share an interoperable reading and software infrastructure.
Gen 2 conforms to the UHF radio regulations of the FCC and European and Asian telecommunications regulatory bodies. Consequently, Gen 2 tags and equipment can be used nearly universally, which allows manufacturers, distributors, and vendors from all over the world to seamlessly coordinate their supply chains via RFID.
Gen 2’s positive impact on the deployment of RFID is illustrated by the recent decisions by Wal-Mart and DoD to require their suppliers to use it exclusively. In 2005, Wal-Mart lab-tested Gen 2 tags and readers and determined that Gen 2 was a vast improvement over other standards in its ability to read tags on products moving on conveyors and through dock doors. As a result, in 2006 Wal-Mart began to phase out RFID products using standards other than Gen 2, and ordered its suppliers worldwide to use Gen 2 tags on their new products shipped to Wal-Mart.
DoD has also determined that its RFID mandate will consist solely of Gen 2 technology. After observing and testing the advanced capabilities of Gen 2, DoD determined that it provided the best performance of all the standards. And, with the ISO ratification, DoD concluded that Gen 2 would be able to provide efficient interoperability with vendors and distributors worldwide. Consequently, DoD decided to discontinue use of RFID tags and equipment using standards other than Gen 2. As of October 2006, DoD will accept only tags compliant with the Gen 2 standard.
Near-Field UHF: One RFID Infrastructure Instead of Two
One of the more compelling RFID advances in 2006 was the introduction of near-field UHF technology.14 Near-field UHF appears to have the characteristics to enable it to be used effectively at all points in a supply chain, from the manufacturer through the retailer.
Traditional UHF RFID technology has a much longer read range (10-30 feet) than HF15 (3-10 feet), which makes it ideal for materials management and supply chain tracking. But, UHF has been seen as less desirable for item-level tagging, because it transmits electromagnetic waves that have RF absorption tendencies, which tend to degrade its transmission around metal and liquid products.
Conversely, HF readers use the magnetic field to power the tags, which prevents their signals from attenuating around metal and liquids. Hence, with the traditional technologies, entities that seek to implement RFID in their supply chain and at the item level would be forced to invest in HF and UHF equipment and tags, which raises obvious cost and logistics issues.
Near-field UHF technology has the necessary characteristics for item level tagging. For example, near-field UHF tags work well around metal products by allowing the metal to help couple the electrical field onto the tag. This produces a very efficient performance on metal. Also, because near-field UHF, like HF, uses the magnetic field (as opposed to electromagnetic waves), it works well around liquids. Moreover, near-field UHF has a much faster read rate than HF. HF has the capability to read 200 tags per second, whereas near-field UHF can read up to 1,000 tags per second.
In sum, UHF RFID is a very versatile technology for supply tracking and tracing. When used in its conventional mode, UHF RFID travels as electromagnetic waves where an electronic field feeds off a magnetic field; both fields build up to the point where the waves radiate off into the distance. This enables long-range tag reading, which is good for tracking at the case and pallet level. And, UHF RFID can now also be deployed for near-field reading at the item level, which utilizes the magnetic field and does not attenuate around metal and liquids.
A number of suppliers have developed near-field UHF tags and inlays in 2006 that are Gen 2 compliant. Because near-field UHF permits RFID users to invest in one infrastructure only (instead of two to accommodate HF and UHF), and because UHF comports with the world-wide Gen 2 standard, it is likely that the use of this technology will help to spur RFID deployment in the future.
Government Proceedings Portend RFID Deployment in Medical and Travel Fields
In 2006, FDA and the U.S. Department of State (State) instituted rulemaking proceedings that will almost certainty increase the momentum for widespread RFID implementation. Both of these proceedings will likely result in government-mandated RFID use for the important and expanding medical equipment and international travel industries.
FDA Seeks UDI for Medical Devices
In August 2006, FDA released a Notice and Request for Comments concerning its proposed implementation of a unique identification system (UDI) to track and trace medical devices in hospitals and other health care settings. The main purpose of UDI would be to reduce medical errors by providing more automated collection of information about various medical devices such as the manufacturer, make and model, unique attributes, serial numbers, identifying lot numbers, and expiration dates. That information would then be matched up against patient information. FDA suggested that UDI could also be used to facilitate device recalls, improve medical device reporting, identify device incompatibilities, and decrease costs in medical equipment supply chains. FDA sought comment on various aspects of its proposal, including which technology should be used for UDI.
FDA is considering implementing a mandatory UDI possibly based on RFID technology. A number of commentators agreed, stating, among other things, that: (a) RFID could help reduce medical errors, because tags have the capacity to collect the unique attributes of a medical device and the protocol to efficiently transmit the information to hospital databases; (b) RFID can expedite product recalls by capturing data such as lot number and location information on individual items, which would reduce the time spent identifying items targeted for recall, as well as reducing the likelihood of a mass market recall of branded products; and (c) RFID is useful in improving adverse event reporting because, due to tag capacity to collect detailed information, it can be used to create electronic health records and provide specific information regarding uses of a given device.
FDA is currently reviewing all comments received in this proceeding. It is expected that FDA will write regulations based on the findings from this proceeding in the winter of 2007 and put them out for public review and comment soon thereafter. FDA sources say that should regulations concerning UDI/RFID be adopted, there will likely be a phased-in compliance period lasting one to five years.
State Department Proposes RFID Passport Cards
In October 2006, State released a Notice and Request for Comments seeking public input on its proposal to implement the use of RF-enabled passport cards at U.S. points of entry. State’s proposal is intended to carry out its statutory mandate contained in the Intelligence Reform and Terrorism Prevention Act of 2004 (IRTPA). IRTPA provides that U.S. citizens and nonimmigrant aliens may enter the U.S. only with passports or alternative documents deemed satisfactory by the Department of Homeland Security (DHS) as establishing identity and citizenship.
IRTPA is scheduled to go into effect early this year for travelers entering the U.S. by air, and early 2008 for travelers entering the U.S. by land or sea. State’s proposal addresses the latter category. Specifically, State intends that U.S. citizens crossing U.S. land borders or traveling by sea from Mexico, Canada, the Caribbean, or Bermuda should be able to obtain entry by using a driver’s license-sized card with an embedded RFID tag in lieu of a traditional passport book. The idea is to expedite entry into the U.S. by having border guards utilize RFID to rapidly scan the passport cards as people and vehicles approach U.S. borders or ports.
In its Notice, State declares that it is nearly certain to implement its proposal, and its comment solicitation focused mainly on whether it would adopt UHF Gen 2 technology or HF technology for the passport cards. State contends that it would tend to prefer UHF Gen 2 technology over HF, due to its much longer read range. But, State is currently reviewing the comments on this matter, some of which favor HF technology. It is expected that State will release proposed rules resulting from this proceeding by the spring of 2007.
Regulatory and Privacy Concerns
FCC Aggressively Enforcing Rules for RFID and Other RF Devices
In March 2006, a leading manufacturer of RFID readers and reader modules received a notice from one of its customers that some of its products were apparently not certified as compliant with FCC rules. The company quickly hired a law firm to investigate the matter. The investigation revealed FCC rule violations, which resulted in: (a) a months-long cessation of shipping and importing of its equipment; (b) the firing of its Chairman and CEO; (c) unfavorable press coverage; and (d) FCC enforcement proceeding resulting in $40,000 in forfeitures and other penalties.
Section 302(b) of the Communications Act of 1934, as amended, prohibits the manufacturing, importation, marketing or use of any radio device that does not comply with FCC rules.16 RFID is regulated under Part 15 of the FCC’s rules for lowpower devices.17 Because RFID devices transmit radio waves, the FCC classifies them as intentional radiators which must be authorized via testing and certification that the devices will not cause harmful interference to other radio operations.18 With limited exceptions, the FCC’s rules require that most intentional radiators be certified prior to marketing, importation, or use in the U.S.19
Full compliance with FCC rules for RFID equipment is very important, and the consequences for RFID players failing to do so can be very severe. For example, if a company purchases RFID equipment that has not been certified or is otherwise in violation of the rules, the FCC can, at any time, legally shut down the company’s RFID network. Moreover, anyone who sells or operates the non-compliant equipment is subject to substantial fines and other enforcement actions by the FCC.
The FCC has been vigorously enforcing its equipment authorization rules. During the past two years the FCC has instigated dozens of investigations against entities suspected of marketing or using unauthorized devices. Recently, the FCC issued eight citations in one day to different sellers of the same unauthorized device, ordering them to immediately cease selling the device or risk penalties including fines up to $11,000 for each day the device is sold. In other instances, the FCC forced manufacturers of non-compliant devices to take all of their devices off the market and pay fines ranging from $30,000 to $75,000.
RFID Privacy Legislation Continues Unabated
According to state legislatures around the country, privacy is the most important RFID-related issue. Ever since Wal-Mart announced its RFID mandate in 2003, statehouses have continuously launched RFID privacy bills. Many of these bills appear to be overreactions to unfounded threats, but they tend to be politically popular.
The number of RFID privacy bills introduced each year is accelerating. In 2004, six states and the federal government introduced privacy bills. In 2005, 12 states proposed privacy legislation. And, in 2006, 17 states attempted to pass RFID bills that purport to protect the privacy of individuals; two of them were passed into law. In 2004 and the early part of 2005, most of the state privacy bills concerned the use of RFID tags by retailers. Those bills would typically require retailers to notify customers if RFID tags were affixed to merchandise, and to remove or disable tags at the point of sale. More recently, the privacy bills tend to cover areas beyond that of RFID in retail settings.
Two bills that were signed into law in 2006 illustrate the current trend of privacy legislation. New Hampshire’s H.B. 1738 prohibits the use RFID to identify ownership of a vehicle or the identity of a vehicle’s occupants. Wisconsin’s A.B. 290 prohibits any individual from forcing another to undergo the implanting of an RFID chip in that person’s body.
The general trend of RFID privacy bills covers many new areas, but the retail sector is still subject to proposals from state legislatures that would severely restrain the use of RFID. For example, in late 2006, a member of the Washington State House of Representatives propounded what could possibly be the most chilling RFID privacy bill ever introduced in the U.S.20
The “Electronic Bill of Rights” would effectively ban the use of RFID in retail settings in Washington State. The bill’s most restrictive provisions include:
- A requirement that a retailer selling any item with an RFID tag attached post a conspicuous notice stating that: (i) the item has or may contain an RFID tag; (ii) the customer may request that the tag be inactivated at point of sale; and (iii) the customer may request a copy of all personal information collected about him or herself via RFID, including the identity of any person who has had access to that information.
- A prohibition on the sale or use of an item containing an RFID tag unless a label is attached to the item, stating that it contains the tag, which is “capable of transmitting personal information to an independent reader or scanner both before and after purchase or issuance.”
- A proscription against “coercing” a customer into keeping a “live” RFID tag on an item after sale, as a condition of repairing or replacing the item.
- A prohibition against “linking” or “combining” a customer’s personal information with information gathered by, or contained within, an RFID tag.
- A complete ban on using an RFID device to: (i) remotely scan, or attempt to scan, an item associated with a consumer, without that consumer’s knowledge; or (ii) disclose or use a consumer’s personal information associated with information gathered by an RFID tag.
There are no signs that the spate of RFID privacy bills proposed and passed in the past two years will abate any time soon. Consequently, the RFID industry must remain aware of these bills and work with the state governments to educate them on the technology and lobby against the passage of bills that would impede the growth of RFID. Federal preemption may be necessary to prevent a patchwork of privacy laws that would require RFID businesses to expend substantial resources in order to comply with them.
Lack of Regulatory Savvy Could Stunt the Growth of RFID Networks
Due to various mandates and government proposals, the consensus on RFID during the years 2003 to 2004 was that this technology would, within a few short years, be universally adopted by drug companies, and fully implemented in retail and certain government supply chains. As with many “new” technologies, the early hype did not coincide with practical considerations. Infrastructure hindrances, cost concerns, technological limitations, and other problems resulted in a temporary delay in widespread RFID deployment.
In 2007, many of the causes that hindered RFID implementation are being resolved, and new mandates are in the offing. Accordingly, it is expected that RFID will experience robust growth in the future.
Nonetheless, as recent history shows, noncompliance with technical regulations can severely hinder the deployment of RFID systems, and result in financial losses and other hardships for manufacturers, vendors, and users of RFID. Also, privacy bills will continue to multiply, and, as happened in 2006, some are sure to become law. Consequently, it is very important for all businesses that produce, market, import, or use RFID equipment to be aware of the changing regulatory landscape, and develop programs to ensure compliance with current and future regulations.