California has enacted a statute prohibiting the compelled or coerced implantation of a subdermal identification device, such as a Radio Frequency Identification (RFID) microchip or a newer chipless "RFID tattoo." The new law does not impact voluntary implantation. California now joins Wisconsin and North Dakota as states that have banned forced RFID implantation. Florida is among several states considering a similar law.
The new California statute (SB No. 362, now Chapter 538) was approved by Governor Schwarzenegger on October 12. It establishes a new Civil Code Section 52.7, which provides that "no person shall require, coerce, or compel any other individual to undergo the subcutaneous implanting of an identification device." It creates a civil action under which a person implanted may recover a "civil penalty" of no more than $10,000 per implant and no more than $1,000 "for each day the violation continues," actual damages and compensatory damages, as well as injunctive relief. Punitive damages may be awarded on proof of the defendant's "malice, oppression, fraud or duress" in requiring device implantation. This statute becomes effective on January 1, 2008.
Why the Statute Believed Needed
Recent RFID technology advances in microchip miniaturization have resulted in the development of hundreds of new RFID-enabled products, including devices designed to identify, track and monitor people. The sponsor of the California law, State Senator Joe Simitian (D-Palo Alto), introduced the bill after learning that a Cincinnati surveillance company, Citywatcher.com, had required employees who work in its secure data center to have an RFID chip implanted in an arm. In 2004, the U.S. Food and Drug Administration (FDA) approved VeriChip Corporation's use of an RFID tag for human implantation to allow medical professionals to access a patient's medical history in case of an emergency. The VeriChip device is an ultra-small glass-encapsulated RFID tag (about the size of a grain of rice) that is injected beneath the skin. According to VeriChip, more than 2,000 people have had its RFID tag implanted.
VeriChip Corporation, which went public in February of this year, addressed how unresolved privacy issues could impact its business in its February 9, 2007, prospectus filed with the Securities and Exchange Commission: "While we support all pending and enacted legislation that would preclude anything other than voluntary implantation, legislative bodies or government agencies may determine to go further, and their actions may have the effect, directly or indirectly, of delaying, limiting or preventing the use of human-implantable RFID microchips or the sale, manufacture or use of RFID systems utilizing such microchips."
A December 2006 Department of Homeland Security privacy committee report noted that efficiencies from RFID-enabled identification documents are limited because staff still need some means of confirming that the document holders are who they say they are. This problem could be addressed with subdermal implantation of RFID devices. While subdermal RFID has some promise when used voluntarily, it comes with the same security and privacy risks associated with other RFID-enabled products. Because it is injected beneath the skin and is costly and challenging to remove safely, subdermal RFID presents a Pandora's Box of policy questions in addition to its implications for constitutionally protected rights to freedom and privacy.
Pending before the California legislature are several other bills, also introduced by Senator Simitian, that are aimed at addressing privacy concerns of RFID use in school identification documents, driver's licenses and similar personal documents.