BILL ANALYSIS                                                                                                                                                                                                    






                           SENATE JUDICIARY COMMITTEE
                        Senator Ellen M. Corbett, Chair
                           2007-2008 Regular Session


          SB 362                                                 S
          Senator Simitian                                       B
          As Amended April 9, 2007
          Hearing Date: April 10, 2007                           3
          Civil Code                                             6
          ADM                                                    2
                                                                 

                                     SUBJECT
                                         
                Identification Devices: Subcutaneous Implanting

                                   DESCRIPTION  

          This bill would prohibit a person from requiring, coercing,  
          or compelling any other individual to undergo the  
          subcutaneous implanting of an identification (ID) device.

          This bill would provide specified rights of action and  
          remedies for a violation of its provisions.

          This bill would provide that its provisions shall be  
          liberally construed so as to protect privacy and bodily  
          integrity.

          This bill would provide that actions brought pursuant to  
          its provisions would be independent of any other actions,  
          remedies, or procedures that may be available to an  
          aggrieved party pursuant to any other law.  

          This bill would define the terms "identification device,"  
          "person," "personal information," and "subcutaneous" for  
          purposes of its provisions.

                                    BACKGROUND  

          Radio Frequency Identification (RFID) is an old technology  
          that has recently raised new privacy questions due to its  
          increasing prevalence in day-to-day life.  RFID contactless  
          technology allows for the transfer of information via radio  
                                                                 
          (more)



          SB 362 (Simitian)
          Page 2



          waves to a nearby RFID scanner.  Tiny chips, with  
          associated antennae, are embedded within items, including  
          ID devices the size of a grain of rice, and designed to  
          respond to the proper signal from a scanner.  Depending on  
          the type of RFID technology used, a RFID tag may be read  
          from a wide range of distances.  (See Comment 2.)
          In 2004, the U.S. Food and Drug Administration (FDA)  
          approved an implantable RFID device, VeriMed patient ID  
          system, which contains patient identification and health  
          information.  "The key components of the VeriMed system are  
          a passive microchip, which is approximately the size of a  
          grain of rice, a fixed location or a wireless handheld  
          scanner used to read the 16-digit identification number  
          contained on the microchip ? and a web-enabled database  
          containing [patient medical information]."  The company  
          marketing the VeriMed system, VeriTech Corp., went public  
          in February 2007.  VeriTech's prospectus includes other  
          applications of implantable microchips, including  
          "asset/staff location and identification" systems.  

          The advent of implantable ID devices has raised privacy  
          concerns in a number of states, particularly with respect  
          to nonvoluntary implantation.  Wisconsin recently enacted  
          legislation prohibiting an individual from being required  
          to undergo the implanting of a microchip.  This bill is  
          intended to ensure that no Californian is forced to undergo  
          subcutaneous implantation of an ID device.   

                             CHANGES TO EXISTING LAW
           
           Existing law  provides that all people in this state have an  
          inalienable, constitutional right to privacy.  [Cal. Const.  
          art. I, Section 1.]

           Existing law  provides that every person has, subject to  
          qualifications and restrictions provided by law, the right  
          of protection from bodily restraint or harm, from personal  
          insult, from defamation, and from injury to personal  
          relations.  [Civil Code (CC) Section 43.]
          
           This bill  would prohibit a person from requiring, coercing,  
          or compelling any other individual to undergo the  
          subcutaneous implanting of an identification device.

           This bill  would provide that:
                                                                       




          SB 362 (Simitian)
          Page 3



           Any person who violates or threatens to violate its  
            provisions may be enjoined in any court of competent  
            jurisdiction.
           Any person found in a civil action to have violated its  
            provisions may be assessed an initial civil penalty of no  
            more than $10,000, and no more than $1,000 for each day  
            the violation continues until the deficiency is  
            corrected.
           The court may award a prevailing plaintiff reasonable  
            attorney's fees and costs.
           In assessing the amount of the civil penalty, the court  
            may consider all of the following:
               a)  the nature and extent of the violation;
               b)  the number and severity of the violations;
                  c)  the economic effect of the penalty on the  
               violator;
               d)  whether the violator took good faith measures to  
                 comply with the bill's    provisions and the time  
                 those measures took;
                  e)  the willfulness of the violator's misconduct; 
               f)   the deterrent effect that imposition of the  
                 penalty would have on the violator and the regulated  
                 community as a whole; and
                  g)  any other factor that justice may require.
           Civil actions pursuant to the bill's provisions may be  
            brought by any aggrieved party or by the Attorney  
            General, a district attorney, or a city attorney.
           An action brought under the bill's provisions would have  
            to be commenced within 3 years of the date the ID device  
            was implanted, unless the person who received the implant  
            lacked capacity at the time of implantation, in which  
            case, within 3 years after the discovery date.

           This bill  would provide that its provisions shall be  
          liberally construed so as to protect privacy and bodily  
          integrity.

           This bill  would provide that actions brought pursuant to  
          its provisions would be independent of any other actions,  
          remedies, or procedures that may be available to an  
          aggrieved party pursuant to any other law.  

           This bill  would define "identification device" as any item,  
          application, or product that is passively or actively  
          capable of transmitting personal information, including,  
                                                                       




          SB 362 (Simitian)
          Page 4



          but not limited to, devices using radio frequency  
          technology.

           This bill  would define "person" to mean an individual,  
          business association, partnership, limited partnership,  
          corporation, limited liability company, trust, estate,  
          cooperative association, or other entity.  

           This bill  would define "personal information."  (See  
          Comment  2.)

           This bill  would define "subcutaneous" to mean existing,  
          performed, or introduced under the skin.

                                     COMMENT
           
          1.    Stated need for the bill  

            The author writes:

               Subdermal RFID-enabled ID devices have been developed  
               and are currently being marketed in the U.S. and  
               abroad - VeriChip Corporation, which went public on  
               Feb. 9, 2007, and has the only FDA-approved human  
               implantable RFID system, acknowledged in its  
               prospectus its intent to develop human implantation  
               markets and expects these to be major future revenue  
               sources.

               Privacy and security risks - RFID systems can be  
               compromised, many in seconds, which exposes device  
               holders to identity theft, property theft,  
               surveillance, stalking and tracking, and other serious  
               harm.

               No limits, no protections - There are no legal limits  
               on the type of information that can be stored on an  
               RFID tag; and there are no laws establishing minimum  
               security protections for the information that tags  
               contain.  Thus, nothing prevents an employer or public  
               entity from forcing a person to carry or implant a  
               RFID tag that may broadcast the person's race,  
               religion, employer, or home address to anyone with an  
               inexpensive RFID reader.

                                                                       




          SB 362 (Simitian)
          Page 5



               Healthcare and other costs - Subdermal RFID is a new  
               RFID application.  Its long-term health effects and  
               related costs are unknown.  Even assuming subdermal  
               applications prove safe, who will pay healthcare costs  
               related to insertion and/or removal?  In the event of  
               a device recall, employment termination, technological  
               obsolescence, or identity theft, who pays?

               Incentives matter - A 2006 Department of Homeland  
               Security privacy committee report notes that  
               efficiencies from RFID-enabled IDs are limited due to  
               the need for staff to confirm the holder is who they  
               say they are.  This problem could be addressed by  
               subdermal implantation, which could thereby provide a  
               powerful incentive for such implantation.  

               Wisconsin has enacted a law to prohibit forced  
               implantation of ID devices.  California law does not  
               currently explicitly prohibit such forced implantation  
               of ID devices, though certainly such conduct would  
               constitute a battery, actionable under tort law.  This  
               bill would provide a clear statutory prohibition on  
               forced implantation of an ID device.  

          2.   "  RFID" and "personal information" defined  

            A.   RFID defined

               As stated in the Department of Homeland Security's  
               Data Privacy and Integrity Advisory Committee's report  
               on The Use of RFID for Human Identity Verification:

               RFID is a type of automatic identification technology  
               that enables the user to "tag" objects with a tiny  
               device that can later be detected by automatic means.   
               That detection can range from simply noting the  
               presence of the device, to obtaining a fixed  
               identification number from the device, to initiating a  
               two-way communication with the device.  The essential  
               functionality of the system is that when the tag is in  
               the presence of an appropriate radio frequency (RF)  
               signal emanated by a reader, the tag responds by  
               sending back a reflected RF signal with information in  
               response.  Some can only operate over a very short  
               distance of a few centimeters or less, while others  
                                                                       




          SB 362 (Simitian)
          Page 6



               may operate at longer distances of several meters or  
               more.  At the higher-end of RFID technology, the  
               contactless RFID tags have been enhanced with the full  
               capabilities of smart card chips that contain  
               general-purpose computer processors and large  
               non-volatile memory spaces ?.

            B.   Personal information defined

               This bill would define "personal information" to  
               include any of the following data elements to the  
               extent they are used alone or in conjunction with any  
               other information used to identify an individual: 1)  
               first or last name; 2) address; 3) telephone number;  
               4) email, Internet Protocol, or website address; 5)  
               birth date; 6) driver's license or CA identification  
               card number; 7) any unique personal identifier number  
               contained or encoded on a driver's license or  
               identification card; 8) bank, credit card, or other  
               financial institution account number; 9) any unique  
               personal identifier contained or encoded on a health  
               insurance, health benefit, or benefit card or record  
               issued in conjunction with any government-supported  
               aid program; 10) religion; 11) ethnicity or  
               nationality; 12) photograph; 13) fingerprint or other  
               biometric identifier; 14) Social Security number; or  
               15) any unique personal identifier.

          3.    Bill would not prohibit voluntary subcutaneous ID  
          device implantation  

            This bill would prohibit a person from requiring,  
            coercing, or compelling any other individual to undergo  
            subcutaneous implantation of an ID device.  The bill  
            would not prohibit voluntary subcutaneous implantation of  
            an ID device.  VeriChip, the company with FDA approval  
            for an implantable RFID device, stated in its February  
            2007 prospectus that it supports "all pending and enacted  
            legislation that would preclude anything other than  
            voluntary implantation ?."

          4.    Right to bodily integrity would be protected by the  
          bill  

            This bill would prohibit required, coerced, or compelled  
                                                                       




          SB 362 (Simitian)
          Page 7



            subcutaneous implantation of an ID device.  By doing so,  
            the author asserts this bill would protect a person's  
            fundamental right to bodily integrity.  Bodily integrity  
            is protected by both statutory and case law, depending on  
            the particular issue involved.  An example of the right  
            to bodily integrity is the doctrine of informed consent  
            with respect to medical procedures.  The author notes  
            that U.S. Supreme Court justices have underscored the  
            importance of the right to bodily integrity:

               [N]o right is held more sacred, or is more carefully  
               guarded, by the common law, than the right of every  
               individual to the possession and control of his [or  
               her] own person, free from all restraint or  
               interference of others, unless by clear and  
               unquestionable authority of law.  [Union Pacific Ry.  
               Co. v. Botsford (1891) 141 U.S. 250.]

               [E]very human of adult years and sound mind has a  
               right to determine what shall be done with his [or  
               her] own body.  [Schloendorff v. Society of the N.Y.  
               Hosp. (1914) 211 N.Y. 125.]

          5.    Societal and practical implications of involuntary  
            subcutaneous ID device implantation  

            The author states that, while forced implantation of an  
            ID device may appear farfetched, VeriChip is floating  
            various implantation proposals, including to track  
            employees and visitors and to secure access to restricted  
            facilities.  The author notes that there was a time when  
            the U.S. Supreme Court sanctioned involuntary  
            sterilization of women with severe mental deficiencies  
            (Buck v. Bell (1927) 274 U.S. 200).  And, while  
            involuntary sterilization would not pass constitutional  
            muster today, particularly due process guarantees,  
            certain groups, such as employees could feel pressured or  
            coerced to accept ID implantation in order to earn a  
            living.

            The author also notes that forced implantation raises a  
            number of practical questions:  1) who pays for the cost  
            of purchasing, implanting, and monitoring; 2) who pays if  
            a person has an adverse reaction; and 3) what happens  
            when a chip becomes obsolete or compromised, and must be  
                                                                       




          SB 362 (Simitian)
          Page 8



            replaced?  As an example, a company, CityWatcher.com,  
            recently closed its doors.  The company, which provided  
            video surveillance to clients and law enforcement, had a  
            number of employees who got "chipped," with a chip  
            containing certain unspecified information.  While these  
            employees were ostensibly not forced to get "chipped,"  
            questions remain about what happens now that the company  
            has gone out of business, and the employees still have  
            implanted chips.  

          6.    Parental choice to have child subcutaneously implanted  
          with ID device  

            In general, parents control what occurs to their minor  
            children, i.e., children under the age of 18.  However,  
            both the defined age of a "minor" and a minor's rights  
            depend on the context of the right at issue.  For  
            example, in the area of minor's health rights, the  
            minor's age and rights, and the degree of parental  
            involvement vary depending on the context and  
            circumstances, whether it be pregnancy, contraception,  
            abortion, emergency medical services, rape services,  
            mental health services, AIDS/HIV testing and treatment,  
            general medical care, or drug/alcohol abuse treatment.  

            The California Medical Association (CMA), in one of its  
            advisory opinions, provides that a parent or guardian of  
            a minor is authorized to give informed consent for most  
            medical decisions on behalf of the minor.  However, a  
            number of statutes allow minors to consent to medical  
            treatment except certain irreversible and highly invasive  
            procedures, such as psychosurgery.  CMA's advisory  
            opinion also provides that, unless otherwise provided by  
            statute, "a minor does not have the exclusive authority  
            to consent to a particular treatment; that is, the  
            minor's parent(s) or guardian can legally consent to  
            certain treatment even if the minor objects."  Some  
            situations may require guidance from the court.

            It is thus unclear how parents' and minors' rights would  
            play out in the context of a parent's decision to have  
            his or her child subcutaneously implanted with an ID  
            device.  It likely would depend on a number of factors,  
            including the purpose for the implantation, the nature of  
            the information implanted, the minor's age, the parental  
                                                                       




          SB 362 (Simitian)
          Page 9



            intent in doing the implantation, and whether the  
            implantation amounted to a tort, such as battery.

          7.    Remedies provided in the bill would be non-exclusive  

            The author states that he does not intend the remedies  
            provided in the bill to be exclusive of other remedies a  
            person may be entitled to.  Thus, the bill has been  
            amended to provide:

               Actions brought pursuant to this section are  
               independent of any other actions, remedies, or  
               procedures that may be available to an aggrieved party  
               pursuant to any other law. 

          8.    Recent amendments  

            This bill has been amended to include a three-year  
            statute of limitations for any action brought for a  
            violation of its provisions.  The three years would run  
            from the date of implantation, or, if the person  
            implanted lacked capacity at the time of implantation  
            (such as being a minor), from the date of discovery.  

            The bill has also been amended to provide that its  
            provisions shall be liberally construed so as to protect  
            an individual's privacy interests and right to bodily  
            integrity.  

          Support:   Privacy Rights Clearinghouse; CA Alliance for  
                 Consumer Protection; Consumer Federation of CA;  
                 Protection & Advocacy, Inc.; ACLU; Gun Owners of CA;  
                 Consumer Action

          Opposition:   None Known


                                     HISTORY
           
          Source:   Author

           Related Pending Legislation:  SB 28 (Simitian of 2007)  
                                would prevent the DMV from issuing an  
                                RFID-enabled driver's license or  
                                identification card.  (This bill  
                                                                       




          SB 362 (Simitian)
          Page 10



                                passed out of the Senate  
                                Transportation and Housing  
                                Committee.)

                                SB 29 (Simitian of 2007) would  
                                prevent the use of RFID devices  
                                transmitting personal information for  
                                the purpose of tracking students or  
                                their attendance.  (This bill is on  
                                the Senate Floor.)

                                SB 30 (Simitian of 2007) would impose  
                                minimum security requirements for  
                                government issued RFID-enabled ID  
                                documents.  (This bill passed out of  
                                this committee and has been referred  
                                to the Senate Public Safety  
                                Committee.)

                                SB 31 (Simitian of 2007) would  
                                criminalize the unauthorized  
                                intentional reading, or attempted  
                                reading of an individual's personal  
                                ID document.  (This bill passed out  
                                of this committee and has been  
                                referred to the Senate Public Safety  
                                Committee.)

                                SB 388 (Corbett of 2007) would  
                                require minimum disclosures from  
                                private issuers of RFID-enabled items  
                                capable of transmitting personally  
                                identifiable information.  (This bill  
                                is set for hearing in this committee  
                                on April 10.)

           Prior Legislation:   SB 682 (Simitian of 2005) contained  
                        the original Identity Information Protection  
                        Act of 2005 language that was amended into SB  
                        768 on September 2, 2005.  (This bill was  
                        thereafter gutted and amended.)

                        SB 768 (Simitian of 2006) would have imposed  
                        minimum requirements on government issued ID  
                        documents, required a study by the California  
                                                                       




          SB 362 (Simitian)
          Page 11



                        Research Bureau, and criminalized the  
                        unauthorized intentional skimming of a  
                        person's ID document.  (This bill was vetoed  
                        by the governor.)

                        SB 1834 (Bowen of 2004), which failed passage  
                        in Assembly Business & Professions Committee,  
                        would have prohibited the use of RFID on  
                        library circulating materials to collect,  
                        store, or share information that could be  
                        used to identify a borrower, and would have  
                        limited the use of RFID on other consumer  
                        products to gather, store, use, or share  
                        information that could be used to identify an  
                        individual.


                                 **************