BILL ANALYSIS SENATE JUDICIARY COMMITTEE Senator Ellen M. Corbett, Chair 2007-2008 Regular Session SB 362 S Senator Simitian B As Amended April 9, 2007 Hearing Date: April 10, 2007 3 Civil Code 6 ADM 2 SUBJECT Identification Devices: Subcutaneous Implanting DESCRIPTION This bill would prohibit a person from requiring, coercing, or compelling any other individual to undergo the subcutaneous implanting of an identification (ID) device. This bill would provide specified rights of action and remedies for a violation of its provisions. This bill would provide that its provisions shall be liberally construed so as to protect privacy and bodily integrity. This bill would provide that actions brought pursuant to its provisions would be independent of any other actions, remedies, or procedures that may be available to an aggrieved party pursuant to any other law. This bill would define the terms "identification device," "person," "personal information," and "subcutaneous" for purposes of its provisions. BACKGROUND Radio Frequency Identification (RFID) is an old technology that has recently raised new privacy questions due to its increasing prevalence in day-to-day life. RFID contactless technology allows for the transfer of information via radio (more) SB 362 (Simitian) Page 2 waves to a nearby RFID scanner. Tiny chips, with associated antennae, are embedded within items, including ID devices the size of a grain of rice, and designed to respond to the proper signal from a scanner. Depending on the type of RFID technology used, a RFID tag may be read from a wide range of distances. (See Comment 2.) In 2004, the U.S. Food and Drug Administration (FDA) approved an implantable RFID device, VeriMed patient ID system, which contains patient identification and health information. "The key components of the VeriMed system are a passive microchip, which is approximately the size of a grain of rice, a fixed location or a wireless handheld scanner used to read the 16-digit identification number contained on the microchip ? and a web-enabled database containing [patient medical information]." The company marketing the VeriMed system, VeriTech Corp., went public in February 2007. VeriTech's prospectus includes other applications of implantable microchips, including "asset/staff location and identification" systems. The advent of implantable ID devices has raised privacy concerns in a number of states, particularly with respect to nonvoluntary implantation. Wisconsin recently enacted legislation prohibiting an individual from being required to undergo the implanting of a microchip. This bill is intended to ensure that no Californian is forced to undergo subcutaneous implantation of an ID device. CHANGES TO EXISTING LAW Existing law provides that all people in this state have an inalienable, constitutional right to privacy. [Cal. Const. art. I, Section 1.] Existing law provides that every person has, subject to qualifications and restrictions provided by law, the right of protection from bodily restraint or harm, from personal insult, from defamation, and from injury to personal relations. [Civil Code (CC) Section 43.] This bill would prohibit a person from requiring, coercing, or compelling any other individual to undergo the subcutaneous implanting of an identification device. This bill would provide that: SB 362 (Simitian) Page 3 Any person who violates or threatens to violate its provisions may be enjoined in any court of competent jurisdiction. Any person found in a civil action to have violated its provisions may be assessed an initial civil penalty of no more than $10,000, and no more than $1,000 for each day the violation continues until the deficiency is corrected. The court may award a prevailing plaintiff reasonable attorney's fees and costs. In assessing the amount of the civil penalty, the court may consider all of the following: a) the nature and extent of the violation; b) the number and severity of the violations; c) the economic effect of the penalty on the violator; d) whether the violator took good faith measures to comply with the bill's provisions and the time those measures took; e) the willfulness of the violator's misconduct; f) the deterrent effect that imposition of the penalty would have on the violator and the regulated community as a whole; and g) any other factor that justice may require. Civil actions pursuant to the bill's provisions may be brought by any aggrieved party or by the Attorney General, a district attorney, or a city attorney. An action brought under the bill's provisions would have to be commenced within 3 years of the date the ID device was implanted, unless the person who received the implant lacked capacity at the time of implantation, in which case, within 3 years after the discovery date. This bill would provide that its provisions shall be liberally construed so as to protect privacy and bodily integrity. This bill would provide that actions brought pursuant to its provisions would be independent of any other actions, remedies, or procedures that may be available to an aggrieved party pursuant to any other law. This bill would define "identification device" as any item, application, or product that is passively or actively capable of transmitting personal information, including, SB 362 (Simitian) Page 4 but not limited to, devices using radio frequency technology. This bill would define "person" to mean an individual, business association, partnership, limited partnership, corporation, limited liability company, trust, estate, cooperative association, or other entity. This bill would define "personal information." (See Comment 2.) This bill would define "subcutaneous" to mean existing, performed, or introduced under the skin. COMMENT 1. Stated need for the bill The author writes: Subdermal RFID-enabled ID devices have been developed and are currently being marketed in the U.S. and abroad - VeriChip Corporation, which went public on Feb. 9, 2007, and has the only FDA-approved human implantable RFID system, acknowledged in its prospectus its intent to develop human implantation markets and expects these to be major future revenue sources. Privacy and security risks - RFID systems can be compromised, many in seconds, which exposes device holders to identity theft, property theft, surveillance, stalking and tracking, and other serious harm. No limits, no protections - There are no legal limits on the type of information that can be stored on an RFID tag; and there are no laws establishing minimum security protections for the information that tags contain. Thus, nothing prevents an employer or public entity from forcing a person to carry or implant a RFID tag that may broadcast the person's race, religion, employer, or home address to anyone with an inexpensive RFID reader. SB 362 (Simitian) Page 5 Healthcare and other costs - Subdermal RFID is a new RFID application. Its long-term health effects and related costs are unknown. Even assuming subdermal applications prove safe, who will pay healthcare costs related to insertion and/or removal? In the event of a device recall, employment termination, technological obsolescence, or identity theft, who pays? Incentives matter - A 2006 Department of Homeland Security privacy committee report notes that efficiencies from RFID-enabled IDs are limited due to the need for staff to confirm the holder is who they say they are. This problem could be addressed by subdermal implantation, which could thereby provide a powerful incentive for such implantation. Wisconsin has enacted a law to prohibit forced implantation of ID devices. California law does not currently explicitly prohibit such forced implantation of ID devices, though certainly such conduct would constitute a battery, actionable under tort law. This bill would provide a clear statutory prohibition on forced implantation of an ID device. 2. " RFID" and "personal information" defined A. RFID defined As stated in the Department of Homeland Security's Data Privacy and Integrity Advisory Committee's report on The Use of RFID for Human Identity Verification: RFID is a type of automatic identification technology that enables the user to "tag" objects with a tiny device that can later be detected by automatic means. That detection can range from simply noting the presence of the device, to obtaining a fixed identification number from the device, to initiating a two-way communication with the device. The essential functionality of the system is that when the tag is in the presence of an appropriate radio frequency (RF) signal emanated by a reader, the tag responds by sending back a reflected RF signal with information in response. Some can only operate over a very short distance of a few centimeters or less, while others SB 362 (Simitian) Page 6 may operate at longer distances of several meters or more. At the higher-end of RFID technology, the contactless RFID tags have been enhanced with the full capabilities of smart card chips that contain general-purpose computer processors and large non-volatile memory spaces ?. B. Personal information defined This bill would define "personal information" to include any of the following data elements to the extent they are used alone or in conjunction with any other information used to identify an individual: 1) first or last name; 2) address; 3) telephone number; 4) email, Internet Protocol, or website address; 5) birth date; 6) driver's license or CA identification card number; 7) any unique personal identifier number contained or encoded on a driver's license or identification card; 8) bank, credit card, or other financial institution account number; 9) any unique personal identifier contained or encoded on a health insurance, health benefit, or benefit card or record issued in conjunction with any government-supported aid program; 10) religion; 11) ethnicity or nationality; 12) photograph; 13) fingerprint or other biometric identifier; 14) Social Security number; or 15) any unique personal identifier. 3. Bill would not prohibit voluntary subcutaneous ID device implantation This bill would prohibit a person from requiring, coercing, or compelling any other individual to undergo subcutaneous implantation of an ID device. The bill would not prohibit voluntary subcutaneous implantation of an ID device. VeriChip, the company with FDA approval for an implantable RFID device, stated in its February 2007 prospectus that it supports "all pending and enacted legislation that would preclude anything other than voluntary implantation ?." 4. Right to bodily integrity would be protected by the bill This bill would prohibit required, coerced, or compelled SB 362 (Simitian) Page 7 subcutaneous implantation of an ID device. By doing so, the author asserts this bill would protect a person's fundamental right to bodily integrity. Bodily integrity is protected by both statutory and case law, depending on the particular issue involved. An example of the right to bodily integrity is the doctrine of informed consent with respect to medical procedures. The author notes that U.S. Supreme Court justices have underscored the importance of the right to bodily integrity: [N]o right is held more sacred, or is more carefully guarded, by the common law, than the right of every individual to the possession and control of his [or her] own person, free from all restraint or interference of others, unless by clear and unquestionable authority of law. [Union Pacific Ry. Co. v. Botsford (1891) 141 U.S. 250.] [E]very human of adult years and sound mind has a right to determine what shall be done with his [or her] own body. [Schloendorff v. Society of the N.Y. Hosp. (1914) 211 N.Y. 125.] 5. Societal and practical implications of involuntary subcutaneous ID device implantation The author states that, while forced implantation of an ID device may appear farfetched, VeriChip is floating various implantation proposals, including to track employees and visitors and to secure access to restricted facilities. The author notes that there was a time when the U.S. Supreme Court sanctioned involuntary sterilization of women with severe mental deficiencies (Buck v. Bell (1927) 274 U.S. 200). And, while involuntary sterilization would not pass constitutional muster today, particularly due process guarantees, certain groups, such as employees could feel pressured or coerced to accept ID implantation in order to earn a living. The author also notes that forced implantation raises a number of practical questions: 1) who pays for the cost of purchasing, implanting, and monitoring; 2) who pays if a person has an adverse reaction; and 3) what happens when a chip becomes obsolete or compromised, and must be SB 362 (Simitian) Page 8 replaced? As an example, a company, CityWatcher.com, recently closed its doors. The company, which provided video surveillance to clients and law enforcement, had a number of employees who got "chipped," with a chip containing certain unspecified information. While these employees were ostensibly not forced to get "chipped," questions remain about what happens now that the company has gone out of business, and the employees still have implanted chips. 6. Parental choice to have child subcutaneously implanted with ID device In general, parents control what occurs to their minor children, i.e., children under the age of 18. However, both the defined age of a "minor" and a minor's rights depend on the context of the right at issue. For example, in the area of minor's health rights, the minor's age and rights, and the degree of parental involvement vary depending on the context and circumstances, whether it be pregnancy, contraception, abortion, emergency medical services, rape services, mental health services, AIDS/HIV testing and treatment, general medical care, or drug/alcohol abuse treatment. The California Medical Association (CMA), in one of its advisory opinions, provides that a parent or guardian of a minor is authorized to give informed consent for most medical decisions on behalf of the minor. However, a number of statutes allow minors to consent to medical treatment except certain irreversible and highly invasive procedures, such as psychosurgery. CMA's advisory opinion also provides that, unless otherwise provided by statute, "a minor does not have the exclusive authority to consent to a particular treatment; that is, the minor's parent(s) or guardian can legally consent to certain treatment even if the minor objects." Some situations may require guidance from the court. It is thus unclear how parents' and minors' rights would play out in the context of a parent's decision to have his or her child subcutaneously implanted with an ID device. It likely would depend on a number of factors, including the purpose for the implantation, the nature of the information implanted, the minor's age, the parental SB 362 (Simitian) Page 9 intent in doing the implantation, and whether the implantation amounted to a tort, such as battery. 7. Remedies provided in the bill would be non-exclusive The author states that he does not intend the remedies provided in the bill to be exclusive of other remedies a person may be entitled to. Thus, the bill has been amended to provide: Actions brought pursuant to this section are independent of any other actions, remedies, or procedures that may be available to an aggrieved party pursuant to any other law. 8. Recent amendments This bill has been amended to include a three-year statute of limitations for any action brought for a violation of its provisions. The three years would run from the date of implantation, or, if the person implanted lacked capacity at the time of implantation (such as being a minor), from the date of discovery. The bill has also been amended to provide that its provisions shall be liberally construed so as to protect an individual's privacy interests and right to bodily integrity. Support: Privacy Rights Clearinghouse; CA Alliance for Consumer Protection; Consumer Federation of CA; Protection & Advocacy, Inc.; ACLU; Gun Owners of CA; Consumer Action Opposition: None Known HISTORY Source: Author Related Pending Legislation: SB 28 (Simitian of 2007) would prevent the DMV from issuing an RFID-enabled driver's license or identification card. (This bill SB 362 (Simitian) Page 10 passed out of the Senate Transportation and Housing Committee.) SB 29 (Simitian of 2007) would prevent the use of RFID devices transmitting personal information for the purpose of tracking students or their attendance. (This bill is on the Senate Floor.) SB 30 (Simitian of 2007) would impose minimum security requirements for government issued RFID-enabled ID documents. (This bill passed out of this committee and has been referred to the Senate Public Safety Committee.) SB 31 (Simitian of 2007) would criminalize the unauthorized intentional reading, or attempted reading of an individual's personal ID document. (This bill passed out of this committee and has been referred to the Senate Public Safety Committee.) SB 388 (Corbett of 2007) would require minimum disclosures from private issuers of RFID-enabled items capable of transmitting personally identifiable information. (This bill is set for hearing in this committee on April 10.) Prior Legislation: SB 682 (Simitian of 2005) contained the original Identity Information Protection Act of 2005 language that was amended into SB 768 on September 2, 2005. (This bill was thereafter gutted and amended.) SB 768 (Simitian of 2006) would have imposed minimum requirements on government issued ID documents, required a study by the California SB 362 (Simitian) Page 11 Research Bureau, and criminalized the unauthorized intentional skimming of a person's ID document. (This bill was vetoed by the governor.) SB 1834 (Bowen of 2004), which failed passage in Assembly Business & Professions Committee, would have prohibited the use of RFID on library circulating materials to collect, store, or share information that could be used to identify a borrower, and would have limited the use of RFID on other consumer products to gather, store, use, or share information that could be used to identify an individual. **************