BILL ANALYSIS �
SENATE JUDICIARY COMMITTEE
Senator Ellen M. Corbett, Chair
2007-2008 Regular Session
SB 362 S
Senator Simitian B
As Amended April 9, 2007
Hearing Date: April 10, 2007 3
Civil Code 6
ADM 2
SUBJECT
Identification Devices: Subcutaneous Implanting
DESCRIPTION
This bill would prohibit a person from requiring, coercing,
or compelling any other individual to undergo the
subcutaneous implanting of an identification (ID) device.
This bill would provide specified rights of action and
remedies for a violation of its provisions.
This bill would provide that its provisions shall be
liberally construed so as to protect privacy and bodily
integrity.
This bill would provide that actions brought pursuant to
its provisions would be independent of any other actions,
remedies, or procedures that may be available to an
aggrieved party pursuant to any other law.
This bill would define the terms "identification device,"
"person," "personal information," and "subcutaneous" for
purposes of its provisions.
BACKGROUND
Radio Frequency Identification (RFID) is an old technology
that has recently raised new privacy questions due to its
increasing prevalence in day-to-day life. RFID contactless
technology allows for the transfer of information via radio
(more)
�
SB 362 (Simitian)
Page 2
waves to a nearby RFID scanner. Tiny chips, with
associated antennae, are embedded within items, including
ID devices the size of a grain of rice, and designed to
respond to the proper signal from a scanner. Depending on
the type of RFID technology used, a RFID tag may be read
from a wide range of distances. (See Comment 2.)
In 2004, the U.S. Food and Drug Administration (FDA)
approved an implantable RFID device, VeriMed patient ID
system, which contains patient identification and health
information. "The key components of the VeriMed system are
a passive microchip, which is approximately the size of a
grain of rice, a fixed location or a wireless handheld
scanner used to read the 16-digit identification number
contained on the microchip ? and a web-enabled database
containing [patient medical information]." The company
marketing the VeriMed system, VeriTech Corp., went public
in February 2007. VeriTech's prospectus includes other
applications of implantable microchips, including
"asset/staff location and identification" systems.
The advent of implantable ID devices has raised privacy
concerns in a number of states, particularly with respect
to nonvoluntary implantation. Wisconsin recently enacted
legislation prohibiting an individual from being required
to undergo the implanting of a microchip. This bill is
intended to ensure that no Californian is forced to undergo
subcutaneous implantation of an ID device.
CHANGES TO EXISTING LAW
Existing law provides that all people in this state have an
inalienable, constitutional right to privacy. [Cal. Const.
art. I, Section 1.]
Existing law provides that every person has, subject to
qualifications and restrictions provided by law, the right
of protection from bodily restraint or harm, from personal
insult, from defamation, and from injury to personal
relations. [Civil Code (CC) Section 43.]
This bill would prohibit a person from requiring, coercing,
or compelling any other individual to undergo the
subcutaneous implanting of an identification device.
This bill would provide that:
�
SB 362 (Simitian)
Page 3
Any person who violates or threatens to violate its
provisions may be enjoined in any court of competent
jurisdiction.
Any person found in a civil action to have violated its
provisions may be assessed an initial civil penalty of no
more than $10,000, and no more than $1,000 for each day
the violation continues until the deficiency is
corrected.
The court may award a prevailing plaintiff reasonable
attorney's fees and costs.
In assessing the amount of the civil penalty, the court
may consider all of the following:
a) the nature and extent of the violation;
b) the number and severity of the violations;
c) the economic effect of the penalty on the
violator;
d) whether the violator took good faith measures to
comply with the bill's provisions and the time
those measures took;
e) the willfulness of the violator's misconduct;
f) the deterrent effect that imposition of the
penalty would have on the violator and the regulated
community as a whole; and
g) any other factor that justice may require.
Civil actions pursuant to the bill's provisions may be
brought by any aggrieved party or by the Attorney
General, a district attorney, or a city attorney.
An action brought under the bill's provisions would have
to be commenced within 3 years of the date the ID device
was implanted, unless the person who received the implant
lacked capacity at the time of implantation, in which
case, within 3 years after the discovery date.
This bill would provide that its provisions shall be
liberally construed so as to protect privacy and bodily
integrity.
This bill would provide that actions brought pursuant to
its provisions would be independent of any other actions,
remedies, or procedures that may be available to an
aggrieved party pursuant to any other law.
This bill would define "identification device" as any item,
application, or product that is passively or actively
capable of transmitting personal information, including,
�
SB 362 (Simitian)
Page 4
but not limited to, devices using radio frequency
technology.
This bill would define "person" to mean an individual,
business association, partnership, limited partnership,
corporation, limited liability company, trust, estate,
cooperative association, or other entity.
This bill would define "personal information." (See
Comment 2.)
This bill would define "subcutaneous" to mean existing,
performed, or introduced under the skin.
COMMENT
1. Stated need for the bill
The author writes:
Subdermal RFID-enabled ID devices have been developed
and are currently being marketed in the U.S. and
abroad - VeriChip Corporation, which went public on
Feb. 9, 2007, and has the only FDA-approved human
implantable RFID system, acknowledged in its
prospectus its intent to develop human implantation
markets and expects these to be major future revenue
sources.
Privacy and security risks - RFID systems can be
compromised, many in seconds, which exposes device
holders to identity theft, property theft,
surveillance, stalking and tracking, and other serious
harm.
No limits, no protections - There are no legal limits
on the type of information that can be stored on an
RFID tag; and there are no laws establishing minimum
security protections for the information that tags
contain. Thus, nothing prevents an employer or public
entity from forcing a person to carry or implant a
RFID tag that may broadcast the person's race,
religion, employer, or home address to anyone with an
inexpensive RFID reader.
�
SB 362 (Simitian)
Page 5
Healthcare and other costs - Subdermal RFID is a new
RFID application. Its long-term health effects and
related costs are unknown. Even assuming subdermal
applications prove safe, who will pay healthcare costs
related to insertion and/or removal? In the event of
a device recall, employment termination, technological
obsolescence, or identity theft, who pays?
Incentives matter - A 2006 Department of Homeland
Security privacy committee report notes that
efficiencies from RFID-enabled IDs are limited due to
the need for staff to confirm the holder is who they
say they are. This problem could be addressed by
subdermal implantation, which could thereby provide a
powerful incentive for such implantation.
Wisconsin has enacted a law to prohibit forced
implantation of ID devices. California law does not
currently explicitly prohibit such forced implantation
of ID devices, though certainly such conduct would
constitute a battery, actionable under tort law. This
bill would provide a clear statutory prohibition on
forced implantation of an ID device.
2. " RFID" and "personal information" defined
A. RFID defined
As stated in the Department of Homeland Security's
Data Privacy and Integrity Advisory Committee's report
on The Use of RFID for Human Identity Verification:
RFID is a type of automatic identification technology
that enables the user to "tag" objects with a tiny
device that can later be detected by automatic means.
That detection can range from simply noting the
presence of the device, to obtaining a fixed
identification number from the device, to initiating a
two-way communication with the device. The essential
functionality of the system is that when the tag is in
the presence of an appropriate radio frequency (RF)
signal emanated by a reader, the tag responds by
sending back a reflected RF signal with information in
response. Some can only operate over a very short
distance of a few centimeters or less, while others
�
SB 362 (Simitian)
Page 6
may operate at longer distances of several meters or
more. At the higher-end of RFID technology, the
contactless RFID tags have been enhanced with the full
capabilities of smart card chips that contain
general-purpose computer processors and large
non-volatile memory spaces ?.
B. Personal information defined
This bill would define "personal information" to
include any of the following data elements to the
extent they are used alone or in conjunction with any
other information used to identify an individual: 1)
first or last name; 2) address; 3) telephone number;
4) email, Internet Protocol, or website address; 5)
birth date; 6) driver's license or CA identification
card number; 7) any unique personal identifier number
contained or encoded on a driver's license or
identification card; 8) bank, credit card, or other
financial institution account number; 9) any unique
personal identifier contained or encoded on a health
insurance, health benefit, or benefit card or record
issued in conjunction with any government-supported
aid program; 10) religion; 11) ethnicity or
nationality; 12) photograph; 13) fingerprint or other
biometric identifier; 14) Social Security number; or
15) any unique personal identifier.
3. Bill would not prohibit voluntary subcutaneous ID
device implantation
This bill would prohibit a person from requiring,
coercing, or compelling any other individual to undergo
subcutaneous implantation of an ID device. The bill
would not prohibit voluntary subcutaneous implantation of
an ID device. VeriChip, the company with FDA approval
for an implantable RFID device, stated in its February
2007 prospectus that it supports "all pending and enacted
legislation that would preclude anything other than
voluntary implantation ?."
4. Right to bodily integrity would be protected by the
bill
This bill would prohibit required, coerced, or compelled
�
SB 362 (Simitian)
Page 7
subcutaneous implantation of an ID device. By doing so,
the author asserts this bill would protect a person's
fundamental right to bodily integrity. Bodily integrity
is protected by both statutory and case law, depending on
the particular issue involved. An example of the right
to bodily integrity is the doctrine of informed consent
with respect to medical procedures. The author notes
that U.S. Supreme Court justices have underscored the
importance of the right to bodily integrity:
[N]o right is held more sacred, or is more carefully
guarded, by the common law, than the right of every
individual to the possession and control of his [or
her] own person, free from all restraint or
interference of others, unless by clear and
unquestionable authority of law. [Union Pacific Ry.
Co. v. Botsford (1891) 141 U.S. 250.]
[E]very human of adult years and sound mind has a
right to determine what shall be done with his [or
her] own body. [Schloendorff v. Society of the N.Y.
Hosp. (1914) 211 N.Y. 125.]
5. Societal and practical implications of involuntary
subcutaneous ID device implantation
The author states that, while forced implantation of an
ID device may appear farfetched, VeriChip is floating
various implantation proposals, including to track
employees and visitors and to secure access to restricted
facilities. The author notes that there was a time when
the U.S. Supreme Court sanctioned involuntary
sterilization of women with severe mental deficiencies
(Buck v. Bell (1927) 274 U.S. 200). And, while
involuntary sterilization would not pass constitutional
muster today, particularly due process guarantees,
certain groups, such as employees could feel pressured or
coerced to accept ID implantation in order to earn a
living.
The author also notes that forced implantation raises a
number of practical questions: 1) who pays for the cost
of purchasing, implanting, and monitoring; 2) who pays if
a person has an adverse reaction; and 3) what happens
when a chip becomes obsolete or compromised, and must be
�
SB 362 (Simitian)
Page 8
replaced? As an example, a company, CityWatcher.com,
recently closed its doors. The company, which provided
video surveillance to clients and law enforcement, had a
number of employees who got "chipped," with a chip
containing certain unspecified information. While these
employees were ostensibly not forced to get "chipped,"
questions remain about what happens now that the company
has gone out of business, and the employees still have
implanted chips.
6. Parental choice to have child subcutaneously implanted
with ID device
In general, parents control what occurs to their minor
children, i.e., children under the age of 18. However,
both the defined age of a "minor" and a minor's rights
depend on the context of the right at issue. For
example, in the area of minor's health rights, the
minor's age and rights, and the degree of parental
involvement vary depending on the context and
circumstances, whether it be pregnancy, contraception,
abortion, emergency medical services, rape services,
mental health services, AIDS/HIV testing and treatment,
general medical care, or drug/alcohol abuse treatment.
The California Medical Association (CMA), in one of its
advisory opinions, provides that a parent or guardian of
a minor is authorized to give informed consent for most
medical decisions on behalf of the minor. However, a
number of statutes allow minors to consent to medical
treatment except certain irreversible and highly invasive
procedures, such as psychosurgery. CMA's advisory
opinion also provides that, unless otherwise provided by
statute, "a minor does not have the exclusive authority
to consent to a particular treatment; that is, the
minor's parent(s) or guardian can legally consent to
certain treatment even if the minor objects." Some
situations may require guidance from the court.
It is thus unclear how parents' and minors' rights would
play out in the context of a parent's decision to have
his or her child subcutaneously implanted with an ID
device. It likely would depend on a number of factors,
including the purpose for the implantation, the nature of
the information implanted, the minor's age, the parental
�
SB 362 (Simitian)
Page 9
intent in doing the implantation, and whether the
implantation amounted to a tort, such as battery.
7. Remedies provided in the bill would be non-exclusive
The author states that he does not intend the remedies
provided in the bill to be exclusive of other remedies a
person may be entitled to. Thus, the bill has been
amended to provide:
Actions brought pursuant to this section are
independent of any other actions, remedies, or
procedures that may be available to an aggrieved party
pursuant to any other law.
8. Recent amendments
This bill has been amended to include a three-year
statute of limitations for any action brought for a
violation of its provisions. The three years would run
from the date of implantation, or, if the person
implanted lacked capacity at the time of implantation
(such as being a minor), from the date of discovery.
The bill has also been amended to provide that its
provisions shall be liberally construed so as to protect
an individual's privacy interests and right to bodily
integrity.
Support: Privacy Rights Clearinghouse; CA Alliance for
Consumer Protection; Consumer Federation of CA;
Protection & Advocacy, Inc.; ACLU; Gun Owners of CA;
Consumer Action
Opposition: None Known
HISTORY
Source: Author
Related Pending Legislation: SB 28 (Simitian of 2007)
would prevent the DMV from issuing an
RFID-enabled driver's license or
identification card. (This bill
�
SB 362 (Simitian)
Page 10
passed out of the Senate
Transportation and Housing
Committee.)
SB 29 (Simitian of 2007) would
prevent the use of RFID devices
transmitting personal information for
the purpose of tracking students or
their attendance. (This bill is on
the Senate Floor.)
SB 30 (Simitian of 2007) would impose
minimum security requirements for
government issued RFID-enabled ID
documents. (This bill passed out of
this committee and has been referred
to the Senate Public Safety
Committee.)
SB 31 (Simitian of 2007) would
criminalize the unauthorized
intentional reading, or attempted
reading of an individual's personal
ID document. (This bill passed out
of this committee and has been
referred to the Senate Public Safety
Committee.)
SB 388 (Corbett of 2007) would
require minimum disclosures from
private issuers of RFID-enabled items
capable of transmitting personally
identifiable information. (This bill
is set for hearing in this committee
on April 10.)
Prior Legislation: SB 682 (Simitian of 2005) contained
the original Identity Information Protection
Act of 2005 language that was amended into SB
768 on September 2, 2005. (This bill was
thereafter gutted and amended.)
SB 768 (Simitian of 2006) would have imposed
minimum requirements on government issued ID
documents, required a study by the California
�
SB 362 (Simitian)
Page 11
Research Bureau, and criminalized the
unauthorized intentional skimming of a
person's ID document. (This bill was vetoed
by the governor.)
SB 1834 (Bowen of 2004), which failed passage
in Assembly Business & Professions Committee,
would have prohibited the use of RFID on
library circulating materials to collect,
store, or share information that could be
used to identify a borrower, and would have
limited the use of RFID on other consumer
products to gather, store, use, or share
information that could be used to identify an
individual.
**************