RFID Privacy and Consumer Protection
Kill Commands, Protected Mode, and GDPR
Balancing RFID benefits with consumer privacy using kill commands, untraceable mode, protected mode, and GDPR compliance.
RFID Privacy Guide
RFID tags can be read without the knowledge of the person carrying them — and that characteristic creates legitimate privacy concerns. Consumer groups, regulators, and the EU's GDPR all impose obligations on organisations deploying RFID in contexts where individuals are identifiable. This guide covers the technical mechanisms available to protect privacy and the legal framework that governs them.
The Privacy Problem
An EPC is a globally unique identifier. If an item carries an EPC and a person regularly carries that item, any reader the person walks past can log their presence. At scale, this enables tracking of individuals across retail environments, transit systems, or public spaces — without consent or awareness.
Three technical properties make consumer-facing RFID privacy-sensitive:
- Covert readability — standard UHF tags respond to any compliant reader within range
- Unique identifiers — EPCs are item-unique, enabling linkage across time and location
- Persistence — tags remain active unless explicitly disabled
Kill Command
The kill command permanently and irreversibly disables a tag. Once killed, the tag's IC is non-functional and will never respond to another reader. This is the strongest privacy protection available.
| Aspect | Detail |
|---|---|
| Standard | EPC Gen 2 / ISO 18000-63 |
| Trigger | Reader sends 32-bit kill password |
| Reversibility | None — tag is permanently destroyed |
| Typical use case | Point-of-sale in retail (item-level tagging) |
| Consumer expectation | Tag dies when you leave the store |
The kill password must be set before use — tags ship with a default kill password of 0x00000000, which disables the kill command. Retailers must program a non-zero kill password at commissioning and execute the kill at checkout.
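An added example (not from the original guide) of a commissioning check for the rule above: it derives a non-zero, per-tag 32-bit kill password from a retailer-held secret and audits commissioning records for tags left at the default zero. The HMAC derivation, the reuse check, the function names, and the sample key and EPCs are assumptions made for illustration.

```python
import hashlib
import hmac
from collections import Counter


def derive_kill_password(master_key: bytes, epc_hex: str) -> int:
    """Derive a per-tag 32-bit kill password (assumed scheme, not from the guide)."""
    epc = bytes.fromhex(epc_hex)
    for counter in range(256):
        mac = hmac.new(master_key, epc + bytes([counter]), hashlib.sha256).digest()
        password = int.from_bytes(mac[:4], "big")
        if password != 0:  # 0x00000000 would leave the kill command disabled
            return password
    raise RuntimeError("could not derive a non-zero kill password")


def audit_commissioning(records):
    """Return {epc: finding} for (epc_hex, kill_password) commissioning records."""
    usage = Counter(password for _, password in records)
    findings = {}
    for epc, password in records:
        if not 0 <= password <= 0xFFFFFFFF:
            findings[epc] = "not a 32-bit value"
        elif password == 0:
            findings[epc] = "kill disabled: default zero password"
        elif usage[password] > 1:  # added check, beyond the guide's non-zero rule
            findings[epc] = "kill password reused across tags"
    return findings


# Constructed sample data: 96-bit EPCs in hex and the passwords written to them.
SAMPLE_KEY = b"constructed-demo-key-not-for-production"
SAMPLE_RECORDS = [
    ("3034257BF7194E4000001A85", 0x00000000),  # never programmed
    ("3034257BF7194E4000001A86", 0x1234ABCD),  # same value on two tags
    ("3034257BF7194E4000001A87", 0x1234ABCD),
    ("3034257BF7194E4000001A88",
     derive_kill_password(SAMPLE_KEY, "3034257BF7194E4000001A88")),
]

if __name__ == "__main__":
    for epc, finding in audit_commissioning(SAMPLE_RECORDS).items():
        print(epc, finding)
```

Running the audit before tags reach the sales floor catches items that could not be killed at checkout.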
Untraceable Mode
Untraceable mode is a crypto-tag feature (EPC Gen 2v2, implemented by NXP UCODE DNA, Impinj M800) that hides the tag's identity from unauthenticated readers. In untraceable mode:
- The tag replies with a short, randomised response instead of its real EPC
- Unauthenticated readers cannot link successive reads to the same tag
- Only a reader possessing the correct authentication key can reveal the true EPC
This is suitable for scenarios where the tag must remain functional after the point of sale (e.g., luxury resale, returns) but should not be trackable by arbitrary readers.
Protected Mode
Protected mode gates all read and write operations behind AES-128 authentication. A tag in protected mode will not return its EPC memory to a standard Gen 2 inventory command. Only a reader that completes a successful mutual authentication exchange gains access.
Protected mode is stronger than untraceable mode from a confidentiality standpoint but requires all legitimate readers to be equipped with authentication credentials — a significant infrastructure investment.
EAS Bit and Post-Sale Tag Behaviour
The EAS (Electronic Article Surveillance) bit in Gen 2 tags is set at commissioning and cleared at POS checkout. EAS-aware reader portals near store exits can detect unpurchased items. At purchase, clearing the EAS bit (or executing the kill command) is standard practice. Clearing the EAS bit does not by itself prevent post-sale tracking; only the kill command eliminates the read response entirely.
GDPR and RFID
The EU General Data Protection Regulation (GDPR) applies whenever RFID data can be linked to an identified or identifiable natural person. That includes item-level retail tags when combined with loyalty programme data, transaction records, or video surveillance.
| GDPR Obligation | RFID Implication |
|---|---|
| Lawful basis | Consent or legitimate interest must be documented |
| Data minimisation | Do not read or log EPCs beyond operational need |
| Right to erasure | System must be able to dissociate EPC from individual |
| Privacy by design | Kill at POS; untraceable mode for post-sale items |
| DPIA requirement | Mandatory for systematic monitoring of public spaces |
Practical steps for GDPR compliance in retail RFID:
- Document your lawful basis before deploying reader infrastructure
- Implement kill at POS for all consumer-facing items
- Separate the EPC-to-customer linkage in your data model so it can be deleted on request
- Do not retain raw reader logs beyond the operational window needed for inventory reconciliation
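An added example (not from the original guide) of the last two steps: a data model in which the EPC-to-customer linkage lives in its own table so an erasure request deletes only that row, plus a retention purge for raw reader logs. The table names, column names, and sample rows are assumptions, and SQLite stands in for whatever database the deployment uses.

```python
import sqlite3

SCHEMA = """
CREATE TABLE reader_log (epc TEXT NOT NULL, reader_id TEXT NOT NULL, seen_at INTEGER NOT NULL);
CREATE TABLE sale (sale_id INTEGER PRIMARY KEY, epc TEXT NOT NULL, sold_at INTEGER NOT NULL);
-- The only table that names a person; deleting a row dissociates the EPC.
CREATE TABLE customer_link (
    sale_id INTEGER PRIMARY KEY REFERENCES sale(sale_id),
    customer_id TEXT NOT NULL
);
"""


def open_store():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def epcs_linked_to(db, customer_id):
    rows = db.execute(
        "SELECT s.epc FROM sale s JOIN customer_link c ON c.sale_id = s.sale_id "
        "WHERE c.customer_id = ? ORDER BY s.epc", (customer_id,))
    return [row[0] for row in rows]


def erase_customer(db, customer_id):
    """Erasure request: drop the linkage rows, keep the anonymous sale records."""
    with db:
        return db.execute("DELETE FROM customer_link WHERE customer_id = ?",
                          (customer_id,)).rowcount


def purge_reader_log(db, now, window_seconds):
    """Delete raw reads older than the reconciliation window."""
    with db:
        return db.execute("DELETE FROM reader_log WHERE seen_at < ?",
                          (now - window_seconds,)).rowcount


def load_sample(db):
    """Constructed sample rows; timestamps are seconds since an arbitrary start."""
    with db:
        db.executemany("INSERT INTO sale VALUES (?, ?, ?)",
                       [(1, "EPC-A", 100), (2, "EPC-B", 200), (3, "EPC-C", 300)])
        db.executemany("INSERT INTO customer_link VALUES (?, ?)",
                       [(1, "cust-17"), (2, "cust-17"), (3, "cust-42")])
        db.executemany("INSERT INTO reader_log VALUES (?, ?, ?)",
                       [("EPC-A", "dock-1", 50), ("EPC-B", "dock-1", 900),
                        ("EPC-C", "exit-2", 990)])
```

Because `customer_id` appears in no other table, inventory and sales reporting keep working after an erasure while no query can map the customer back to an EPC.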
See also: RFID Security Threats and Countermeasures, Crypto-Enabled RFID Tags.