BILL ANALYSIS
SENATE JUDICIARY COMMITTEE
Senator Ellen M. Corbett, Chair
2007-2008 Regular Session
SB 30
Senator Simitian
As Introduced
Hearing Date: March 13, 2007
Civil Code
BCP:jd
SUBJECT
Identity Information Protection Act of 2007
DESCRIPTION
This bill would establish interim protections to apply to
remotely readable identification documents (IDs) that are
created, mandated, purchased, or issued by state government
entities. The protections would require government
entities to incorporate specified security measures into
remotely readable IDs and their readers, and to give
written information to ID holders regarding: the
possibility that an ID may be remotely read, available
protections, the location of authorized readers, the
purpose of any intended reading, and the nature of any data
that will be collected by the readers. Existing systems
would be exempt from these protective requirements, as
would other specified systems.
The bill would also contain interim civil and criminal
prohibitions, including: (1) a prohibition against the
disclosure of "operational system keys," subject to
misdemeanor prosecution; and (2) a prohibition against the
disclosure of data regarding a person's location, except in
"exigent circumstances" or in response to specified law
enforcement requests or warrants. The bill would also
permit any interested person to enforce the interim
protections, subject to a 30-day notice and opportunity to
cure for the government entity. A prevailing plaintiff in
such an action could be awarded attorney's fees and costs.
The bill would also require the California Research Bureau
to convene an advisory committee and prepare a report for
the Legislature on security and privacy issues relating to
such IDs, and would state that it is the intent of the
Legislature that the bill's interim protections be replaced
with permanent legislation or regulations in the most
timely and expeditious fashion possible following the
issuance of the California Research Bureau's report.
BACKGROUND
Radio Frequency Identification (RFID) is an old technology
that has recently raised new privacy concerns. RFID
technology allows for the contactless transfer of
information via radio waves to a remote reader. As stated
in the Department of Homeland Security's Data Privacy &
Integrity Advisory Committee's report on The Use of RFID
for Human Identity Verification:
RFID is a type of automatic identification
technology that enables the user to "tag" objects
with a tiny device that can later be detected by
automatic means. That detection can range from
simply noting the presence of the device, to
obtaining a fixed identification number from the
device, to initiating a two-way communication with
the device. The essential functionality of the
system is that when the tag is in the
presence of an appropriate radio frequency
(RF) signal emanated by a reader the tag
responds by sending back a reflected RF signal
with information in response. Some can only
operate over a very short distance of a few
centimeters or less, while others may operate at
longer distances of several meters or more. At
the higher-end of RF technology, the contactless
RFID tags have been enhanced with the full
capabilities of smart card chips containing
general-purpose computer processors and larger
nonvolatile memory spaces . . .
The author of this bill introduced several bills during the
2005-06 session that would have prohibited the use of RFID
technology in certain government IDs, and required
protective measures to be implemented for other government
IDs. The most comprehensive of these previous bills was SB
682 (Simitian), which was approved by this committee on
April 26, 2005, and later narrowed and placed in SB 768
(Simitian) at the end of the 2005 legislative session.
Also last year, members of industry sponsored AB 2561
(Torrico) - a study bill that would have required the
California Research Bureau to convene an advisory board and
file a report with the Legislature regarding the security
and privacy issues associated with the use of RFID in
government IDs. However, when AB 2561 was approved by this
committee on June 27, 2006, it was with the understanding
that AB 2561 would be double-joined with a Senator Simitian
RFID bill that would institute interim protections for the
time during which the California Research Bureau's report
is compiled, its findings considered by the Legislature,
and a permanent legislative or regulatory solution is
crafted.
On August 17, 2006, SB 768 (Simitian) was amended in the
Assembly to incorporate both protective measures that align
with the purposes underlying the terms of SB 682, the
previous terms of SB 768, and language from AB 2561 to
commission a report by the California Research Bureau to
assist the Legislature in crafting a permanent legislative
or regulatory solution. The language contained in that
bill was agreed upon by consumer and privacy advocates who
sponsored the other Senator Simitian RFID bills, and by the
industry representatives who sponsored Assembly Member
Torrico's study bill. SB 768 passed out of the Assembly,
this committee, and the Senate, and was vetoed by the Governor.
This year, the provisions of SB 768 were re-introduced in
two different bills, SB 30 and 31. Except for the
provision that would make the intentional unauthorized
reading or attempted reading of a personal identification
document a misdemeanor crime, located in SB 31, the
remainder of SB 768 has been placed in this bill.
Importantly, the proposed interim minimum security
standards for RFID-enabled government identification
documents would become inoperative on December 31, 2013, or
upon the legislative enactment of alternate statewide
regulations. If passed by this committee, the bill will be
heard by the Senate Public Safety Committee.
CHANGES TO EXISTING LAW
Existing law provides that all people in this state have an
inalienable, constitutional right to privacy. [Cal.
Const., Art. I, § 1.]
Existing law, the Information Practices Act, precludes a
state agency from disclosing personal information it
possesses "in a manner that would link the information
disclosed to the individual to whom it pertains," except in
specified circumstances. [Civ. Code § 1798.24.]
Existing law establishes that a person who intentionally
discloses non-public information obtained from a state or
federal agency is subject to a civil action for invasion of
privacy. [Civ. Code § 1798.53.]
Existing law establishes that a person who willfully
requests or obtains any record containing personal
information from an agency under false pretenses is guilty
of a serious misdemeanor. [Civ. Code § 1798.56.]
Existing law establishes that a person who uses an
electronic tracking device to determine the location or
movement of another person is guilty of a misdemeanor.
[Pen. Code § 637.7.]
This bill would enact the Identity Information Protection
Act of 2007, to: (1) establish interim privacy and security
protections to apply to remotely readable IDs created,
mandated, purchased, or issued by government entities,
until subsequent legislation or regulations are enacted;
(2) require the California Research Bureau to submit a
report to the Legislature on security and privacy for
government-issued, remotely readable IDs on or before June
30, 2008; and (3) specify that it is the intent of the
Legislature that the interim measures contained in the Act
be replaced with permanent legislation or regulations in
the most timely and expeditious fashion possible following
the issuance of the California Research Bureau's report.
This bill would institute the following protective
requirements for government IDs that use radio waves to
transmit data or to enable data to be read remotely:
The ID must incorporate tamper-resistant features to
prevent duplication, forgery, or cloning.
The ID and authorized readers must use an authorization
process.
The issuing entity must inform the ID holder in writing:
(1) that the ID can transmit data or enable data to be
read remotely without the holder's knowledge; (2) that
specified countermeasures may be used to help control
that risk; (3) the location of readers used or intended
to be used by the issuing entity to read the ID; (4) all
circumstances under which the entity intends to read the
ID and the underlying reasons for the reading; and (5)
any information that is being collected or stored
regarding the individual when the ID is read.
If personally identifiable information is transmitted
from the ID: (1) the ID and authorized readers must use a
"mutual authentication process"; (2) the ID must make the
data unreadable and unusable by an unauthorized person;
and (3) the ID must implement an access control protocol
to give the holder direct control over the transmission
of data.
If a unique personal identifier number is transmitted and
is used (1) to provide the ID holder access to more than
one application or service, (2) to record attendance of a
pupil at a public school, or (3) to access public transit
services, the issuing entity must implement one of
several protective measures.
This bill would exempt government IDs from the bill's
interim restrictions when the following circumstances are
present:
Actions were taken to establish an RFID ID system prior
to specified dates, including actual implementation,
public issuance of the government proposal for the
system, and execution of the contract for the system.
The ID was issued to an incarcerated person, a juvenile
detainee, a person housed in a mental health facility, a
criminal defendant subject to a court order, or a person
subject to court-ordered electronic monitoring.
The ID was issued to an employee at a jail, prison, or
juvenile facility, is not removed from the facility, and
specified requirements were met.
The ID was issued to a law enforcement officer or
emergency response personnel for use on active duty, and
specified requirements were met.
The ID was issued to a patient in specified medical
centers for a single episode of care, subject to
specified requirements.
The ID was issued to a person in the care of a skilled
nursing facility who was diagnosed with dementia or other
cognitive impairments, subject to specified requirements.
The ID was issued to a patient for emergency medical
care, as specified.
The ID was issued to facilitate secured access to a
public building or parking area, subject to specified
requirements.
The ID was a license, certificate, registration, or other
authority for engaging in a business or profession
regulated under the Business and Professions Code,
subject to specified requirements.
This bill would prohibit a government entity from
disclosing to a third party the "operational system keys"
to a mutual authentication system or other specified
systems that are designed to make transmitted data
unreadable and unusable by an unauthorized person, except
where the third party has a bona fide business relationship
with the government entity and the disclosure is necessary
to the operation, testing, or installation of the ID
system, or where emergency response personnel need the
disclosure to locate or identify a person in a disaster, as
specified. This bill would make it a misdemeanor crime to
disclose operational system keys in violation of these
terms.
This bill would prohibit a government entity or authorized
third party from disclosing any data or information
regarding the location of a person derived from the use of
radio waves, except in specified situations involving
"exigent circumstances," requests from law enforcement
personnel, or search warrants.
This bill would permit any interested person to institute
proceedings against a governmental entity for injunctive or
declaratory relief or a writ of mandate to prevent or stop
any violation of the restrictions of the bill, but only
after giving written notice of the asserted violation to
the government entity and allowing 30 days for the entity
to cure the violation and inform the plaintiff in writing
of its curative actions. This bill would permit a court to
assess reasonable attorney's fees and costs against a
government entity if the plaintiff prevails in the action.
This bill would specify that this civil enforcement
provision does not limit or supplant any other remedies
that may be available in law or equity.
This bill would require the California Research Bureau to
submit a report to the Legislature by June 30, 2008
relating to security and privacy for remotely readable
government IDs.
This bill would require its provisions to become
inoperative on December 31, 2013, or upon the legislative
enactment or promulgation of alternative statewide
regulations pertaining to the privacy and security of
remotely readable identification documents, whichever is
earlier.
COMMENT
1. Stated need for bill
According to the author, "SB 30 puts in place basic,
common sense safeguards to protect people's privacy and
security." The author maintains that SB 30's interim
RFID security requirements are necessary due to
demonstrated security and privacy threats, the lack of
current minimum safeguards, and spreading public concern
about RFID technology.
Specifically, the author states that "[t]he technology
and business communities, independent researchers, and
several government agencies all agree that using RFID in
government IDs with few or minimal protections poses
serious privacy and security threats." In support, the
author cites recent hacks of the encryption scheme for
RFID-enabled Dutch passports, the Exxon Mobil key fob,
VeriChip human RFID implant, California State Capitol
building access system and new RFID passports.
Furthermore, the author states that
[n]either existing statute nor current practices
require protections against the threats posed by
the inclusion of RFID in government-issued IDs,
such as a driver's license, a student ID or a
health card. To make matters worse, competing
RFID vendors have sometimes obfuscated risks and
sold products with little or no security in an
effort to sell the cheapest product. From local
elementary schools to state agencies impacting
millions of Californians, RFID is being included
in identification documents with no minimum
safeguards or standards in place
Accordingly, SB 30 would seek to impose interim minimum
standards for RFID-enabled government identification
documents. The author maintains that "[b]y requiring the
use of basic safeguards, SB 30 is essential to rebuilding
the public's trust in RFID technology and its use in
government-issued IDs."
2. Concerns raised by industry with respect to the
Governor's veto message
As noted above, last year's negotiations for SB 768
resulted in most parties withdrawing their opposition to
that bill. That opposition has now reemerged. The
High-Tech Trust Coalition, in current opposition,
states:
[w]e worked . . . in an attempt to address what
we viewed as the unintended negative consequences
of this legislation. However, at the end of the
year, the Governor vetoed the Identity
Information Protection Act, which [has been]
reintroduced as SB 30 . . . We are compelled to
agree [with the Governor's veto message.]
Specifically, the Governor's veto message stated:
SB 768 . . . is premature. The federal
government, under the REAL ID Act, has not yet
released new technology standards to improve the
security of government ID cards. SB 768 may
impose requirements in California that would
contradict the federal mandates soon to be
issued.
In addition, this bill may inhibit various state
agencies from procuring technology that could
enhance and streamline operations, reduce
expenses and improve customer service to the
public and may unnecessarily restrict state
agencies. In addition, I am concerned that the
bill's provisions are overbroad and may unduly
burden the numerous beneficial new applications
of contactless technology.
In response, the author disputes each of the Governor's
contentions, and in turn similar arguments raised by
industry.
a) Maturity of RFID technology
As stated above, the Governor's veto message contended
that the prior bill was premature. Similarly, the
High-Tech Trust Coalition, citing advances in
performance, security and privacy technology, contends
that "[a]s this industry continues to grow and mature
. . . it becomes more and more apparent that such
legislation is not called for."
In response, the author maintains that RFID, currently
found in numerous cards, documents and other items, is
"hardly an 'emerging' technology that needs to be
handled with kid gloves while markets develop."
Historically, RFID can be traced back to the Germans'
use of similar technology to identify friendly
aircraft during World War II. Over the years, the
technology dramatically evolved, leading to the
relatively low cost RFID tags available today.
According to the author,
[m]arket researchers expect 1.71 billion RFID
tags to be sold, with an aggregate value of $5
billion for the total RFID market, in 2007 . .
. These tags can, and have been, cloned,
skimmed and otherwise hacked to the detriment
of their owners.
Regarding the need for legislated minimum standards,
HID Global contends that SB 30 is "an example of a
solution searching for a problem, and . . .
perpetuate[s] unfounded criticism of RF-based
technology that has been proven safe and reliable for
more than 30 years." While most examples of
vulnerabilities have been demonstrated by researchers
in a laboratory setting, not discovered by law
enforcement, the author argues that the demonstrated
potential to hack current technology demonstrates that
"[w]e're already at risk."
For example, on October 23, 2006, the New York Times
reported that researchers were able to "skim"
information off of major credit cards. That article
reported that "tests on 20 cards from Visa, MasterCard
and American Express, the researchers here found that
the cardholder's name and other data was being
transmitted without encryption and in plain text."
Other examples cited by the author include weaknesses
in RFID-enabled key fobs and the VeriChip human RFID
implant.
Furthermore, the aforementioned report by the Data
Privacy & Integrity Advisory Committee noted that "the
use of RFID-enabled systems for human identification
may create a number of risks that are not found in
conventional identification processes." As a further
example of risks generated by RFID-identification
documents, the Daily Mail reported on March 4, 2007
that it was able to copy the details from a delivered
but unopened UK biometric passport. Using a device
built from parts purchased from the internet, the
passport's information was copied without opening the
delivery envelope, thus demonstrating one possible way
a recipient's information may be compromised without
their knowledge.
Although no RFID-security is foolproof, SB 30 would
attempt to minimize risks through the proposed interim
minimum requirements.
b) Draft regulations released for the Federal REAL ID
Act
The federal REAL ID Act of 2005 prohibits federal
agencies, as of May 11, 2008, from accepting state-issued
driver's licenses or identification cards unless
the requirements of the Act are met. For various
reasons, including potential state cost, it appears
questionable whether the REAL ID Act will proceed.
Currently, the Department of Homeland Security (DHS)
has granted states an extension for compliance until
December 31, 2009. To that end, the author states
that "[i]f the Act actually goes forward, it is
unlikely that federal regulators will restrict states
to a single technology, and less likely if it does,
that that technology will be RFID."
On March 1, 2007, the Department of Homeland Security
released draft rules on the implementation of the REAL
ID Act for public comment. Those draft regulations
did not propose any RFID-specific requirements, but
did request public comment "on how States would or
could incorporate a separate WHTI-compliant
technology, such as an RFID-enabled vicinity chip
technology, in addition to the REAL ID PDF417 barcode
requirement." Thus, the draft regulations support the
author's contention that RFID is "an unlikely
candidate as the sole technology for REAL ID."
c) Inhibition of state agencies
The Governor's veto message further argued that the
bill may inhibit state agencies from procuring
technology that would increase efficiency and customer
service.
In response, the author contends that "[s]tate
agencies already have to comply with security and
privacy protections for other technologies [and that
this] bill simply levels the playing field by applying
existing standards to the new use of an old
technology." Those privacy protections, contained
within the Information Practices Act of 1977, Civil
Code Section 1798 et seq., prevent agency disclosure
of "any personal information in a manner that would
link the information disclosed to the individual to
whom it pertains," subject to limited exceptions. By
instituting minimum RFID standards for state-issued
identification documents, SB 30 would not prohibit the
use of RFID, but instead implement standards that may
further protect an individual's information.
Moreover, SB 30 only would apply to state-issued
identification documents, the most sensitive of
documents issued by the state. The California
Federation of Teachers, in support, reiterates that
"[o]ther state-issued documents [would be] afforded
levels of protections commensurate with the
sensitivity of the information contained on the
computer chip and the vulnerability of the people
carrying the identity documents."
Opponents contend that state agencies should retain
flexibility to choose the appropriate RFID system to
match their needs. That flexibility provides the
state with discretion to choose the most secure, or in
the alternative, the cheapest RFID-enabled system.
Unlike other items, identification documents play an
essential day-to-day role in society. The Asian
Americans for Civil Rights & Equality (AACRE), in
support, argue that "Californians should not be
required to carry identity documents that allow their
personal information and locations to be read at a
distance without their knowledge." Accordingly, SB 30
would institute minimum standards for state-issued
identification documents in lieu of relying upon state
agencies and industry to dictate standards for those
items.
d) Concerns about SB 30 being overbroad, imposing an
undue burden on developing technology
Finally, the Governor expressed concern that SB 768
was "overbroad and may unduly burden the numerous
beneficial new applications of contactless
technology." Similarly, The High-Tech Trust Coalition
contends that the "end result of this legislation
would be to strongly discourage agencies from
utilizing this technology . . ." and HID Global states
that "[b]y imposing specified requirements . . . SB 30
will economically disadvantage California users of
RF-based systems and create a climate of uncertainty
for users of the technology going forward."
The author refutes the overly broad argument by noting
the multitude of uses of RFID which would not be
affected by this bill. These uses include supply
chain, document tracking, and other potentially
cost-saving uses of RFID. The author further
emphasizes that "[t]his bill applies only to the use
of RFID in human identification documents, and even
then, it simply applies existing privacy standards -
it doesn't outlaw the technology . . ." (emphasis in
original).
Although opponents argue that the implications of SB
30 reach beyond state-issued identification documents,
the bill itself attempts to provide narrow interim
protections for the most sensitive of those documents.
Furthermore, SB 30 states the intent to replace these
interim requirements with a state framework "in the
most timely and expeditious fashion possible following
the issuance of recommendations by the California
Research Bureau."
3. California Research Bureau would be required to submit
a report on security and privacy for government-issued,
remotely readable identification documents
The interim protections of SB 30 would only remain in
effect until December 31, 2013, or the legislative
enactment of alternate statewide regulations. In order
to facilitate the timely and expeditious formulation of
those regulations, the California Research Bureau would
be required to submit a report on security and privacy
for government-issued, remotely readable identification
documents. That report must be submitted to the
Legislature "within 270 days of receiving a request from
the Office of the President pro Tempore of the Senate or
the Office of the Speaker of the Assembly, or before June
30, 2008, whichever is earlier . . ." Since this bill
would presumably go into effect on January 1, 2008, less
than 270 days before June 30, 2008, it does not appear
that there would ever be a situation where either office
would be able to seek early issuance of the bureau's
report. This does not appear to be a problem, provided
that six months is sufficient time to generate the
report.
In preparing the report, the California Research Bureau
would be required to convene an advisory board composed
of the State Chief Information Officer, Chief of the
Office of Privacy Protection, and Attorney General or
their designees, along with numerous representatives from
state agencies, industry, and privacy groups. Along with
reviewing best practices, the bureau would be required
to:
[i]dentify, develop, and evaluate options for the
Legislature to
review and consider for action for a legislative
and regulatory
framework that would ensure the safety and
security of information contained on remotely
readable identification documents and the privacy
of the individuals to whom the documents are
issued.
Assuming the report is completed timely, it has the
potential to be acted upon late in the 2008 legislative
session. While the California Research Bureau is not
frequently required to formulate such reports on
technology to the Legislature, the advisory board would
provide the Bureau with the necessary expertise.
Furthermore, should concern arise, the author's office
appears to be flexible to any suggestions as to other
neutral state agencies that may have the capability of
completing the report.
4. Definitions, and exceptions to those definitions for
SB 30
As stated above, SB 30 imposes interim RFID-security
requirements for government-issued identification
documents. Those minimum requirements would vary
depending on whether personally identifiable information
or a unique personal identifier is transmitted. All of
those terms are defined in detail in proposed Civil Code
Section 1798.135.
Of specific interest, the definition of identification
document would exempt devices used for the limited
purpose of collecting toll funds for bridges or roads.
That exception would only apply if the device is not
exclusively used by an individual and does not transmit
or enable the remote reading of personally identifiable
information. Moreover, although FasTrak is specifically
mentioned as an example, that system would already be
excluded from the scope of this bill as it was
implemented prior to January 1, 2008. Although excluding
existing contactless identification systems from this
bill's interim standards may leave insecure systems in
operation, that exception prevents the state from
incurring the significant cost required to redo existing
systems.
5. Civil enforcement provision
To aid enforcement of this bill's provisions, SB 30 would
establish a private right of action for any interested
person to enforce the protections in the bill by seeking
injunctive or declaratory relief or a writ of mandate.
Given the recognized importance of privacy rights, and
the relatively intangible nature of those rights, an
enforcement provision that allows all interested persons
to bring an action appears appropriate.
From a public policy standpoint, it seems prudent to
allow enforcement by all interested persons, without a
showing of injury, because an enforcement action for
declaratory or injunctive relief, taken at an early stage
in a government entity's statutory violation, could help
to prevent a continued statutory violation that might
subject the entity to class action litigation for damages
once the action has actually resulted in a monetary
injury. For example, an enforcement action to prevent
practices that may expose a person's personal information
to identity theft could help encourage entities to stop
such practices before an identifiable instance of
identity theft causes people to suffer actual monetary
losses. The entity's potential monetary liability under
the bill's enforcement provision could be significantly
less than a later action for damages, since the
enforcement provision would only permit a prevailing
plaintiff to obtain injunctive or declaratory relief, and
potentially attorney's fees, and would not permit
recovery of damages.
The High-Tech Trust Coalition, in opposition, contends
that SB 30 "threatens those agencies with costly civil
litigation if they interpret the legislation
incorrectly." Although there may be differences in
opinion as to what SB 30 would require, this bill would
provide a government entity 30 days to fix an alleged
violation of this act. Under those terms, an entity
could avoid any monetary liability whatsoever if
enforcement is sought before any tangible losses are
suffered and the entity acts promptly to cure the
violation.
6. Remaining concerns
The opponents' remaining concerns include arguments over
other details of this bill, such as conforming
definitions to current technological practices, best
resolved through continued negotiations.
Support: AARP; Asian Americans for Civil Rights and
Equality (AACRE); California Applicants' Attorneys
Association (CAAA); California Commission on the
Status of Women; California Federation of Teachers;
California Labor Federation, AFL-CIO; California
State Employees Association (CSEA); Consumer
Federation of California; Consumers Union; Privacy
Activism
Opposition: HID Global; The High-Tech Trust Coalition
[consisting of 3M, AeA (American Electronics
Association), ActivIdentity, AIM Global, Alvaka
Networks, Aubrey Group, Inc., American Express,
California Business Properties Association,
California Chamber of Commerce, EDS, Elpac
Electronics, Inc., Grocery Manufacturers
Association, InCom Corp., Infineon Technologies
North America Corp., Information Technology
Association of America (ITAA), Matheson Tri-Gas,
MAXIMUS, Motorola, National Semiconductor, Natoma
Technologies, Inc., NXP, Oberthur Card Systems,
Oracle Corporation, Precision Dynamics, Retail
Industry Leaders Association, San Jose Silicon
Valley Chamber of Commerce, SAS, Secura Key, SIA
(Semiconductor Industry Association), Sonnett
Technologies, Inc., Texas Instruments, VEDC,
Inc., Zebra Technologies]
HISTORY
Source: Author; American Civil Liberties Union (ACLU);
Electronic Frontier Foundation; Privacy Rights
Clearinghouse
Related Pending Legislation: SB 28 (Simitian), would
prevent the DMV from
issuing an RFID-enabled driver's
license or identification card.
SB 29 (Simitian), would prevent the
use of RFID devices transmitting
personal information for the purpose
of tracking students or their
attendance.
SB 31 (Simitian), would criminalize
the unauthorized intentional reading,
or attempted reading of an
individual's personal identification
document.
SB 362 (Simitian), would prevent the
required implantation of an
identification device capable of
transmitting personally identifiable
information.
SB 388 (Corbett), would require
minimum disclosures from private
issuers of RFID-enabled items capable
of transmitting personally
identifiable information.
Prior Legislation: SB 682 (Simitian), as amended August
15, 2005, contains the
original Identity Information Protection Act
language that was amended into SB 768 on
September 2, 2005. This bill was gutted and
amended on August 7, 2006.
SB 768 (Simitian, 2006), would have imposed
minimum requirements on government-issued
identification documents, required a study by
the California Research Bureau and
criminalized the unauthorized intentional
skimming of a person's identification
document. This bill was vetoed by the
Governor.
AB 2561 (Torrico, 2005), would have mirrored
the California Research Bureau report
requirement in this bill. This bill was
gutted and amended on August 24, 2006.
SB 1834 (Bowen, 2004), failed passage in
Assembly B & P, would have prohibited the use
of RFID on library circulating materials to
collect, store, or share information that
could be used to identify a borrower, and
would have limited the use of RFID on other
consumer products to gather, store, use, or
share information that could be used to
identify an individual.