The European Union isn't the only entity that's growing concerned about the privacy implications of RFID tags. Two states that have substantial tech economies, Washington and California, have bills advancing through their state legislatures that would punish those that enable or engage in the surreptitious reading of personal information through RFID technology. There are very significant differences, however, between the focuses of the two pieces of legislation, raising the possibility that those who produce or market RFID equipment may wind up having to navigate a confusing patchwork of state regulations.

First up is California, which previously outlawed compulsory implantation of RFID devices as a condition of employment. There, the state senate recently passed a bill that focuses on the use of personal identification information stored in RFID tags that might simply be carried by citizens. Here, the bill covers a lot of ground, including student and employee IDs, insurance cards, library cards, and various government documents.

Anyone reading information from those devices without their owner's knowledge and consent will be liable for some combination of a year in jail and a $1,500 fine. Various law enforcement and medical personnel are explicitly exempted. Anyone else operating RFID equipment that accidentally reads the wrong tag is directed to destroy the data as soon as the mistake is recognized.

Washington's bill (PDF) has passed the House and been sent on to the Senate. It's far broader in scope, and essentially spells out a bill of rights for the RFID age.

It is the further intent of the legislature that all consumers have the following fundamental rights with respect to the sale or issuance of electronic communications devices:

(1) The right to receive notice prior to a person selling or issuing an electronic communication device;

(2) The right to expect that a person selling or issuing an electronic communication device will label the device in a clear and conspicuous manner;

(3) The right to expect that a person selling or issuing an electronic communication device will implement security measures to ensure that any personal information stored about their consumers is secure; and

(4) The right to seek private remedies if a person fails to comply with any of the principles outlined in subsections (1) through (3) of this section.

Should the bill be enacted, consumers would be notified whenever they receive any RFID-containing device, and the seller would be responsible for following best security practices. After the sale, scanning the devices would be permitted only following owner consent.

The bill backs up these rights with some serious financial teeth. Anyone guilty of breaking the law would be liable for $10,000 per violation, and judges are given the option of tripling damages if a pattern of abuse is in evidence. Fees for attorneys and other costs are also the responsibility of the losing side in these cases. About the only people who are in the clear are those who resell used electronics.

It's hard not to be enthused about the pro-privacy aspects of the legislation. Still, the fact that radically different visions of RFID are being contemplated in different states must be causing migraines within the electronics industry. After all, a device sold in Oregon, which doesn't appear to have laws governing RFID, may face completely different issues depending on whether it's moved north or south.