The scope of this Recommendation covers the following objectives including threats and requirements for protection of personally identifiable information (PII) in applications using tag-based identification as described below:

– To describe PII threats in a business-to-customer (B2C)-based environment of applications using tag-based identification;
– To identify requirements for PII protection in a B2C-based environment of applications using tag-based identification.

The following objectives are not covered by the scope of this Recommendation:

– to analyse the general security threats and requirements of applications using tag-based identification;
– to analyse the PII threats and requirements between an identification (ID) tag and an ID terminal;
– to analyse the PII threats and requirements depending on the specific ID tagging and reading method, e.g., radio frequency identification (RFID) tag and ID terminal;
– to define and develop the message formats and mechanism for protection of PII based on the user PII policy profile of an application using tag-based identification.

NOTE 1 – Further work will be necessary to define such formats, which may not be restricted to the sole protection of PII of tag-based identification use, but perhaps with a more general (privacy) approach.

In this Recommendation, the ID tag user has the capability for controlling the ID tag itself, and therefore it is assumed that the ID tag user is responsible for the behaviour of the ID tag.

NOTE 2 – In some cases, the ID tag user cannot have any capability for controlling the ID tag. For example, someone buys a tagged product and the manufacturer requires the ID tag to remain active for warranty purposes. In this scenario, the ID tag user may be just a person carrying and using the tagged product. Hence, this Recommendation cannot be applied to solve the above problem for this case. This scenario involves some legislation and policy issues (see [b-OECD]) and this issue can be addressed in another Recommendation.