Disney and RFID: What it Means for Privacy

Disney has always embraced cutting-edge technology, but in their theme parks, that technology tends to be behind the scenes. In the last decade, however, Disney’s Next Generation Experience, or “NextGen,” project has aimed to integrate technology overtly into the theme park experience by capitalizing on millennials’ use of smartphones to improve the park experience.

Users with a smartphones can download the My Disney Experience app, which can be used to book dining reservations, access the PhotoPass and FastPass+ systems, and view wait times at attractions around the park. FastPasses allow for users to plan ahead and wait in shorter lines for rides and attractions. The project’s keystone, though, is Disney’s MagicBand.


What’s a MagicBand?

A MagicBand is a radio-frequency operated wristband designed for maximum breathability, with ridges for air-flow, and a patented tear-off structure allows the wristband to be one-size fits all, even fitting small children. They’re made of thermal plastic polyurethane, which means they’re hypoallergenic, resilient, elastic, eco-friendly, and waterproof (which is important, considering the pools and water parks throughout the resort).

The MagicBand has several main functions, all performed by a tap of the wrist. The band acts as a hotel room key and park admission ticket, reducing park entrance time. If customers choose, they can link their credit card and/or Disney meal plan to the band, allowing guests to make cashless purchases without having to dig through their bag for their wallet. The spending feature can be eliminated or capped for children, and when a purchase over $20 is made, the user must also enter a pin number.

MagicBands use radio frequency identification, or RFID, technology. Inside the wristbands there are two passive RFID tags (a high frequency and an ultra high frequency) and an active transmitter. The passive RFID tags only work when they’re within a few inches of a receiver; that’s why you have to “tap” them against the receiver for them to work. The active transmitter can be read over further distances, using beacons throughout the resort. Because the active transmitter is constantly sending  signals to users in the park, Disney can use this data to get more accurate information on wait times for rides, as well as aggregate data about traffic flow and customer habits throughout the park. The MagicBand also allows the park to personalize the guest’s experience and make it more “magical”: cast members can address guests by name and acknowledge special events, like birthdays


Spending Money to Make Money

The MagicBand project was estimated to cost $800 million to $1 billion, to install in a single park: Walt Disney World. The major cost isn’t the bands themselves (passive RFID tags only cost a couples cents each, and active transmitters a few dollars), but the receivers, park alterations, and employee training. Beyond new merchandising opportunities related to the bands themselves, MagicBands earn back their value in other ways. Because of the convenient way to pay, customers tend to spend more. Some RFID wristband manufacturers report that when customers use cashless spending on wristbands, they spend 15-30% more than they otherwise would.

But increased spending isn’t the biggest plus for Disney; Disney also profits indirectly through data collection. The passive RFID tags show where and when guests eat and when and what merchandise guests purchase. The active transmitter allows Disney to track guests’ movement throughout the resort complex, meaning they can see what path you take through the park and what rides and attractions you visit. This information collectively tells Disney how you spent almost every minute of your day. The MagicBand’s custom color options and name personalization isn’t just for your benefit; this assures Disney that the data they’re collecting is pure (i.e. that a child is wearing her wristband, rather than her dad’s), allowing Disney to improve the user experience even further. They can use the data to better the theme park visitor flow, place food and merchandise in optimal locations, and dozens of other improvements.

Additionally, based on the preferences guest have demonstrated, Disney can send targeted advertisements. Some consumers are concerned about this method of advertising, especially when children are involved.  However, Disney has pledged not to target advertisements to children under the age of 13, and anyone has the ability to opt out of targeted advertisements. While targeted advertising may seem manipulative, people tend to forget that targeted advertising prevents the consumer from receiving information about things they aren’t interested in.


Concerns About RFID Technology

Besides targeted advertisements, some consumers are concerned with the location tracking aspect of the wristbands, but the wristbands do not contain GPS trackers, and the active transmitters only work when they’re within a certain distance of a beacon. According to Disney’s Privacy Policy, they collect two types of information: personal and anonymous. The anonymous information may sometimes be grouped together to form aggregate information for particular categories of guests, like men in their fifties or teenage girls. You actually have the ability to request the personal information that’s been collected about you, and that it be altered or deleted, but Disney will always collect aggregate data.

The idea of Disney’s MagicBands not only sparked concerns with consumers, but with Congress as well. As a result of a New York Times article about MagicBands, then-Representative Ed Markey penned a three-page letter to Bob Iger, Chairman and CEO of the Walt Disney Company, explaining his concerns about privacy and posing several questions regarding the new wristband. Markey, then serving as Co-Chairman of the Congressional Bipartisan Privacy Caucus, wrote “Although kids should have the chance to meet Mickey Mouse, this memorable meeting should not be manipulated through surreptitious use of a child’s personal information.” He claimed that, “Disney’s proposal could potentially have a harmful impact on our children” and  “[Magic Bands] could dramatically increase the personal data Disney can collect about its guests….” Iger responded in kind, saying in his own letter to Markey,  “We are offended by the ludicrous and utterly ill-informed assertion in your letter…” and “It is truly unfortunate and extremely disappointing that you chose to publicly attack us before taking the time to review our policies and/or contact us for information, which would have obviated the need for your letter. ” Iger made clear that, “MyMagic+ is a completely optional program that was designed with privacy controls from the outset.”

Many of the concerns over the use of RFID wristbands are over whether or not individuals outside the Disney corporation could get their hands on guests’ personal information, especially credit card data. The two main ways to obtain RFID data are through “skimming” or “eavesdropping.”  Skimming is when an individual uses an RFID reader or outside receiver to read an RFID chip. Eavesdropping is when someone reads the frequencies being emitted by the RFID device as the information is passed to a legitimate receiver. According to Disney, no personal information is stored on the band and any information transmitted is merely an ID number. Each person, and wristband, is assigned a numerical code, and the computer stores the information associated with that numerical code. So even if someone were to intercept a signal, they would just get an ID number. But even if personal information was being transmitted, this concern may be misplaced. Every time we go to a restaurant we hand our credit card to a waiter we’ve never met, who disappears with it for five to fifteen minutes. It would be significantly easier to copy the magnetic strip in that time than it would to intercept the MagicBands’ radio frequency signals.


RFID is Everywhere, for Better or for Worse

Even before MagicBands, RFID chips were already everywhere; in loyalty cards, metro cards, library books, school IDs, EZ-Pass devices, Speedpass devices, and even passports. Many such uses enhance our lives. RFID chips are already being used in large shipping centers to track merchandise. Disney originally used RFID tracking to keep tabs on costume equipment in their parks. RFID technology could help the travel industry track lost luggage. Convenient cashless payment (such as ApplePay or Google Wallet) could expand even further. Cashiers would no longer have to scan dozens of grocery items’ barcodes one-by-one; RFID could ring up the total all at once. You could track lost pets that had RFID implants. Human implants could store medical records of patients that may not be able to communicate that information, like Alzheimer’s patients.

Human implants can be a touchy subject in the RFID community. While they could have great medical benefits, some are concerned that we’ll all be required to get RFID implants in the future. While this may sound like a grand conspiracy theory, humans are already being implanted with RFID chips for non-medical reasons.  Video surveillance company, CityWatcher.com requested that employees be implanted with an RFID chip that would allow them to access secure areas. Two employees agreed to go under the knife to have a glass-encapsulated RFID chip, manufactured by VeriChip, implanted in the triceps area of their arm. Although CityWatcher insists the procedure is optional, it has caused some concern that this creates a new class of worker. Although they would be unable to fire someone who refused to get the implant, questions remain as to whether someone with the implant be promoted for showing “dedication,” “loyalty” or another intangible quality. RFID technology provides many benefits, but it has its downsides and could provide a slippery slope for invasions into our privacy.


What Does Disney Mean for RFID Technology?

Disney is not the first company to use RFID technology. It’s not even the first theme park to use RFID wristbands. Now defunct amusement park, Wannado City, starting using them in 2004, and Great Wolf Lodge water parks has been successfully integrating them into their customer experience since 2006. It wasn’t until Disney started utilizing RFID wristbands that public outcry emerged. But in both consumer studies and public opinion polls, Disney has consistently been high on the list of most-trusted brands. As Iger pointed out in his letter to Senator Markey, “…Disney’s record and commitment to children’s safety and security and the protection of their privacy is exemplary. People around the world trust Disney and its products. That trust is the cornerstone of our company, and we take it very seriously.”  So why are people concerned now, about a company that’s viewed as trustworthy? Steve Brown, chief operating officer for British line management company Lo-Q, suggests an answer: “When Disney makes a move, it moves the culture.”

Disney is so large, and so broad-reaching, that it has a serious impact on society. Senator Markey’s letter, for all its errors, voices concerns that we should all have on our mind. Maybe not concerns about Disney, but concerns about RFID technology and invasions of privacy in general. A consumer may not have any qualms about Disney observing them in their park; Disney could do it the old-fashioned way with security cameras and credit card receipts. Anyone truly concerned could choose not to go to the park. What society should be concerned about is how Disney’s MagicBands affect our view of all RFID technology. If consumers keep accepting small invasions on their privacy, they may become desensitized and eventually unknowingly accept malicious intrusions on their lives.

We already allow our personal information to be gathered, without even realizing it. Many phone apps are able to collect our personal data, like location, 24 hours a day, even though that information is completely unnecessary for the app to function. We’re already giving out much more information than MagicBands collect, without ever realizing it. The government also makes intrusions into our privacy: In 2011 alone, U.S. Law enforcement agencies made 1.5 million requests for information from cell phone companies, and wiretapping is still a common occurrence.



Amusement parks exist to do exactly what their name says: amuse us. If a guest decides to pay $119 for one day at Walt Disney World’s Magic Kingdom, they expect it to be a magical experience. The MagicBand can make a guest feel like they are getting their own, unique experience at the park, rather than the same as thousands there that day.

Most concerns about the new wristbands are unfounded, and can be addressed by looking at Disney’s Privacy Policy or examining how the technology works. Some people have legitimate concerns, such as the possibility for tracking, but a guest has to choose to go to Walt Disney World and choose to wear a MagicBand before any personal information is collected. But do we really have a choice on whether to carry a cell phone anymore? A cell phone collects significantly more information than an RFID transmitter. What about the devices we don’t even know contain RFID chips? Disney’s use of RFID drew much criticism, but their use of the technology is mostly benign. It’s the other uses of RFID which should concern us.


Comments are closed.