Archive for February, 2004

H.B. 251, Utah House bill re RFID

Thursday, February 26th, 2004

H.B. 251 is a Utah House of Representatives bill re RFID privacy, the “Radio Frequency Identification – Right to Know Act”: http://www.le.state.ut.us/~2004/htmdoc/hbillhtm/hb0251.htm

As of 2/25/04, it had been passed in the House, and sent to the Senate for consideration.

Issues with SB 1834

Monday, February 23rd, 2004

California state Senator Bowen’s RFID bill (SB 1834) addresses some aspects of RFID, and omits others.

Among the issues:

“If a retail store uses an RFID system on a consumer product, the RFID tag shall be detached or destroyed before a consumer leaves the store” seems to provide no latitude for choice. It would preclude any post-purchase persistence of RFID, even pseudonymized tags, customer-elected recodings, or secured tags (e.g., password-protected tags that could only be interrogated by the retailer, for returns, etc.).

The bill contains nothing addressing RFID tagging per se. If I’m not using RFID systems in my store, I have no responsibility for any of the products I sell which might bear RFIDs. This is the “leaky retailer” problem, where lots of tags can get loose, as no one is responsible for their being removed/disabled. (Of course, it’s not particularly fair to require Mom-n-PopCo. to assume an “unfunded mandate” of dealing with manufacturers’ tagged products, either.)

One seemingly significant omission: notice. One would expect to see a requirement that stores that do employ RFID systems inform the public of that fact; one might also suggest that stores that sell products that may be RFID-tagged, and whose tags they can’t/won’t detach or destroy, provide notice as well.

There are some knotty problems of inference left untouched here as well. For example, “Collecting information through an RFID system that is aggregate in nature and that does not personally identify an individual is not a violation of this chapter” means that I could use RFID to compile an exhaustive record of tag comings & goings that might be of use to some other party… I could, say, record all the RFID tags entering/exiting a hundred monitored points in my mall/office building/business district, then sell the resulting data set to an out-of-state data aggregator which could cross-reference tags seen with other known information. So I’ve got 200 instantiations of Tag #123456 with dates/times/places; BigSibling Corp., it turns out, happens to know that Tag #123456 corresponds to Jane Q. Public’s attache case, and pays me handsomely for the raw transactional data I provide.

SB 1834, California Senate bill re RFID

Monday, February 23rd, 2004

California state Senator Bowen has introduced a bill regarding RFID and privacy: http://www.leginfo.ca.gov/pub/bill/sen/sb_1801-1850/sb_1834_bill_20040220_introduced.pdf

From the legislative analysis:

“This bill would require a person or entity that uses radio frequency identification (RFID) systems to comply with certain conditions, including obtaining an individual’s written consent before attaching or storing personally identifiable information with data collected via an RFID tag or before any personally identifiable information collected via an RFID system is shared with a third party. The bill would make a violation of the bill an act of unfair competition that is subject to specified enforcement provisions, including actions brought by the Attorney General or a district attorney or city attorney.”

John Birch Society & RFID

Monday, February 16th, 2004

The New Orleans chapter of the John Birch Society is concerned about RFID, presumably because of how it might enable supranational government authority:
http://www.nolajbs.net/news/rfid.shtml

And, of course, the KKK will want to ensure that tags on linens are disabled at point of sale! :-)

“The ROI of Privacy Invasion”

Sunday, February 15th, 2004

In an article called “The ROI of Privacy Invasion,” the Association for Automatic Identification and Mobility looks to argue that it would just be too expensive for governments to surveil via RFID:

“That’s right, $3.5 billion dollars just to put readers at all mall and shopping center entrances. And that does not include the cost of networks, computers, huge (really, really huge) databases, wireless network hardware, satellite communications, installation and programming costs.

“Of course, ‘they’ would want to wire all the airports, rail and bus terminals, government offices, Post Offices, libraries, schools, recreation centers, parks, playgrounds, liberal/radical bookstores, bars, liquor stores, places that sell pornography, churches/mosques/temples…the list goes on…and on…and on.

“In short, the cost to create the national spy network (with all associated costs) could be a number not even Carl Sagan could pronounce but, just to throw a number out there, could be well over 1 trillion dollars ($1,000,000,000,000).”

But I think that’s a pretty flimsy straw man. What government might also do is simply to leverage the work of the private sector, with either or both of carrots and sticks. For example, one might compel “critical infrastructure” facilities (airports, power facilities, etc.) to establish RFID sensors, incent others (e.g., offering banks additional services in “vetting” prospective customers, or alerts against impending robberies, if they agree to tie in RFID sensors to some sort of “Financial Security Network”), and use the power of the warrant or subpoena (or just the implication… “We’ll get what we want, eventually…why cause trouble?”) to collect records, a la the collection of dive shop registrations post-9/11, and Las Vegas hotel records this last holiday season.

Garfinkel on RFID Concerns

Friday, February 6th, 2004

Simson Garfinkel writes on concerns over RFID and privacy in The Nation.

The article is discussed on Slashdot.