Facial Recognition in Retail: Can It Be Privacy Compliant?
In an era that is defined by the widespread availability of astounding technology, new tech can be a double-edged sword for businesses. It offers incredible benefits and quick implementation, but can also introduce unforeseen complications like privacy compliance. Such may be the case for many retail businesses that have installed facial recognition software in their physical store locations.
The Tech
The idea is simple: Use live facial recognition software to improve store security. Surveillance cameras capture an image of every customer’s face, the software then scans the faces and sends the biometric data to a cloud server where it is checked against a database of known offenders (people who have been caught shoplifting in the past, for example). If there is a match, security staff receive an alert so they can keep a closer eye on the person.
The advantages of this technology are clear. Theft is a major problem for retailers, the costs of which ultimately get passed on to consumers. Preventing shoplifting would therefore seem to be a win-win situation.
But what about privacy laws? Is this allowed?
The Rule(s)
There are glaring privacy concerns presented by the idea of automatically scanning every customer’s face and sending that data to an outside vendor for analysis. Under most privacy laws, the processing of biometric data is of particular concern and subject to enhanced protections. These protections will differ from jurisdiction to jurisdiction.
GDPR
Europe's General Data Protection Regulation (GDPR) identifies biometric data processed for the purpose of uniquely identifying a person as a “special category” of personal data. Special categories of data may only be processed if certain conditions are met, such as if the processing is necessary and proportionate for reasons of substantial public interest. At least in the UK, the Information Commissioner’s Office has issued an opinion that live facial recognition software is allowable under the GDPR, provided that adequate safeguards are in place.
U.S. Privacy Laws
In the United States, the question is more complicated due to the state-by-state analysis required.
For example, Illinois’ Biometric Information Privacy Act (BIPA) requires private entities to obtain written consent in most cases before collecting or disclosing biometric identifiers. This law also grants consumers a private right of action, meaning a business may be sued over a violation.
The California Consumer Privacy Act (CCPA) includes biometric data as a category of “sensitive personal information.” This classification triggers additional disclosure requirements and possibly the consumer’s right to limit the use and disclosure of their sensitive personal information.
In most other states with comprehensive privacy laws, biometric data is classified as sensitive data, which means businesses must obtain consumer consent before processing it. However, these laws typically also contain a broad exception stating that they do not restrict businesses’ ability to “prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity.”
This exception would appear to cover the use of biometric data for security and anti-shoplifting purposes, assuming the business does not use it for any other purposes. On the other hand, the Connecticut Attorney General released a report on privacy enforcement which throws doubt on that conclusion. They sent a cure notice to a local grocery store “regarding the store’s use of biometric software for purposes of preventing and/or detecting shoplifting.” We don’t know the outcome of that case, but its inclusion in the report indicates that the state may consider the use of this technology to be a privacy violation.
The Reality
There is no single rule that retailers can follow to safely implement facial recognition software in their stores. Laws will vary from state to state, and there is still much uncertainty as to what these rules actually mean and how they will be enforced.
What is clear is that live facial recognition presents at least some level of privacy compliance risk in many jurisdictions. Any business that is considering using one of these systems should look carefully at local laws and determine whether it is allowed before moving forward.
In the event that such facial scans can only be performed with prior consent from consumers, that would effectively make the technology unlawful. There is no practical way to obtain and track affirmative consent from every consumer who enters a store. Further, such consent may not even be considered valid if it is being forced on the consumer.
Privacy Compliance Made Simple
TrueVault US helps businesses of all sizes get compliant with privacy laws from across the country with one streamlined platform. Designed by attorneys, TrueVault US is a software solution that guides you at every step of the way, from onboarding vendors to responding to consumer privacy requests.
To learn more about how TrueVault US can help your business, contact our team today.
Disclaimer: This content is provided for general informational purposes only and does not constitute legal advice. This content is not a substitute for obtaining legal advice from a licensed attorney. The information on this page may be changed without notice and is not guaranteed to be complete, correct or up-to-date, and may not reflect the most current legal developments.
- ON THIS PAGE
- The Tech
- The Rules
- The Reality
- Simplified Privacy Compliance
Get compliant today
Our attorney-designed software will step-by-step guide you through the compliance process from start to finish.
Request a Demo