Informed consent key to compliant retail facial recognition deployments
While it becomes increasingly popular for retailers to implement facial recognition technology for anti-theft purposes, one case in Spain has seen complaints for lack of adherence to European GDPR regulations, while a U.S.-based poll reiterates these concerns via a public opinion poll.
In July of 2020 two complaints were filed at The Spanish Data Protection Agency (AEPD) against Spanish supermarket chain Mercadona for the use of face biometrics systems in forty stores, without getting the informed consent of all customers, which is where it fell afoul of the law, says Veridas in a legal analysis.
The systems, part of a pilot project, used a 1:N system which uses biometric data aimed at identifying a specific person from among several (one-to-many, or 1:N). Mercadona was issued a fine by AEPD, which argued that the usage of such biometric systems and the processing of personal data ultimately affected those who the system was used on.
This conclusion was drawn even though the AEPD authorizes both biometric identification and biometric verification, provided that the measures required by the GDPR are met. In this instance the systems in question came under a particular category of data processing subject to the guarantees outlined in Article 9 of the GDPR which prohibits the processing of data based on facial recognition for identification purposes.
In a Data Protection Impact Assessment (DPA) of its implementation of facial recognition with the dasGate access control system, Veridas concluded that it is imperative to ensure that because it is confined to a small capture area and adequately marked, all persons whose data could be subject to processing are aware of it. People can move around the site without having their biometric data processed, and are only identified should they stand in front of the terminal, which makes dasGate not a remote biometric identification system, Veridas argues.
The company also points out the dasGate operates in 1:1 mode, as well as 1:N mode.
The implementation in the Mercadona case, Veridas concludes, is not similar to dasGate deployments, which the company says can meet the legal requirements enforced by the AEPD.
The use of facial recognition and verification techniques in retail stores in the U.S. is facing stiff opposition from advocacy groups for being too invasive of people’s privacy.
Insight platform Piplsay polled 31,184 people across the U.S. on August 8 and 9, 2021, to understand people’s views on the uses of facial recognition technology in public spaces.
Some major U.S. retailers like Macys and Lowes have been using facial recognition to help to better detect organized retail theft and repeat offenders. Forty percent of people surveyed were unaware of this fact and while 42 percent of people said they did not mind this, 38 percent did not support the use of the technology.
Many stores do not openly disclose the use of the technology therefore the public are not aware of the data which is being processed and how. Similarly, in Canada during June, several licensed liquor and cannabis retailers were found to have been collecting individual biometric data without adequate privacy management programs or documented privacy policies despite obligations under British Columbia’s private sector Personal Information Protection Act (PIPA).
Reflected in the survey, 68 percent of people said stores using facial recognition should inform people beforehand and 65 percent agreed that people should be given the option to opt out. Though it was found that opinions on the biggest advantage of facial recognition technology usage is fraud and threat detection (38 percent), others said it would result in faster checkout and less waiting time (16 percent).
Overall, according to the responses in Piplsay’s survey, it seems people are less bothered by the technology when they are warned of it in advance.