Some privacy laws require businesses to create data retention policies, but figuring out the maximum amount of time you can hold on to data can be complicated.
In an era that is defined by the widespread availability of astounding technology, new tech can be a double-edged sword for businesses. It offers incredible benefits and quick implementation, but can also introduce unforeseen complications like privacy compliance. Such may be the case for many retail businesses that have installed facial recognition software in their physical store locations.
The idea is simple: Use live facial recognition software to improve store security. Surveillance cameras capture an image of every customer’s face, the software then scans the faces and sends the biometric data to a cloud server where it is checked against a database of known offenders (people who have been caught shoplifting in the past, for example). If there is a match, security staff receive an alert so they can keep a closer eye on the person.
The advantages of this technology are clear. Theft is a major problem for retailers, the costs of which ultimately get passed on to consumers. Preventing shoplifting would therefore seem to be a win-win situation.
But what about privacy laws? Is this allowed?
There are glaring privacy concerns presented by the idea of automatically scanning every customer’s face and sending that data to an outside vendor for analysis. Under most privacy laws, the processing of biometric data is of particular concern and subject to enhanced protections. These protections will differ from jurisdiction to jurisdiction.
Europe's General Data Protection Regulation (GDPR) identifies biometric data processed for the purpose of uniquely identifying a person as a “special category” of personal data. Special categories of data may only be processed if certain conditions are met, such as if the processing is necessary and proportionate for reasons of substantial public interest. At least in the UK, the Information Commissioner’s Office has issued an opinion that live facial recognition software is allowable under the GDPR, provided that adequate safeguards are in place.
In the United States, the question is more complicated due to the state-by-state analysis required.
For example, Illinois’ Biometric Information Privacy Act (BIPA) requires private entities to obtain written consent in most cases before collecting or disclosing biometric identifiers. This law also grants consumers a private right of action, meaning a business may be sued over a violation.
The California Consumer Privacy Act (CCPA) includes biometric data as a category of “sensitive personal information.” This classification triggers additional disclosure requirements and possibly the consumer’s right to limit the use and disclosure of their sensitive personal information.
In most other states with comprehensive privacy laws, biometric data is classified as sensitive data, which means businesses must obtain consumer consent before processing it. However, these laws typically also contain a broad exception stating that they do not restrict businesses’ ability to “prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity.”
This exception would appear to cover the use of biometric data for security and anti-shoplifting purposes, assuming the business does not use it for any other purposes. On the other hand, the Connecticut Attorney General released a report on privacy enforcement which throws doubt on that conclusion. They sent a cure notice to a local grocery store “regarding the store’s use of biometric software for purposes of preventing and/or detecting shoplifting.” We don’t know the outcome of that case, but its inclusion in the report indicates that the state may consider the use of this technology to be a privacy violation.
There is no single rule that retailers can follow to safely implement facial recognition software in their stores. Laws will vary from state to state, and there is still much uncertainty as to what these rules actually mean and how they will be enforced.
What is clear is that live facial recognition presents at least some level of privacy compliance risk in many jurisdictions. Any business that is considering using one of these systems should look carefully at local laws and determine whether it is allowed before moving forward.
In the event that such facial scans can only be performed with prior consent from consumers, that would effectively make the technology unlawful. There is no practical way to obtain and track affirmative consent from every consumer who enters a store. Further, such consent may not even be considered valid if it is being forced on the consumer.
Disclaimer: This content is provided for general informational purposes only and does not constitute legal or other professional advice. Without limiting the foregoing, the content may not reflect recent developments in the law, may not be complete, and may not be accurate or relevant in an applicable jurisdiction. This content is not a substitute for obtaining legal advice from a qualified licensed attorney in the applicable jurisdiction. The content is general in nature and may not pertain to specific circumstances, so it should not be used to act or refrain from acting based on it without first obtaining advice from professional counsel qualified in the applicable subject matter and jurisdictions.
Get monthly updates on the latest updates on policy & the shifting privacy landscape.
Dive into a world of knowledge, trends, and industry updates on the TrueVault blog.