“Male – Young Adult – Attention Time 896 – Smile – Glasses” read the seemingly innocuous words of a crashed digital billboard in a takeaway pizza restaurant in Oslo.
Out of curiosity, Jeff Newman looked at little closer at the board, realising as he did that these words were in fact describing him as he glanced at what would have been an advertisement for Pepe’s Pizza.
Newman recounted his story on Reddit, a post that subsequently went viral and was picked up by a handful of media outlets, including The Sun.
Unbeknownst to Newman, this was likely not the first time his information had been collected by facial recognition software while out shopping.
Facial recognition software has already been adopted by retailers across the UK, and is set to become ever more common as the technology becomes more advanced and more affordable.
Axis Communications’ retail business development manager Andy Martin said the types of software available was growing becoming more advanced.
“To capture faces randomly in open places with cameras until very recently was more difficult,” he told the Retail Gazette shortly after returning from an event on the new technology.
Retailers now hold and exercise the ability to recognise your face (whether you are smiling or frowning), your age and gender, and perhaps most importantly whether you have been in store before.
Records of your face can be stored and shared to third party companies who process the data and produce shopper insights – gold dust to large retailers.
“If they have not informed customers, then the use of CCTV is likely to be unlawful”
“With this there are some extremely positive volunteering ways of doing it,” Martin added.
“There are other ways of course that are more of a concern where without you preventing yourself being recognised, a CCTV camera can recognise you anywhere.
“The big concern is how that data is used.”
Currently it is being used in three key areas.
The first is the voluntary side, where for instance someone with a gambling problem can sign himself up be “blacklisted” and disallowed into betting shops. This can also work with voluntary “whitelisting” where a frequenter to a local luxury store can have their favorite coffee made as soon as they enter.
Ethical concerns arise on the nonvoluntary side. Blacklisting known shoplifters is an invaluable attribute, but retailers now have the potential to recognise big spenders and send assistants to ensure they’re treated above and beyond the average browser.
The third is what’s referred to as profiling, where retailers will establish your name, gender and age based on your facial features. Although your data is retained, it is anoymised. Your name is not important to the retailer, just your information.
“Unless you actually enroll and give it your name, it will only recognise you as a series of numbers and nothing that could be easily deciphered,” Martin said.
“There’s definitely some protection around that.”
Despite the anonymity argument, retaining your personal data without your consent raises some legal concerns. If you have not given consent, you must be informed you are being filmed.
“If they have not informed customers, then the use of CCTV is likely to be unlawful,” said Alisaon Deighton, a partner at UK law firm TLT.
According to the Information Commissioner’s Office (ICO), the recommended way to do this is by “using prominently placed signs at the entrance to the surveillance system’s zone and reinforcing this with further signs inside the area”.
Deighton adds: “There must be a legal condition to justify the processing. The only legal conditions that could potentially apply are consent or legitimate interests.
“There is no legal definition of what constitutes ‘legitimate interests’. It tends to be construed widely and will include any legitimate business purpose, such as marketing or profiling of customers to seek to target adverts or offers to increase sales.”
“One of the concerns at the moment is there isn’t a central repository for managing the information”
In short, current legislation allows your personal data, including facial features, to be kept on record, without your consent, for the sole purpose of boosting retail sales.
Retention of personal data, beyond the initial ethical concerns, becomes dangerous when it is made unsecure. Data breaches involving the loss or leaking of client information hit 38 in the year to March, up from 19 a year prior.
The issue is that the technology is progressing quicker than legislation can keep up. Not only are new technologies allowing more in-depth insights being rolled out as fast as budgets will allow, but new methods of mining the existing data are being introduced daily.
According to Martin, managing this information is a major focus in the industry.
“One of the concerns at the moment is there isn’t a central repository for managing the information,” he said.
“The key to this is to get some better industry standards that are driven and accepted by law enforcement.”
Next year new legislation in the form of the new General Data Protection Regulation (GDPR) will be enforced.
Although a “fair well established” set of guidelines already exists, GDPR will see those guidelines become enforceable by law. This will also see punishments for misdemeanours become severe.
For context, according to an insider source, Tesco Bank’s recent data breach would have seen them cop a fine of four per cent of turnover, estimated to be worth around £2 billion.
Ahead of this, companies are being understandably cautious. Although the legal responsibility will fall on the retailer, third party firms who process the data are ensuring a dialogue is kept between law enforcement and relevant organisations like the Biometrics Commission.
Martin said his company was pushing for this dialogue so that they could “ensure not only that we meet the guidelines of the GDPR, which largely focuses on ensuring data is anonymised, but also to make sure the security industry as a whole starts to create best practice and a secure framework for data to be stored and used for the public good”.
Retailers are likely to be hard hit by the new legislation, which will require them to justify the use of CCTV for marketing purposes against privacy law.
“In some respects, the information gathered is no different than what would be gained from a researcher standing at the door”
According to Deighton, the new law requires data protection impact assessments to be carried out for “risky” processing in order to identify the privacy risks and how they can be mitigated.
“Use of CCTV for profiling and marketing purposes is highly likely to fall within the category of processing that requires an assessment,” she told Retail Gazette.
“In addition, the new law requires retailers to embed privacy by design and by default into their operations.”
There is an argument to be made in favour of facial recognition technology. In some respects, the information gathered is no different than what would be gained from a researcher standing at the door – it is simply capable of producing more data more efficiently. Also in terms of crime prevention, the benefits are clear.
The trouble lies in seeking to balance the scales between privacy and the usefulness of data. The UK is one of the most watched countries on Earth, but this also means that we hold the potential to lead the way in terms of the way it is used.
Within the retail world, the average shopper may be shocked to learn that they are personally recognised by cameras when they enter a store. Yet if this technology was used to find and prosecute someone who robbed them in store, they may feel very differently.
“It’s going to be a really fine line,” Martin surmised.
“I think facial recognition technology in terms of autoenrollment could only be justified in the interests of security, safety and crime reduction. I think the shopper insight argument around facial recognition is entirely different.”