Facial Recognition – well hello there Mr Customer…!

It was recently reported that supermarket giant, Tesco, is launching face scanning technology at petrol stations in order to show customers more targeted advertisements while they wait at the till (OptimEyes).

Tesco has teamed up with UK technology group, Amscreen (a company run by Lord’s Sugar’s son Simon Sugar), to launch “OptimEyes screen“, across its 450 petrol stations, in a reported five year deal. The technology uses a camera to work out a customer’s gender and age by scanning their face. This is the latest move in the retail sector to find new data sources of customers to “mine”. However does face scanning comply with data privacy laws?

Simon Sugar was reported, in “The Grocer“, as saying that the “technology does not invade privacy as it doesn’t store images or recognise people, it just works out gender and sorts customers into one of three age brackets“. But the scanning of a customer’s face and determining their age and gender for targeted advertising, is likely to amount  to the processing of personal data and will therefore be caught under the Data Protection Act 1998 (DPA).

To determine whether this activity is lawful, we need to consider whether it complies with the eight data protection principles which underpin the DPA. Under the First Data Protection Principle, personal data must be processed “fairly and lawfully“. In order to fulfil this principle, an organisation must satisfy the processing conditions as well as providing a “fair processing notice” to the data subject. One of these conditions is that the customer has given consent. However, it is difficult to see how a valid consent can be collected from customers standing in petrol stations. Equally, it is doubtful that this is necessary for a retailer’s “legitimate interests” (an alternative condition for processing).

But what about the duty to provide a “fair processing notice”?  It could be challenging to notify customers of the fact that their images may be captured for these purposes in a way which is legally compliant and doesn’t “scare the horses”. We are used to seeing CCTV warning notices on premises but how would customers react to a “face scanning warning”?

In addition, if the scanners where to be used to process “sensitive personal data” (such as ethnicity), the customer’s explicit consent will also be required.  At present, the reports indicate that only a customer’s age and gender will be determined by the scanners so this is outside the scope of sensitive personal data.

It is not hard to imagine that the data collected by the scanners could, in the near future, be combined with in-store purchases made by a customer and produce even further targeted advertisements to a customer when waiting in a queue or walking down a supermarket aisle. Or imagine a system that recognises you when you enter a shop and reminds you what you need to buy! This technology seems to be a step in that direction and retailers using/contemplating using such technology should, from the outset, consider the data privacy impact. Retailers will also need to monitor the new Data Protection Regulation (currently in draft and now due for implementation in 2015), to determine whether more stringent requirements need to be satisfied, in order for their use of technology, to be lawful.

Thank you to Danielle van der Merwe who assisted in writing this post.

Subscribe and stay updated
Receive our latest blog posts by email.
Nick Graham

About Nick Graham

Nick Graham is the Global Co-Chair of Dentons' Privacy and Cybersecurity Group. He specialises in data privacy, cybersecurity, information governance. Nick advises across all sectors including retail, telecoms, energy, manufacturing, banking, insurance, transport, technology and digital media.

Full bio