You’re Not Lost in the Supermarket. The Supermarket Knows Exactly Who and Where You Are.

I’m all lost in the supermarket
I can no longer shop happily

Facial recognition laws and regulations vary from jurisdiction to jurisdiction, and as organizations apply facial recognition, they can’t just assume that facial recognition laws are the same as other privacy laws.

Caution urged as UK supermarkets check out facial recognition

This is the point that UK professor Fraser Sampson makes in a Biometric Update article. Among other things, Sampson (former UK Biometrics & Surveillance Camera Commissioner) notes the following:

This is not just any data processing, this is biometric processing. Major retailers have deep and wide experience handling customer data at macro level, but biometrics are elementally different. Using a biometric recognition system in the UK means they are processing ‘special category data’ and biometric data differs even from other types of special categories. This brings a number of significant risks, obligations and restrictions, some technological, some legal, some societal. The opportunities for missteps are many and the consequences profound. An early decision for the supermarket would be whether they want to be the controller, joint controller or processor; an early mistake would be to think it doesn’t matter.

Data controllers and data processors

For those who don’t inhabit the world of GDPR, the UK GDPR, and other privacy laws, here is Data Grail’s definition of a data controller:

A data controller is a service provider or organization determining the purposes and means of processing personal data. In simpler terms, a data controller decides why and how personal data collection, storage, and use occurs. They have the ultimate responsibility of ensuring data processing activities comply with applicable privacy laws and regulations. Data controllers bear the legal obligations associated with data protection, including providing transparency, obtaining consent, and safeguarding the personal data of data subjects.

Contrast that with a data processor:

Data processors are entities or organizations that process personal data on behalf of data controllers. They act under the authority and instruction of data controllers and handle personal data for the specified purposes defined by the data controller. Data processors are contractually bound to ensure data security and confidentiality. They don’t have the same decision-making power as data controllers and must adhere to the instructions provided by the data controller.

If you’re a supermarket in the United Kingdom, and you’re collecting facial biometric (and other) data, do you want to be a data controller or a data processor? And how will you manage the privacy aspects of your data collection?

Enter the facial recognition vendor

And if you’re a vendor of facial recognition software selling to UK supermarkets, how will you advise them?

And…you should have known this was coming…how will you provide content for your prospects and customers that educates them on the nuances of facial recognition privacy regulations?

If you need help with your facial recognition product marketing, Bredemarket has an opening for a facial recognition client. I can offer:

  • compelling content creation
  • winning proposal development
  • actionable analysis

If Bredemarket can help your stretched staff, book a free meeting with me: https://bredemarket.com/cpa/


(All images from Imagen 3)