With more than 500,000 shoplifting offences recorded last year, the question is no longer whether businesses will adopt the technology, as many already have, but rather how to use it responsibly.
The difference between a system that protects staff and one that lands a retailer in difficulty isn’t just about the camera. It depends upon what happens next – whether an alert regarding an individual is accurate and, subsequently, whether it is treated as a verdict or as a prompt.
That distinction is everything. An alert that flags a known shoplifter can never be taken as conclusive evidence that a criminal is operating within the store. Although continuously improving, the technology is still quite capable of misidentifying people.
To allow an automated alert to trigger a confrontation, search or ejection is to allow technology to make a fully autonomous decision about a customer’s liberty and reputation – precisely what data protection law is designed to guard against.
Retailers should be asking hard questions of their providers: where does the database come from, who is on it and on what evidence? Someone accused is not someone convicted, and a system that cannot tell the difference is a liability.
Putting the right safeguards in place
The safeguards needed to use this technology well don’t have to be complicated. The first to ensure there is always a human in the loop to referee the alert. No decision about whether to approach, search or ask a shopper to leave should ever rest solely on notification. The technology informs, a trained person decides. How that interaction is handled is the difference between a defensible process and regulatory and reputational risk.
Proportionality matters too. Capturing the biometric template of every face entering a store is a serious intervention. Retailers must weight their commercial and safety interests against individual privacy rights, and ensure the response fits the risk. The calculation for a high-theft city-centre grocery store will likely be very different from that of a suburban shop with little evidence of crime.
Then comes transparency before entry. Prominent signage must make clear that biometric technology is in use before a customer crosses the threshold. The system’s watchlist itself needs the right legal basis.
Getting these foundations right is not just good housekeeping. Where safeguards fall short, individuals can bring claims for distress and damage under the UK GDPR. The regulator can also impose fines of up to £17.5m or 4% of global turnover, whichever is greater. And the reputational stakes are just as real –public trust, once lost, is hard to win back.
The strongest retail operators already grasp this. They treat facial recognition not just as a security gadget that runs itself, but a system demanding governance, training and human judgement.
There is no doubt the technology can be used well. Whether it is depends on the people controlling it.
Lauren Wills-Dixon is partner and head of privacy and data protection at Gordons
No comments yet