The First Time I Saw Your Face... I Saved it in a Database: Facial Recognition Technology for Retailers

Facial recognition technology, which instantly captures facial profiles, is quickly evolving as a valuable tool for retailers. Facial recognition can help protect a retailer against shoplifting, but it can also help it develop very personalized relationships with its customers. For example, Microsoft has created a billboard that uses the technology to identify individuals as they pass by in order to create ads personalized to their purchase history. 

Facial recognition technology has been around for years. It’s the same technology used by police departments and the military for crime prevention and by Facebook to identify and “tag” users’ uploaded photos. And now, facial recognition is rapidly making its way into the retail arena as a very versatile asset. Facial recognition technology uses cameras paired with software to instantly capture every point on an individual’s face and then compare that facial profile with a database composed of millions of profiles to determine a match. Matching the image taken by a camera to a database with millions of other profiles can allow a retailer to build a database of shoplifters and valuable customers, and closely track shopping and buying behaviors. 

While some research suggests that three out of every ten stores uses facial recognition software, over half of consumers are opposed to the idea. It remains a mystery though, which retailers are actually using the technology. In November, Walmart reported that after testing the technology, it wasn’t a good fit for the discount retailer. Nordstrom, Bloomingdales, and Neiman Marcus have all commented that they are not using it. 

While there are currently no federal privacy laws that expressly regulate commercial use of facial recognition technology, Texas and Illinois have passed laws against using the technology without first obtaining informed consent. The Illinois law requires companies to disclose when the technology is being used, why the information is being collected, and how long the company will keep the data. Companies then must receive a “written release” before actually collecting information via facial recognition. The Illinois law is already facing a very public challenge. A lawsuit filed in April alleges that Facebook violates the consent component of the law when it automatically stores the profiles obtained from users’ uploaded photos. The case has been transferred to the Northern District of California on a consolidated class action complaint, and Facebook has filed a motion to dismiss. 

While Facebook users voluntarily upload their photos of last weekend’s bachelorette party, parents entering a store with their young children likely do not intend to have their face or those of their children profiled. What’s more, the circumstances of each instance the technology is used may implicate different privacy concerns. For instance, the Children’s Online Privacy Protection Act requires website and online service operators to obtain verifiable parental consent before collecting personal information from children under 13, and the Fair Credit Reporting Act gives consumers certain rights to opt out of allowing their personal information to be shared for certain marketing purposes. While the Facebook case may help clarify just what kind of consent is required by the Illinois law, given the seemingly endless possibilities of the technology and the privacy implications of using it, it’s likely that other states will quickly follow in developing laws regulating the use of facial recognition technology.