The law that took effect January 1 says businesses must “inform” consumers that they are collecting personal information “at or before the point of collection.” The attorney general’s draft regulations, due to be finalized in time for enforcement to begin in July, suggests physical premises distribute paper notices or display “prominent signage” with a web link.
B8ta declined to explain how it reasoned that knee-high notices might inform customers or count as “prominent.” The company’s stores, which resemble Apple stores, feature quirky consumer gadgets such as an e-ink typewriter alongside products from names like Asus and Google. The retailer’s pitch to lure new partners cites its stores’ ability to provide live data on how customers engage or linger near products on display.
Other companies collecting data from customers in stores have taken different approaches to disclosure.
One patron of Brazilian steakhouse Fogo De Chão received a printed CCPA notice when he visited the chain’s San Francisco restaurant in early January. It informed him that the company collects personal information during purchases and reservations, uses security cameras, and mentions the restaurant’s guest Wi-Fi. That, too, according to the company’s updated online policy, collects personal information.
When department store Macy’s updated its privacy policy to comply with CCPA, it added a surprising disclosure—facial recognition may be used on customers for “security and fraud detection purposes.” The company also said that it uses Wi-Fi routers to track where shoppers linger and beacons that “map nearby Bluetooth-enabled devices, much in the same way radar works,” and sells consumer data, including device and network information.
Inside the Macy’s store in San Francisco’s Union Square this week, the cameras—potentially using facial recognition—were obvious, but no privacy notices were visible, even at knee level. The company did not respond to multiple requests for comment.
California’s new privacy regime could help reveal how use of facial recognition is spreading in stores and other semipublic places as the technology becomes more accessible. Lowe’s says it previously tested the technology in three stores, but ultimately decided not to use it.
Keep Reading
Peter Trepp, CEO of facial recognition provider FaceFirst, declined to say whether he is telling retail customers to post notices in California informing shoppers their faces might be analyzed. The company claims to work with airports, sports teams, and Fortune 500 retailers, who use the software to alert staff when shoplifters known to a store return.
“It’s still a new law and hasn’t really been tested yet,” Trepp says of CCPA. The company or its customers already post notices in places where local laws require it, he says, but declines to specify them. “We err on the side of providing notification if we need to,” Trepp says.
