Carrying out data processing in accordance with the provisions of EU Reg. 2016/679 protects the owner even in contexts such as those of shops and large shopping centers, where CCTV cameras are also used for business intelligence and marketing purposes. We analyze the critical points and the main measures for protecting users.
With the introduction of artificial intelligence software, video surveillance in the retail sector has become a constantly growing phenomenon, not only to ensure the safety and protection of people in the event of any accidents but, above all, because it offers indisputable advantages from the point of view of marketing thanks to the possibility of analyzing patrons’ access and behavior.
Video Surveillance In Action
The first impact of video surveillance by the user who goes to a shopping center already occurs when accessing the car park, which is usually monitored; furthermore, parking areas increasingly integrate a license plate reading system so as to discriminate between the user who uses paid parking and the one who instead makes purchases (and therefore can take advantage of free parking by one of the commercial establishments present in the structure).
An exciting evolution of these systems also provides for the possibility of finding the car in the increasingly frequent case in which the customer loses the vehicle, as can happen in the presence of a multi-story car park with different accesses, where it is easy to lose the vehicle. ‘orientation. The video surveillance system, through the internal cameras, is able to monitor the movements of the car and identify the stall in which it was parked, associating it with the entry ticket. It, therefore, becomes easy for the owner to find his vehicle: go to the cash desk or one of the automatic teller machines and show the access coupon.
Furthermore, the surveillance system can also be used for heritage protection functions: a different configuration of the system software makes it possible to discriminate between behaviors considered normal (such as moving between cars on foot) and potentially risky ones (because they are indicative of an attack on property or people). Specifically, the software is able to distinguish the throwing of objects against a car, the falling of broken glass to the ground, the start of a fire with open flames or diffused smoke, the collision between two vehicles (one moving, the other standing still), the violent action in which one person pulls another or throws him to the ground, or the circumstance in which an individual raises his hands in the air in the event of a robbery.
The next step is, of course, to send an alert signal to the physical operators, who can intervene accordingly. Finally, by configuring the software appropriately, it is possible to indicate to the camera which areas (for example, those that cannot be accessed without authorization) must be considered at risk so that surveillance is alerted if any individual enters the perimeter protected. This is, for example, the case of an area closed to pedestrian passage because it is flooded, that of areas involved in works that prevent free use, or that of access doors to technical rooms or service corridors, which, despite having to remain open for safety reasons, must not be frequented by simple visitors but only by professionals.
Also Read: How Can Artificial Intelligence Change People’s Lives?
CCTV Inside Shops
After access to the commercial premises, so-called people counting comes into play, i.e., the mechanism that allows you to count the visitors who enter and exit, possibly also from individual shops, monitoring the daily influx to the commercial structure and the distribution of people between the individual exercises.
This is an activity that has no implications in terms of confidentiality because only access is considered for the user without the acquisition of other data; however, it is a moment not to be underestimated because it allows us to carry out an in-depth analysis of the flows, which, when also related to purchases, can be significant for understanding which shops attract the users’ interest the most and whether this interest then corresponds to a concrete sales activity.
The next element to take into consideration is the surveillance systems of the individual shops, which, in addition to carrying out the usual anti-shoplifting function, allow us to carry out – even only via metadata, without direct identification of the customer – an analysis of the type of user, assessing whether it is a man or a woman, whether the individual is tall or short, thin or fat, young or old, with or without hair and beard; it is also possible to identify characteristic traits such as the color of hair, eyes, skin, accessories, clothing (classic, sporty, casual) and the colors of clothes – with countless other parameters that allow defining actual classes of users to be used to guide marketing strategies, as well as to optimize offers and in-store experiences.
Using the Heatmap functionality of the cameras, it is also possible to monitor the environment to understand how customers move inside, in front of which shelves or products they spend the most time, and which shopping experiences they appear to like most. In order to study this data, commercial applications aimed at maximizing the store’s performance can also be reviewed, including personalized messages adapted to the type of customer identified and transmitted on the point-of-sale screens.
Advanced video surveillance systems with AI functionality can also be used to find lost children quickly; in fact, it is possible to trace the path followed by a subject by simply comparing the morphology of the interested party without the need to identify them as a natural person. The metadata, in fact, becomes a sort of “digital fingerprint,” from which a search is carried out using the videos stored in the DVR.
CCTV: What To Do To Protect User Privacy
Even in the retail sector, the processing of data carried out via video surveillance cameras must comply with the rules dictated by the EU Regulation 2016/679 currently in force so that the owner does not engage in activities that could give rise to prescriptions or sanctions in cases of control by the competent authority. Here are the primary obligations necessary to comply with the provisions of the regulation.
The first objective to be pursued is undoubtedly the absolute transparency of data processing towards interested parties. Outside the structure, therefore, warning signs must be clearly visible, which inform users of the presence of cameras and specify the personal details of the data controller and any Data Protection Officer, with reference to the extended information, preferably available online and via link or QR code; the document must describe in detail the treatments carried out using the cameras, the different types of use of the images, the functioning of the analysis software, the retention times of the footage, and the other elements indicated by Art. 13 of the GDPR.
The processing activities must be reported in the processing register, taking care to fully identify the subjects involved (authors, contact persons, managers) and to formalize the relevant appointments. At the same time, it is necessary to adequately evaluate the risks looming over the processing, acknowledging the security measures adopted to protect the data and any entrusting of the processing to third parties (which could lead to further precautions or redistribution of responsibility).
The risk analysis must take into account the location of the archives, the use of third-party software, the outsourcing of plant maintenance activities, and the issuing of credentials that do not allow the use of the entire database of the footage but only that of a limited sample, suitable for carrying out tests to evaluate the correct functioning of the equipment. Policies and procedures within the structures must take into account the particularity of the treatments carried out via cameras and, above all, the data resulting from the behavioral analysis activities.
The information collected, even if it is used for marketing strategies not focused on the individual user but on homogeneous classes of consumers, must, in any case, provide for the pseudonymization of the data as a security measure so that it is not possible to trace, starting from the group to the analysis of the behavior of the single individual. Of particular importance in the management of events is also the training of staff, which must include a specific professional refresher session for those employed in video surveillance and video control systems—not only to limit the risk of illicit use but, above all, to prevent a data breach from occurring in the execution of duties without adequate and timely countermeasures.
The Exception (Which Proves The Rule)
Face recognition deserves a separate discussion; it is currently not permitted in Italy, at least until the issue of a law that should regulate the matter or until the deadline of December 31, 2025 (unless extended). The preventive identification of criminals or subjects already known to the commercial structure for having created problems of any nature allows the creation of perimeters protected from crime of any kind. It can be used, with the consent of the interested parties, also for the provision of studied services for the type of customer based on their preferences and behavioral and purchasing habits.
Also Read: Artificial Intelligence: Discover How It Optimizes Industry Processes