Out-Law / Your Daily Need-To-Know

Video use guide can help retailers with targeted advertising

Out-Law News | 05 Feb 2020 | 9:16 am | 2 min. read

New guidance has been issued which can help high-street retailers personalise in-store promotions based on customer data collected by video in a way which complies with the General Data Protection Regulation (GDPR).

The finalised guidelines on processing of personal data through video devices were adopted last week by the European Data Protection Board (EDPB).

Much of the guidance is focused on how organisations might use video surveillance systems to protect their property from incidents such as burglary or vandalism. However, it also sets out how video systems can be used in the context of targeted advertising.

The guidelines are very practical and provide clarity on relevant topics related to the processing of images, for example, on which images shall be considered biometric data. 

According to the guidance, while video footage of an individual will be classed as personal data, and therefore subject to data protection laws, such footage of itself will not constitute biometric data to which more stringent rules on the processing of that data apply under Article 9 of the GDPR.

Only if footage of individuals is "specifically technically processed in order to contribute to the identification of an individual" will it be classed as biometric data, the EDPB said.

The distinction between whether the footage constitutes mere personal data or biometric data is important because, as the EDPB explained, often organisations will require the "explicit consent" of data subjects to use video surveillance with biometric recognition functionality for their own purposes.

According to the EDPB, one such purpose might be to deliver targeted advertising.

"Article 9 applies if the controller stores biometric data (most commonly through templates that are created by the extraction of key features from the raw form of biometric data (e.g. facial measurements from an image)) in order to uniquely identify a person," the EDPB said. "If a controller wishes to detect a data subject re-entering the area or entering another area (for example in order to project continued customised advertisement), the purpose would then be to uniquely identify a natural person, meaning that the operation would from the start fall under Article 9."

"This could be the case if a controller stores generated templates to provide further tailored advertisement on several billboards throughout different locations inside the shop. Since the system is using physical characteristics to detect specific individuals coming back in the range of the camera (like the visitors of a shopping mall) and tracking them, it would constitute a biometric identification method because it is aimed at recognition through the use of specific technical processing," it said.

According to an example provided in the new guidelines, retailers will not be said to be processing biometric data if they customise adverts "based on gender and age characteristics of the customer captured by a video surveillance system" if the system "does not generate biometric templates in order to uniquely identify persons but instead just detects those physical characteristics in order to classify the person".

The EDPB explained that, where consent is being relied upon as the lawful basis for processing biometric data from video footage retailers cannot make access to their services conditional on customers giving their consent to the data processing.

"In other words and notably when the biometric processing is used for authentication purpose, the data controller must offer an alternative solution that does not involve biometric processing – without restraints or additional cost for the data subject," the EDPB said.

The guidelines also explain what organisations using video surveillance systems need to do to meet their transparency obligations under the GDPR. The EDPB has endorsed a multi-layered approach to providing privacy notices. It clarified both what information should be displayed in the layers used and further requirements around the prominence and accessibility of that information.

Organisations' data retention obligations and requirements for honouring the rights of data subjects, including around data access and erasure, are also explained in the new guide.

Data protection law expert Paula Fernández-Longoria of Pinsent Masons, the law firm behind Out-Law, said: "The guidelines are very practical and provide clarity on relevant topics related to the processing of images, for example, on which images shall be considered biometric data. It is also very interesting that the EDPB has studied a number of cases where recorded images are used for marketing purposes."