Following the Federal Trade Commission’s decision in December 2023 to ban Rite Aid from using AI facial recognition, it has become crystal clear that U.S. regulators expect a risk assessment when a retailer uses facial recognition technology.
A new and detailed report from the New Zealand privacy commission provides helpful considerations for such Data Protection Impact Assessments (DPIAs). They include:

  • Was the system trained on data that includes minorities?
  • How long will the retailer retain data that wasn’t matched?
  • Data minimization techniques (including when to share among stores and when to add to a watchlist).
  • How accurate should the match be to trigger consideration (92.5%)?