Facial recognition and biometric surveillance are becoming normalized in the retail environment, not through broad public debate but through quiet deployment in everyday spaces like grocery stores. A recent controversy involving biometric-collection signage at Wegmans Grocery Stores illustrates how quickly routine loss-prevention practices can trigger heightened legal exposure. Unlike many AI accountability disputes, biometric surveillance is already governed by a growing patchwork of state and local laws, and retailers implementing these tools may face a risk profile that includes statutory damages, regulatory enforcement, and consumer class actions, often regardless of whether any shopper can prove downstream harm.
Legal and Regulatory Issues: State Biometric Privacy Laws
Unlike federal privacy law, several states[i] have stringent requirements governing the collection, retention, and use of biometric identifiers. Under these frameworks, companies must typically:
- Provide notice to consumers before collecting data
- Obtain informed consent
- Specify how long the data will be retained
- Securely store and eventually delete biometric information
Wegmans' signage complies with local requirements but does not clarify retention periods or consent mechanisms, potentially exposing the company to regulatory or private rights of action under state statutes where consent, not mere signage, is required.
Illinois: BIPA
Illinois' Biometric Information Privacy Act ("BIPA"), 740 ILCS 14/1 et seq., remains the nation's most consequential biometric statute. It requires:
- A publicly available retention/destruction policy, including deletion when the original purpose is satisfied or within 3 years of last interaction, and
- Notice and informed written consent ("written release") before collection.
BIPA litigation has been propelled by expansive standing and technical-violation rulings. In Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186, the Illinois Supreme Court held that a person is "aggrieved" and may sue based on statutory violations alone, without separate consequential harm. And in Tims v. Black Horse Carriers, Inc., 2023 IL 127801, the court held that BIPA claims are governed by a five-year catchall limitations period.
For retailers and applicable vendors, BIPA's structure creates high-frequency exposure. Each failure to obtain written consent, publish retention schedules, or comply with handling rules can be pled as separate statutory violations, often turning into class litigation.
Connecticut's CTDPA and "Sensitive" Data Consent
Connecticut's Data Privacy Act (CTDPA), effective July 1, 2023, generally requires consumer consent to process "sensitive data." CTDPA's sensitive data concept can capture biometric identifiers. However, privacy statutes often include carveouts or defenses tied to security, fraud, and crime prevention, issues that retailers emphasize when they deploy facial recognition to deter repeat theft and organized retail crime. This creates a recurring legal tension. Loss prevention is often the operational justification, but plaintiffs and regulators focus on whether the biometric collection is proportionate, transparent, accurate, and constrained by retention/deletion rules.
Regulatory Enforcement: FTC Section 5 and the Unfair Practice Playbook
Beyond state privacy law, the FTC has become a central enforcer in the biometrics space through Section 5 of the FTC Act, 15 U.S.C. § 45 (unfair or deceptive acts/practices). The FTC's Rite Aid action is a key example. The agency announced a settlement prohibiting Rite Aid from using facial recognition for five years and requiring safeguards after alleging the company failed to implement reasonable procedures to prevent harm and misidentifications.
For biometric surveillance, the compliance question is no longer merely "Did you post signage?" It is increasingly about whether the system worked reliably, whether accuracy and bias were validated, whether staff were trained appropriately, and whether foreseeable confrontations and false accusations were reasonably prevented. The FTC's public statements in the Rite Aid matter highlight these concerns.[ii]
Comparative Legal Themes
The Wegmans biometric controversy is a point where several broader doctrinal challenges converge:
- Traditional Tort Theories: The strain on traditional legal categories (e.g. product liability, negligence, privacy torts) when applied to data-driven technologies that mediate human decision-making and behavior in opaque ways.
- Foreseeability and Harm: In regard to automated biometric identification practices, the law must grapple with how to assess foreseeability of harm and allocate responsibility between technology providers and users.
- Consent and User Autonomy: Consent has become a lightning rod. Questions are emerging as to whether a user implicitly agrees to AI terms of service versus express opt-in for biometric scanning. The quality and context of consent have quickly become central to determining legal duties.
- The Role of Regulation: The biometric identifiers in the grocery store illuminate gaps in current regulatory regimes. Much is still undefined regarding requirements for AI safety standards or biometric privacy protections. These gaps in the law are likely to prompt more widespread legislative action as many courts remain hesitant to extend liability without defined guidance.
Conclusion
The Wegmans controversy reflects a broader trend. Biometric surveillance is moving from a niche security practice to an everyday retail reality, with legal exposure that can arise quickly and often without a traditional showing of damages. Unlike many emerging AI disputes, biometric privacy claims already operate with a robust statutory and regulatory framework, where notice and consent requirements, retention and deletion practices, and accuracy safeguards can determine liability. With BIPA class actions continuing to shape the national risk landscape and the FTC signaling that unsafe or poorly governed facial recognition may qualify as an unfair practice, retailers deploying biometric tactics should assume that loss prevention rationales alone will not insulate them from scrutiny. The practical lesson is straightforward: biometric compliance is not just about signage. It is about governance, transparency, proportionality, and defensible operational controls.
__________________
[i] Illinois: Biometric Information Privacy Act (BIPA); Texas: Capture or Use of Biometric Identifier (CUBI) & Texas Data Privacy and Security Act (TDPSA); Washington: My Health My Data Act (MHMD)
[ii] https://www.ftc.gov/news-events/news/press-releases/2023/12/rite-aid-banned-using-ai-facial-recognition-after-ftc-says-retailer-deployed-technology-without.

