Do your People Counters comply with GDPR?
People counting provides essential retail analytics, showing: heat maps of popular areas, the path people take, how many pass-by without entering, where people linger as well as footfall counts.
How all this crucial data is collected is important. People’s privacy should be paramount and GDPR (EU General Data Protection Regulation)Â rules need to be complied with at all times. All our systems, therefore, are completely anonymous: no information is collected which could identify a person in any way. This isn’t the case for all methods of counting people – counting using smartphone signals is especially problematic.
Video Counting
A video counting system doesn’t know who the customer is or where the customer went before entering the premises or location. It can’t tell how often they visit or when they were last there. What it does do very effectively is count footfall, track people around a store or building, analyse how long people paused to look at displays, integrate visitor counts with point-of-sale data to calculate sales conversion, and so on.
In video people counting no images are saved or transmitted. Intelligent people-sensing units connect with overhead cameras. The people-sensors analyse the video stream and log counts and times. No video is recorded: the only data accessible are the counts and the retail analytics. Nobody is identified and privacy is protected, so the system doesn’t fall under GDPR.
Retail Sensing systems employ video counting.
Wi-Fi Smartphone Counting
Another way to count people is by using mobile signals: collecting Wi-Fi probe request signals from shoppers’ smartphones. This though, has many privacy implications as it almost always involves processing personal data.
A person’s phone regularly sends a request to nearby networks to see to which it can connect. These probe requests contain data about all the networks the phone has previously found. This means that details of all the physical locations that the person has been to can be accessed. Linking this with other data means enables a person’s identity, home address, workplace, travel habits and so on to be deciphered. This method of counting and tracking people falls foul of GDPR and all the regulations apply, including consent.
Failure to comply with GDPR when accessing personal data is illegal not only within the European Union, but also when being used to count EU citizens living or travelling outside the EU.
The General Data Protection Regulation also applies if the data is processed and stored pseudonymised.
Pseudonymisation is the processing of personal data where additional information is needed to connect the data to a person. Pseudonymised data can still be used to single individuals out and combine their data from different records. It remains personal data and processing is subject to data protection regulations – GDPR.
MAC (Media Access Control) addresses are considered pseudonymised personal data.
GDPR Compliance & Legitimate Interest
One facet of GDPR is “legitimate interest” as the legal basis for processing user data. However, if there is a less intrusive method to gather data – like our video people counting – then legitimate interest does not apply.
For more information contact sales@retailsensing.com
