University vending machine error reveals use of secret facial recognition | A malfunctioning vending machine at a Canadian university has inadvertently revealed that a number of them have been usin…::Snack dispenser at University of Waterloo shows facial recognition message on screen despite no prior indication
If they’re taking enough data to determine age, gender, race, they’re taking enough data to uniquely identify individual people.
That’s not true. They’re likely using a model that identifies some demographic attribute and associating that with a purchase. It’s 2024, this can all be done on the machine. The machine doesn’t need to store the individuals data etc. If the vending is storing enough data to identify individuals then it wouldn’t be GDPR compliant.
I said collecting, as in taking photo/video closeup of faces and eyes. Whether they are storing and cataloguing against individual profiles is another question, and must be checked against how GDPR requirements are actually written about personal data being processed.
“We’re GDPR compliant” means absolutely nothing coming from a company’s PR response to this sort of event.
Consent is a requirement for GDPR compliance. They are likely taking an image from the camera, extracting semantic attributes from the image, and then discarding the image. The length of time the individual is standing there making the purchase is likely longer than the image is stored in memory while extracting the attributes.
I bet there is no button “consent to biometrics collection”
And it most definitely isn’t. GDPR requires explicit consent for collecting OR processing personal information. As per the European Commission, just taking the picture and extracting some metrics off of it already counts as processing personal information:
https://commission.europa.eu/law/law-topic/data-protection/reform/what-constitutes-data-processing_en