A Bavarian court held that a store’s private security guard lawfully used a body-worn camera under Article 6(1)(f) GDPR to protect property, maintain order, and ensure staff safety, in a decision that provides actionable insights for U.S.-based retailers as well.
The court blessed the recording because the store took a number of privacy-protective measures:
- The guard activated the camera only after the shopper repeatedly refused to leave a restricted seating area.
- The guard verbally informed the shopper before recording.
- The camera included a visible red indicator light.
- The footage was deleted after the individual was identified for possible civil action.
In view of that, the court found the recording proportionate and limited, emphasizing transparency and purpose limitation.
U.S. Retail Implications
While U.S. privacy laws differ, several key themes resonate:
- Notice and consent. States with two-party consent laws require both sides’ approval for audio recording. A clear verbal notice and red-light indicator can support implied consent when the individual continues to engage.
- Transparency. Even without recording, notifying individuals that personal information is being collected is required under U.S. State privacy laws; store signage and privacy notices help address the disclosure requirement.
- Data minimization. Under U.S. State privacy laws and FTC guidance, businesses must collect only what is necessary and consider less invasive options first. This has been reiterated by regulators and is now more strictly addressed in laws like the Maryland MODPA. In this case, the recording was a last resort after attempts to calm the individual down had failed.
- Retention limits. U.S. State laws, like GDPR, require you to keep footage only as long as needed for the stated purpose. Here, the store deleted the footage after the purpose of identifying the individual had been met.
- Biometric and AI use. Smart cameras with facial recognition add another level of complexity by triggering biometric and sensitive-data rules. True opt-in consent is generally impractical in this context, so organizations should seek to rely on an applicable exception, if available, document their rationale, and perform a data-protection impact assessment.
See the original decision here: VGH München – 5 ZB 23.1778 (GDPRhub)