Skip to main content
Blog·Engineering

Retail facial recognition: how a watchlist match actually works

Most of the fear around facial recognition comes from systems that act on their own. Retail facial recognition, done responsibly, is narrower: it compares a face to a list you built, flags a possible match, and asks a person to check. Here is exactly what happens, step by step, with a 47-second walk-through.

SESam Erpik · Co-founder & CTO6 min read
A watchlist match, reviewed by a person. Illustrative data; the face is QuantumEye's own demo persona.

'Facial recognition' covers a lot of ground, and most of the worry around it comes from systems that identify strangers or act on their own. Retail facial recognition, done responsibly, is narrower and a lot less dramatic than the headlines. It compares a face the camera has already seen against a list the retailer built, and it asks a person to check before anything happens. Here is exactly what happens, step by step. The 47-second walk-through shows the same flow.

What a watchlist actually is

A retailer using QuantumEye maintains two lists of its own. A watchlist of individuals previously involved in incidents at their stores, added under the retailer's own lawful basis, and a whitelist of staff, contractors and trusted visitors. Face recognition only ever compares a detected face against these lists. It does not try to identify members of the public against a national or third-party database. If a face is not on your list, there is no match and nothing to review.

How a match is made, step by step

  1. The camera sees a face. Detection runs on a small edge device in the store, on the CCTV you already have. Only the face is used, not the whole scene.
  2. The face becomes a number. The image is converted into a mathematical vector, a numeric representation of the face. That vector, not the photo, is what gets compared.
  3. It is compared to your list. The vector is checked against the vectors of the people on your watchlist, and the system returns a similarity score against the closest entry.
  4. A threshold decides whether to flag. If the score clears the threshold you set, the system raises a possible match, marked 'review required'. Below it, nothing is raised.
  5. A person reviews it. The alert lands on the dashboard and on the manager's phone, showing the detected face beside the reference, the score, the store and the time.
  6. A human decides. They tap Confirm match or Not a match. Only a confirmed match can lead to any action. The algorithm never acts on its own.
  7. Everything is logged. The alert, who reviewed it, the decision and the timestamp all write to an append-only audit trail.
The similarity score is a triage aid, not a verdict. In the demo above it reads 98%, an illustrative figure. In a real deployment you set the threshold, and a person still confirms every match. The score decides what a human looks at, not what happens to anyone.

Your own watchlist

Matched against a list you built, never a public or national database.

A person confirms

Every possible match is reviewed and confirmed by a human before anything happens.

Everything logged

The alert, the reviewer and the decision write to an append-only audit trail.

Why the face is stored separately from the video

A face vector is biometric data under UK GDPR, and the video it came from is sensitive personal data too. QuantumEye stores them apart on purpose: the vectors live in a vector index, the video lives in object storage, and the only link between them is an authorisation-gated reference. That separation is what makes a right-to-erasure request clean to honour, and it keeps the two most sensitive assets from sharing a single access boundary.

GDPR-safe face recognition in retail: how we built it
The architecture behind the separation, in more depth

Is retail facial recognition GDPR-compliant?

It can be, but only if the architecture and the process are right from the start. QuantumEye is ICO-registered and ISO/IEC 27001 certified, matches against your own list rather than a public one, keeps a human in every consequential decision, separates vectors from video, and supports retention limits and erasure. A Data Protection Impact Assessment is part of every deployment, not an afterthought. Face recognition that acts on its own, or matches strangers against an opaque database, is a different and far riskier thing, and it is not what this is.

The line that matters

Strip away the detail and retail facial recognition, done responsibly, comes down to one sentence: AI flags, people decide, everything is logged. The model narrows millions of frames down to the handful a person should look at. The person makes the call. And the whole chain is provable after the fact. That is the version worth having in a shop.

Face Recognition on the platform
Watchlist and whitelist, designed to be GDPR-safe, human review on every match
Facial recognition vs behaviour detection
Which you need, and when

Frequently asked questions

Does retail facial recognition work on existing CCTV?

Yes. QuantumEye runs detection on a small edge device in the store, using the IP cameras already on the wall, so there is no rip-and-replace and your cameras are not streamed continuously to the cloud. Only the short event clips needed for review and evidence are uploaded, to secure storage in the EU.

Does the system take action automatically?

No. A possible match is always marked 'review required' and sent to a person, who taps Confirm match or Not a match. Nothing happens to anyone without a human decision, and every decision is logged.

Whose faces does it compare against?

Only the retailer's own watchlist of individuals previously involved in incidents at their stores, added under the retailer's lawful basis, and its whitelist of staff and trusted visitors. It does not match members of the public against a national or third-party database.

Is retail facial recognition GDPR-compliant?

It can be, if the architecture is right. QuantumEye is ICO-registered and ISO/IEC 27001 certified, stores face vectors separately from video, keeps a human in every consequential decision, and supports retention limits and erasure. A DPIA is part of every deployment.

How accurate is the face match?

Every match is confirmed by a person, so the human decision is the accuracy that matters. The system returns a similarity score against your watchlist and only flags matches above a threshold you set. The score decides what a person reviews, not what happens next.

Get the monthly brief.

One email a month. The post-of-the-month, the retail-trends summary, and one customer-success snippet. No sales pitches, no event invites. Opt out in one click.