Facial Recognition Is Everywhere. Who's Watching?

By Tech Writer and VPN Researcher Gintarė Mažonaitė
Last updated: 18 June, 2026

Key Takeaways

  • Facial recognition has moved well beyond law enforcement; it's now used in schools, retail, airports, and healthcare.
  • The FTC banned Rite Aid from using AI facial recognition after the retailer misidentified customers and caused harm.
  • Regulators in the UK and EU have raised concerns, especially when biometric data is collected from children.
  • Meta's plans to add facial recognition to consumer smart glasses signal the next wave, where anyone could scan anyone, anywhere, at any time.

There's a camera at the school canteen. It scans the faces of children as they queue for lunch, matches them to a database, and deducts the cost from a pre-loaded account. No card. No PIN. No choice.

That's not a scene from a dystopian novel. It happened in North Ayrshire, Scotland, and it's far from the only case. Facial recognition has left the police station. It's moved into everyday life, and it's doing so quietly, dressed up as convenience.

It Didn't Start With Schools

For years, facial recognition was mostly talked about in the context of policing. Civil liberties groups raised alarms. Courts weighed in. There were debates about accuracy and racial bias. All important. But while that conversation was happening, the technology was finding its feet in far less scrutinized places.

Today, facial recognition shows up in retail stores to flag suspected shoplifters, at airport gates to verify passengers, in sports stadiums to manage crowds, and in healthcare settings to identify patients at intake. Each deployment comes with a reasonable-sounding justification, including faster checkout, smoother boarding, and better security. That's how normalization works. It doesn't announce itself. It just becomes the default.

I think the real danger isn't a single use case. It's the pattern. When a technology becomes infrastructure, it stops being questioned.

The Rite Aid Case Should Have Been a Warning

In December 2023, the U.S. Federal Trade Commission took action against Rite Aid, banning the pharmacy chain from using AI-powered facial recognition for five years. 

The FTC found that Rite Aid had deployed the technology in hundreds of stores without reasonable safeguards and that the system had wrongly flagged customers as suspected shoplifters, causing real harm. People were stopped, embarrassed, and in some cases falsely accused, often because the system struggled more with darker-skinned and female faces.

The FTC's findings are worth reading carefully. Rite Aid didn't run some fringe experiment. It rolled facial recognition out across a significant portion of its store network. Customers had no idea it was happening. There were no meaningful oversight mechanisms. The harms weren't theoretical; they were documented and real.

This is exactly the kind of outcome you get when convenience leads and accountability follows, slowly and only after people get hurt.

Kids Aren’t a Special Case. They're the Point.

The UK's Information Commissioner's Office (ICO) has looked specifically at facial recognition in schools. Their assessment is uncomfortable. Biometric data collected from children is sensitive by definition; children can't meaningfully consent to its collection, and they have no real power to opt out if the system is the only way to pay for lunch.

The ICO's guidance on facial recognition in schools makes clear that schools must have a clear lawful basis for collecting this kind of data, that consent must be freely given, and that less intrusive alternatives should be considered first. In practice, those conditions are rarely met cleanly. Parents are often given a form and a deadline, not a real choice.

What bothers me most about the school canteen case isn't just the privacy issue. It's what it teaches kids about their relationship with surveillance. If you grow up being scanned, you normalize being scanned. That's not a healthy baseline for a generation that's going to have to make decisions about this technology as adults.

The Part Where It Gets Wearable

Here's where things get sharper. Facial recognition in a supermarket or a school is at least fixed in place. You can, in theory, choose not to go there or fight to change the policy. What happens when it becomes wearable?

EPIC, a U.S.-based digital rights nonprofit, has urged the FTC and lawmakers to block Meta's plans to integrate facial recognition into its consumer smart glasses. The concern is straightforward: if a pair of glasses can scan faces in a crowd and pull up personal information, the nature of the problem changes entirely. You can't opt out of walking down a street. You can't consent to every stranger who happens to be wearing the hardware.

It's not a hypothetical concern, either. Harvard students demonstrated in 2024 that existing smart glasses, combined with publicly available facial recognition APIs, could already identify strangers on the street and surface their personal details in seconds. The technology exists. The question is whether it’ll be packaged and sold to millions of consumers before regulators have anything meaningful to say about it.

At Mysterium VPN, we believe this is one of the clearest examples of why privacy can't be an afterthought. When surveillance becomes part of everyday products, it stops being a niche concern and becomes a structural problem. Everyone is affected, whether they know it or not.

Why "Nothing to Hide" Still Misses the Point

The most common pushback to all of this is the "nothing to hide" argument. If you're not doing anything wrong, why does it matter if your face is in a database?

It matters for several reasons. First, these systems make mistakes, and when they do, the consequences fall hardest on people who are already vulnerable to over-scrutiny, including people of color, women, and low-income communities. The Rite Aid case showed that clearly.

Second, biometric data is different from a password. If your login information gets leaked, you can change it. You can't change your face. Once it's in a database, it's there for good. After any future breach, any change in policy, or any shift in who controls that data, you have no recourse.

Third, normalizing mass identification changes behavior even when nothing goes wrong. When people know they're being watched, they act differently. They self-censor. They avoid certain places. They make choices based on being observed rather than on what they actually want to do. That's a cost to freedom that doesn't show up in any infrastructure efficiency study.

If you're thinking about your own data privacy and what you can actually do about it, this is a good place to start. The face is just the most visible example of a much broader pattern of digital tracking that most people don't see happening.

The Regulation Is Real, But It's Lagging

It's not that regulators are asleep. The EU AI Act places facial recognition used for real-time remote biometric identification in public spaces in the highest-risk category, with narrow exceptions. The European Data Protection Board (EDPB) has pushed for meaningful consent and individual control at airports. The FTC has shown it's willing to act when harm is documented.

But enforcement is reactive by nature. A company deploys the technology, harm accumulates, someone files a complaint, and eventually (sometimes years later) there's a ruling. By then, the behavior has been normalized. The data has been collected. The damage is done.

I don't think the answer is to wait for a perfect regulatory framework before pushing back. The answer is to treat facial recognition like what it is: a technology that fundamentally changes the relationship between individuals and institutions, and between individuals and each other. It needs to be questioned at every deployment, not just the controversial ones.

Where This Goes Next

The trajectory is pretty clear. Facial recognition is getting cheaper, faster, and more accurate. The number of use cases is growing. The pressure to adopt it, from vendors, from insurers, and from competition in retail, is only increasing.

What isn't keeping pace is the public conversation about whether any of this is actually what we want. Not just whether it's legal. Whether it's acceptable.

That's a conversation worth having loudly, before your face becomes just another piece of public infrastructure that nobody thought to ask you about.


© Copyright 2026 UAB "MN Intelligence"