During its position statement on July 11, the CNIL reminded of a central principle of the GDPR: any processing of personal data must meet a criterion of necessity and proportionality. In the case of so-called augmented cameras deployed by some tobacco shops to estimate the age of customers before selling them products prohibited to minors, such as cigarettes, alcohol, or gambling, the authority considers that these conditions are not met.
A Technological Use Without Proven Purpose?
These devices use AI algorithms to scan customers' faces and estimate, in real-time, whether they are of legal age or not. In practice, a red or green light will illuminate to guide the tobacconist's decision. But the CNIL points out that these cameras can only provide an estimation, subject to error, and that, even in the case of an algorithmic green light, the law continues to require verification of an identity proof.
Not aiming to allow customers to prove their majority, the Commission nationale de l'informatique et des libertés therefore judges their use "neither necessary nor proportionate."
Risks to Fundamental Rights
Beyond the question of effectiveness, the CNIL emphasizes the systemic implications. By analyzing all faces, continuously, without explicit consent or immediate possibility of opposition, these cameras cross a threshold: that of omnipresent algorithmic processing in everyday places. The risk, according to the authority, is that their deployment "contributes to a risk of trivialization and habituation to a form of surveillance reinforced by the multiplication of such tools."
Alternatives Under Construction
Far from rejecting all innovation, the CNIL reminds that other solutions are emerging, more respectful of privacy. Mobile applications like the future "mini-wallet" developed by the European Commission, a prototype of which is expected this summer, allow users to prove their majority by displaying only the necessary information for age verification.