What facial recognition detection is
Facial recognition detection uses trained biometric models to convert a face captured on camera into a mathematical template and compare it against a database of enrolled templates. A match generates an event; a non-match does not.
In commercial security this is almost always a one-to-many match against a small, defined watchlist — not mass identification of the general public passing a camera.
Credible commercial use cases
The three most common commercial applications are known-offender detection in retail loss prevention, banned-person detection in venues and hospitality, and authorised-personnel verification at controlled access points where a token alone is not sufficient assurance.
- Retail — repeat offender alerting with human review before action
- Venues — banned-person detection linked to door refusal workflows
- Access control — biometric verification alongside a physical credential
- Investigations — forensic search of recorded footage against a template
Accuracy in real conditions
Independent NIST FRVT testing shows top-tier commercial facial recognition algorithms performing at very high accuracy on frontal, well-lit images. Real-world deployment accuracy falls below lab performance because of angle, motion blur, low light, occlusion (masks, hats) and demographic bias in poorly trained models.
A credible deployment design controls the capture conditions — camera height, angle, lighting — rather than relying on the algorithm to compensate for everything.
UK and US compliance obligations
In the UK, facial recognition processes special-category biometric data under UK GDPR, requiring a lawful basis, a Data Protection Impact Assessment (DPIA), signage, and demonstrable proportionality. ICO guidance and enforcement history make clear that speculative or over-broad deployments are not lawful.
In the US, obligations vary by state. Illinois BIPA, Texas CUBI, Washington HB 1493 and a growing number of city-level ordinances create material civil-liability exposure. Deploying facial recognition without state-by-state legal review is a serious commercial risk.
Operational governance
Every credible facial recognition deployment includes: a documented watchlist policy, defined enrolment and removal processes, mandatory human review before action on a match, audit logging of all matches and reviewer decisions, and a scheduled bias and accuracy review.
Without these controls, the technology is legally indefensible even where the underlying algorithm is accurate.
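The one-to-many watchlist match described at the top of the page, combined with the governance controls listed above, sketched as an added example (not code from this page or from any vendor). Cosine similarity over constructed three-value templates stands in for a real biometric model; the class names, the threshold and the `remove_by` expiry rule are assumptions.

```python
import math
from dataclasses import dataclass
from datetime import date, datetime, timezone

@dataclass
class Enrolment:                      # one watchlist entry plus its justification
    subject_id: str
    template: list
    reason: str
    remove_by: date                   # assumption: entries past this date stop matching

@dataclass
class Alert:
    subject_id: str
    score: float
    status: str = "PENDING_REVIEW"    # a match is only ever an alert for a human

def cosine(a, b):
    dot = sum(x * y for x, y in zip(a, b))
    return dot / (math.hypot(*a) * math.hypot(*b))

class Watchlist:
    def __init__(self, threshold):
        self.threshold, self.entries, self.audit = threshold, [], []
    def _log(self, event, **fields):
        self.audit.append({"ts": datetime.now(timezone.utc).isoformat(), "event": event, **fields})
    def enrol(self, e):
        self.entries.append(e)
        self._log("enrol", subject=e.subject_id, reason=e.reason, remove_by=str(e.remove_by))
    def check(self, probe, today):
        """One-to-many comparison; returns an Alert for review, or None on non-match."""
        scored = [(cosine(probe, e.template), e) for e in self.entries if e.remove_by >= today]
        score, best = max(scored, key=lambda s: s[0], default=(0.0, None))
        if best is None or score < self.threshold:
            return None               # non-match: no event, probe is neither stored nor logged
        self._log("match", subject=best.subject_id, score=round(score, 3))
        return Alert(best.subject_id, round(score, 3))
    def review(self, alert, reviewer, confirmed):
        alert.status = "CONFIRMED" if confirmed else "REJECTED"
        self._log("review", subject=alert.subject_id, reviewer=reviewer, decision=alert.status)
        return alert.status

def demo():
    wl = Watchlist(threshold=0.95)    # constructed threshold and 3-value templates
    wl.enrol(Enrolment("S-001", [0.9, 0.1, 0.4], "site ban (constructed)", date(2030, 1, 1)))
    alert = wl.check([0.88, 0.12, 0.41], date(2025, 6, 1))
    miss = wl.check([0.1, 0.9, 0.2], date(2025, 6, 1))
    return wl, alert, miss
```

The audit list ends up holding the enrolment, each match and each reviewer decision, while a non-matching probe leaves no record at all.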
Frequently asked questions
Is facial recognition legal in commercial security?
In the UK it is lawful where there is a documented lawful basis, a completed DPIA, appropriate signage and demonstrable proportionality under UK GDPR. In the US it depends on state law — Illinois BIPA, Texas CUBI and comparable statutes impose strict biometric consent requirements with meaningful civil-liability exposure. Legal review is a prerequisite in every jurisdiction.
How accurate is facial recognition in real deployments?
Top NIST-tested algorithms perform at very high accuracy on well-lit, frontal captures. Real-world accuracy is usually lower because of angle, motion blur, occlusion and demographic bias in weaker models. Credible deployments control the capture environment — camera height, angle, lighting — rather than expecting the algorithm to compensate for poor conditions.
What is a watchlist and who manages it?
A watchlist is a controlled set of enrolled facial templates the system compares live captures against. In commercial security it is typically small — known offenders, banned individuals, authorised personnel. A named data controller must own enrolment and removal decisions, and audit records must document why each individual is on the list and when they should be removed.
Does a match automatically trigger action?
In a compliant deployment, no. A match generates an alert for human review before any action such as challenge, refusal of entry or referral to security. Automated action on a raw match creates unacceptable risk from false positives and demographic bias, and is inconsistent with ICO guidance in the UK and reasonable-care standards in most US jurisdictions.
How is bias controlled?
Vendor selection should reference independent NIST FRVT results across demographic groups, not just headline accuracy. Deployment monitoring should sample match decisions to detect emerging bias in the live environment. Where measurable bias exists, deployment should be paused or restricted rather than accepted as a background risk of the technology in general commercial operation.
Can facial recognition run on existing CCTV cameras?
Sometimes, but rarely well. General overview cameras are optimised for coverage rather than face capture. Credible facial recognition uses dedicated cameras placed at head height at chokepoints — entrances, tills, access lanes — with lighting engineered for even facial illumination. Retrofitting analytics to unsuitable cameras typically produces false-negative-dominated performance that fails audit.
What happens to unmatched face captures?
Under a compliant policy, unmatched face templates should be discarded immediately or within a short defined retention window. Retaining unmatched biometric data indefinitely converts a targeted watchlist system into speculative mass identification and is unlikely to remain lawful under UK GDPR or several US state biometric statutes. Retention policy is a required part of the DPIA record.