Tobacco Shop Cameras Break GDPR Rules, Says CNIL

The use of tobacco shop cameras that estimate customers’ ages breaks GDPR rules, according to France’s privacy authority CNIL.

These so-called “augmented cameras” rely on AI to scan people’s faces and guess their age. A red or green light indicates whether a person is likely a minor or adult. Shop owners introduced the technology to prevent selling tobacco to underage buyers. But the CNIL found the approach unjustified and excessive.

Facial Analysis Triggers Privacy Concerns

The CNIL received multiple complaints from customers across France. Many expressed discomfort after seeing their faces scanned without warning. In response, the regulator opened a legal and technical review to determine whether these systems met GDPR and French data protection standards.

The CNIL concluded that tobacco shop cameras represent a form of biometric data processing. This means the systems must follow strict rules, including the need to prove the measure is necessary and proportionate. The regulator said this standard was not met.

Shopkeepers Have Better Alternatives

According to the CNIL, tobacco retailers already have lawful ways to verify age—such as checking ID. The agency emphasized that cameras should not be used as a first-level filter. Instead, visual inspection or direct interaction can ensure legal compliance without invasive data collection.

The watchdog also raised concerns that shop owners may trust the camera’s output blindly, without verifying results or questioning inaccuracies.

Customers Can’t Opt Out

One of the most serious issues identified was the lack of choice. Tobacco shop cameras analyze everyone who enters—regardless of age or consent. This undermines the right to object to automated decision-making, which is protected under the GDPR.

Even if a person is legally allowed to buy tobacco, the system still collects data on their face without permission.

---

Conclusion

The CNIL ruled that tobacco shop cameras used for age estimation violate key GDPR principles. The tech fails to meet the legal standards of necessity, proportionality, and user consent. While CNIL didn’t explicitly order shops to remove the cameras, the message is clear: biometric surveillance at tobacco counters has no legal basis. Retailers must rely on less invasive, human-driven methods to meet age verification requirements.