One-Way-Mirror Society: What are the specific privacy issues posed by digital signage networks / what risks exist?

Report home | Read the report (PDF) | Previous section | Next section


Specific and substantive policy issues and privacy risks exist in modern digital signage networks. This section summarizes those issues and risks.

Security Camera Footage: Repurposing footage for marketing and profit

Perhaps the most egregious repurposing of data is the use of security camera footage for store marketing purposes. From the industry literature, this appears to be an established business practice at this point. It is one that needs to be examined closely.

For example, researchers who specialize in studying shopping patterns, in describing their process of gaining shopper insight, include the option of using existing security cameras to collect shopping research data on consumers:

“The research is usually implemented by setting up one or more video cameras, recording consumer shopping activity for several hours a day, and then coding behavior at a later time, either with human-research assistant or machine – vision tools. Existing security cameras may be used to collect the data if they provide adequate visual coverage and fidelity.” (emphasis added) [79]

The POPAI Recommended Code of Conduct for Tracking Consumers specifically mentions this issue:

Using video or image data from surveillance, security, or loss-prevention systems may violate Federal, State and/or local laws, and is generally not recommended. If this practice is allowed by law, marketers must use separate computer systems and storage devices from those used to store the security/surveillance data. These computer systems and storage devices must be password protected with different passwords used than for the security/surveillance systems. (See Appendix A of this report for document.)

There is a lack of transparency around the use of surveillance footage for marketing purposes.

Lack of Transparency or Notice to consumer

Transparency and Consumer notice in the digital signage ecosystem is woefully lacking.
First, the collection of consumer images can be extremely difficult to detect, if not nearly impossible. Digital signage does not usually come with a notice to the consumer that they are being recorded when they look at the screen. Digital signage does not usually come with any notice that facial recognition technology is being used to target ads to the consumer based on gender, age, and possibly ethnicity. And while some digital signage has obvious cameras affixed to it, other signage uses pinhole cameras that are extremely difficult to detect.

One manufacturer touted its pinhole cameras, one of which was shown tucked into an end-cap display in a way that would not be noticeable to most consumers:

At the heart of the platform will be a custom-designed DSP chip that will receive incoming visual data from an attached pinhole camera. The screen display unit will then be able to log viewer statistics based on their age, gender, and ethnicity and will be capable of reacting to these details based on the demands of the site display. [80]

Second, even when consumers are expressly asked to interact with digital signage and give information (such as calling a mobile number to play a game or to sign up for a coupon) the amount of meaningful information a consumer receives about the collection and use of the data is generally absent. As discussed earlier, privacy policies posted on web sites generally do not discuss digital signage installations or networks. Even if they do, it is unreasonable to provide notice to consumers of digital signage privacy issues on a web site instead of providing notice directly at the place the cameras or sensors are located.

Thirdly, when consumers are notified about recording, the notification can be euphemistic at best. A notification sign under a security TV at one Wal-Mart in Oceanside, California stated: “in order to bring you low prices, we use closed circuit televisions and electronic merchandise tagging systems.” That notice strongly suggests that the camera is for security and says nothing about collecting consumer information, and no other signs discussed the myriad other video and consumer tracking activity occurring at Wal-Mart.

A Walgreens in Encinitas, California, labeled each security camera with a large card that said “security camera.” One screen was not labeled this way, but instead said: “Providing safety and savings: video recording in process.” (Figure 6). What do these kinds of notices mean to consumers? Do the notices correspond to the reality of how the footage is actually being used? Do the notices cover all instances of consumer tracking in the retail space? Are the notices deliberately misleading?


Figure 6
A video recording notice in a retail store. Is the video used only for security purposes?

In a blog discussion of notice to consumer and what consumers would accept regarding gaze tracking tools, one industry expert had this to say:

Mark Lilien of the Retail Technology Group had an interesting perspective, feeling that gaze tracking tools would be accepted as long as the retailer posts a sign telling folks that the store uses video surveillance. But rather than making it seem like an invasion of privacy, convey it in a positive light such as, “we’re using the finest technology in the world to help us stock what our customers want most. [81]

Lack of Consent, Opt-in, Opt-Out

In some instances, for example, in some loyalty card programs tied to digital signs, there are opt-in and opt-out structures available for consumers. For example, Hot Topic’s loyalty program offers such a structure for text messages and other marketing messages. But how does a consumer consent to being recorded and analyzed and targeted by digital signs that employ hidden or pinhole-sized cameras or sensors? How does a consumer opt out of being recorded in the first place? How does a consumer opt out of having her image captured by a camera and then analyzed by facial recognition software and then used for demographic marketing analysis or feedback on ad effectiveness? How does a consumer opt out of being offered targeted ads based on what her age is, or gender, or ethnicity? Does a consumer “passively consent” to this activity by simply walking into a store, or passing by a digital signage installation?

In many if not most instances, digital signage installations that capture images of customers or individuals have no consent structures in place. The only meaningful opt out available to people is to wear clothing that obscures their face, such as a hoodie and sunglasses. In the preponderance of situations, consumers images are being captured and analyzed without their consent, knowledge, or understanding.

Identifiable data capture – anonymity

As discussed throughout this report, digital signage networks can use advanced video analytics to capture, record, and analyze images of individuals. That this is occurring is unambiguous. What is ambiguous is the way industry defines privacy and anonymity. The digital signage industry has come up with non-standard and self-serving statements about anonymity and privacy. Somehow, there are widespread views in the industry that video images of identifiable individuals are neither considered to be private information nor identifiable information.

It is difficult to argue that a camera collecting and analyzing images with facial recognition technology to glean audience characteristics such as gender and age is not using personally identifiable information. An individual’s face is personally identifiable information. Period.82 As long as the digital signage industry uses its own convenient definitions of personally identifiable, stored, and recorded, then the industry will be out of step with consumers. .

Discrimination by Age, gender, and ethnicity

There is no question that age discrimination is a possibility with this technology. Targeting by age, gender and in some cases ethnicity is happening right now. One company selling technology capable of accomplishing this targeting wrote:

“The latest version of the company’s iCapture audience-measurement system can instantly identify older shoppers; earlier versions of the software could delineate between an adult and a child as well as determine gender and ethnicity. Coupled with the company’s PROM (proactive Merchandising) software, iCapture allows retailers and marketers to target senior shoppers by serving up ads that are interesting and relevant to them.

“We believe we have come up with a breakthrough in targeted marketing by allowing retailers and marketers to display age-appropriate content on a real-time basis, said George Murphy, CEO, TruMedia.” [83]

This “breakthrough” came in 2008, and the technology has matured even further since that time. The question becomes: how does a senior being targeted by his or her age consent to that activity? How do they opt in or opt out of the targeted ad? The ad is being targeted to them because of how they look in the camera. There is no hiding behind a computer or deleting a cookie or downloading an “opt-out cookie.” A sign telling a consumer they may see ads based on their race, gender and age might inform them of the program, but how can a person effectively give their permission for being targeted by their demographics?

It is not difficult to envision improper uses of this targeting capability. There are not appropriate or even any apparent controls in place to prevent this from happening.

Data retention issues

Some companies in the digital signage space state they do not store images collected from digital signage that captures images for video analytics, and they conclude therefore that privacy is protected. However, even in 2008 companies acknowledged in a New York Times article that image retention could be accomplished:

“The companies that make these systems, like Quividi and TruMedia Technologies, say that with a slight technological addition, they could easily store pictures of people who look at their cameras.” [84]

There is no enforceable standard that would force companies to erase data captured from digital signs and billboards, either facial recognition data, aggregate statistics, images, or other data. If a company wanted to put up digital signage that recorded every passerby or shopper, and stored that footage for later marketing or other use, it could. Who would know?

Sensitive information

When digital signage is used in areas where sensitive information such as financial or medical data could be captured, privacy concerns become more pointed. An example is use of images of individuals purchasing health products or prescriptions. Some in industry have raised additional security concerns in this area.

When Cardinal Health launched its Pharmacy Health Network in August 2009, the launch included flat-panel LCD screens placed in independent and franchised pharmacies throughout the United States. The idea was that video advertisements would run on the screens while people waited for prescriptions to be filled. Cardinal Health stated it would make the Pharmacy Health Network (PHNTV) available to more than 5,000 independent retail and franchised pharmacies throughout the United States. [85] The screens do not appear to record images of consumers. Nevertheless, the launch of the network attracted the attention of a CEO of a digital signage company, who wrote an open letter to the Chairman and CEO of Cardinal Health warning the company of broader potential security issues with digital signage installations.

“Because the PHNTV media player device is likely to sit on the same network segment as confidential patient information, any mildly capable hacker who is able to penetrate the digital signage player (especially one running Windows and using unencrypted HTTP transfers) now has a rogue device within the trusted Pharmacy Network from which they may attempt to access confidential patient information.” [86]

The author suggested three ways to solve the problem, and also noted that he did not want the significant security risks raised by the deployment of a third party system in any trusted medical or health network to become a “Canary in the coalmine example we all look back on in 10 years and recall as the great big lawsuit that made security a real topic in Out Of Home Digital.”

One blog commenter on the letter voiced the opinion that the system as implemented was not likely to fall afoul of best practices because the implementation did not collect data from the signs. [87]

Another issue related to digital sign deployment is wireless security. Many digital sign networks send information using wireless connections at some point in the infrastructure. [88] There are no available statistics on wireless security practices in the digital signage industry, but it is an area of concern for spying and for data breach. An intriguing concept to consider is how – or even if — a company using a digital signage vendor that was compromised would give consumers notice of data breach.

Information Captured on Children and Teens

Digital signage that captures data from teens and especially from children under the age of 13 may run afoul of the policy that is the basis for Children’s Online Privacy Protection Act, or COPPA. [89] COPPA applies to information collected online and requires affirmative parental consent, but online is ambiguously defined in COPPA. Most companies with digital signage networks appear to be silent on COPPA compliance in regards to, for example, audience measurement techniques and ad targeting.

Some companies with digital signage installations have acknowledged that targeting teens and children is inappropriate in general terms, but not in terms specific to the digital signage program.

Generally, taking images of children for audience surveillance purposes raises multiple issues that have not been addressed yet.

Combination of offline and online data and data from digital signage

One of the goals of placing advanced video analytics into digital signage networks is to tie that data to other data sources. This is understood within the industry:

“More sophisticated shopper analytics will be combined with other data sources, including loyalty programs and inventory management systems…” [90]

Loyalty programs are fairly simple to link to digital signage, as are mobile telephone numbers. The Castrol case in the UK shows how marketers will, if they can, link digital signage governmental databases for marketing purposes. The linking of digital video signage data to additional data sources is particularly sensitive because of the issue of identifiability.





[79] Raymond R. Burke, Retail Shoppability: A Measure of the Worlds Best Stores, 2005. p. 13. Originally published in Future Retail Now: 40 of the World’s Best Stores, Retail Industry Leaders Association. <>. 80 1-2-1 View Developing Audience Measurement Chip, Dec. 16, 2008. <http;//>.

[81] Laura Davis-Taylor, The In-Store Profiling Debate, May 20, 2008. <>.

[82] See, for example, the Privacy Act of 1974 that provides that a photograph is a record about an individual. 5 U.S.C. § 552a(a)(4) (definition of record).

[83] Digital signage today, TruMedia’s PROM software targets digital signage ads, August 19, 2008. <>.

[84] Stephanie Clifford, Billboards That Look Back, New York Times, May 31, 2008.

[85] Cardinal Health launches in-store retail pharmacy digital advertising program. August 11, 2009, Press Release. <>. See also a more detailed description of the network and a demo video loop at <>.

[86] An Open Letter from Chris Riegel, CEO STRATACACHE to Mr. Goeorge Barrett., Chairman and CEO, Cardinal Health, August 13, 2009. Available at <>.

[87] Id.

[88] Deena M. Amato-McCoy, Stepping it Up: Traffic-Counting Technology Improves Marketing, Sales, Chain Store Age, Vol. 84, No. 5, May 2008. “By eliminating the cabling expense required with wired solutions, wireless options can be used in new settings, including across store departments and fitting rooms.”

[89] Children’s Online Privacy Protection Act, <>.

[90] Deena M. Amato-McCoy, Stepping it Up: Traffic-Counting Technology Improves Marketing, Sales, Chain Store Age, Vol. 84, No. 5, May 2008. Quote from John Szczygiel, president, Mate Intelligent Video.



Roadmap: The One-Way-Mirror Society – Privacy Implications of the new Digital Signage Networks: VI. What are the specific privacy issues posed by digital signage networks / what risks exist?


Return to Index