Gone are the days when the CCTV outside the dressing room was only there to dissuade – or help prosecute – shoplifters.

Bricks-and-mortar retailers are increasingly moving from the real world to the virtual world as they collect more and more data about current and would-be customers, and engage specialists to analyse the implications of that data.

In-store video, localization tracking through Wi-Fi, Bluetooth and mobile app data can be meshed with more traditional data sources such as social media, payment cards and seasonal sales to build increasingly accurate predictive and analytical models. Whereas in-store behaviors (essentially, purchasing data) were once merely the driver of optimized stocking and re-order strategies, today the analysis of in-store behaviours can be the kernel of more profitable pricing strategies, improved traffic patterns and higher conversion ratios: what exactly moves the shopper from window to cash register?

The use of big data analytics, and particularly in-store data analytics, represents a significant change for a retail industry where physical stores’ data collection has lagged behind the pure players’, and where the bottom-line potential of multiplying data sources, data outputs and sophisticated algorithms is only starting to be realized.

Use of CCTV and other visual inputs is of particular interest, but also of particular concern. CCTV images that record in-store footfall to help optimize store displays may not raise issues, but CCTV also holds the power of facial recognition. Google found the need to step away from the facial recognition capabilities of its now-defunct GoogleGlass project; similarly, facial recognition in retail outlets may raise a host of concerns about store visitor privacy, particularly in Europe.

Under EU data protection laws, photos and video are considered personal data if a person can be directly or indirectly identified, meaning that images of faces are personal data, which in turn implicates all the legal conditions and limitations attached to the processing of personal data.

But even short of identifying shoppers, whether by CCTV images, use of a loyalty card, or in-store Wi-Fi, the prevailing attitude among EU data protection regulators is that the purview of data protection laws encompasses information that can be used to differentiate one individual consumer from another – even without any specific identifying data. The implications are huge, as one of the principal promises of big data analytics is not only to understand a particular audience or population segment, but to craft personalized offerings that both answer and spur consumer need.

As the law currently stands, the solutions will need to rely on the tried-and-true: consumer consent. The savvy retailer will know how to leverage consent as another valuable touch point to glean consumer desires.