A Field Study on Data Protection and IT Security in AI-supported Cashierless Stores

Abstract: The retail sector is undergoing profound structural change. This is being driven largely by digital technologies. Applications such as online ordering, click & collect, self-checkout, and mobile payment methods have become firmly established as part of the modern shopping experience in recent years and are now taken for granted by many consumers. They are changing not only operational processes, but also expectations in terms of convenience, speed, and flexibility.One example of a new technological development in retail is the so-called cashierless store, which is introduced in many countries, primarily in large cities. Cashierless stores allow customers to take products from the shelf and then leave the store without going through the checkout process. Billing is automated in the background. Technically, this concept is based on the interaction of cameras, sensors, and AI-supported evaluation, which allows customers' movements and product removals to be recorded and assigned.In addition to efficiency gains, retail enterprises expect to gain insights from the data collected: movement patterns, purchasing behavior, and product range interests can be precisely analyzed and targeted for marketing. Digitalization thus serves not only to improve the shopping experience of customers, but also a better control of the retail economic processes on the basis of collected data.Consumer studies show that digital solutions are becoming increasingly accepted. A survey cites the elimination of queues as the most important advantage of cashierless systems. Of the approximately 1,000 respondents, 84% saw this as a decisive added value. Another study also emphasizes the desire of many consumers to combine the speed and convenience of online shopping with the immediate availability of brick-and-mortar stores, i.e., to combine digital ease and convenience with physical presence.Regardless of the advantages that cashierless stores offer to customers and retail companies, key questions about data protection and IT security remain unanswered in many cases. In particular data generated by skeleton-based tracking which is afterwards stored for biometric movement profiles can be considered highly sensitive. European data protection experts warn that current cashierless shopping concepts are not always compatible with applicable data protection regulations, as customers have little insight into what data is collected and how long recorded images, for example, are stored or evaluated. In addition, the system’s dependence on complex IT systems poses a considerable security risk. Processing large amounts of data always carries with it potential risks of misuse, for example through system errors, inadequate protective measures, or cyberattacks.This paper presents an analysis of the technical fundamentals and data protection challenges of cashierless store systems, taking German supermarkets as an example. The focus is particularly on the investigation of skeleton-based tracking and sensor fusion, which are used to identify and track customers. It has been found that the systems – despite the assurance of privacy by design – collect and store potentially sensitive movement profiles. Customers are often unaware of this. Field observations, customer surveys and an expert interview are used to analyze both technical and legal issues. The results show that data protection is often inadequately implemented in these systems and that users are hardly informed about data collection. Based on the results, potential areas of action for providers and supervisory authorities are identified.

Keywords: IT security, Data protection, Cashierless store, Artificial intelligence, Field study

DOI: 10.54941/ahfe1007190

Cite this paper:

​