For a decade, asset protection (AP) made the business case for surveillance technology. Facial recognition. Behavioral analytics. License plate readers. Biometric matching at the door.

The case was always framed as risk reduction.

In 2026, that same technology is one of the fastest-growing sources of legal risk in retail — and AP signed the purchase orders.

The litigation is already here

Illinois' Biometric Information Privacy Act (BIPA) lets individuals sue for $1,000 to $5,000 per violation, with no requirement to prove actual harm. The filings have become a flood.

  • 107 new BIPA class actions were filed in Illinois in 2025 alone (The Lyon Firm, 2026)

  • Charlotte Tilbury settled a facial recognition BIPA claim for $2.9 million in late 2024

  • MAC Cosmetics settled a BIPA facial-scanning case in 2026; multiple Estée Lauder brands — Bobbi Brown, Too Faced — faced parallel challenges

  • Target was hit with a proposed class action in Illinois over facial recognition used to combat shoplifting

  • Clearview AI — the facial recognition vendor used by retail and law enforcement — settled for a stake valued at roughly $51.75 million (final approval March 2025)

The pattern: the technology marketed to AP as a loss-prevention tool is being litigated as a privacy violation. And the early dismissals that protected retailers — cases thrown out because plaintiffs couldn't prove they were scanned in Illinois — are being engineered around. The MAC filing in 2026 was specifically written to clear those jurisdictional hurdles (Bill Jones Law, 2026).

The "wild west of unregulated facial scanning in retail," in the words of one firm tracking the cases, is closing.

The regulatory wall lands in August

This is not only a U.S. plaintiff's-bar story. The EU AI Act is phasing in, and the dates matter for any retailer with EU operations or EU customers.

  • Since February 2, 2025, several practices are already banned outright, with penalties up to €35 million or 7% of global annual turnover: untargeted scraping of CCTV or internet images to build facial recognition databases, emotion recognition in workplaces, and biometric categorization to infer protected characteristics (race, religion, union membership)

  • A retailer using AI cameras to infer customer ethnicity for marketing analytics has been operating an already-prohibited system since February 2025 (eyreACT case file, 2026)

  • August 2, 2026 — seven weeks out — high-risk AI system obligations take full effect: conformity assessment, technical documentation, human oversight, post-market monitoring, all required before deployment

The penalty ceiling is not theoretical. For a global retailer, 7% of worldwide turnover is a number that gets a CFO and a board fully engaged — which means it is about to become an AP conversation whether AP wants it or not.

The accountability question

Here is the uncomfortable part for the function.

The surveillance stack inside most large retailers was specified, justified, and championed by AP. The ROI decks that approved facial recognition and behavioral analytics carried AP's name. Almost no retail AP team has a Chief Privacy Officer embedded in it, a biometric data retention standard written down, or a documented consent and notice protocol that would survive a BIPA filing.

AP built the capability. AP did not build the discipline that the capability now legally requires.

That gap is the liability. And it is closing fast in two directions at once: a U.S. plaintiff's bar that has found retail a rich target, and an EU regulatory regime with penalties large enough to reach the boardroom.

A perspective from the field

Every security technology I have ever deployed across our operations came with a question I learned to ask early and never skip: not "can we," but "can we defend this in front of a regulator or a court two years from now?"

The teams that asked that question before buying surveillance technology are calm right now. The teams that asked only whether the technology reduced shrink are about to spend the next two years in remediation and settlement.

Surveillance capability without a governance framework is not an asset. It is an unfunded liability sitting on the balance sheet, waiting for a filing.

Three practical moves for the next 90 days

  1. Inventory every biometric and AI surveillance system you operate, by jurisdiction. Facial recognition, behavioral analytics, license plate readers, anything that captures or infers identity. Map each against where it is deployed. You cannot manage exposure you have not catalogued, and most AP teams have never made this list.

  2. Find out whether you have written consent, notice, and retention policies — today, not after a filing. BIPA liability flows almost entirely from missing notice, missing consent, and missing retention schedules. If those documents do not exist for each system, that is the gap a plaintiff's firm is looking for. Flag it to Legal now.

  3. Get Privacy and Legal into the room before your next surveillance purchase — and make it permanent. The era of AP specifying surveillance technology alone is over. The function that brings Privacy and Legal into procurement proactively becomes the function that leadership trusts with the harder enterprise-risk conversations. The one that keeps buying alone becomes the one named in the next complaint.

Closing note

AP didn't set out to build a surveillance liability. It set out to reduce loss, and the technology that promised to do it arrived faster than the rules governing it.

But the rules have arrived now — in courtrooms in Illinois and in regulation landing across the EU this August. The capability AP built is now a liability AP owns. The only question left is whether the function gets ahead of it or waits to be named in the filing.

I'd like to hear from AP leaders who have already brought Privacy and Legal into their surveillance decisions. What did it change? Reply with anything you can share, anonymized if you prefer.

Forward this to one LP or AP leader who should be reading it.

— Gabriel

The LP Brief is a weekly intelligence read for senior loss prevention and asset protection leaders. Free. No vendor noise.

Not yet subscribed? thelpbrief.com
