Real-time facial recognition in retail stores doesn’t look like the distant future anymore: for example, age prompts at self-checkout are being seen more and more often. What makes the current trend worth studying is not the camera itself, but the job it is being asked to do.
Some companies use retail age verification as a filter for age-restricted goods, while others use face matching as a customer credential for payments. Moreover, some retailers choose to scan everyone at the entrance to spot people on store watchlists.
In this article, we will walk through five deployments of age verification/face recognition in retail, including successful rollouts and attempts that failed. Read more to learn all about what the customer sees, what staff do when the system flags someone, what gets stored, what gets deleted, and which design choices made regulators ask hard questions.
Get posts like this in your inbox with the bi-weekly Regula Blog Digest!
Germany (EDEKA Jäger): In-store age gating
In April 2024, EDEKA announced a very specific change at the 24/7 EDEKA Jäger store at Stuttgart Airport: age-restricted items at self-checkout no longer needed an employee to approve the sale.
Now, when a restricted item is scanned, the self-checkout kiosk asks the shopper if they want automatic age recognition. If they accept, the camera estimates their age and compares it to a preset threshold, letting the transaction continue when the estimate is above that threshold. The technology was seen as an operational throughput fix: it was estimated that age checks were required in about 22% of retail transactions, and the automation would take this load off the staff as a practical form of retail age verification.
During the first week, more than 80% of age-restricted purchases were approved via the automated check.
By the end of 2024, there were already three EDEKA Jäger locations with self-checkouts and AI-supported age verification. As of early 2026, it’s an active, expanding implementation with additional EDEKA sites, including Stuttgart-Plieningen, Waltershofen, and Düsseldorf.
As for the practical impact, EDEKA reported that the deployment reduced the need for human intervention by 75%, and shortened average age verification time from about two minutes to under 10 seconds.
Europe-wide (British American Tobacco): Age gating for kiosks
In April 2025, British American Tobacco rolled out an age-gating pilot to prevent underage buyers from purchasing nicotine products in iNovine kiosks in Croatia. The system prompts the shopper to take a selfie, and the retailer then receives a yes/no answer about meeting a minimum age threshold, with the pilot set to 20. If the shopper does not meet the threshold, staff revert to conventional proof-of-age checks.
The initial phase saw 240 kiosks bolstered with the new technology, a number that has since increased not only in Croatia, but in other countries too. For example, Bosnia and Herzegovina now also boasts about 400 modernized kiosks across BAT’s iNovine and Lafka kiosk network.
Elsewhere, BAT started showing the same mechanism in more conventional retail formats. One example is the in-store program in Jersey (the Channel Islands). In October 2025, age-gating technology was implemented in ten Coop stores.
Serbia, Italy, and Poland are also among the countries mentioned in the wider rollout program, now either piloting the solution or only entering the pilot stage.
As for performance, BAT cites early results of “99% accuracy,” plus the more decision-relevant statement that 99.3% of 13–17-year-olds would be estimated as under 21, which mirrors how buffer thresholds are typically set in retail. They also state that selfie images are deleted once the age is determined, and that the method does not identify who the shopper is.
South Korea (Toss Facepay): Pay-by-face system
In some cases, it’s not about if the buyer is old enough — it’s about if they are who they claim to be. Pay-by-face systems that are tied to biometric templates of individuals are seeing more and more use as a valid payment authentication method.
In February 2025, the financial app Toss announced the release of a pay-by-face system that would be placed at convenience stores all across South Korea. The solution was meant to use a dedicated device installed at checkout counters that would scan the buyer’s face and verify it.
Toss claimed accurate verification “in just a second,” and that Facepay data is encrypted and stored on a separate server. It also stated that their liveness detection would screen out spoofing attempts that use images or video, which is the same fraud problem that shows up in ecommerce identity verification, for instance.
Facepay started in March 2025 at selected CU and GS25 locations, and later was made available at 7-Eleven in the second quarter of 2025.
The plans for 2026 are even more ambitious, as the fintech company is looking at a nationwide rollout, with one million stores served. To provide some context, it is estimated that 300,000 stores used Facepay by the end of 2025.
New Zealand (Foodstuffs North Island): Scrutiny from regulators, positive outcome
Due to the sensitive nature of watchlist-style systems, facial recognition in retail stores can attract attention from governing bodies when it looks like it is drifting into mass surveillance.
Foodstuffs ran a facial recognition trial in 25 supermarkets, starting on 8 February 2024.
The system captured faces at store entry and compared them to a watchlist, then sent an alert to trained staff when it flagged a potential match.
However, only two months later, on 4 April 2024, the Privacy Commissioner formally opened an inquiry to assess whether the use of facial recognition was justified compared with less privacy-intrusive options.
But the trial didn’t go smoothly for every customer: in one case, a Maori woman, Te Ani Solomon, was approached in a store because staff believed she matched someone who had previously trespassed. Solomon said staff continued to insist even after she offered identification, and she described staff referring to an image on a phone that did not appear to be her. Foodstuffs later described the incident as human error, said it would apologise and retrain staff, and pointed to its procedure requiring two trained team members to verify an alert before acting.
Still, on June 4, 2025, the Privacy Commissioner said the trial model complied with the Privacy Act, while also stressing that the privacy intrusion was high because every visitor’s face was collected. The report published the trial’s headline numbers: 225,972,004 face scans (including repeat captures), 99.999% deleted within one minute, 1,742 alerts, and 1,208 confirmed matches — all within the norm.
The inquiry report also documented that the trial settings and procedures were tightened after misidentifications. Staff action on an alert was initially allowed at a 90% match level, but then the operational threshold was lifted to 92.5% after two people were misidentified. The report warned that there is still residual risk around bias, which requires strong operational checks. It also recommended adjusting the algorithm so that alerts would trigger at a minimum of 92.5% — that way, staff won’t be pushed to act on lower-confidence prompts.
The trial itself ended in September 2024, but all the 25 stores that participated have continued to use the technology in the same manner as they did during the testing period.
Australia (Kmart): Scrutiny from regulators, negative outcome
In contrast to the case above, Kmart’s case shows how quickly a retail crime-prevention rationale collapses once a system starts scanning everyone.
Kmart used facial recognition in 28 stores between June 2020 and July 2022, placing cameras at entrances and at returns counters to try to spot people suspected of refund fraud or theft. The key point of contention for privacy law was the scope: everyone who walked in and everyone who tried to return an item had their face captured and analyzed — not just people already suspected of wrongdoing.
The Office of the Australian Information Commissioner (OAIC) started looking into the case, and Kmart stopped deploying the system once the investigation started. After the process concluded, Privacy Commissioner Carly Kind released a public statement in September 2025 saying Kmart’s use of facial recognition to tackle refund fraud was unlawful and breached the Privacy Act.
In the OAIC’s reasoning, collecting biometric information on every shopper in those stores was disproportionate when only a small fraction of customers would ever be linked to refund fraud concerns. The Commissioner also said the system had limited value for the stated goal, and that other less privacy-intrusive options existed.
“The human rights to safety and privacy are not mutually exclusive; rather, both must be preserved, upheld and promoted. Customer and staff safety, and fraud prevention and detection, are legitimate reasons businesses might have regard to when considering the deployment of new technologies. However, these reasons are not, in and of themselves, a free pass to avoid compliance with the Privacy Act,” she stated.
So the takeaway is that the claimed benefits of facial recognition in retail are not enough on their own. Retailers still need a tight justification, strict data handling, and a design that is not built around scanning everyone by default.
How Regula’s age estimation and face verification protect customers and businesses
Regulations are tightening, but people’s tolerance for privacy intrusion is wearing thin. That’s why retailers need to be careful when implementing retail facial recognition and retail age verification systems. In practice, face tech tends to succeed when it is tied to a specific moment (e.g., an age-gated scan at self-checkout) and when the data footprint stays narrow.
Regula Face SDK is built to support all kinds of checks that retailers can justify operationally and document for compliance: age estimation for eligibility routing, and biometric verification for repeat customers or account actions, backed by public benchmarking and third-party testing.
Top ranked age estimation performance (according to NIST): Highly reliable outcomes, confirmed by government-run testing that you can cite in your compliance documentation.
Advanced facial recognition with liveness detection: The SDK uses precise facial recognition algorithms with active and passive liveness detection to verify users in real time, preventing biometric fraud including photos or videos injections, screen replays, masks, deepfakes, etc.
iBeta-confirmed spoof resistance: Regula has successfully passed iBeta’s Presentation Attack Detection (PAD) Level 1 and Level 2 tests according to ISO 30107-3 standards.
1:1 face matching for authentication: a live selfie comparison to a trusted reference (document primary or secondary portraits, chip portrait, or a customer record) for payments, account recovery, or high-risk in-store actions.
1:N identification for a database or watchlists: Search against a database you control, with the expectation that your policies handle signage, retention, access controls, and staff action thresholds.
Capture quality and decision stability: Face capture and image quality checks (pose, blur, occlusion signals) help prevent low-quality input from becoming a “pass” near a threshold.
Privacy-aware deployment options: Regula Face SDK can run entirely on your infrastructure (and, where appropriate, on the client device), so you control biometric data handling, storage, and retention end to end.
