they don't know necessary who are you and what are you buying. I don't think also for big shops with many customers that techonology and reliably do instance segmentation - this is not face id.
They don't, but there is a significant chance that their "security solution" uploads all the data to a cloud provider (Amazon, Google, Oracle) which will be more than happy to analyze the data for them.
That's possible but would be completely and highly illegal, the EU regularly fines companies violating GDPR, and those fines are not trivial at all, they can be quite hefty.
I was talking about the reality of the US, but even if I was talking about Europe: how does the GDPR even enter this equation here? I was never asked for consent to have my face recorded when I get into a shop in Germany. Were you?
