Information Commissioner probes facial recognition case where shopper was wrongly accused of theft

Martin Shipton

The Information Commissioner’s Office has launched an investigation into the apparent misuse of facial recognition technology by the discount retail chain B&M following an incident in Wales where a shopper was wrongly accused of theft.

In September 2025 Nation.Cymru reported the case of Byron Long, who was subjected to public humiliation in the chain’s Cardiff store following the false allegation.

Mr Long, 66, entered the B&M store in Cardiff Bay Retail Park on April 29 2025 when he was stopped by a member of staff and told in front of other customers that he was barred and would have to leave because he was a thief. According to the staff member, CCTV images captured by a facial recognition firm contracted to the store called Facewatch had shown him stealing goods to the value of £75 during a previous visit on April 9.

In fact Mr Long had bought cat treats at a cost of £7 and had stolen nothing.

He said: “Eventually I got access to the CCTV footage which clearly showed me wearing a Red Bull Formula 1 jacket and paying for the cat treats.

“It was a horrible experience and I haven’t been back to the store since. The incident has had a very serious impact on my mental health, which is very fragile anyway, and I am now very anxious whenever I go shopping.” B&M Customer Services wrote to Mr Long apologising. They stated: “Our B&M store and security teams have a duty of care to all our customers and to our company, and this includes challenging people that they believe are potentially shop lifting. This is an extremely difficult task, and sadly we don’t always get it right; your case would be one of these instances.

“We can confirm your data has been removed from Facewatch.

“On behalf of B&M please accept my sincere apologies for any embarrassment, inconvenience and upset caused. We would never want this for one of our valued customers, and we hope that in time this incident does not deter you from shopping with B&M.”

They offered Mr Long a voucher worth £25, which he rejected as an insult.

Suspended

Responding to Mr Long’s complaint, Michele Bond, Facewatch’s Head of Incident Review and Data Protection Enquiries, stated: “Facewatch Incident data is submitted by authorised users, who must confirm the accuracy of the information provided. Once the error was identified, the user responsible was immediately suspended from using the Facewatch system.”

Since we reported the story it has been featured in a number of European news outlets, including the French television channel TF1.

The Information Commissioner’s Office (ICO) has confirmed to Mr Long that it is seeking information from both B&M and Facewatch.

In 2023 the ICO wrote to Facewatch after investigating an earlier incident that had been referred to it by the campaign group Big Brother Watch.

In its letter, the ICO stated: “We understand that the purpose of Facewatch is to assist businesses to minimise unlawful acts from occurring in their premises. By using their Live Facial Recognition (“LFR”) service to process the personal data of individuals who are suspected of having committed a criminal act, Facewatch aims to alert their subscribers to criminal activity in order to prevent and deter the act before it takes place.

“A key element of Facewatch’s service is the shared national facial recognition watchlist. This enables subscribers to receive an alert when a subject of interest (“SOI”) has been identified and uploaded to a watchlist by another organisation.

“We have investigated whether Facewatch has complied with the requirements of the data protection legislation … During the course of our investigation, the ICO sent Facewatch a Compliance Assessment letter dated 09 February 2022 which outlined the ICO’s position in relation to Facewatch’s compliance with the data protection legislation, based on the documentation Facewatch had provided.

“We concluded that Facewatch’s processing of personal data failed to balance the legitimate interest of Facewatch and their subscribers against the rights and freedoms of individuals. The ICO advised Facewatch that the following data protection legislation had been breached:

* Article 5(1)(a) – lawfulness, fairness and transparency;

* Article 5(1)(b) – purpose limitation;

* Article 5(1)(e) – storage limitation;

* Article 6 – lawfulness of processing;

* Article 9 – processing of special categories of data;

* Article 10 – processing of personal data relating to criminal convictions and offences; and

* Recital 38 – the rights of children

Schedule 1, Part 2, s10 of the Data Protection Act 2018.

Nevertheless, on the basis of assurances given by Facewatch and its acceptance of detailed advice given by the ICO, no penalty was imposed on the company.

Now, however, it may face further action from the ICO, which told Facewatch in 2023: “Please note that if further information relating to this incident comes to light, or if any further incidents involving Facewatch are reported to us, we will revisit this matter, and enforcement action may be considered as a result.”