AI-Powered Biometrics: Innovation That Empowers, Not Compromises

Biometric technology has moved well beyond fingerprint scanners on laptops. AI-powered systems can now analyse foot traffic patterns, recognise returning customers, flag unusual behaviour, and help retailers understand how people actually move through a store. The capabilities are genuinely useful. But useful technology and responsible technology are not automatically the same thing.

In New Zealand, any business considering biometrics needs to start with the Privacy Act 2020 — not as a compliance checkbox, but as a genuine design constraint. The Act's 13 Information Privacy Principles govern how personal information is collected, stored, used, and disclosed. Biometric data — facial recognition data, behavioural patterns tied to individuals — sits squarely within that framework. The Office of the Privacy Commissioner has been clear: if you're collecting it, you need to be able to justify it.

The practical question for most NZ businesses isn't whether biometrics are legal. It's whether the use case actually requires identifying individuals, or whether aggregate data would do the job just as well. Foot traffic analysis — counting how many people enter a store, when, and which areas they gravitate toward — can be done without capturing anything that links back to a specific person. That distinction matters enormously, both legally and ethically.

Here's what genuinely useful, privacy-safe biometric analysis looks like in a retail context. You can measure dwell time in specific zones without knowing who is standing there. You can analyse peak foot traffic periods to inform staffing rosters. You can understand which store layout changes actually improved flow, and which ones people ignored. You can spot patterns that suggest loss prevention issues without running a surveillance state. None of this requires a database of faces.

Loss prevention is one area where the technology gets more sensitive. AI systems that flag unusual behaviour — repeated visits to high-value areas without purchases, for instance — can reduce theft without the confrontational and legally fraught approach of stopping people based on appearance. Done well, this is less discriminatory than human judgment, not more. Done poorly, it amplifies existing biases. The difference is in the design and the ongoing oversight.

This is why we start every biometrics conversation the same way: with a scoping session before anyone writes a line of code. We want to understand what business problem you're actually trying to solve, what data you genuinely need to solve it, and whether biometrics is the right tool or just the most interesting one. Sometimes the answer is that a simpler sensor-based solution gets you 90% of the outcome with none of the privacy exposure.

What that consultation looks like in practice: we walk through your use case, map it against the Privacy Principles, identify what data you'd be collecting and why, look at whether you need individual-level data or aggregate data, and help you draft a privacy impact assessment if one's warranted. If you have existing privacy policies, we look at whether they'd need updating. If you're in a regulated sector — healthcare, financial services — we factor in the additional obligations those sectors carry.

There are projects we'll walk away from. If a client wants to use facial recognition to build profiles on individual customers without their knowledge or consent, we won't do it. If the goal is monitoring employees in ways that go beyond legitimate business need, we're not the right partner. If the system being proposed would require us to compromise on informed consent or data minimisation, we'll say so plainly and decline. This isn't about being precious — it's about building systems we'd be comfortable defending in front of the Privacy Commissioner.

The NZ business context matters here. We're a small country with a real culture of trust between businesses and their communities. The reputational cost of getting this wrong — a news story, a complaint to the OPC, a customer backlash — is significant, especially for small and mid-sized businesses that don't have a PR team to manage the fallout. The businesses that get this right will build genuine competitive advantage. The ones that move fast and break things will find the thing they broke was customer trust.

Done right, AI-powered analytics — including biometrics where it's appropriate and consented — gives NZ businesses insights they couldn't access before, without compromising the people they serve. That's the standard we hold ourselves to, and the standard we'd encourage you to hold us to.