Overview

• The CNIL determined that AI cameras activated by default violate GDPR by scanning all customers’ faces without consent or a right to object.
• The authority judged that the technology fails necessity and proportionality tests under the GDPR and carries an inherent margin of error.
• It warned that reliance on machine estimations could replace proper age verification and undermine existing tobacco sale regulations.
• The Confédération nationale des buralistes has agreed to phase out the cameras and resume manual ID checks for under-age customers.
• The decision highlights broader privacy concerns over biometric surveillance and the risk of normalizing pervasive monitoring in everyday settings.