{"id":87560,"date":"2026-03-17T16:58:22","date_gmt":"2026-03-17T15:58:22","guid":{"rendered":"https:\/\/flameanalytics.com\/?p=87560"},"modified":"2026-04-11T20:34:24","modified_gmt":"2026-04-11T19:34:24","slug":"gdpr-video-analytics-compliance-guide-shopping-malls","status":"publish","type":"post","link":"https:\/\/flameanalytics.com\/en\/gdpr-video-analytics-compliance-guide-shopping-malls\/","title":{"rendered":"GDPR and Video Analytics: complete compliance guide for shopping malls"},"content":{"rendered":"<figure style=\"margin: 0 0 36px;\"><img decoding=\"async\" style=\"width: 100%; height: auto; border-radius: 8px;\" title=\"GDPR and video analytics: compliance guide for shopping malls - Flame Analytics\" src=\"https:\/\/flameanalytics.com\/wp-content\/uploads\/2026\/03\/gdpr-video-analytics-hero-en-3.webp\" alt=\"GDPR and video analytics: complete compliance guide for shopping malls with Flame Hypersensor\" \/><\/figure>\n<div class=\"fa-lead\" style=\"border-left: 4px solid #31b1f8; padding: 4px 0 4px 20px; margin-bottom: 32px;\">\n<p style=\"font-size: 16px; line-height: 1.75; color: #374151;\">Shopping malls collect more visitor data than ever before \u2014 footfall counts, dwell times, zone heatmaps, queue lengths. Yet many still operate in a legal grey area when it comes to <strong>GDPR video analytics<\/strong> compliance. The paradox is clear: retailers need granular data to compete, but the regulation that protects consumers can also shut down entire analytics programmes overnight. This guide breaks down exactly what the GDPR requires for video analytics in shopping malls, where the real risks lie, and how to achieve full compliance without sacrificing insight.<\/p>\n<\/div>\n<div class=\"fa-meta\" style=\"border-top: 1px solid #E5E7EB; border-bottom: 1px solid #E5E7EB; padding: 14px 0; margin-bottom: 36px; display: flex; gap: 24px; flex-wrap: wrap; font-size: 13px; color: #6b7280;\">\ud83d\udcc5 March 2026<br \/>\n\u23f1 11 min read<br \/>\n\ud83d\udcca Sources: GDPR, EDPB Guidelines, EU AI Act, Flame Analytics<\/div>\n<div style=\"display: flex; gap: 16px; margin-bottom: 40px; flex-wrap: wrap;\">\n<div style=\"flex: 1; min-width: 180px; background: #f3f4f6; border-radius: 8px; padding: 24px 20px; text-align: center;\">\n<div style=\"font-size: 36px; font-weight: bold; color: #0c6fd5;\">\u20ac20M<\/div>\n<div style=\"font-size: 13px; color: #6b7280; margin-top: 4px;\">max GDPR fine<br \/>\n(or 4% of annual turnover)<\/div>\n<\/div>\n<div style=\"flex: 1; min-width: 180px; background: #f3f4f6; border-radius: 8px; padding: 24px 20px; text-align: center;\">\n<div style=\"font-size: 36px; font-weight: bold; color: #0c6fd5;\">0<\/div>\n<div style=\"font-size: 13px; color: #6b7280; margin-top: 4px;\">biometric data points<br \/>\nwith Flame Hypersensor<\/div>\n<\/div>\n<div style=\"flex: 1; min-width: 180px; background: #f3f4f6; border-radius: 8px; padding: 24px 20px; text-align: center;\">\n<div style=\"font-size: 36px; font-weight: bold; color: #0c6fd5;\">50+<\/div>\n<div style=\"font-size: 13px; color: #6b7280; margin-top: 4px;\">shopping malls trust<br \/>\nFlame\u2019s privacy-first approach<\/div>\n<\/div>\n<\/div>\n<nav class=\"fa-toc\" style=\"background: #f9fafb; border: 1px solid #e5e7eb; border-radius: 8px; padding: 24px 28px; margin-bottom: 40px;\">\n<p style=\"font-weight: bold; font-size: 16px; color: #15163a; margin-bottom: 12px;\">Table of Contents<\/p>\n<ol style=\"margin: 0; padding-left: 20px; font-size: 14px; line-height: 2; color: #374151;\">\n<li><a style=\"color: #0c6fd5; text-decoration: none;\" href=\"#compliance-paradox\">The compliance paradox: data vs. privacy<\/a><\/li>\n<li><a style=\"color: #0c6fd5; text-decoration: none;\" href=\"#gdpr-fundamentals\">GDPR fundamentals for video analytics<\/a><\/li>\n<li><a style=\"color: #0c6fd5; text-decoration: none;\" href=\"#biometrics-line\">The biometrics line: why most retailers cross it unknowingly<\/a><\/li>\n<li><a style=\"color: #0c6fd5; text-decoration: none;\" href=\"#three-levels\">3 levels of GDPR compliance in video analytics<\/a><\/li>\n<li><a style=\"color: #0c6fd5; text-decoration: none;\" href=\"#hypersensor-approach\">Hypersensor: analytics without biometrics<\/a><\/li>\n<li><a style=\"color: #0c6fd5; text-decoration: none;\" href=\"#compliance-checklist\">15-point GDPR compliance checklist<\/a><\/li>\n<li><a style=\"color: #0c6fd5; text-decoration: none;\" href=\"#common-mistakes\">Common mistakes that lead to sanctions<\/a><\/li>\n<li><a style=\"color: #0c6fd5; text-decoration: none;\" href=\"#faq\">Frequently asked questions<\/a><\/li>\n<\/ol>\n<\/nav>\n<h2 id=\"compliance-paradox\" style=\"font-size: 32px; font-weight: bold; color: #15163a; margin-bottom: 18px;\">1. The compliance paradox: retailers need data but fear GDPR<\/h2>\n<p style=\"font-size: 14px; line-height: 1.75; color: #374151;\">Shopping mall managers face a difficult tension. On one side, tenants demand footfall reports, conversion metrics, and zone-level performance data to justify rents and optimise store placement. On the other, data protection authorities across Europe are increasing scrutiny of video surveillance systems used for purposes beyond basic security.<\/p>\n<p style=\"font-size: 14px; line-height: 1.75; color: #374151;\">The result? Many malls either avoid analytics altogether \u2014 losing competitive intelligence \u2014 or deploy systems without proper legal review, exposing themselves to fines of up to <strong>\u20ac20 million or 4% of global annual turnover<\/strong>. Neither approach is sustainable.<\/p>\n<p style=\"font-size: 14px; line-height: 1.75; color: #374151;\">The good news: <strong>GDPR compliance and powerful retail analytics are not mutually exclusive<\/strong>. The key lies in understanding what the regulation actually prohibits versus what it permits \u2014 and choosing technology designed with privacy at its core.<\/p>\n<div class=\"fa-callout\" style=\"background: rgba(12,111,213,0.05); border-left: 4px solid #0c6fd5; border-radius: 0 8px 8px 0; padding: 16px 20px; margin: 28px 0;\">\n<p style=\"font-size: 14px; line-height: 1.7; color: #374151; margin: 0;\"><strong>Key insight:<\/strong> The GDPR does not ban video analytics. It bans the processing of personal data without a lawful basis. The distinction between analytics that process personal data and those that don\u2019t is where compliance \u2014 or non-compliance \u2014 begins.<\/p>\n<\/div>\n<h2 id=\"gdpr-fundamentals\" style=\"font-size: 32px; font-weight: bold; color: #15163a; margin: 40px 0 18px;\">2. GDPR fundamentals for video analytics<\/h2>\n<p style=\"font-size: 14px; line-height: 1.75; color: #374151;\">Before diving into compliance strategies, it is essential to understand which GDPR articles directly affect video analytics in retail environments.<\/p>\n<div class=\"fa-table-wrap\" style=\"border-radius: 8px; overflow: hidden; margin-bottom: 36px;\">\n<table style=\"width: 100%; border-collapse: collapse; font-size: 14px;\">\n<thead>\n<tr style=\"background: #15163A; color: #fff;\">\n<th style=\"padding: 12px 16px; text-align: left; font-weight: 600;\">GDPR Article<\/th>\n<th style=\"padding: 12px 16px; text-align: left; font-weight: 600;\">What it covers<\/th>\n<th style=\"padding: 12px 16px; text-align: left; font-weight: 600;\">Impact on video analytics<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr style=\"background: #f3f3f3;\">\n<td style=\"padding: 10px 16px;\"><strong>Art. 6<\/strong> \u2014 Lawful basis<\/td>\n<td style=\"padding: 10px 16px;\">Six legal grounds for processing personal data<\/td>\n<td style=\"padding: 10px 16px;\">Legitimate interest is the most common basis for CCTV; analytics requires separate assessment<\/td>\n<\/tr>\n<tr>\n<td style=\"padding: 10px 16px;\"><strong>Art. 9<\/strong> \u2014 Special categories<\/td>\n<td style=\"padding: 10px 16px;\">Biometric data processed to uniquely identify a person<\/td>\n<td style=\"padding: 10px 16px;\">Triggers strict prohibition unless explicit consent or specific exemptions apply<\/td>\n<\/tr>\n<tr style=\"background: #f3f3f3;\">\n<td style=\"padding: 10px 16px;\"><strong>Art. 13\/14<\/strong> \u2014 Transparency<\/td>\n<td style=\"padding: 10px 16px;\">Information to be provided to data subjects<\/td>\n<td style=\"padding: 10px 16px;\">Signage, privacy notices, and layered information required at every entry point<\/td>\n<\/tr>\n<tr>\n<td style=\"padding: 10px 16px;\"><strong>Art. 25<\/strong> \u2014 Data protection by design<\/td>\n<td style=\"padding: 10px 16px;\">Privacy embedded into system architecture<\/td>\n<td style=\"padding: 10px 16px;\">Analytics platform must minimise data collection by default<\/td>\n<\/tr>\n<tr style=\"background: #f3f3f3;\">\n<td style=\"padding: 10px 16px;\"><strong>Art. 35<\/strong> \u2014 DPIA<\/td>\n<td style=\"padding: 10px 16px;\">Data Protection Impact Assessment<\/td>\n<td style=\"padding: 10px 16px;\">Mandatory for large-scale video monitoring of publicly accessible areas<\/td>\n<\/tr>\n<tr>\n<td style=\"padding: 10px 16px;\"><strong>Art. 37<\/strong> \u2014 DPO<\/td>\n<td style=\"padding: 10px 16px;\">Data Protection Officer appointment<\/td>\n<td style=\"padding: 10px 16px;\">Required when core activities involve large-scale monitoring<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<p style=\"font-size: 14px; line-height: 1.75; color: #374151;\">The European Data Protection Board (EDPB) published <strong>Guidelines 3\/2019<\/strong> specifically addressing video surveillance. These guidelines clarify that video footage of identifiable individuals constitutes personal data \u2014 even if you never intend to identify anyone. This is a critical point: <strong>intent does not determine compliance; capability does<\/strong>.<\/p>\n<p style=\"font-size: 14px; line-height: 1.75; color: #374151;\">For shopping malls, the EDPB guidelines explicitly state that a Data Protection Impact Assessment (DPIA) is mandatory when deploying video analytics in publicly accessible spaces. This applies regardless of whether the system uses AI or simple motion detection.<\/p>\n<h2 id=\"biometrics-line\" style=\"font-size: 32px; font-weight: bold; color: #15163a; margin: 40px 0 18px;\">3. The biometrics line: why most retailers cross it unknowingly<\/h2>\n<p style=\"font-size: 14px; line-height: 1.75; color: #374151;\">Article 9 of the GDPR places <strong>biometric data<\/strong> in the \u201cspecial categories\u201d \u2014 the same tier as health data, political opinions, and religious beliefs. Processing biometric data to uniquely identify a natural person is prohibited by default, with only narrow exceptions (explicit consent, substantial public interest, etc.).<\/p>\n<p style=\"font-size: 14px; line-height: 1.75; color: #374151;\">Here is where many retailers unknowingly cross the line. Some video analytics platforms use techniques that technically qualify as biometric processing under GDPR definitions:<\/p>\n<div style=\"display: flex; flex-direction: column; gap: 12px; margin: 20px 0 36px;\">\n<div class=\"fa-tier-item\" style=\"background: #fff0f0; border-left: 4px solid #dc2626; border-radius: 6px; padding: 14px 16px;\"><strong style=\"color: #dc2626;\">Re-identification tracking<\/strong><br \/>\n<span style=\"font-size: 14px; color: #374151;\">Generating a unique \u201csignature\u201d from a person\u2019s appearance (clothing, body shape, gait) to track them across cameras or visits. Even without storing a face template, if the system can re-identify a specific individual, it may constitute biometric processing.<\/span><\/div>\n<div class=\"fa-tier-item\" style=\"background: #fff0f0; border-left: 4px solid #dc2626; border-radius: 6px; padding: 14px 16px;\"><strong style=\"color: #dc2626;\">Demographic classification via face analysis<\/strong><br \/>\n<span style=\"font-size: 14px; color: #374151;\">Estimating age and gender from facial features. While not \u201cidentification\u201d in the traditional sense, the EDPB has indicated that processing facial images to extract demographic data can fall under Article 9 if it involves biometric processing techniques.<\/span><\/div>\n<div class=\"fa-tier-item\" style=\"background: #fff0f0; border-left: 4px solid #dc2626; border-radius: 6px; padding: 14px 16px;\"><strong style=\"color: #dc2626;\">Emotion detection<\/strong><br \/>\n<span style=\"font-size: 14px; color: #374151;\">Analysing facial expressions to gauge shopper mood or satisfaction. The EU AI Act (effective August 2025) explicitly bans emotion recognition in workplaces and educational institutions, and retail applications face severe restrictions.<\/span><\/div>\n<\/div>\n<div class=\"fa-callout\" style=\"background: rgba(220,38,38,0.05); border-left: 4px solid #dc2626; border-radius: 0 8px 8px 0; padding: 16px 20px; margin: 28px 0;\">\n<p style=\"font-size: 14px; line-height: 1.7; color: #374151; margin: 0;\"><strong>Warning:<\/strong> If your video analytics vendor mentions \u201cunique visitor counting,\u201d \u201creturn visitor detection,\u201d or \u201cdemographic profiling,\u201d ask them exactly how these features work. If the answer involves generating any form of individual signature \u2014 even a temporary one \u2014 you may be processing biometric data under GDPR Article 9.<\/p>\n<\/div>\n<h2 id=\"three-levels\" style=\"font-size: 32px; font-weight: bold; color: #15163a; margin: 40px 0 18px;\">4. Three levels of GDPR compliance in video analytics<\/h2>\n<p style=\"font-size: 14px; line-height: 1.75; color: #374151;\">Not all video analytics carry the same regulatory risk. Understanding where your current setup falls on the compliance spectrum is the first step toward closing gaps.<\/p>\n<div class=\"fa-table-wrap\" style=\"border-radius: 8px; overflow: hidden; margin-bottom: 36px;\">\n<table style=\"width: 100%; border-collapse: collapse; font-size: 14px;\">\n<thead>\n<tr style=\"background: #15163A; color: #fff;\">\n<th style=\"padding: 12px 16px; text-align: left; font-weight: 600;\">Level<\/th>\n<th style=\"padding: 12px 16px; text-align: left; font-weight: 600;\">Technology<\/th>\n<th style=\"padding: 12px 16px; text-align: left; font-weight: 600;\">Data processed<\/th>\n<th style=\"padding: 12px 16px; text-align: left; font-weight: 600;\">GDPR risk<\/th>\n<th style=\"padding: 12px 16px; text-align: left; font-weight: 600;\">Typical setup<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr style=\"background: #f3f3f3;\">\n<td style=\"padding: 10px 16px;\"><strong>Basic CCTV<\/strong><\/td>\n<td style=\"padding: 10px 16px;\">Recording only<\/td>\n<td style=\"padding: 10px 16px;\">Video footage (personal data)<\/td>\n<td style=\"padding: 10px 16px; color: #d97706;\"><strong>Medium<\/strong><\/td>\n<td style=\"padding: 10px 16px;\">Standard security cameras with NVR; legitimate interest basis; signage required<\/td>\n<\/tr>\n<tr>\n<td style=\"padding: 10px 16px;\"><strong>Enhanced analytics<\/strong><\/td>\n<td style=\"padding: 10px 16px;\">AI with individual tracking<\/td>\n<td style=\"padding: 10px 16px;\">Appearance signatures, demographics, re-ID<\/td>\n<td style=\"padding: 10px 16px; color: #dc2626;\"><strong>High<\/strong><\/td>\n<td style=\"padding: 10px 16px;\">Dedicated sensors or software that creates individual profiles; likely triggers Art. 9<\/td>\n<\/tr>\n<tr style=\"background: #f3f3f3;\">\n<td style=\"padding: 10px 16px;\"><strong>Privacy-first analytics<\/strong><\/td>\n<td style=\"padding: 10px 16px;\">AI without biometrics<\/td>\n<td style=\"padding: 10px 16px;\">Aggregate counts, flows, heatmaps \u2014 no individual signatures<\/td>\n<td style=\"padding: 10px 16px; color: #16a34a;\"><strong>Low<\/strong><\/td>\n<td style=\"padding: 10px 16px;\">Processes video frames to extract statistics, discards imagery immediately; no Art. 9 trigger<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<p style=\"font-size: 14px; line-height: 1.75; color: #374151;\">The critical difference between Level 2 and Level 3 is whether the system generates any data that can be linked back to a specific individual. Privacy-first platforms process video frames to produce <strong>aggregate, anonymous metrics<\/strong> \u2014 and then discard the raw footage. No templates, no signatures, no profiles. This is the approach that aligns with GDPR\u2019s data minimisation principle (Article 5.1c) by design.<\/p>\n<figure style=\"margin: 24px 0 32px;\"><img decoding=\"async\" style=\"width: 100%; height: auto; border-radius: 8px;\" src=\"https:\/\/flameanalytics.com\/wp-content\/uploads\/2026\/03\/gdpr-biometric-vs-privacy-first-en-2.webp\" alt=\"Biometric analytics vs privacy-first Hypersensor comparison for GDPR retail compliance\" \/><\/figure>\n<h2 id=\"hypersensor-approach\" style=\"font-size: 32px; font-weight: bold; color: #15163a; margin: 40px 0 18px;\">5. Flame Hypersensor: how to do video analytics without biometrics<\/h2>\n<p style=\"font-size: 14px; line-height: 1.75; color: #374151;\"><a style=\"color: #0c6fd5; text-decoration: none;\" href=\"\/en\/traffic-insights\/\">Flame\u2019s Hypersensor<\/a> was engineered from the ground up to solve the compliance paradox. It delivers the analytics that shopping malls need \u2014 footfall, heatmaps, zone dwell time, queue monitoring, occupancy \u2014 while operating entirely below the biometrics threshold defined by the GDPR.<\/p>\n<p style=\"font-size: 14px; line-height: 1.75; color: #374151;\">Here is how it works at a technical level:<\/p>\n<div style=\"display: flex; flex-direction: column; gap: 12px; margin: 20px 0 36px;\">\n<div class=\"fa-tier-item\" style=\"background: #f3f3f3; border-radius: 6px; padding: 14px 16px; display: flex; gap: 12px; align-items: flex-start;\">\n<p><span style=\"background: #15163A; color: #fff; border-radius: 50%; width: 28px; height: 28px; display: flex; align-items: center; justify-content: center; font-size: 13px; font-weight: bold; flex-shrink: 0;\">1<\/span><\/p>\n<div><strong style=\"color: #15163a;\">Edge processing<\/strong><br \/>\n<span style=\"font-size: 14px; color: #374151;\">Video frames are analysed locally (on-premise or at the edge). Raw footage never leaves the mall\u2019s infrastructure and is not stored by the analytics platform.<\/span><\/div>\n<\/div>\n<div class=\"fa-tier-item\" style=\"background: #f3f3f3; border-radius: 6px; padding: 14px 16px; display: flex; gap: 12px; align-items: flex-start;\">\n<p><span style=\"background: #15163A; color: #fff; border-radius: 50%; width: 28px; height: 28px; display: flex; align-items: center; justify-content: center; font-size: 13px; font-weight: bold; flex-shrink: 0;\">2<\/span><\/p>\n<div><strong style=\"color: #15163a;\">Object detection, not individual identification<\/strong><br \/>\n<span style=\"font-size: 14px; color: #374151;\">The AI model detects the presence of people as objects in the frame. It counts them, tracks movement direction and speed, and measures time spent in defined zones. It does <strong>not<\/strong> generate any biometric template, appearance signature, or individual identifier.<\/span><\/div>\n<\/div>\n<div class=\"fa-tier-item\" style=\"background: #f3f3f3; border-radius: 6px; padding: 14px 16px; display: flex; gap: 12px; align-items: flex-start;\">\n<p><span style=\"background: #15163A; color: #fff; border-radius: 50%; width: 28px; height: 28px; display: flex; align-items: center; justify-content: center; font-size: 13px; font-weight: bold; flex-shrink: 0;\">3<\/span><\/p>\n<div><strong style=\"color: #15163a;\">Immediate data abstraction<\/strong><br \/>\n<span style=\"font-size: 14px; color: #374151;\">Within milliseconds, the raw frame is discarded and only aggregate numerical data is transmitted to the cloud dashboard: \u201cZone A had 347 visitors between 10:00 and 11:00 with an average dwell time of 4.2 minutes.\u201d No image, no video, no personal data.<\/span><\/div>\n<\/div>\n<div class=\"fa-tier-item\" style=\"background: #f3f3f3; border-radius: 6px; padding: 14px 16px; display: flex; gap: 12px; align-items: flex-start;\">\n<p><span style=\"background: #15163A; color: #fff; border-radius: 50%; width: 28px; height: 28px; display: flex; align-items: center; justify-content: center; font-size: 13px; font-weight: bold; flex-shrink: 0;\">4<\/span><\/p>\n<div><strong style=\"color: #15163a;\">Works with existing CCTV<\/strong><br \/>\n<span style=\"font-size: 14px; color: #374151;\">No new cameras or dedicated sensors required. Hypersensor connects to the mall\u2019s existing <a style=\"color: #0c6fd5; text-decoration: none;\" href=\"\/en\/en-blog-cctv-analytics-turn-existing-cameras-business-intelligence\/\">CCTV infrastructure<\/a>, reducing both cost and the physical footprint of the data processing operation.<\/span><\/div>\n<\/div>\n<div class=\"fa-tier-item\" style=\"background: #f3f3f3; border-radius: 6px; padding: 14px 16px; display: flex; gap: 12px; align-items: flex-start;\">\n<p><span style=\"background: #15163A; color: #fff; border-radius: 50%; width: 28px; height: 28px; display: flex; align-items: center; justify-content: center; font-size: 13px; font-weight: bold; flex-shrink: 0;\">5<\/span><\/p>\n<div><strong style=\"color: #15163a;\">Zero biometric storage<\/strong><br \/>\n<span style=\"font-size: 14px; color: #374151;\">There is no database of faces, no library of appearance templates, no mechanism for re-identifying returning visitors through biometric means. The system is architecturally incapable of biometric identification.<\/span><\/div>\n<\/div>\n<\/div>\n<div class=\"fa-callout\" style=\"background: rgba(12,111,213,0.05); border-left: 4px solid #0c6fd5; border-radius: 0 8px 8px 0; padding: 16px 20px; margin: 28px 0;\">\n<p style=\"font-size: 14px; line-height: 1.7; color: #374151; margin: 0;\"><strong>Why this matters for compliance:<\/strong> Because Hypersensor never creates data that can identify or re-identify a specific person, the output falls outside the scope of GDPR Article 9 (special categories). The DPIA process is significantly simplified, and the legal basis (legitimate interest) is straightforward to justify. Over 50 shopping malls \u2014 including properties managed by Cushman &amp; Wakefield \u2014 rely on this approach across Spain, Mexico, the UK, Czech Republic, and beyond.<\/p>\n<\/div>\n<figure style=\"margin: 24px 0 32px;\"><img decoding=\"async\" style=\"width: 100%; height: auto; border-radius: 8px;\" src=\"https:\/\/flameanalytics.com\/wp-content\/uploads\/2026\/03\/gdpr-hypersensor-pipeline-en-2.webp\" alt=\"How Flame Hypersensor works: 4-step privacy-first pipeline for GDPR compliance\" \/><\/figure>\n<h2 id=\"compliance-checklist\" style=\"font-size: 32px; font-weight: bold; color: #15163a; margin: 40px 0 18px;\">6. GDPR compliance checklist: 15 items for video analytics in shopping malls<\/h2>\n<p style=\"font-size: 14px; line-height: 1.75; color: #374151;\">Whether you are deploying a new <a style=\"color: #0c6fd5; text-decoration: none;\" href=\"\/en\/en-blog-people-counting-systems-complete-guide\/\">people counting system<\/a> or auditing an existing video analytics installation, use this checklist to assess your GDPR readiness.<\/p>\n<div class=\"fa-table-wrap\" style=\"border-radius: 8px; overflow: hidden; margin-bottom: 36px;\">\n<table style=\"width: 100%; border-collapse: collapse; font-size: 14px;\">\n<thead>\n<tr style=\"background: #15163A; color: #fff;\">\n<th style=\"padding: 12px 16px; text-align: left; font-weight: 600; width: 40px;\">#<\/th>\n<th style=\"padding: 12px 16px; text-align: left; font-weight: 600;\">Compliance item<\/th>\n<th style=\"padding: 12px 16px; text-align: left; font-weight: 600;\">Category<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr style=\"background: #f3f3f3;\">\n<td style=\"padding: 10px 16px;\">1<\/td>\n<td style=\"padding: 10px 16px;\"><strong>Conduct a DPIA<\/strong> before deploying any video analytics in public areas (Art. 35)<\/td>\n<td style=\"padding: 10px 16px;\">Legal<\/td>\n<\/tr>\n<tr>\n<td style=\"padding: 10px 16px;\">2<\/td>\n<td style=\"padding: 10px 16px;\"><strong>Document your lawful basis<\/strong> \u2014 legitimate interest requires a balancing test (Art. 6.1f)<\/td>\n<td style=\"padding: 10px 16px;\">Legal<\/td>\n<\/tr>\n<tr style=\"background: #f3f3f3;\">\n<td style=\"padding: 10px 16px;\">3<\/td>\n<td style=\"padding: 10px 16px;\"><strong>Verify the system does not process biometric data<\/strong> \u2014 request a written technical declaration from your vendor<\/td>\n<td style=\"padding: 10px 16px;\">Technical<\/td>\n<\/tr>\n<tr>\n<td style=\"padding: 10px 16px;\">4<\/td>\n<td style=\"padding: 10px 16px;\"><strong>Install visible signage<\/strong> at all entry points with the controller\u2019s identity, purpose, and link to full privacy notice<\/td>\n<td style=\"padding: 10px 16px;\">Transparency<\/td>\n<\/tr>\n<tr style=\"background: #f3f3f3;\">\n<td style=\"padding: 10px 16px;\">5<\/td>\n<td style=\"padding: 10px 16px;\"><strong>Publish a layered privacy notice<\/strong> \u2014 first layer on signage, second layer online with full Art. 13 information<\/td>\n<td style=\"padding: 10px 16px;\">Transparency<\/td>\n<\/tr>\n<tr>\n<td style=\"padding: 10px 16px;\">6<\/td>\n<td style=\"padding: 10px 16px;\"><strong>Define and enforce retention periods<\/strong> \u2014 CCTV footage typically 72 hours max; analytics data can be longer if anonymised<\/td>\n<td style=\"padding: 10px 16px;\">Data management<\/td>\n<\/tr>\n<tr style=\"background: #f3f3f3;\">\n<td style=\"padding: 10px 16px;\">7<\/td>\n<td style=\"padding: 10px 16px;\"><strong>Implement access controls<\/strong> \u2014 restrict who can view live\/recorded footage vs. analytics dashboards<\/td>\n<td style=\"padding: 10px 16px;\">Security<\/td>\n<\/tr>\n<tr>\n<td style=\"padding: 10px 16px;\">8<\/td>\n<td style=\"padding: 10px 16px;\"><strong>Sign a Data Processing Agreement (DPA)<\/strong> with your analytics vendor (Art. 28)<\/td>\n<td style=\"padding: 10px 16px;\">Legal<\/td>\n<\/tr>\n<tr style=\"background: #f3f3f3;\">\n<td style=\"padding: 10px 16px;\">9<\/td>\n<td style=\"padding: 10px 16px;\"><strong>Verify data transfer mechanisms<\/strong> \u2014 if analytics data goes outside the EU\/EEA, ensure adequate safeguards (SCCs, adequacy decision)<\/td>\n<td style=\"padding: 10px 16px;\">Legal<\/td>\n<\/tr>\n<tr>\n<td style=\"padding: 10px 16px;\">10<\/td>\n<td style=\"padding: 10px 16px;\"><strong>Appoint a DPO<\/strong> if large-scale monitoring of public areas is a core activity (Art. 37)<\/td>\n<td style=\"padding: 10px 16px;\">Governance<\/td>\n<\/tr>\n<tr style=\"background: #f3f3f3;\">\n<td style=\"padding: 10px 16px;\">11<\/td>\n<td style=\"padding: 10px 16px;\"><strong>Establish a process for data subject access requests<\/strong> \u2014 people have the right to request footage of themselves<\/td>\n<td style=\"padding: 10px 16px;\">Rights<\/td>\n<\/tr>\n<tr>\n<td style=\"padding: 10px 16px;\">12<\/td>\n<td style=\"padding: 10px 16px;\"><strong>Ensure data minimisation by design<\/strong> \u2014 only collect what is strictly necessary for the stated purpose<\/td>\n<td style=\"padding: 10px 16px;\">Technical<\/td>\n<\/tr>\n<tr style=\"background: #f3f3f3;\">\n<td style=\"padding: 10px 16px;\">13<\/td>\n<td style=\"padding: 10px 16px;\"><strong>Encrypt data in transit and at rest<\/strong> \u2014 both video streams and analytics outputs<\/td>\n<td style=\"padding: 10px 16px;\">Security<\/td>\n<\/tr>\n<tr>\n<td style=\"padding: 10px 16px;\">14<\/td>\n<td style=\"padding: 10px 16px;\"><strong>Conduct annual compliance reviews<\/strong> \u2014 reassess the DPIA when technology or purposes change<\/td>\n<td style=\"padding: 10px 16px;\">Governance<\/td>\n<\/tr>\n<tr style=\"background: #f3f3f3;\">\n<td style=\"padding: 10px 16px;\">15<\/td>\n<td style=\"padding: 10px 16px;\"><strong>Check EU AI Act obligations<\/strong> \u2014 if your system uses AI for real-time analysis of public spaces, classification as \u201chigh-risk\u201d may apply<\/td>\n<td style=\"padding: 10px 16px;\">Legal<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<h2 id=\"common-mistakes\" style=\"font-size: 32px; font-weight: bold; color: #15163a; margin: 40px 0 18px;\">7. Common mistakes that lead to sanctions<\/h2>\n<p style=\"font-size: 14px; line-height: 1.75; color: #374151;\">Data protection authorities across Europe have issued significant fines related to video surveillance and analytics. Here are the most common pitfalls shopping malls should avoid:<\/p>\n<div style=\"display: flex; flex-direction: column; gap: 12px; margin: 20px 0 36px;\">\n<div class=\"fa-tier-item\" style=\"background: #fff0f0; border-left: 4px solid #dc2626; border-radius: 6px; padding: 14px 16px;\"><strong style=\"color: #dc2626;\">Mistake 1: No DPIA before deployment<\/strong><br \/>\n<span style=\"font-size: 14px; color: #374151;\">The Spanish DPA (AEPD) fined Mercadona \u20ac2.5 million in 2021 for deploying a system in stores without adequate impact assessment. The system processed biometric data without meeting Art. 9 requirements.<\/span><\/div>\n<div class=\"fa-tier-item\" style=\"background: #fff0f0; border-left: 4px solid #dc2626; border-radius: 6px; padding: 14px 16px;\"><strong style=\"color: #dc2626;\">Mistake 2: Insufficient signage and transparency<\/strong><br \/>\n<span style=\"font-size: 14px; color: #374151;\">Multiple authorities have sanctioned businesses for having CCTV cameras without proper notices. A simple \u201cCCTV in operation\u201d sign is not enough \u2014 GDPR requires the controller\u2019s identity, purpose, and reference to the full privacy notice.<\/span><\/div>\n<div class=\"fa-tier-item\" style=\"background: #fff0f0; border-left: 4px solid #dc2626; border-radius: 6px; padding: 14px 16px;\"><strong style=\"color: #dc2626;\">Mistake 3: Excessive retention periods<\/strong><br \/>\n<span style=\"font-size: 14px; color: #374151;\">Storing CCTV footage for 30, 60, or 90 days \u201cjust in case\u201d violates the storage limitation principle. Most DPAs recommend 72 hours maximum for security purposes unless a specific incident requires extended retention.<\/span><\/div>\n<div class=\"fa-tier-item\" style=\"background: #fff0f0; border-left: 4px solid #dc2626; border-radius: 6px; padding: 14px 16px;\"><strong style=\"color: #dc2626;\">Mistake 4: Using analytics features without understanding the data flow<\/strong><br \/>\n<span style=\"font-size: 14px; color: #374151;\">Mall operators often enable \u201cadvanced\u201d analytics features offered by their CCTV vendor \u2014 heat mapping, demographic analysis, dwell time \u2014 without realising these may involve biometric processing. If the vendor cannot provide a clear technical explanation of how data is anonymised, assume it is not.<\/span><\/div>\n<div class=\"fa-tier-item\" style=\"background: #fff0f0; border-left: 4px solid #dc2626; border-radius: 6px; padding: 14px 16px;\"><strong style=\"color: #dc2626;\">Mistake 5: Missing DPA with the analytics vendor<\/strong><br \/>\n<span style=\"font-size: 14px; color: #374151;\">If your analytics platform processes personal data on your behalf, you need a Data Processing Agreement under Art. 28. Without it, both the controller (the mall) and the processor (the vendor) are exposed to sanctions.<\/span><\/div>\n<\/div>\n<div class=\"fa-callout\" style=\"background: rgba(12,111,213,0.05); border-left: 4px solid #0c6fd5; border-radius: 0 8px 8px 0; padding: 16px 20px; margin: 28px 0;\">\n<p style=\"font-size: 14px; line-height: 1.7; color: #374151; margin: 0;\"><strong>Pro tip:<\/strong> When evaluating a video analytics vendor for your shopping mall, ask three questions: (1) Does the system generate any individual-level identifier, even temporarily? (2) Where is video data processed and is any footage transmitted off-site? (3) Can you provide a pre-completed DPIA template for your platform? A <strong>privacy-first vendor<\/strong> will have clear, documented answers to all three.<\/p>\n<\/div>\n<figure style=\"margin: 24px 0 32px;\"><img decoding=\"async\" style=\"width: 100%; height: auto; border-radius: 8px;\" src=\"https:\/\/flameanalytics.com\/wp-content\/uploads\/2026\/03\/gdpr-real-sanctions-en-2.webp\" alt=\"Real GDPR sanctions: Mercadona 2.5M, Clearview AI 20M, Rite Aid 25M vs Flame Hypersensor\" \/><\/figure>\n<h2 id=\"faq\" style=\"font-size: 32px; font-weight: bold; color: #15163a; margin: 40px 0 18px;\">8. Frequently asked questions<\/h2>\n<style>\n.fa-faq details {border-bottom: 1px solid #e5e7eb;}\n.fa-faq summary {padding: 20px 0; font-size: 15px; font-weight: bold; color: #15163a; cursor: pointer; list-style: none; display: flex; justify-content: space-between; align-items: center;}\n.fa-faq summary::-webkit-details-marker {display: none;}\n.fa-faq summary::after {content: \"\"; width: 10px; height: 10px; border-right: 2px solid #6b7280; border-bottom: 2px solid #6b7280; transform: rotate(45deg); flex-shrink: 0; transition: transform 0.3s; margin-left: 16px;}\n.fa-faq details[open] summary::after {transform: rotate(-135deg);}\n.fa-faq .fa-faq-answer {font-size: 15px; line-height: 1.75; color: #374151; margin: 0; padding: 0 0 20px;}\n.fa-faq .fa-faq-answer a {color: #0c6fd5; text-decoration: none;}\n<\/style>\n<div class=\"fa-faq\" style=\"border-top: 1px solid #e5e7eb;\">\n<details>\n<summary>Is people counting with video cameras GDPR-compliant?<\/summary>\n<p class=\"fa-faq-answer\">Yes, when done correctly. <a style=\"color: #0c6fd5; text-decoration: none;\" href=\"\/en\/en-blog-people-counting-systems-complete-guide\/\">People counting<\/a> that produces only aggregate numbers (e.g., \u201c142 visitors entered between 14:00 and 15:00\u201d) without identifying or tracking individuals is compatible with GDPR. The key is that the system processes video frames to extract counts and immediately discards the imagery, never generating personal data as output. A DPIA is still recommended given the use of cameras in public spaces.<\/p>\n<\/details>\n<details>\n<summary>Do I need consent to use video analytics in a shopping mall?<\/summary>\n<p class=\"fa-faq-answer\">Not necessarily. Most video analytics in retail rely on \u201clegitimate interest\u201d (Art. 6.1f) rather than consent, since obtaining explicit consent from every visitor entering a mall is impractical. However, you must conduct a legitimate interest assessment (LIA), ensure proper signage, and demonstrate that the processing does not override visitors\u2019 rights and freedoms. If your system processes biometric data (Art. 9), legitimate interest alone is insufficient \u2014 explicit consent or another Art. 9 exemption is required.<\/p>\n<\/details>\n<details>\n<summary>What is the difference between GDPR and the EU AI Act for video analytics?<\/summary>\n<p class=\"fa-faq-answer\">The GDPR regulates the processing of personal data regardless of the technology used. The EU AI Act (Regulation 2024\/1689) specifically regulates AI systems by risk level. Real-time biometric identification in publicly accessible spaces is banned outright under the AI Act. AI-based video analytics that do not involve biometric identification may still be classified as \u201chigh-risk\u201d under Annex III, requiring conformity assessments, transparency obligations, and human oversight. Both regulations apply simultaneously \u2014 compliance with one does not guarantee compliance with the other.<\/p>\n<\/details>\n<details>\n<summary>Can I use heatmaps in my shopping mall without violating GDPR?<\/summary>\n<p class=\"fa-faq-answer\">Yes. Heatmaps that show aggregate foot traffic patterns across zones \u2014 without tracking or identifying specific individuals \u2014 are fully compatible with GDPR. The technology counts the density of people in defined areas over time and produces a visual overlay. As long as the underlying system does not generate individual trajectories linked to biometric or personal identifiers, heatmaps represent anonymised statistical output. Flame\u2019s Hypersensor generates heatmaps using exactly this approach.<\/p>\n<\/details>\n<details>\n<summary>How long can I store video analytics data under GDPR?<\/summary>\n<p class=\"fa-faq-answer\">It depends on what type of data. Raw CCTV footage containing identifiable individuals should typically be retained for no more than 72 hours (per most EU DPA guidance), unless a specific security incident justifies longer retention. Anonymised analytics data \u2014 aggregate counts, heatmaps, dwell time averages \u2014 is not personal data and therefore falls outside GDPR retention limits entirely. You can store anonymised analytics data indefinitely for trend analysis and benchmarking.<\/p>\n<\/details>\n<\/div>\n<div class=\"fa-cta\" style=\"background: linear-gradient(135deg, #15163a 0%, #1e3a5f 100%); border-radius: 12px; padding: 40px 32px; text-align: center; margin: 48px 0 24px;\">\n<h2 style=\"font-size: 28px; font-weight: bold; color: #fff; margin-bottom: 12px;\">Ready for GDPR-compliant video analytics?<\/h2>\n<p style=\"font-size: 16px; color: rgba(255,255,255,0.85); margin-bottom: 24px; max-width: 560px; margin-left: auto; margin-right: auto;\">Discover how Flame Hypersensor delivers footfall, heatmaps, and occupancy data for your shopping mall \u2014 with zero biometric processing. Trusted by 50+ malls worldwide.<\/p>\n<p><a style=\"display: inline-block; background: #31b1f8; color: #fff; font-weight: 600; padding: 14px 36px; border-radius: 6px; text-decoration: none; font-size: 16px;\" href=\"#contact\">Request a demo<\/a><\/p>\n<\/div>\n<p><script type=\"application\/ld+json\">{\"@context\": \"https:\/\/schema.org\", \"@type\": \"FAQPage\", \"mainEntity\": [{\"@type\": \"Question\", \"name\": \"Is people counting with video cameras GDPR-compliant?\", \"acceptedAnswer\": {\"@type\": \"Answer\", \"text\": \"Yes, when done correctly. People counting that produces only aggregate numbers (e.g., \u201c142 visitors entered between 14:00 and 15:00\u201d) without identifying or tracking individuals is compatible with GDPR. The key is that the system processes video frames to extract counts and immediately discards the imagery, never generating personal data as output. A DPIA is still recommended given the use of cameras in public spaces.\"}}, {\"@type\": \"Question\", \"name\": \"Do I need consent to use video analytics in a shopping mall?\", \"acceptedAnswer\": {\"@type\": \"Answer\", \"text\": \"Not necessarily. Most video analytics in retail rely on \u201clegitimate interest\u201d (Art. 6.1f) rather than consent, since obtaining explicit consent from every visitor entering a mall is impractical. However, you must conduct a legitimate interest assessment (LIA), ensure proper signage, and demonstrate that the processing does not override visitors\u2019 rights and freedoms. If your system processes biometric data (Art. 9), legitimate interest alone is insufficient \u2014 explicit consent or another Art. 9 exemption is required.\"}}, {\"@type\": \"Question\", \"name\": \"What is the difference between GDPR and the EU AI Act for video analytics?\", \"acceptedAnswer\": {\"@type\": \"Answer\", \"text\": \"The GDPR regulates the processing of personal data regardless of the technology used. The EU AI Act (Regulation 2024\/1689) specifically regulates AI systems by risk level. Real-time biometric identification in publicly accessible spaces is banned outright under the AI Act. AI-based video analytics that do not involve biometric identification may still be classified as \u201chigh-risk\u201d under Annex III, requiring conformity assessments, transparency obligations, and human oversight. Both regulations apply simultaneously \u2014 compliance with one does not guarantee compliance with the other.\"}}, {\"@type\": \"Question\", \"name\": \"Can I use heatmaps in my shopping mall without violating GDPR?\", \"acceptedAnswer\": {\"@type\": \"Answer\", \"text\": \"Yes. Heatmaps that show aggregate foot traffic patterns across zones \u2014 without tracking or identifying specific individuals \u2014 are fully compatible with GDPR. The technology counts the density of people in defined areas over time and produces a visual overlay. As long as the underlying system does not generate individual trajectories linked to biometric or personal identifiers, heatmaps represent anonymised statistical output. Flame\u2019s Hypersensor generates heatmaps using exactly this approach.\"}}, {\"@type\": \"Question\", \"name\": \"How long can I store video analytics data under GDPR?\", \"acceptedAnswer\": {\"@type\": \"Answer\", \"text\": \"It depends on what type of data. Raw CCTV footage containing identifiable individuals should typically be retained for no more than 72 hours (per most EU DPA guidance), unless a specific security incident justifies longer retention. Anonymised analytics data \u2014 aggregate counts, heatmaps, dwell time averages \u2014 is not personal data and therefore falls outside GDPR retention limits entirely. You can store anonymised analytics data indefinitely for trend analysis and benchmarking.\"}}]}<\/script><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Shopping malls collect more visitor data than ever before \u2014 footfall counts, dwell times, zone heatmaps, queue lengths. Yet many still operate in a legal grey area when it comes to GDPR video analytics compliance. The paradox is clear: retailers need granular data to compete, but the regulation that protects consumers can also shut down entire analytics programmes overnight. This guide breaks down exactly what the GDPR requires for video analytics in shopping malls, where the real risks lie, and how to achieve full compliance without sacrificing insight. \ud83d\udcc5 March 2026 \u23f1 11 min read \ud83d\udcca Sources: GDPR, EDPB Guidelines, EU AI Act, Flame Analytics \u20ac20M max GDPR fine (or 4% of annual turnover) 0 biometric data points with Flame Hypersensor 50+ shopping malls trust Flame\u2019s privacy-first approach Table of Contents The compliance paradox: data vs. privacy GDPR fundamentals for video analytics The biometrics line: why most retailers cross it unknowingly 3 levels of GDPR compliance in video analytics Hypersensor: analytics without biometrics 15-point GDPR compliance checklist Common mistakes that lead to sanctions Frequently asked questions 1. The compliance paradox: retailers need data but fear GDPR Shopping mall managers face a difficult tension. On one side, tenants demand footfall reports, conversion metrics, and zone-level performance data to justify rents and optimise store placement. On the other, data protection authorities across Europe are increasing scrutiny of video surveillance systems used for purposes beyond basic security. The result? Many malls either avoid analytics altogether \u2014 losing competitive intelligence \u2014 or deploy systems without proper legal review, exposing themselves to fines of up to \u20ac20 million or 4% of global annual turnover. Neither approach is sustainable. The good news: GDPR compliance and powerful retail analytics are not mutually exclusive. The key lies in understanding what the regulation actually prohibits versus what it permits \u2014 and choosing technology designed with privacy at its core. Key insight: The GDPR does not ban video analytics. It bans the processing of personal data without a lawful basis. The distinction between analytics that process personal data and those that don\u2019t is where compliance \u2014 or non-compliance \u2014 begins. 2. GDPR fundamentals for video analytics Before diving into compliance strategies, it is essential to understand which GDPR articles directly affect video analytics in retail environments. GDPR Article What it covers Impact on video analytics Art. 6 \u2014 Lawful basis Six legal grounds for processing personal data Legitimate interest is the most common basis for CCTV; analytics requires separate assessment Art. 9 \u2014 Special categories Biometric data processed to uniquely identify a person Triggers strict prohibition unless explicit consent or specific exemptions apply Art. 13\/14 \u2014 Transparency Information to be provided to data subjects Signage, privacy notices, and layered information required at every entry point Art. 25 \u2014 Data protection by design Privacy embedded into system architecture Analytics platform must minimise data collection by default Art. 35 \u2014 DPIA Data Protection Impact Assessment Mandatory for large-scale video monitoring of publicly accessible areas Art. 37 \u2014 DPO Data Protection Officer appointment Required when core activities involve large-scale monitoring The European Data Protection Board (EDPB) published Guidelines 3\/2019 specifically addressing video surveillance. These guidelines clarify that video footage of identifiable individuals constitutes personal data \u2014 even if you never intend to identify anyone. This is a critical point: intent does not determine compliance; capability does. For shopping malls, the EDPB guidelines explicitly state that a Data Protection Impact Assessment (DPIA) is mandatory when deploying video analytics in publicly accessible spaces. This applies regardless of whether the system uses AI or simple motion detection. 3. The biometrics line: why most retailers cross it unknowingly Article 9 of the GDPR places biometric data in the \u201cspecial categories\u201d \u2014 the same tier as health data, political opinions, and religious beliefs. Processing biometric data to uniquely identify a natural person is prohibited by default, with only narrow exceptions (explicit consent, substantial public interest, etc.). Here is where many retailers unknowingly cross the line. Some video analytics platforms use techniques that technically qualify as biometric processing under GDPR definitions: Re-identification tracking Generating a unique \u201csignature\u201d from a person\u2019s appearance (clothing, body shape, gait) to track them across cameras or visits. Even without storing a face template, if the system can re-identify a specific individual, it may constitute biometric processing. Demographic classification via face analysis Estimating age and gender from facial features. While not \u201cidentification\u201d in the traditional sense, the EDPB has indicated that processing facial images to extract demographic data can fall under Article 9 if it involves biometric processing techniques. Emotion detection Analysing facial expressions to gauge shopper mood or satisfaction. The EU AI Act (effective August 2025) explicitly bans emotion recognition in workplaces and educational institutions, and retail applications face severe restrictions. Warning: If your video analytics vendor mentions \u201cunique visitor counting,\u201d \u201creturn visitor detection,\u201d or \u201cdemographic profiling,\u201d ask them exactly how these features work. If the answer involves generating any form of individual signature \u2014 even a temporary one \u2014 you may be processing biometric data under GDPR Article 9. 4. Three levels of GDPR compliance in video analytics Not all video analytics carry the same regulatory risk. Understanding where your current setup falls on the compliance spectrum is the first step toward closing gaps. Level Technology Data processed GDPR risk Typical setup Basic CCTV Recording only Video footage (personal data) Medium Standard security cameras with NVR; legitimate interest basis; signage required Enhanced analytics AI with individual tracking Appearance signatures, demographics, re-ID High Dedicated sensors or software that creates individual profiles; likely triggers Art. 9 Privacy-first analytics AI without biometrics Aggregate counts, flows, heatmaps \u2014 no individual signatures Low Processes video frames to extract statistics, discards imagery immediately; no Art. 9 trigger The critical difference between Level 2 and Level 3 is whether the system generates any data that can be linked back to a specific individual. Privacy-first platforms process video frames to produce aggregate, anonymous metrics \u2014 and then discard the raw footage. No templates, no signatures, no profiles. This is the<\/p>\n","protected":false},"author":11,"featured_media":87699,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[563,616],"tags":[595],"class_list":["post-87560","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog","category-shopping-malls","tag-blog"],"acf":[],"_links":{"self":[{"href":"https:\/\/flameanalytics.com\/en\/wp-json\/wp\/v2\/posts\/87560","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/flameanalytics.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/flameanalytics.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/flameanalytics.com\/en\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/flameanalytics.com\/en\/wp-json\/wp\/v2\/comments?post=87560"}],"version-history":[{"count":11,"href":"https:\/\/flameanalytics.com\/en\/wp-json\/wp\/v2\/posts\/87560\/revisions"}],"predecessor-version":[{"id":93267,"href":"https:\/\/flameanalytics.com\/en\/wp-json\/wp\/v2\/posts\/87560\/revisions\/93267"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/flameanalytics.com\/en\/wp-json\/wp\/v2\/media\/87699"}],"wp:attachment":[{"href":"https:\/\/flameanalytics.com\/en\/wp-json\/wp\/v2\/media?parent=87560"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/flameanalytics.com\/en\/wp-json\/wp\/v2\/categories?post=87560"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/flameanalytics.com\/en\/wp-json\/wp\/v2\/tags?post=87560"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}