From 2012 to 2020, Rite Aid deployed AI-based facial recognition technology in hundreds of retail pharmacy locations to identify customers who might be shoplifting. The system worked by capturing live images of shoppers and matching them against an enrollment database of individuals Rite Aid had previously flagged as suspected or confirmed shoplifters. When a match was detected, the system generated an alert and sent it to store employees with instructions on how to handle the supposed match. According to the Federal Trade Commission's complaint filed in December 2023, those instructions were acted on without verification. Employees followed customers around the store, searched them, banned them from making purchases, publicly accused them of past criminal activity in front of friends and family, and called the police. In numerous instances, the match was wrong. The FTC documented thousands of false positive alerts between December 2019 and July 2020 alone, a period representing only a fraction of the deployment's eight-year run.
The FTC's theory matters here because it never has to prove a single match was wrong. The complaint charges Rite Aid under Section 5 of the FTC Act with an unfair practice: running facial recognition without reasonable steps to keep it from hurting people. What failed wasn't the model, it was everything around it. Rite Aid didn't test the system's accuracy before launch or after, didn't hold the line on the image quality the technology needed to work, didn't train staff to read or check a match alert, and set no rule for telling a confident match from a shaky one. Employees got alerts and acted. The output worked as a verdict when it was, at most, a tip worth a second look.
So the system's error rate turned into Rite Aid's liability rate. Every false positive an employee ran with, unchecked, was a wrongful accusation, a public scene, or a call to the police. The FTC's proposed settlement barred Rite Aid from facial recognition for surveillance for five years and ordered every photo, video, and derived record from the program deleted. The company admitted no fault, but the settlement left the program dead.
Target is fighting a different but related set of cases. In May 2024, four Illinois residents filed a class action in the Northern District of Illinois alleging that Target violated the Illinois Biometric Information Privacy Act by using facial recognition cameras to capture and store customers' facial geometry across its stores without written notice or consent. A similar complaint was filed in New York under the city's biometric identifier law. Target denies using facial recognition technology. The court allowed the Illinois case to proceed past a motion to dismiss in November 2024, finding the allegations plausible. One detail in the complaint stands out: plaintiff Lindsay Schumm received a notification that a Target Asset Protection Operations Manager had viewed her LinkedIn profile approximately thirty-three minutes after she entered a Target store in Normal, Illinois. The complaint reads that as cross-database identification, the scan feeding an effort to work out who she was and look into her life well past the store.
Rite Aid and Target sit at two different layers of one problem. BIPA and New York's biometric law are about collection: can a company capture biometric data off the public with no notice and no consent. The Rite Aid action is about what comes next: can a company act on what the AI puts out with no written standard for what an employee has to check before treating a match as a reason to do anything. The two don't depend on each other. A retailer that gets consent before scanning faces still has the Rite Aid problem if it hands staff alerts and no procedure. A retailer that never tells anyone it's collecting at all has both problems at once.
What makes the case reach past Rite Aid is its logic about any AI an employee acts on. The FTC didn't call facial recognition unfair in itself; it called running the thing without safeguards unfair. And the safeguards it pointed to weren't technical, they were operational: test the accuracy, hold to image-quality standards, train the staff, set a real process for what to verify before acting on an alert. Put plainly, the missing human review standard was the violation. Whether a given alert happened to be right never came into it. The question was whether anyone on the floor had a basis for judgment before acting, and whether a trace of that judgment was kept anywhere. Neither was.
The missing paperwork deepens the exposure here the same way it does in the Prenuvo case. A wrongfully accused customer sues, and what can the company hand over? The alert log. It shows a match was flagged and nothing else: not the confidence behind it, not what the employee looked at first, not whether the employee was trained to read it, not whether anyone checked the image was even good enough to compare. The one record that exists says the AI flagged a person and the employee moved on it. That helps the plaintiff, not the company.
The takeaway from Rite Aid isn't that loss-prevention AI can't be insured. It's that any AI whose output drives what an employee does carries a human review liability that has nothing to do with whether the AI was right. The FTC called the practice unfair because nothing reasonable stood between the AI's output and the employee's action. That space, between what the AI said and what the worker did about it, is where companies get caught.
Proof of Review records what fills that gap: what the employee was shown, what standard governed their response, and whether any verification happened before they acted.