New York City Council members are pushing legislation to prohibit stores from collecting facial recognition and other biometric data from shoppers. If passed, it would make NYC one of the first major American cities to outright ban corporate biometric surveillance in retail environments.

The timing is significant. Five years ago, this would have been about preventing future abuse. Today, we're playing catch-up with technology that's already deployed in stores across the country.

Facial recognition and biometric tracking have gotten cheap. Really cheap. What used to require specialized hardware and expertise can now be implemented with off-the-shelf cameras and cloud AI services. That accessibility is exactly what makes this legislation necessary - and also what makes enforcement so challenging.

The proposed ban covers more than just facial recognition. We're talking about gait analysis (identifying people by how they walk), fingerprint scanning at checkout, voice recognition systems, and any other technology that uniquely identifies individuals based on biological characteristics.

Retailers have been quiet about just how extensively they're using this technology, which tells you something. When companies are eager to talk about their tech, it's usually because they think consumers will like it. When they're quiet, it's often because they know consumers won't.

The retail industry's argument for biometric surveillance usually centers on theft prevention and customer experience. They want to identify known shoplifters before they steal. They want to recognize VIP customers for personalized service. These aren't inherently unreasonable goals.

But here's the problem: you can't collect biometric data on just the shoplifters. To identify the one person you're looking for, you need to scan everyone who walks through the door. That's mass surveillance, even if the stated goal is narrow.

And once that data exists, it has a way of finding new uses. Today it's for loss prevention. Tomorrow it's sold to data brokers. Next year it's in a leak on a hacking forum. The history of corporate data collection suggests that once companies have information, it rarely stays contained to its original purpose.

The legislation faces practical enforcement challenges. How do you verify that a store isn't collecting biometric data? The cameras are already there for legitimate security purposes. The AI runs in the cloud. Unlike a visible recording sign, biometric surveillance is invisible to shoppers.