Your Grocery Store Works for the Police Now
They send the wanted photos. The store scans every face that walks in. No warrant needed.
Introduction
Wegmans is scanning your face against police wanted photos every time you walk in. Not as incidental security. Law enforcement submits specific BOLO photographs to the store, and the store scans every customer against them. When a face matches, an employee is told to call 911, and police get the surveillance output without ever filing for a warrant. The grocery store says it's a private company, so the Fourth Amendment doesn't apply. Rite Aid ran the same system for eight years across hundreds of stores until the FTC banned it in 2023. Most retailers doing it now have no equivalent ban.
How a Police Photo Reaches the Checkout Line
Start with the mechanism, because it's the part that sounds made up. A police department has someone it wants to find. Running its own facial recognition would put the government on the hook for a warrant, so instead it sends the photo to a retailer as a "Be On the Look Out" alert. The store drops that face into the same private watchlist it keeps for shoplifters. Its cameras then check every person who walks through the door against the whole list. A hit pings an employee, the employee calls police, and the department gets a live location on someone it had no legal cause to track. The store ran the surveillance while the government just placed the order.
That inversion is the thing the whole arrangement runs on. Retailers are doing the government's warrantless surveillance for it: accepting law enforcement wanted photos, scanning millions of shoppers against them, and reporting the matches back to police. The Constitution bars the government from operating a system like that itself, but says nothing about a grocery chain running the same thing on the government's behalf.
The confirmation came from Wegmans itself. In January it told the ACLU that its persons-of-interest list is built by its own asset protection team and, "on a case-by-case basis, by information from law enforcement." The chain says it uses face recognition "for criminal or missing persons cases" and treats a match as "one investigative lead for us." Gothamist reporters found the biometric-collection signs at the entrances of its Manhattan and Brooklyn stores, worded to read like ordinary loss prevention. When the ACLU surveyed 20 major retailers in 2018, all but two refused to say whether they used it, and only Lowe's admitted scanning for "known shoplifters." The fullest account of how the system behaves in practice comes from a federal complaint against the company that ran it longest.
What 38 Pages on Rite Aid Show
From 2012 to 2020, Rite Aid deployed face recognition in hundreds of stores and built a watchlist of, in the FTC's words, "at least tens of thousands of individuals." Some were people the company had accused of theft. Others were on it because Rite Aid had obtained law enforcement BOLO information about them. The complaint the FTC filed in December 2023 is what turns the BOLO pipeline from a privacy-advocate inference into a documented fact. Managers were told to "push for as many enrollments as possible." Employees were instructed not to reveal the surveillance to customers or the press.
Each match came with an instruction. The categories ran from "Approach and Identify" up to a "911 Alert" labeled "Potentially Violent – Notify Law Enforcement and Observe." That last category is the pipeline in one line of software: a private camera flags a face, and a store clerk dials the government.
The accuracy was about what you'd expect from a system nobody outside the company was auditing. Over roughly seven months, Rite Aid's software generated more than 5,000 match alerts in stores located over 100 miles from wherever the original enrollment was created. One enrollment alone set off more than 900 alerts in five days across over 130 stores in different cities. More than 2,000 alerts flagged the same person in places too far apart for that to be physically possible. Both vendors running the technology had disclaimed accuracy in their own contracts, and employees usually weren't shown the confidence score behind a match.
The errors didn't fall evenly, and the deployment made it worse. About 80% of Rite Aid's stores sat in plurality-White areas, but roughly 60% of the stores actually using face recognition were in plurality non-White neighborhoods. NIST tested 189 algorithms in 2019 and found false positives running 10 to 100 times higher for Black and Asian faces than for white men, depending on the algorithm. In one incident the FTC documented, the software matched a Black woman to an enrollment image that employees themselves described as "a white lady with blonde hair," and police were called before anyone realized the match was wrong. The ACLU counts at least 10 publicly reported wrongful arrests tied to face recognition, nearly all of them Black.
Rite Aid got caught because the FTC built a case against it. The technology didn't go anywhere. In 2018, FaceFirst CEO Peter Trepp told BuzzFeed News his company was the "dominant retail vendor" for this software, deployed in "hundreds of locations, growing to thousands very soon," with retail close to half its business. Its cameras could read a face from 50 to 100 feet away. Asked whether shoppers had agreed to any of it, Trepp didn't dress it up: "There is not currently consent for this." The model runs on NDAs, which is why you can stand in a checkout line with no way to know whose software is reading your face.
The Theft Story Is the Cover
Retailers get two stories, a public one and a private one. The public one is theft. The National Retail Federation reported retail crime up 19% from 2023 to 2024, which hands any chain a reason to point at the cameras, even in a city like New York where police reported retail theft falling 14% last year. The private story is in Rite Aid's own internal presentation, quoted in the complaint, which identified exactly one risk from running face surveillance on customers: "media attention and customer acceptance." Not the false arrests, not the lawsuits. The only downside the company wrote down was getting caught. A watchlist also lets a store ban people on its own say-so, with no hearing and no appeal.
Police get the thing the Fourth Amendment is supposed to make them work for. A department can't legally stand up its own face-scanning dragnet at a store entrance without tripping the warrant requirement, but it can email a photo to the store and let the store's dragnet do the work. The output is identical, a real-time hit on where someone is, and no warrant ever enters the picture. Georgetown's Perpetual Lineup study found that half of American adults, more than 117 million people, already sit in some law enforcement face recognition network, and one in four departments can run these searches. The retail channel extends that reach to every store entrance willing to cooperate.
The vendors get paid no matter how it shakes out. FaceFirst built close to half its business on retail while keeping its client list under NDA, so the contracts stay invisible even when the cameras don't, and the FTC redacted both of Rite Aid's vendors from the public complaint. The surveillance is documented in granular detail; the companies selling it mostly aren't named at all.
The Loophole Nobody Has Closed
The legal move at the center of this is almost 50 years old. In Smith v. Maryland, decided in 1979, the Supreme Court held that information you hand to a third party loses its Fourth Amendment protection. That case was about the phone numbers you dial through the phone company, and the principle got stretched to cover most of what you share with a business. Apply it to a store camera and the logic is grim but clean: the instant your face is captured, it's data in a private company's hands, and whatever that company chooses to pass to police carries no warrant requirement at all.
Courts have mostly let this stand. No federal court has ruled that police pulling a match from a retailer's face database need a warrant, and the cases that have touched public-space face recognition have tended to treat it as fair game, on the theory that a camera only captures what's already exposed to public view. Nobody on the bench is straining to close this loophole; as the law sits today, it runs in the retailers' and the police's favor.
Congress could write a warrant requirement into statute, and it keeps not doing it. Four federal bills have taken a run at this since 2019. A commercial consent bill died in committee that year, and a 2023 moratorium bill died there too. The Facial Recognition Act of 2025 is still parked without a vote. In April 2026, Representatives Thomas Massie and Lauren Boebert introduced the Surveillance Accountability Act, which would require warrants for government-initiated face searches and close the third-party loophole by name. It went to the House Judiciary Committee — the same endpoint previous federal efforts have reached without advancing.
Cross the Atlantic and the same scan is mostly illegal. Europe has no dedicated face recognition statute either, and doesn't need one. Under Article 9 of the GDPR, biometric data is a protected category that a company can't process without your explicit consent, and posting a sign at the door doesn't clear that bar. The blanket entrance scanning Wegmans runs in Brooklyn would expose a grocery chain in Rome to real liability, and the EU's AI Act layers on a separate ban on real-time police face surveillance in public spaces — a prohibition already in force since February 2025, more than a year before U.S. legislation has cleared a committee. The American version is a patchwork: Illinois requires written consent, 23 states have some biometric law, and not one federal rule touches the police-photo-to-retailer handoff.
The Bottom Line
The reason this works is that nobody actually built it. No legislature voted to let grocery stores run warrant-free surveillance for the police. The arrangement grew in the gap between a Constitution that only restrains the government and a market happy to sell the government a way around it. Rite Aid got five years on the bench because the FTC decided its particular execution was sloppy enough to count as "unfair" under consumer protection law. The handoff itself, police photo to private camera to 911 call, was never the thing it got punished for.
The technology works. The open question is whether anyone with the power to act decides the handoff itself is the problem. The EU decided your face is data you have to consent to share. Congress has taken four runs at deciding and parked every one in committee. Until one of those committees sends a bill to the floor, the honest answer to who your grocery store is scanning your face for is that you aren't entitled to know, and neither am I.