Commercial facial recognition: what it is and what it involves Facial recognition in commercial contexts covers two distinct deployment modes with different technical requirements, accuracy profiles, and legal implications: We find that 1:1 verification β confirming that a person presenting themselves is who they claim to be. The system compares the captured face against a single reference image (the enrolled identity). Used in access control, time-and-attendance, and identity verification workflows. We find that 1:N identification β searching a captured face against a gallery of N enrolled identities to find a match. Used in watchlist applications, loss prevention, visitor management. Significantly harder: false match probability increases with gallery size, and the system must handle the case where the subject is not in the gallery at all. For the production pipeline context behind these deployments, see building a production SKU recognition system β many of the same inference pipeline and confidence threshold principles apply to face recognition production systems. What does this mean in practice? The enrollment database is the foundation of any recognition system. Its quality directly determines system accuracy β garbage in, garbage out applies rigorously to face recognition. Enrollment quality requirements: Minimum face size in enrollment image: 120Γ inter-ocular distance or higher (higher resolution than operational matching threshold) Illumination: even, diffuse frontal lighting; avoid strong shadows or backlighting Expression: neutral; avoid smiling or squinting that changes feature geometry Occlusion: clear β no glasses with strong tint, no face covering, no hair obscuring facial landmarks Multiple angles: enrolling 3β5 images per identity (slightly different poses and lighting conditions) improves operational matching accuracy by 10β20% compared to single-image enrollment Gallery maintenance: Enrollment images must be updated periodically β face appearance changes over years due to ageing, weight change, facial hair, glasses In long-duration deployments (access control systems in use for 5+ years), stale enrollment images are a common cause of declining match rates Deletion workflows for departed employees, former members, or resolved watchlist entries must be implemented and followed Gallery Size Typical 1:N FAR at 95% TPR Operational Implication <50 identities <0.1% Very low false alert rate; viable for most use cases 50β500 identities 0.1β0.5% Manageable with human review workflow 500β5,000 identities 0.5β2% Alert volume requires prioritisation; threshold calibration critical 5,000β50,000 identities 2β5% High false alert burden; consider tiered matching >50,000 identities >5% Not operationally viable without cascaded filtering False acceptance rate requirements by application FAR (False Acceptance Rate) β the probability that an impostor is incorrectly matched to an enrolled identity β must be calibrated against the consequences of a false match in the deployment context. Access control to a general office building: FAR of 0.1β1% is typically acceptable, with a secondary verification step (PIN, card tap) for borderline confidence scores. Access control to secure areas (server room, pharmaceutical storage, restricted lab): FAR must be below 0.01%, which typically requires secondary authentication for all but the highest-confidence matches. Loss prevention watchlist matching: FAR must be low enough that human review staff can process the alert volume. At 5000 daily face captures and 1% FAR, that is 50 false alerts per day β borderline operationally manageable. At 0.1% FAR, it is 5 false alerts β manageable. The FAR/FRR tradeoff is real: lowering FAR (fewer false matches) raises FRR (more genuine matches missed). The operating threshold is a business decision that must be made explicitly, not left to default model settings. Consent and legal framework Commercial facial recognition sits in a complex and actively evolving legal landscape. In the EU: GDPR Article 9 classifies biometric data processed for identification purposes as special category data, requiring explicit legal basis: Explicit consent (Article 9(2)(a)): the most common path for employment-context use (access control for enrolled employees). Must be freely given, specific, and revocable β in employment contexts, power imbalance may compromise the βfreely givenβ requirement; DPAs have ruled against consent in some employment scenarios. Legitimate interests (Article 6(1)(f) + Article 9(2)(f)): contested; not generally accepted by EU DPAs as a standalone basis for biometric surveillance. Substantial public interest (Article 9(2)(g)): requires specific national law authorisation. In the US, several states have biometric-specific laws: Illinois BIPA: requires written consent, prohibits sale of biometric data, creates a private right of action β most litigation-generating biometric law in the world Texas CUBI: similar to BIPA, without private right of action Washington My Health MY Data Act: includes biometric data; health context focused but broadly drafted Practical compliance minimum for commercial deployments: Complete a DPIA before deployment Establish a specific legal basis for the specific use case Create enrollment consent documentation appropriate to the legal basis Implement enrollment data security (encrypted database, access controls, audit logging) Define and enforce retention periods Implement subject access and deletion rights Post transparency notices at points of data capture Camera specification checklist Camera resolution: minimum 2MP at the capture distance; 4β8MP recommended for reliable recognition Face size at intended operating distance: minimum 120 pixels inter-ocular distance at operational distance Frame rate: minimum 15 fps to ensure adequate capture of moving subjects; 25β30 fps preferred Global shutter: required for moving subjects; rolling shutter causes face geometry distortion Illumination: IR illuminator integrated or co-located for consistent night performance Lens: appropriate for operating distance; avoid wide-angle lenses that distort face geometry at edges of frame IP rating: appropriate for outdoor deployment (IP66 minimum for exterior) Operating temperature: verified against deployment environment range Capture environment design: The biggest predictor of commercial face recognition accuracy is whether the capture environment is designed for recognition or whether recognition is being retrofitted onto a general surveillance installation. Designed environments control lighting, constrain approach angle, set a defined operating distance, and use appropriate camera hardware. Retrofitted recognition on standard CCTV typically delivers unsatisfactory results. Edge vs server inference: For access control (1:1 verification), edge inference on the camera or a co-located mini-PC is appropriate β low latency, no network dependency, simple integration with access control hardware. For watchlist matching (1:N search in a large gallery), server-side inference on a GPU-accelerated system is typically required β the gallery search is computationally intensive and benefits from hardware acceleration that exceeds what embedded cameras provide. What commercial deployments actually look like Across commercial deployments, the configurations that work are specific and constrained: a camera at an entry point at 1β2 metres, deliberately placed at face height, with controlled lighting, connected to a server running the recognition engine and integrated with access control hardware. The scenarios that do not work: recognition from standard overhead CCTV with no modifications, recognition at range in uncontrolled environments, and recognition in environments with highly variable lighting without IR supplementation. Set expectations accordingly before committing to a commercial facial recognition deployment β and verify accuracy under your specific conditions, not vendor benchmark conditions, before signing off on the system.
