In the old days, when a store caught someone stealing, a detective would march the thief to a backroom and take his picture with a Polaroid camera. The photo would be added to the retailer’s in-house rogues gallery to help store security keep an eye out for bad guys.

But earlier this year, Walmart WMT showed how times have changed. It tested a system that scanned the face of everyone entering several of its stores, identified suspected shoplifters, and instantly alerted store security on their mobile devices.

The potential of such facial recognition technology has been discussed for years. But now some stores are actually using it.

Walmart’s experiment, which it ended after several months, highlights the powerful high-tech tools available to retailers to reduce theft. However, it also raises questions about whether stores should have to follow rules when using the technology to protect shoppers’ privacy.

“Put a grid on their face”

Joe Rosenkrantz, CEO of FaceFirst, a Southern California company that sells a facial recognition system to retailers, promises to “transform security at every store.” He says FaceFirst software is being used by several Fortune 500 retailers, which he declined to name because on non-disclosure agreements.

“The system is smart enough to notify a loss prevention associate on their iPhone within seven seconds,” says Rosenkrantz,

The automated notifications can include a profile of the suspect, as well as a “corporate directive” of how to respond. All store security has to do is scout the aisles to find the person in question and confront them.

Retailers using FaceFirst do not, however, save a photo record of everyone coming in the store. Instead, the software is set to find matches against an existing gallery of alleged offenders. Images of innocent shoppers are discarded. Stores only retain photos of suspects (or people who resemble them) who security staff have previously flagged.

“We give them a mobile app,” says Rosenkrantz. “It makes it so they can zap someone’s face. It puts a grid on their face [for future identification]”

Images from FaceFirst’s marketing material show how this might work in practice. Here is a screenshot from its brochure for retailers (the company also sells software to law enforcement and the military):

Here is another image from the same brochure, which depicts how the technology can match an image of someone who enters a store against the store’s database, and then transmit the relevant information to a computer or phone:

Screenshot 2015-10-29 02.36.42

So who is actually using FaceFirst? The topic is a sensitive one and retailers are skittish about discussing it.

A handful of national retailers contacted by Fortune revealed little: Home Depot says it does not use face scanning software. Walgreens says it has no contract with FaceFirst, and added it does not discuss specific security measures. Target, meanwhile, would not confirm or deny if the company uses the software.

The only company that acknowledged using the software was Walmart. According to a spokesperson, the retailer tested facial recognition software in stores across several states for several months, but then discontinued the practice earlier this year.

“We were looking for a concrete business rationale … It didn’t have the ROI,” or return on investment, the spokesperson says.

The explanation suggests that any savings Walmart had by reducing shoplifting failed to offset the cost of deploying and using the technology. The company declined to discuss any specifics about how many suspected shoplifters it identified or describe the accuracy of the software.

Biometrics and who owns your face

Facial recognition software is hardly new. Casinos have used it for years as has the military and law enforcement, but it has remained controversial A program giving facial recognition-equipped iPads and smartphones to all San Diego police officers is under scrutiny, in part due to a New York Times report that suggested police may be forcing innocent people to be scanned.

Meanwhile, tech giants like Facebook FB and Google are becoming increasingly accurate at automatic face “tagging.” Their computers learn to recognize individuals based on certain features in their face by creating a “faceprint.” The services can then prompt users to identify people in social media photos. In some cases like Facebook’s “Moments”, they simply add names to faces automatically.

However, not everyone is comfortable with companies using their face like this. In Illinois, consumers have filed class action suits against Facebook and photo-service Shutterfly for violating a state law related to biometrics. In European countries and Canada, meanwhile, automated photo tagging features are unavailable because regulators are uneasy about their privacy implications.

Such controversies over facial recognition could become more common. The reason is that the technology has improved significantly in recent years, leading more companies to adopt it for consumer purposes. Although the technology is most commonly used by retailers for detecting shoplifters, some stores are exploring whether facial recognition could serve as a way to identify and reward loyal customers. Indeed, a site called “Facedeals” invites people to submit a scan of their face in return for discounts from local businesses.

Despite the marketing, however, the accuracy of facial recognition in retail stores is unclear. While Rosenkrantz, of FaceFirst, says his company’s software is accurate in the 98% to 100% range, others are skeptical. A source familiar with experiments by major retailers and unaffiliated with FaceFirst says that companies have concluded that facial recognition is “not ready for prime time.”

This may because computer computers can have trouble recognizing faces when shadows obscure them or when people wear hats or glasses. The success rate also depends on having good quality photos of suspects to compare to. In the case of retailers, FaceFirst offers to help its clients build an initial database of suspects based on a store’s existing photo records (including Polaroids).

Whatever the state of the technology, however, U.S. retailers are likely to continue their experiments, especially as there are few laws that prevent them from doing so.

Legal vacuum

“The whole issue of facial recognition and biometrics has been discussed for a while, and there’s no consensus of how the privacy structure should work,” says Jeffrey Neuburger, a lawyer who heads the privacy and data security group at Proskauer in New York.

He explained that the debate turns on whether companies must notify shoppers that they are using the technology, or offer opt-out options. However, an initiative to create rules fell apart last summer when nine privacy groups quit a Commerce Department working group, saying industry would not agree to even basic boundaries on facial recognition. Since then, civil liberties groups like the Electronic Frontier Foundation continue to decry the lack of oversight.

A spokesperson for the the Commerce Department group that is overseeing the policy process said in a statement: “While NTIA is disappointed that some stakeholders chose to stop participating in this effort aimed at developing a privacy code of conduct related to commercial uses of facial recognition technology, other stakeholders told NTIA that they want to continue to make progress on this issue and so the process is moving forward. In response, NTIA held a meeting on July 28, and we expect to convene another meeting in December or early January.”

As for Wal-Mart, the company declined to comment on the privacy implications of the technology.

The upshot is that, for now, companies have more or less free rein to operate as they wish in the U.S. when it comes to using facial recognition tools. The only exceptions are Illinois and Texas, where state laws limit collection of biometric data. California, which is typically active on consumer privacy issues, is considering a bill that would prevent online vendors from collecting students’ biometric information, but does not have more wide-ranging laws.

As for the federal government, Neuburger says the Federal Trade Commission could conceivably try to regulate the industry under its unfair trade practice authority, but that the agency is not able to create news laws on its own. Meanwhile, he says Congress is unlikely to pass sweeping laws about privacy and facial recognition anytime soon.

“I don’t think people are fully aware of it,” Neuburger says. “People see tagging in Facebook and Shutterfly. But I don’t think they’re fully aware that when they walk into a retailer, their face might be scanned and added to a database.”

This story was updated on 11/10 to include Commerce Department statement.

To learn more about how tech is changing daily life, see how Facebook’s CEO wants to create AI systems “that are better than humans.”