Like it or not (and many people don’t), retailers, airports, and other businesses are increasingly tracking people’s faces and mobile devices as they walk through their premises, to better organize store layouts and provide tailored advertising.
That obviously comes with privacy risks, and the Berlin Group, made up of privacy watchdogs and academics from around the world, has detailed them in a pair of new reports published Thursday.
For those following the non-stop increase in surveillance these days, there’s a lot to worry about. Wi-Fi and Bluetooth signals emanating from smartphones and tablets make it possible to secretly monitor where individuals go, particularly if their location can be tracked across different networks.
If people don’t religiously turn off their Wi-Fi and Bluetooth as they wander around, and if their location data can be cross-referenced with store loyalty programs, it’s possible to build very detailed pictures of individuals without them being aware. On the facial recognition front (where the creepy future set out in Minority Report is always the touchstone), there are also risks like racial profiling. Authorities can use the data to track individuals or groups of people, while hackers may steal it if it’s not securely stored.
That’s why the Berlin Group (more properly known as the International Working Group on Data Protection in Telecommunications) has come up with recommendations for businesses deploying such systems, as well as those that build them in the first place.
Now, it’s important to note that the group’s recommendations are non-binding and represent a middle ground that’s based on many different legal systems. Still, it’s a good—if rather hopeful—guide to how things should play out in this new world of ubiquitous tracking.
First off, businesses should check their local privacy laws to see what is and isn’t allowed, according to the group. Those operating in the European Union will, of course, be under much stricter laws than those in the U.S.
Businesses should also ask for people’s consent before collecting information about them, and then only collect data that’s necessary. They should also store that information for as short a time as possible and remove any personally identifying information that is unneeded.
Again, new image-recognition technologies require extra care:
“In order for the processing to be fair, no automated individual decisions should be taken based on evaluations of behavior or conduct as analyzed by intelligent video analytics systems (especially in case of profiling based on sensitive personal data, such as race or health). Such decisions at least require human intervention.”
In other words, machines shouldn’t decide on their own whether someone might be up to no good.
A lot of this is behind-the-scenes, but where shoppers and travellers might see a visible difference is in the creation of new symbols and signs to inform them about the fact that they’re being tracked. They should also be told what’s going to happen to that data — a bit like an evolution of the symbols that tell people they are being watched by a security camera.
“Privacy zones” may also become a thing, giving people respite from tracking when they’re in the bathroom, a first-aid room, or a room dedicated to worship.
Again, there’s no guarantee that anyone will pay attention to these recommendations. However, even though they’re non-binding, they do provide an interesting insight into the consensus opinion of regulators worldwide, who are increasingly cooperating. Technology generally knows no borders, after all, and regulators aren’t blind to the speed with which it’s developing.
They certainly provide some useful guidelines for businesses that might want to use the latest technology to improve their business, but don’t want to creep out their customers.