The most common question from procurement and legal teams. The short answer: neither Standard nor Deep identifies anyone. Standard doesn't look at faces at all. Deep analyses muscle movements — not identity.
Facial recognition identifies individuals by comparing facial geometry against a database of known faces. It produces an identity match. Under GDPR, this is Special Category biometric data under Article 9, requiring explicit consent. The EU AI Act classifies real-time remote biometric identification as high-risk or prohibited AI.
Standard tier doesn't look at faces. It measures behavioural signals: how many people are in a zone, how long they stay, whether they're moving or still, how crowds cluster. This is functionally equivalent to an advanced people counter combined with a motion detector. No facial analysis takes place at any point.
Deep tier analyses facial muscle movements using the Facial Action Coding System (FACS) — a taxonomy of 44 discrete muscle group movements that combine to form human facial expressions. AU4 is the brow lowerer. AU12 is the lip corner puller. These are movements, not identity markers. Every person produces the same AU4 pattern when they furrow their brow, regardless of who they are.
The engine extracts AU activation values from video frames and immediately discards the frame. What persists is a set of numbers representing muscle activation intensities — not an image, not a face template, not anything that could identify the person who generated them.
Deep tier requires delegate consent (opt-in via event registration) because it processes signals derived from facial analysis. It does not require consent under Article 9 (biometric identification), because it is not identifying anyone. Consent is collected under Article 6(1)(a) as a matter of transparency and best practice.
| Capability | Facial Recognition | Standard | Deep |
|---|---|---|---|
| Identifies individuals | Yes | No | No |
| Stores face images | Yes | No | No |
| Facial analysis | Yes | No | Muscle movements only |
| EU AI Act high-risk | Yes | No | No |
| Consent required | Yes (Art. 9) | No | Yes — opt-in (Art. 6) |
No. Standard produces population-level zone metrics — people counts, dwell times, movement patterns. Deep produces aggregated emotional signal scores per zone. Neither system tracks individuals, creates individual records, or can identify who produced a given signal.
Deep processes signals derived from facial analysis. Even though it doesn't identify anyone and doesn't store biometric templates, we collect delegate opt-in as a matter of transparency and best practice. The consent basis is Article 6(1)(a) — not the more onerous Article 9. A single checkbox at event registration is sufficient.
No. The EU AI Act's high-risk classification covers real-time remote biometric identification systems. Deep does not identify individuals — it analyses emotional signals at a population level and does not fall within the high-risk or prohibited categories.