If you run footfall analytics anywhere in the EU, the GDPR question arrives fast, usually from a legal or procurement colleague: does counting people trigger data-protection law, and if so, what does that oblige you to do? The honest answer is that it depends entirely on one thing, and the thing is not the vendor's marketing. It is whether the counting method captures personal data at all.

That single test decides almost everything else. A method that records only anonymous counts sits largely outside the heaviest GDPR machinery. A method that records faces or device identifiers sits squarely inside it, with all the obligations that follow. This post works through the plain GDPR question rather than the adjacent ones: for the AI-specific classification, see how the EU AI Act treats people counting, and for the assessment document itself, see a DPIA for a people-counting rollout. Here the subject is scope: is footfall data personal data, and when does GDPR attach.

Is people counting GDPR compliant?

People counting can be fully GDPR compliant, and whether GDPR applies at all depends on one question: does the system capture personal data? GDPR (Regulation (EU) 2016/679) governs the processing of personal data, meaning information relating to an identifiable person. A method that records only anonymous counts, with no camera, no MAC address, no device ID, and no biometric data, does not process personal data in the first place, so the heaviest GDPR obligations do not attach. Camera-based counters and Wi-Fi MAC-collection counters are different: they can capture personal data and pull the deployment into full GDPR scope. This is general information, not legal advice; confirm your specific setup with your DPO or counsel.

What GDPR actually regulates: personal data and processing

GDPR does not regulate "data" in the abstract. It regulates the processing of *personal* data, and both words carry specific weight. Personal data, in the definitions GDPR sets out, is information relating to an identified or identifiable natural person. Processing is more or less any operation you perform on that data, from collection through storage to deletion. If there is no personal data in play, there is nothing for the processing rules to bite on.
So the whole question collapses into a single test: is the data you hold capable of identifying a person, directly or indirectly? A face in a video frame is personal data because a person can be recognised from it. A device MAC address is treated as personal data because it can single out and follow a specific device, and through it a person, even if you never learn their name. A count of "142 people entered between 09:00 and 10:00" is not personal data, because nothing in that number relates to any identifiable individual. It is a statistic about a crowd.
This is why two footfall systems that look identical from the outside can land on opposite sides of the law. Both tell you how busy a store was. One got there by recognising and following people; the other got there by measuring shapes crossing a threshold. The output looks similar. The legal footing could not be more different, and the difference is set entirely by what was captured at the point of measurement.

Which counting methods capture personal data, and which do not

It helps to sort the common counting technologies by that identifiability test rather than by brand or price. The table below groups the main methods by whether they capture personal data in normal operation.

| Counting method | What it captures | Personal data under GDPR? | Practical consequence |
|---|---|---|---|
| Camera with facial recognition | Faces, recognisable images | Yes | Full GDPR scope; likely also biometric-data rules |
| Plain video counting (no recognition) | Video frames of people | Yes, while footage exists | In scope; obligations apply even if you count then delete |
| Wi-Fi MAC sniffing | Device MAC addresses | Yes | In scope; a MAC singles out and follows a device |
| Bluetooth beacon device IDs | Device identifiers | Yes | In scope; identifiers relate to an identifiable device |
| Depth or Time-of-Flight geometry counting | Shapes crossing a line, no image | No | Anonymous counts; no identifiable person captured |
| Signal sensing with no MAC stored | Movement pattern, no identifier | No | No identifier held, so no personal data for the count |

The pattern is consistent. Methods that record an image of a person, or an identifier tied to their device, capture personal data and pull the deployment into full GDPR scope. Methods that measure the physical fact of a body moving through space, without an image or an identifier, do not. A camera counter that "only counts and does not store footage" still processed personal data while the frame existed, which is why the timing of deletion does not remove it from scope. A Wi-Fi counter that collects MAC addresses is handling personal data even if it never links a MAC to a name, because the identifier can single out a device and follow it. For a closer look at that specific case, see why Wi-Fi MAC sniffing captures personal data, and for the broader modality split, biometric vs non-biometric counting.

How Ariadne stays out of personal-data scope

The cleanest way to stay out of GDPR's heaviest obligations for the count is not to scrub personal data after collecting it. It is to never capture personal data in the first place. That is worth stating precisely, because the industry often blurs it: there is a real difference between a system that collects identifiers and then anonymises them, and a system that captures no identifier at all. The first processed personal data, even briefly. The second never did. There is nothing to anonymise because nothing identifying was captured.
Ariadne measures this with Hybrid Fusion, its patented camera-free method. Time-of-Flight depth sensing counts every visitor at the entrances, capturing geometry rather than images, while patented phone signal sensing follows movement through the interior, detecting the signals a phone emits even in airplane mode, and tracks that movement to about one-metre precision. The sensor streams both feeds to Ariadne, where Hybrid Fusion combines them into one trajectory per visit and computes counts, dwell, and paths. The streams carry no identifier: no MAC address, no device ID, no biometric data, and no camera is involved. Identifiers are stored only when a visitor explicitly opts in, which keeps the method GDPR-friendly and outside biometric territory.
Read against the identifiability test, that flow does not process personal data for the count. No image is recorded, so there is no face to be recognised. No MAC address is stored by default, so there is no device identifier to single out a person. The fusion step happens centrally in the Ariadne platform, on two feeds that already carry no identifier, which means combining them does not manufacture personal data either. The only route to identity is an explicit opt-in feature that a visitor chooses, such as a guest Wi-Fi login, and that feature is a separate, consented layer rather than part of the anonymous count. This is what privacy-first people counting means in concrete terms: the privacy comes from what is not captured, not from a cleanup step applied afterward.

What still applies even to a no-PII deployment

Staying outside the heaviest personal-data obligations is not the same as having nothing to do. A no-PII counting deployment should still meet a few sensible standards, and it is worth treating these as general good practice rather than as a checklist that makes the deployment "compliant" on its own.
- Transparency signage. Even where a method captures no personal data, telling visitors that a space is measured, and how, is good practice and often expected. A short notice that counting is camera-free and captures no personal data is honest and reassuring, and it costs nothing.
- Vendor due diligence. Confirm what the vendor actually captures rather than taking a "privacy-friendly" label at face value. Ask specifically whether images or device identifiers are stored, by default and in every mode, and get the answer in writing.
- Records for opt-in features. The moment a deployment turns on an identified feature, such as a guest Wi-Fi login that ties a visit to a person, that feature does process personal data and carries its own obligations. Keep those features documented and separate from the anonymous count so the scope of each is clear.
- A written basis for the assessment. Documenting why the count is out of personal-data scope, and what would change that, is the kind of record that makes a later review straightforward.

None of this is legal advice, and none of it substitutes for your own assessment. Data-protection law turns on the specific facts of a deployment, and reasonable people can read an edge case differently. Confirm your particular setup, and especially any opt-in feature, with your DPO or legal counsel before you rely on it.

FAQ

Is people counting GDPR compliant?

It can be. GDPR applies to the processing of personal data, so the question is whether the counting method captures personal data. A method that records only anonymous counts, with no camera, no MAC address, no device ID, and no biometric data, does not process personal data for the count, so the heaviest obligations do not attach. Camera counters and Wi-Fi MAC-collection counters can capture personal data and fall into full scope.

Is footfall data personal data under GDPR?

It depends on how the footfall was measured. A plain count such as "142 people entered this hour" is a statistic about a crowd and is not personal data. A count derived from recognisable faces or from device identifiers like MAC addresses does involve personal data, because a person or their device can be singled out. The measurement method decides the answer, not the fact that you are counting.

Do I need consent to count footfall with a no-PII method?

For the anonymous count itself, there is no personal-data processing to seek consent for, so a consent banner or opt-in is not required for the count. Consent becomes relevant only for optional identified features, such as a guest Wi-Fi login, which a visitor chooses to give. This is general information; confirm your specific deployment with your DPO or counsel.

Does Ariadne anonymise the data it collects?

No, and the distinction matters. Ariadne does not collect personal data and then anonymise it. It captures no camera image, no MAC address, no device ID, and no biometric data for the count, so there is nothing identifying to anonymise. Identifiers exist only when a visitor explicitly opts in to a feature that uses them.

Do I need cameras to count people under GDPR?

No. Ariadne counts with Hybrid Fusion: Time-of-Flight depth sensing plus patented phone signal sensing, never cameras. Time-of-Flight captures geometry rather than images, and signal sensing captures no MAC address by default, so the measurement involves no video, no faces, and no biometric data.
