
Privacy by Design for a People-Counting Sensor

Jul 2, 2026 · 11 min read · By Govarthan Natarajan

"Privacy by design" gets quoted so often that it has started to sound like a compliance slogan rather than an engineering decision. It is an engineering decision. The phrase describes a choice made at the point a system is designed, before a single measurement is taken: choose the least intrusive method that still does the job, so that privacy is a property of how the thing works rather than a set of controls added later to contain what it already collected.

Privacy by design in the sensor

For a people-counting sensor, that distinction is not abstract. It decides whether you spend the next five years securing, minimising, and deleting personal data, or whether there is simply nothing personal to secure because none was ever captured. This post explains what privacy by design means at the sensor level, what GDPR Article 25 actually asks for, and why a camera-free method reaches the standard by construction rather than by after-the-fact patching. It is a companion to a privacy label for the sensor, which shows the disclosure output; this post is about the design decision that produces a clean label in the first place. This is general information, not legal advice.

What does privacy by design mean for a people-counting sensor?

Privacy by design means the least intrusive method is chosen at the design stage, so privacy is built into how the sensor works rather than patched on afterward. GDPR Article 25 calls this data protection by design and by default. For people counting, the strongest version is a sensor that never captures personal data in the first place: Ariadne counts with Time-of-Flight depth sensing and patented phone signal sensing, so it records geometry and movement without a face, a template, or a stored identifier. There is no personal data to secure, minimise, or delete after the fact, because none is collected. This is general information, not legal advice; your DPO should confirm how Article 25 applies to your deployment.

The rest of this post unpacks that answer: what the principle asks for, the two very different ways of meeting it, and how a camera-free sensor is built to satisfy it from the start.

GDPR Article 25, in plain terms: data protection by design and by default

GDPR Article 25 is the article that puts privacy by design into law rather than into best-practice guidance. In plain terms, it asks a controller to build appropriate data-protection measures into a processing activity from the point it is being designed, and to set defaults so that only the personal data necessary for a given purpose is processed. Two ideas sit inside it. "By design" is the up-front part: think about privacy while you are choosing the method, not after you have deployed it. "By default" is the out-of-the-box part: the least intrusive setting should be the one you get without having to configure anything.

The article is written to be technology-neutral, so it does not name sensors, cameras, or counting. It states a principle and leaves the application to the specific processing. That is deliberate, and it is also why a general explainer like this one describes the principle rather than quoting a specific outcome for your deployment. How Article 25 applies to a given installation is a judgement your data protection officer makes on the facts, and it is the kind of question a DPO exists to answer.

What the article does make clear is a direction of travel: the regulation prefers the design that processes less. A method that avoids collecting personal data entirely is not merely compliant with the minimisation default, it is the cleanest possible expression of it. There is a related principle, data minimisation, that says the same thing from a different angle; that one gets its own treatment in data minimization in footfall data.

Two ways to reach it, and why one is stronger

There are broadly two ways a counting system can end up privacy-respecting, and they are not equally strong.

The first is collect-then-protect. A system captures rich data, often video, and then applies controls to reduce the privacy impact: blur faces, delete footage on a short retention clock, encrypt what is stored, restrict who can access it. Every one of those controls is a real safeguard. But each one is also a control that can fail, be misconfigured, be relaxed under pressure, or be quietly widened later. The personal data existed at the moment of capture, which means the exposure existed, and the protection is a promise about what happens next. A blur can be turned off. A retention window can be extended. An access list can grow. The safeguards are only as durable as the discipline maintaining them.

The second is collect-nothing. The method is designed so the personal data is never captured, which means there is no video to blur, no footage to delete on a clock, and no identifier to secure. Privacy is not a control layered on top of the data; it is a consequence of the data not existing. There is nothing to misconfigure, because the sensitive input was never present to begin with.

Both approaches can produce a system that behaves well on a good day. The difference shows on a bad day. When a control is relaxed, a retention setting is changed, or a breach exposes what was stored, collect-then-protect has personal data to lose and collect-nothing does not. Privacy by design, read strictly, prefers the second: the strongest safeguard is the one that cannot be switched off because there is nothing behind it to expose.

How a camera-free method designs privacy in from the start

Ariadne counts with Hybrid Fusion, its patented camera-free method. Time-of-Flight depth sensing counts every visitor at the entrances, capturing geometry rather than images, while patented phone signal sensing follows movement through the interior, detecting the signals a phone emits even in airplane mode, and tracks that movement to about one-metre precision. The sensor streams both feeds to Ariadne, where Hybrid Fusion combines them into one trajectory per visit and computes counts, dwell, and paths. The streams carry no identifier: no MAC address, no device ID, no biometric data, and no camera is involved. An identifier is stored only when a visitor explicitly opts in, which keeps the method GDPR-friendly and outside biometric territory.

Read against the privacy-by-design test, the design decisions line up point by point. Time-of-Flight sensing captures the shape and distance of objects, not their appearance, so there is no image of a face to blur or delete: the sensitive input a camera would produce is never created. Signal sensing detects that a phone is present and how it moves, without reading a MAC address by default, so the persistent identifier that would turn a movement into a tracked individual is not gathered. Both feeds leave the sensor carrying no identity, and the fusion that turns them into a trajectory happens centrally inside the Ariadne platform, not on the sensor and not at the edge. Nothing along that path stores who a person is. The design is the safeguard.

The opt-in point matters here too. An identifier is stored only when a visitor has explicitly chosen to be recognised, for a service that genuinely needs it. The default state, the one you get without configuring anything, is the least intrusive one. That is precisely what "by default" in Article 25 asks for: the privacy-protective setting is the standard, not an option a careful administrator has to remember to switch on.

Why "no PII at capture" beats "anonymised after capture"

There is a tempting shortcut in privacy marketing: to say a system "anonymises" the data it collects. It sounds reassuring, and for some systems it is an accurate description of a real process. But it describes collect-then-protect, and it carries the same fragility. Anonymisation is something done to personal data after it has been captured, which means the personal data existed first, and the anonymisation is a step that can be done well, done poorly, or reversed if enough context is retained alongside it. A hashed identifier is the common example: hashing a MAC address pseudonymises it, but the pseudonym is still a persistent handle on one device, so the data is still personal data.

Ariadne does not anonymise, because there is nothing to anonymise. The method captures no face, no biometric template, and no MAC address by default, so no personal data enters the system to be stripped of identity later. The distinction is not a word game: "anonymised after capture" still has a moment where the raw personal data existed and could, in principle, have been kept or leaked, while "no personal data at capture" has no such moment. For why that framing is the right one and where the "anonymization" language quietly misleads, see why anonymization is the wrong frame. The same reasoning underlies why the method sits comfortably in the non-biometric counting category: you cannot process biometric data you never captured.

How to document privacy by design for auditors and buyers

Designing privacy in is half the job. Being able to show it is the other half, because an auditor, a procurement team, or a data protection officer will ask for evidence, not assurances. The good news is that a collect-nothing design produces a short, clean paper trail, because most of the questions an auditor would ask about stored personal data simply do not apply.

A defensible privacy-by-design record for a people-counting deployment usually has a few components:

  • A method statement. A plain description of what the sensor captures (geometry and signal counts) and what it does not (no video, no face, no MAC by default), so the design decision is on the record and not just implied.
  • A data map. What data flows from the sensor, where the fusion happens, what is computed, and what is retained. For a collect-nothing design this map is short, because the sensitive categories are absent by construction.
  • The opt-in flow. How and when an identifier is stored, what consent is captured, and what a visitor is told, so the one path where identity does enter the system is documented and bounded.
  • A record of the design choice. Why the camera-free method was selected over a more data-hungry one, which is the actual "by design" decision Article 25 is asking you to be able to demonstrate.

Two of those components have companion resources. The disclosure format, the one-page summary of what the sensor collects, is covered in a privacy label for the sensor. The formal assessment that ties the design choice to a documented risk analysis is covered in documenting the assessment. Together they turn a design decision into something a buyer or auditor can verify rather than take on trust.

If you are evaluating a system rather than documenting one you have chosen, the shortest route to the same evidence is to ask a vendor to describe what the sensor captures at the moment of capture, before any processing, and to say plainly whether that includes a face, an image, or a device identifier. A camera-free people counting method should be able to answer with a flat no, and to show you why in its own architecture. The answer to that one question tells you which of the two approaches, collect-nothing or collect-then-protect, you are actually buying.
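One way to turn that question into something you can run, as an added example rather than anything from the original post or Ariadne's own tooling: a small Python audit that takes a sample export from a sensor, checks every field against the allowed set in your method statement, and flags any value shaped like a persistent identifier (raw MAC, IPv4, IMEI, UUID, or a long hex token that is usually a hashed MAC). The field names in ALLOWED_FIELDS and the four sample records are constructed for the example; substitute the vendor's real export and the field list from your own method statement.

```python
import re

# Fields a collect-nothing counter legitimately emits at capture: timing,
# which sensor, geometry, movement and counts. This schema is an assumption
# made for the example; it is not Ariadne's actual output format.
ALLOWED_FIELDS = {"ts", "sensor_id", "zone", "event", "depth_mm", "x_m", "y_m", "count"}

# Identifier-shaped values that should never appear in a record at capture.
# A hashed MAC is still a persistent identifier, so 32+ hex characters are flagged.
IDENTIFIER_PATTERNS = {
    "mac_address": re.compile(r"\b(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}\b"),
    "ipv4_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "imei": re.compile(r"\b\d{15}\b"),
    "uuid": re.compile(r"\b[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\b"),
    "long_hex_token": re.compile(r"\b[0-9A-Fa-f]{32,}\b"),
}


def audit_record(record):
    """Return a list of findings for one record; an empty list means clean."""
    findings = []
    for key, value in record.items():
        # Anything outside the method statement needs a written justification.
        if key not in ALLOWED_FIELDS:
            findings.append(f"unexpected field '{key}'")
        # Even an allowed field is checked, in case an identifier hides in it.
        for name, pattern in IDENTIFIER_PATTERNS.items():
            if pattern.search(str(value)):
                findings.append(f"{name} in field '{key}'")
    return findings


def audit_stream(records):
    """Map record index -> findings for every record that is not clean."""
    result = {}
    for i, record in enumerate(records):
        findings = audit_record(record)
        if findings:
            result[i] = findings
    return result


# Constructed sample export, not real sensor data. Records 0 and 1 match the
# method statement; record 2 carries a raw MAC and record 3 a hashed device token.
SAMPLE_RECORDS = [
    {"ts": 1751414400123, "sensor_id": "tof-entrance-01", "event": "entry",
     "depth_mm": 1720, "x_m": 0.42, "y_m": 1.10, "count": 1},
    {"ts": 1751414405871, "sensor_id": "rf-floor-02", "zone": "aisle-3",
     "x_m": 12.8, "y_m": 4.3},
    {"ts": 1751414405871, "sensor_id": "rf-floor-02", "zone": "aisle-3",
     "mac": "a4:83:e7:12:9b:01"},
    {"ts": 1751414406002, "sensor_id": "rf-floor-02", "zone": "aisle-3",
     "dev_hash": "3f" * 32},
]

if __name__ == "__main__":
    for index, findings in audit_stream(SAMPLE_RECORDS).items():
        print(f"record {index}: " + "; ".join(findings))
```

The hashed-token case is the one worth arguing about with a vendor. A sensor that exports a hash of the MAC address has still captured the MAC and still emits a persistent per-device handle, which is collect-then-protect under a different name. Sensor identifiers (the sensor_id field here) are device identifiers for the installation, not visitor identifiers; if a vendor uses UUIDs for its sensors, allowlist that field explicitly rather than loosening the pattern.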

FAQ

Do I need cameras to count people accurately?

No. Ariadne counts with Hybrid Fusion: Time-of-Flight depth sensing plus patented phone signal sensing, never cameras. Time-of-Flight captures geometry rather than images, and signal sensing captures no MAC address by default, so the measurement involves no video, no faces, and no biometric data.

Does a people counter collect personal data?

A camera-free method like Ariadne's does not collect personal data by default. It captures geometry and movement, with no face, no biometric template, and no MAC address, so there is no personal data at capture. An identifier is stored only when a visitor explicitly opts in for a service that needs it.

Is privacy by design a legal requirement?

GDPR Article 25 sets out data protection by design and by default as an obligation on controllers under the regulation. How it applies to a specific processing activity is a judgement for a data protection officer to make on the facts. This is general information, not legal advice; confirm the position for your deployment with your DPO and counsel.

What is the difference between privacy by design and anonymisation?

Privacy by design chooses a method that avoids collecting personal data in the first place, so there is nothing to anonymise. Anonymisation is a step applied to personal data after it has been captured. The first approach has no moment where the raw personal data existed; the second does.

Where does the data fusion happen in a camera-free counter?

For Ariadne, the sensor streams two feeds that carry no identifier, and Hybrid Fusion combines them into one trajectory per visit centrally inside the Ariadne platform, not on the sensor and not at the edge. The counts, dwell, and paths are computed there.

[Figure: What the sensor captures and never captures]
