Indians have expressed concern after it emerged that a popular cafe chain - Chaayos - is using facial recognition software to bill customers.

Nikhil Pahwa, the editor of media watchdog MediaNama,posted a video on Twitterafter he said staff took his picture to bill him without consent.

"This is unnecessarily intrusive and there was no opt-out option, which is problematic," Mr Pahwa told the BBC.

Chaayos defended its system, saying it was committed to protecting customers.

"We are extremely conscious about our customer's data security and privacy," the company said in a statement to the BBC. 

The chain also said that customers could choose to opt out of using the facial recognition feature and instead use their phone numbers to pay bills.

However, Mr Pahwa told the BBC that the facial recognition system was a mandatory requirement for joining its loyalty programme. He added that his picture had been taken despite the fact he was not a part of it.

More worryingly, according to Mr Pahwa, Chaayos' terms and conditions - also seen by the BBC - says that customers "should not expect that personal information should always remain private".

How does facial recognition technology work?

 

The terms also say that by joining the loyalty programme, users authorise it to "disclose information to government authorities or competent authorities or credit bureaus or third persons".

However, in its statement, Chaayos said "there is no third party sharing of the data for any purpose. And Chaayos does not use or process this information for any other purpose".

Mr Pahwa said his worry was that "customers are not made aware of the implications of giving out this data, so this is not informed consent."

Mr Pahwa's tweets about his experience picked up traction on social media, with a number of users coming forward to share their experiences at the chain, while others described similar incidents elsewhere.

India does not have laws governing the collection of biometric data and experts warn that this is not a phenomenon limited to Chaayos alone.

"This trend of private companies collecting vast volumes of biometric data with photos linked to user identity, phone numbers and other details is deeply worrying. Hundreds of companies collect and store biometric data, often with no visible checks and balances, and no published privacy policies. In the absence of any privacy law in India, this is extremely worrying," technology expert Prasanto K Roy told the BBC.

"For instance DLF, one of north India's top real-estate developers which has built and manages dozens of commercial buildings, demands that a visitor first authenticate herself using a text message (OTP) password, and then on camera-equipped tablets placed at the entrance, gets photographs taken of her face and her government-issued identity card, and sign off on the page.

"They thus have a database which has my name, face, driving license, authenticated phone number, and signature. There is no option to opt out if I want to enter one of their buildings, or to delete my information. Such databases tend to leak, be sold for considerable sums of money, and be misused." BBC