Face masking is the automatic blurring or pixelation of faces (and sometimes whole bodies) in video to protect the identity of people who are not the subject of interest. It can be applied live, in recordings, or — most commonly and most usefully — at the moment footage is exported or shown, so an operator can share a clip of an incident without exposing every uninvolved bystander. It is the workhorse of privacy-preserving disclosure.
Mechanically it relies on detection to find faces or people and then obscures those regions, ideally while leaving the rest of the scene intact and useful. Good implementations distinguish reversible masking (the original is preserved and the unmasking is access-controlled and logged, for authorised investigation) from irreversible redaction (the identifying detail is destroyed in the output copy, for public or third-party release). This supports data minimisation (GDPR Article 5(1)(c)) and makes it practical to honour a subject-access request without handing over other people's images.
The pitfalls are over-trusting the masking and confusing the two modes. Masking depends on detection, which is never 100% — a missed face leaves someone identifiable, so a redacted export for public release needs human verification, not blind trust in the automation. And releasing a "masked" copy that is actually only reversibly obscured, or whose blur can be undone, defeats the purpose. Use irreversible redaction with a verification step for anything leaving the organisation, reserve reversible masking for controlled internal use with logging, and never assume the automatic pass caught everything. This is engineering guidance, not legal advice.
