they don't know necessary who are you and what are you buying. I don't think also for big shops with many customers that techonology and reliably do instance segmentation - this is not face id.
They don't, but there is a significant chance that their "security solution" uploads all the data to a cloud provider (Amazon, Google, Oracle) which will be more than happy to analyze the data for them.
That's possible but would be completely and highly illegal, the EU regularly fines companies violating GDPR, and those fines are not trivial at all, they can be quite hefty.
I was talking about the reality of the US, but even if I was talking about Europe: how does the GDPR even enter this equation here? I was never asked for consent to have my face recorded when I get into a shop in Germany. Were you?
Its not. Especially when using US Cloud services. And people do that. Hell even government run schools us GDRP-violating software and force the students to BUY them. The law is nice, the reality is different...
Do you not pay for you groceries? Then the store probably has a good idea about your identity. In any case, they payment processor knows exactly who you are, and the store and anyone else who cares can buy this information online, albeit in a slightly obfuscated form.
Unless you live at some place where they still accept cash of course, but the writing is on the wall already.