A code of practice should govern when police forces deploy facial recognition technology, the information commissioner has said.
It comes after South Wales Police was found to have acted lawfully when a shopper complained his human rights were breached when he was photographed.
An investigation by commissioner Elizabeth Denham has raised "serious concerns" over use of the technology.
Ms Denham called on the government to introduce a statutory code of practice.
Ed Bridges had brought a legal challenge after he was photographed shopping in Cardiff in 2017, and the following year at a peaceful protest against the arms trade.
While the High Court ruled in September that South Wales Police had followed the rules, civil rights group Liberty said it was akin to the unregulated taking of DNA or fingerprints without consent, and it is campaigning for an outright ban of the practice.
Ms Denham said the use of facial recognition tools represents a "step change" in policing techniques.
"Never before have we seen technologies with the potential for such widespread invasiveness," she said in a blog post.
"The results of that investigation raise serious concerns about the use of a technology that relies on huge amounts of sensitive personal information."
Ms Denham said current laws and practices will not truly manage the risks presented by the technology.
Her investigation also found the lack of a statutory code increases the likelihood of legal failures, undermining public confidence in its use.
Ms Denham will now liaise with the Home Office, the Investigatory Powers Commissioner, the Biometrics Commissioner, the Surveillance Camera Commissioner and policing bodies on how to progress a binding code of practice.