An M&M branded vending machine at the University of Waterloo in Canada revealed that it was, unbeknownst to the users, collecting facial recognition data. A student noticed an error message in an app called "Invenda.Vending.FacialRecognitionApp.exe", and investigation determined that this was in fact a marketed feature of these vending machines: to record and report the likely age and gender of each person who used the machine.
The company claims that the machine is GDPR compliant, but it’s hard to see how that can be the case if it’s collecting faces without consent. Here’s hoping the Canadian regulators throw the book at them.