Face value: Retailers must carefully manage Privacy risks related to facial recognition technology

Introduction

In recent years, the increased use of security technologies, such as facial recognition technology (FRT) in retail settings, has raised ethical questions and privacy risks.

The Office of the Australian Information Commissioner (OAIC) defines FRTs as the collection of a digital image of an individual’s face and the extraction of distinct features into a biometric template, which is used to compare against one or more pre-extracted biometric templates for the purpose of facial verification or identification. Biometric templates are considered sensitive information under the Privacy Act 1988 (Cth) (Privacy Act).

On 28 February 2025, during her speech at the Retail Risk conference, the Australian Privacy Commissioner reminded retailers to strike a balance between achieving security and meeting privacy obligations when using technologies. 

Referring to her recent determination against Bunnings Group Limited (Bunnings) (discussed further below) which is currently the subject of an appeal in the Administrative Review Tribunal, the Commissioner emphasised the four key privacy principles retailers must comply with when adopting security technologies, which we break down in this alert.

What Retailers Need to Consider When Using FRTs

For retailers who use, or are considering using, FRTs, the key principles to consider are:

  • Necessity and proportionality (APP 3) – Is the collection of personal information for use in the FRT necessary and proportionate in the circumstances, and can the purpose be reasonably achieved by a less privacy-intrusive means?
  • Consent and transparency (APP 3 and 5) – Are customers proactively provided with sufficient notice and information to allow them to provide meaningful consent to the collection of their information?
  • Accuracy, bias and discrimination (APP 10) – Is the biometric information used in FRT accurate? What steps are being taken to address any risk of bias?
  • Governance and ongoing assurance (APP 1) – Are there clear governance arrangements in place, including privacy risk management practices and policies which are effectively implemented? If so, are they regularly reviewed?

As outlined in the OAIC’s guidance on the use of facial recognition technology, it is best practice for retailers considering using FRTs to undertake a privacy impact assessment (PIA) to identify potential privacy impacts at the outset.

The importance of the four principles above was discussed in the Bunnings determination (discussed below).

Lessons from the Bunnings Determination

On 29 October 2024, the Commissioner found that Bunnings had disproportionately interfered with the privacy of individuals who had entered its 63 stores in Victoria and New South Wales between 2018 and 2021, through its deployment of FRT.

On its premises, Bunnings’ CCTV captured the facial images of hundreds of thousands of individuals, which were analysed by the FRT system to create a ‘real-time facial image’ of each individual. These images were fed into an algorithm to create ‘searchable data’, which was then compared against a database of previously extracted images of individuals identified as posing a risk due to histories of engaging in theft, criminal conduct, actual or threatened violence, or suspicion of committing organised retail crime.

The collection and search operations occurred without obtaining the individuals’ consent. Bunnings claimed that where there was no match, the facial image was automatically deleted within an average of 4.17 milliseconds and could not be retrieved or re-accessed by Bunnings.

The Commissioner found that:

  • while Bunnings had good intentions to protect its staff and customers and to prevent other unlawful activity in its stores, the FRT in this instance was not proportionate to the risks (e.g., the FRT would not have enhanced Bunnings’ ability to address the issue if the perpetrator wore a balaclava, had a knife or was physically aggressive on entry); and
  • the FRT had interfered with the privacy of children and other vulnerable people by enabling covert and indiscriminate surveillance.

Further, the Commissioner held that Bunnings had lacked transparency by:

  • failing to take reasonable steps to notify individuals about the facts, circumstances, and purposes of their personal information being collected, as well as the consequences for them if their personal information was not collected (even if the customer had briefly entered the store);
  • failing to take reasonable steps to implement practices, procedures, and systems to ensure it complied with the APPs; and
  • failing to include in its privacy policies information about the kinds of personal information it collected and held, and how it collected and held that personal information.

The outcome of the appeal against her October 2024 determination will provide further clarity on the regulator’s position on FRTs.

Conclusion

In light of the regulator’s current stance and guidance on FRTs, retailers are encouraged to proactively manage and mitigate any privacy risks arising from any security technology that collects personal information in retail and commercial premises. Considerations for retailers include:

  • Privacy by design;
  • Necessity and proportionality;
  • Consent and transparency;
  • Accuracy and bias; and
  • Governance and ongoing assurance.

For retailers seeking further guidance on navigating privacy and security challenges, the experts at Bird & Bird are available to provide tailored advice and support. Contact us to discuss how we can assist you in ensuring compliance with privacy laws whilst safeguarding your business.
