Businesses are increasingly using facial recognition technology. You should not fear incorporating facial recognition technology as part of your business. However, ensure you comply with privacy laws when doing so. This article will help you understand other businesses’ mistakes and the three key considerations you should keep in mind to avoid making the same mistakes.
What is Facial Recognition Technology?
Facial recognition software maps, analyses, and confirms the identity of a face in a photograph or video. It can detect faces, analyse their features and create data identifying a person. You can then use this data to find a match with other known faces.
It is a powerful tool that government bodies and businesses use for its surveillance capabilities. In the business context, some have used facial recognition technology for several purposes, such as:
- customer feedback;
- searching the web;
- security;
- streamlining log-ins; and
- reducing in-store retail crime.
What Went Wrong?
Facial recognition is an incredible technology, but it carries considerable privacy considerations.
Commonly, a rule of thumb in privacy law is that if no individual is reasonably identifiable, privacy laws do not apply. Thus, you can publicly disclose, sell, match with other data or use the information for a purpose unrelated to the original purpose for which you collected it. However, you must be careful as it can be unclear whether or not an individual is reasonably identifiable.
The issue of identifiability proved problematic for 7-Eleven. 7-Eleven used facial recognition technology to collect customer feedback through tablet surveys that took facial images to understand customer demographics. When they claimed this was not personal information, the court found that since the technology collected biometric data, it was possible to distinguish between individuals. Accordingly, this meant the face prints were reasonably identifiable.
Another business, Clearview AI, had a similar issue. It allowed customers to compare mathematical representations of their faces to others. The manufacturers developed this technology for law enforcement and national security purposes. However, the Office of the Australian Information Commissioner (OAIC) found that parties were collecting personal information unfairly, and those who had their data collected had no reasonable notice of collection.
Using Facial Recognition Technology Safely
Understand the Possible Scope of Personal Information
Privacy law can have a broad scope. Moreover, it can be challenging to ascertain what is protected personal information and what is not. In the past, it was assumed that information was only protected when you could ascertain someone’s identity by looking at it in isolation. For example, this might include someone’s name or contact details. When you look at them alone, you can identify someone.
However, the cases above illustrate that even an image of someone’s face can be enough to identify them. In a data set, an individual is uniquely distinguishable from others. Their face looks different to all the other faces. Therefore, you can identify them, meaning the image can be considered personal information.
Undertake a Privacy Impact Assessment
Where you are undertaking high privacy impact activities, conduct a privacy impact assessment (PIA). A high-impact privacy activity is any activity that may have privacy implications. Accordingly, the use of facial recognition technology will fall into this category.
In the 7-Eleven case, a PIA might have identified the software’s privacy risks. Accordingly, it would have included solutions to mitigate the risks and proposed alternatives for the customer satisfaction survey. The PIA would have also considered whether the project’s benefits are necessary, reasonable and proportionate to the privacy risks for individuals.
In any event, undertaking a PIA in high-risk privacy activities can be essential. Where you have a process for triggering a PIA, you further protect your business from mishandling personal information.
Only Collect Necessary Information
Compliance with the APPs involves collecting personal information only where that information is reasonably necessary for the functions of your business. Furthermore, it is essential to consider how you will notify people of the collection. For example, 7-Eleven had signs at the entry to the shops. However, only some of these signs had text on them, and the signs did not explain that they would use facial recognition on the survey. The OAIC found these signs were insufficient and that it would have been easy (and more appropriate) to provide a notice at the space where the collection was going to occur and before it ever happened.

Key Takeaways
Privacy considerations in a world of new technology are constantly evolving. If your business plans to use facial recognition technology, it is essential to know where others have gone wrong and how to avoid it. For example, this may involve undertaking a Privacy Impact Assessment where necessary, only collecting essential information and notifying individuals of data collection.
If you need assistance with using facial recognition technology as part of your business, our experienced privacy lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 1300 544 755 or visit our membership page.
Frequently Asked Questions
The Australian Privacy Principles form part of the Privacy Act, which describes how your business may collect, use, disclose and store personal information. There are specific circumstances where you must comply with the APPs, but it is always best practice to comply regardless.
The OAIC is the Office of the Australian Information Commissioner. They are the independent national regulator for privacy and freedom of information. They can receive privacy complaints, help with data breaches and help you when you want to undertake a freedom of information review.