
Three Legal Considerations for Using Facial Recognition Technology

Businesses are increasingly using facial recognition technology. You should not fear incorporating facial recognition technology as part of your business. However, ensure you comply with privacy laws when doing so. This article will help you understand other businesses’ mistakes and the three key considerations you should keep in mind to avoid making the same mistakes. 

What is Facial Recognition Technology?

Facial recognition software maps, analyses, and confirms the identity of a face in a photograph or video. It can detect faces, analyse their features and create data identifying a person. You can then use this data to find a match with other known faces. 

It is a powerful tool that government bodies and businesses use for its surveillance capabilities. In the business context, some have used facial recognition technology for several purposes, such as: 

  • customer feedback; 
  • searching the web;
  • security; 
  • streamlining log-ins; and 
  • reducing in-store retail crime. 

What Went Wrong? 

Facial recognition is an incredible technology, but it carries considerable privacy considerations.

The Privacy Act defines personal information as:

“Information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information or opinion is true or not; and whether the information or opinion is recorded in a material form or not.”

Commonly, a rule of thumb in privacy law is that if no individual is reasonably identifiable, privacy laws do not apply. Thus, you can publicly disclose, sell, match with other data or use the information for a purpose unrelated to the original purpose for which you collected it. However, you must be careful as it can be unclear whether or not an individual is reasonably identifiable.

The issue of identifiability proved problematic for 7-Eleven. 7-Eleven used facial recognition technology to collect customer feedback through tablet surveys that took facial images to understand customer demographics. When they claimed this was not personal information, the court found that since the technology collected biometric data, it was possible to distinguish between individuals. Accordingly, this meant the face prints were reasonably identifiable. 

Another business, Clearview AI, had a similar issue. It allowed customers to compare mathematical representations of their faces to others. The manufacturers developed this technology for law enforcement and national security purposes. However, the Office of the Australian Information Commissioner (OAIC) found that parties were collecting personal information unfairly, and those who had their data collected had no reasonable notice of collection. 


Using Facial Recognition Technology Safely

Understand the Possible Scope of Personal Information 

Privacy law can have a broad scope. Moreover, it can be challenging to ascertain what is protected personal information and what is not. In the past, it was assumed that information was only protected when you could ascertain someone’s identity by looking at it in isolation. For example, this might include someone’s name or contact details. When you look at them alone, you can identify someone. 

However, the cases above illustrate that even an image of someone’s face can be enough to identify them. In a data set, an individual is uniquely distinguishable from others. Their face looks different to all the other faces. Therefore, you can identify them, meaning the image can be considered personal information.

It is always best to err on the side of caution and seek legal advice regarding the nature of the data you collect from facial recognition technology. However, there are steps you can take to inform people who may be impacted by your use of the technology and allow them to make informed decisions about their privacy, including a privacy impact assessment.

Undertake a Privacy Impact Assessment

Where you are undertaking high privacy impact activities, conduct a privacy impact assessment (PIA). A high-impact privacy activity is any activity that may have privacy implications. Accordingly, the use of facial recognition technology will fall into this category. 

Although a PIA is not expressly required (except for government agencies), the Australian Privacy Principles (APPs) require you to put in place policies and practices to ensure compliance. Consequently, PIAs should be part of companies’ privacy practices and business decisions, particularly when facial recognition comes into play.

In the 7-Eleven case, a PIA might have identified the software’s privacy risks. Accordingly, it would have included solutions to mitigate the risks and proposed alternatives for the customer satisfaction survey. The PIA would have also considered whether the project’s benefits are necessary, reasonable and proportionate to the privacy risks for individuals.

In any event, undertaking a PIA in high-risk privacy activities can be essential. Where you have a process for triggering a PIA, you further protect your business from mishandling personal information.

Only Collect Necessary Information

Compliance with the APPs involves collecting personal information only where that information is reasonably necessary for the functions of your business. Furthermore, it is essential to consider how you will notify people of the collection. For example, 7-Eleven had signs at the entry to the shops. However, only some of these signs had text on them, and the signs did not explain that they would use facial recognition on the survey. The OAIC found these signs were insufficient and that it would have been easy (and more appropriate) to provide a notice at the space where the collection was going to occur and before it ever happened. 


Key Takeaways

Privacy considerations in a world of new technology are constantly evolving. If your business plans to use facial recognition technology, it is essential to know where others have gone wrong and how to avoid it. For example, this may involve undertaking a Privacy Impact Assessment where necessary, only collecting essential information and notifying individuals of data collection.

If you need assistance with using facial recognition technology as part of your business, our experienced privacy lawyers can assist as part of our LegalVision membership.  For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 1300 544 755 or visit our membership page.

Frequently Asked Questions

What are the Australian Privacy Principles?

The Australian Privacy Principles form part of the Privacy Act, which describes how your business may collect, use, disclose and store personal information. There are specific circumstances where you must comply with the APPs, but it is always best practice to comply regardless.

Who is the OAIC?

The OAIC is the Office of the Australian Information Commissioner. They are the independent national regulator for privacy and freedom of information. They can receive privacy complaints, help with data breaches and help you when you want to undertake a freedom of information review. 

Stephanie Long

Senior Lawyer

Stephanie is a Senior Lawyer in LegalVision’s Corporate and Commercial team. She specialises in commercial contracts and business structuring to assist clients in achieving their ambitions with their startups and SMEs.

Qualifications: Bachelor of Laws, Bachelor of Social Sciences, Macquarie University.
