As a business, you may consider installing video surveillance on your premises to discourage theft or ensure the safety of your customers and personnel. However, your business may suffer significant legal implications if you do not adhere to legal requirements around filming or recording customers that enter your store. This article explains the legal requirements around the use of optical surveillance devices. Additionally, it considers the potential consequences of breaching customers’ privacy, as demonstrated by the 7-Eleven case.
Is it Legal to Record Customers Who Enter My Business?
There are certain situations where it is not illegal to collect the personal information of individuals. This includes collecting their images or identity information. Installing optical surveillance devices, such as CCTV, which collect videos or images of customers that enter your business is legal. However, if you elect to record customers through these devices, you must comply with certain laws.
Restrictions
The Privacy Act 1998 (‘Privacy Act’) applies to personal information and governs how businesses can handle their customers’ personal information. The Act will apply to a business if the business:
- has an annual turnover of over $3 million;
- provides a health service, or holds health information;
- is a contractor for the Commonwealth government; or
- trades in personal information (e.g. sells personal information to other parties).
Such businesses will be ‘APP entities’ that must comply with the provisions of the Privacy Act.
If your business is covered under the law, you must handle any personal information that you collect through your surveillance devices in accordance with the Australian Privacy Principles under the Act, which require you to:
- inform customers that you may capture their images before recording takes place. For example, you may post clear signage at the entrance of and throughout your premises, and install cameras in clearly visible locations on your premises to ensure adequate notification to customers that they may be under surveillance;
- ensure that any personal information recorded is stored securely, and either destroyed or de-identified when you no longer require the information. For example, you may delete CCTV footage of customers every month; and
- only use or disclose the information recorded for the primary collection purpose, for example, to seek action against a person who committed theft on your premises (or for a secondary purpose if an exemption applies).
Additional Considerations
Additionally, you should consider what obligations you may have to your employees. Each state and territory has different laws and regulations around the surveillance of employees. Generally, businesses should only monitor employees when they are ‘at work’. This means when they are at their workplace or elsewhere whilst performing work for the employer.
In addition to installing surveillance devices in visible places, a business needs to have appropriate policies around surveillance. Additionally, it must adequately communicate and explain these policies to employees. In certain states, such as NSW, you may also need to give your employees a certain period of notice regarding the implementation of the surveillance.

7-Eleven Case
In 2021, the Office of the Australian Information Commissioner (‘OAIC’) began investigations into the convenience store group 7-Eleven for collecting facial images of customers who entered their store and completed surveys relating to their in-store experience. Between June 2020 and August 2021, over 1.6 million surveys were completed on tablets with built-in cameras in store to understand and improve customers’ store experience.
In addition to taking pictures of their customers’ faces, 7-Eleven used the images to create algorithmic representations or ‘faceprints’. They held the faceprints for seven days and compared them to other faceprints. This allowed 7-Eleven to eliminate non-genuine survey responses from their results. Additionally, it gave them a broad understanding of the surveyed customers’ demographic profiles. To notify their customers that their images may be subject to facial recognition technology, 7-Eleven stores placed a notice at the store’s entrance and a message on their website.
In October 2021, the OAIC found the business had interfered with the privacy of its customers. In taking the customers’ faceprints, 7-Eleven had collected sensitive biometric information. This was not necessary for the purpose stated and ‘not proportional to the impact on privacy’.
Additionally, 7-Eleven did not provide sufficient notice or acquire adequate customer consent. Therefore, they were acting in breach of their obligations under the law.

Key Takeaways
Before you install devices to record customers and their activity in your store, you must understand the legal restrictions and implications of installing such devices on your premises. If you wish to record customers in store, you should seek advice before installing optical surveillance devices to ensure that you comply with your legal obligations. These include providing sufficient notice to your customers and other individuals who may be affected.
If you require assistance with understanding your privacy obligations, our experienced contract lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 1300 544 755 or visit our membership page.
Frequently Asked Questions
Yes, but there are legal restrictions that you must comply with. Such legislation differs depending on your state or territory. If you choose to install optical surveillance on your premises, generally, you should ensure that you provide adequate notice to your customers that their image may be recorded, that any personal information recorded is securely stored and that any information is recorded, used and disclosed only as necessary.
The Privacy Act 1998 (‘Privacy Act’) governs how businesses can handle their customers’ personal information. Additionally, you may be subject to State laws.