In Short:
Facial recognition technology can be used in retail stores to help prevent crime, but there are strict legal requirements. Under Australian privacy law, businesses must either obtain consent or meet specific exceptions to collect biometric data. Recent legal cases, like Bunnings, show the importance of transparency, consent, and privacy safeguards when using this technology.
Tips for Businesses:
Before using facial recognition technology, assess whether other security alternatives are available. Ensure you have a clear and updated privacy policy that informs customers about the data you collect and why. You must also display prominent notices in-store and ensure the technology is used securely, deleting data when not needed.
Summary
This article explains the legal requirements for using facial recognition technology in retail stores in Australia. LegalVision’s business lawyers specialise in advising clients on privacy law compliance and provide this guide to help businesses understand their obligations when considering the use of this technology.
As a retail business owner, you may be considering using facial recognition technology to address security concerns in your stores. You should consider the legal requirements under Australian privacy law before implementing this technology. For example, a recent decision regarding Bunnings’ use of facial recognition technology provides guidance on the use of the technology.
This article explains what facial recognition technology is, why it became controversial and what the Bunnings case means for your business.
What is Facial Recognition Technology?
Facial recognition technology captures biometric information to match faces to a database. Australian privacy law treats this as sensitive information and therefore gives it a higher degree of protection than other types of personal information.
Why Are Businesses Using Facial Recognition Technology?
As a retail business owner, you must be aware of the increase in retail crime. For this reason, facial recognition technology is useful for detecting these crimes. It is effective in addressing crime because it identifies known offenders in real time.
Why is Facial Recognition Technology Controversial?
Facial recognition technology captures biometric information to match faces to a database. As this is considered sensitive information, it receives a higher degree of protection than other types of personal information.
When your business uses facial recognition, it captures the sensitive biometric information of every person entering the store. This causes controversy as the technology captures the facial features of ordinary customers without their knowledge or consent.
You need to take reasonable steps to notify individuals when collecting personal information. This includes the reason for collection and the types of personal information collected. Among other things, your privacy policy must be transparent about how and why you collect the different types of personal information.
If you use facial recognition technology in your business, you must comply with Australian privacy law. This means you must obtain consent or have a lawful reason to collect biometric information. You must also notify individuals that you are collecting their sensitive information or explain your practices clearly in your privacy policy. Because many businesses fail to meet these obligations, the use of facial recognition technology remains controversial.
Bunnings Case
Between 2018 and 2021, Bunnings used facial recognition technology in 62 of its stores to identify repeat offenders who had previously engaged in theft, violence or threatening behaviour. They did not seek or obtain consent to collect biometric information. Bunnings also did not initially disclose that they were using facial recognition technology.
However, the tribunal recently overturned this decision and concluded that Bunnings could capture biometric information without consent because an exception applied. Bunnings had reason to suspect unlawful activity, and the implementation of facial recognition technology was appropriate given:
- the serious nature of the retail crime problem;
- the effectiveness of facial recognition technology in reducing theft (approximately 13% reduction); and
- the fact that staff felt considerably safer.
It was also relevant that the facial recognition technology system deleted biometric information if it did not find a match, which reduced the privacy intrusion.
Failure to Comply With the Privacy Act
However, Bunnings also failed to comply with other requirements of the Privacy Act. In particular, the company failed to properly notify individuals about its use of facial recognition technology. For example:
- its original privacy collection notice only referred to video surveillance, not facial recognition technology;
- customers were not informed that their sensitive biometric information was being collected;
- a later notice referring to facial recognition technology did not clearly explain the purpose of the collection; and
- Bunnings did not disclose its use of facial recognition technology or biometric information in its privacy policy.
The tribunal also found that Bunnings failed to implement adequate privacy governance. For example, the company:
- did not conduct a privacy impact assessment before implementing the system; and
- operated the technology for nearly two years without minimum internal standards governing its use.
What This Means For Your Business
You will only be permitted to use facial recognition technology under certain conditions. Before implementing facial recognition technology, you should:
- consider whether other alternatives are available and conduct a privacy impact assessment;
- obtain legal advice about whether you can collect sensitive information without consent;
- ensure that you have an up-to-date privacy policy that is transparent about your use of the technology and collection of biometric information; and
- prominently display collection notices that explain that you are collecting sensitive biometric information and the reason for this.
You should only use facial recognition technology systems that delete customers’ sensitive information if they do not find a match. You should also ensure that the facial recognition technology has robust security measures to protect against cyber threats and unauthorised access.
Key Takeaways
The Bunnings decision shows that facial recognition technology can be used to reduce retail crime while still respecting individuals’ privacy rights. As a business, you must ensure the technology is necessary and implement it with appropriate safeguards and privacy measures. You must also keep in mind that this is an emerging area and that the technology can only be used in limited circumstances. While Bunnings was able to use facial recognition technology, it still had to spend time and money challenging the original decision and failed to comply with other privacy obligations.
If you plan to use facial recognition technology in your retail business, you should first understand your obligations under the Privacy Act. LegalVision provides ongoing legal support for businesses through our fixed-fee legal membership. Our experienced retail lawyers help businesses manage contracts, employment law, disputes, intellectual property, and more, with unlimited access to specialist lawyers for a fixed monthly fee. To learn more about LegalVision’s legal membership, call 1300 544 755 or visit our membership page.
Frequently Asked Questions
You may be able to use facial recognition without obtaining individual consent if an exception exists under the Privacy Act. If you are a retail business, the exception applies where you have reason to suspect unlawful activity in your stores and reasonably believe that using facial recognition technology is necessary to address it. However, as this is an exception to the rule, you should obtain legal advice before collecting sensitive information without consent.
While both CCTV and facial recognition technology capture images of individuals, facial recognition technology goes further by analysing facial features to create biometric templates and comparing these against a database to identify specific individuals. These biometric templates are sensitive information under the Privacy Act, which receives a higher level of privacy protection than ordinary personal information collected by standard CCTV. As a result, using facial recognition technology will significantly increase your compliance measures.