Retail giant Bunnings has breached privacy laws by using facial recognition technology on its customers, according to a landmark finding by the Privacy Commissioner.
The decision on Tuesday is the result of a two-year investigation by the regulator.
"Individuals who entered the relevant Bunnings stores at the time would not have been aware that facial recognition technology was in use and especially that their sensitive information was being collected, even if briefly," Australian Privacy Commissioner Carly Kind said.
The case is expected to have major implications for how Australian businesses use the technology in future.
"Facial recognition technology, and the surveillance it enables, has emerged as one of the most ethically challenging new technologies," Commissioner Kind said.
Tech used to protect stores from 'violent and organised crime', Bunnings says
The Privacy Commissioner found Bunnings interfered with the privacy of hundreds of thousands of customers across 63 of its New South Wales and Victorian stores, between November 6, 2018 and November 30, 2021.
The regulator said Bunnings did not gain proper consent to use the technology on them.
Bunnings is seeking a review of the Commissioner's decision, saying it was "deeply disappointed" with the determination.
Managing director Mike Schneider said the company's use of facial recognition technology was "never about convenience or saving money but was all about safeguarding our business and protecting our team, customers, and suppliers".
He said 70 per cent of incidents in Bunnings stores were caused by the same group of people, and that facial recognition proved the fastest and most accurate way of identifying and quickly removing these individuals.
Mr Schneider said stores were seeing "increasing exposure to violent and organised crime" and if just one person could be protected from trauma the use of facial recognition would be "justifiable".
The retailer maintains customer privacy was not at risk.
"The electronic data was never used for marketing purposes or to track customer behaviour," Mr Schneider said.
The company has been ordered not to repeat the practice in the future and destroy the personal and sensitive information that was collected within a year.
Bunnings will have to publish a statement on its website within 30 days explaining what it did wrong, how it was using the technology, and provide advice to customers on how to make a complaint.
"This decision should serve as a reminder to all organisations to proactively consider how the use of technology might impact privacy," Commissioner Kind said.
How Bunnings was using facial recognition
Facial recognition technology captures and stores people's unique "faceprints", which are considered highly sensitive biometric data under Australian privacy law.
The national regulator for privacy, the Office of the Australian Information Commissioner (OAIC), said Bunnings was using a system that scanned the faces of customers in store and cross-checked them against a list of "enrolled individuals" who it knew or suspected had been a security risk in the past, either by behaving violently or stealing.
In cases where the system found a match, an alert was generated.
Bunnings told investigators that when there wasn't a match, the customer's facial data was collected but then automatically deleted within an average of 4.17 milliseconds.
Bunnings used the technology in more than 60 stores between 2018 and 2021. (ABC News: Billy Cooper)
The unique nature of facial data means it is considered highly sensitive under Australian privacy law, and special consent is therefore required.
"We can't change our face," Commissioner Kind said.
"Any possible benefits [of facial recognition technology] need to be weighed against the impact on privacy rights."
Carly Kind says the decision doesn't constitute an outright ban on facial recognition but customer consent is key. (ABC News: Billy Cooper)
The practice first came to the attention of the OAIC when consumer advocacy group Choice revealed in 2022 that Bunnings, Kmart and The Good Guys were using facial recognition technology in stores.
All three stores halted the practice in the wake of Choice's report.
Kmart is also being investigated by the regulator for in-store use of facial recognition technology, but a finding is yet to be made.
The regulator ultimately didn't proceed with an investigation into The Good Guys.
Good security or overkill? Why businesses use facial recognition tech
When Bunnings' use of facial recognition technology was first exposed Mr Schneider said Choice had "mis-characterised" the issue.
"When we have customers berate our team, pull weapons, spit, or throw punches, we ban them from our stores — but a ban isn't effective if it's hard to enforce," he said at the time.
"Facial recognition gives us a chance to identify when a banned person enters a store so we can support our team to handle the situation before it escalates."
Bunnings managing director Mike Schneider said the stores that used the technology saw a reduction in theft. (Supplied: Bunnings)
The Privacy Commissioner gave consideration to the security benefits, but ultimately decided it didn't justify the invasion of privacy.
"Just because a technology may be helpful or convenient, does not mean its use is justifiable," Commissioner Kind said.
"In this instance, deploying facial recognition technology was the most intrusive option, disproportionately interfering with the privacy of everyone who entered its stores, not just high-risk individuals."
Consumer data advocate Kate Bower said based on the investigation she was confident Bunnings was not using customer biometrics with ill intent, but the surveillance needed to be reasonable.
"Nobody wants to see anti-social behaviour or crime happen in stores … but essentially what Bunnings is doing is putting us all in a police line-up ... they are comparing you to people who they've identified as criminals," she said.
Kate Bower said the decision served as a warning to other businesses. (ABC News: Patrick Stone)
She said she was disappointed Bunnings wasn't hit with a financial penalty by the OAIC but hoped the decision was a warning shot for Australian businesses using or planning to use this technology.
"I would encourage any business that is thinking about using [facial recognition] to think about much less intrusive ways of potentially meeting the same aims," she said.
"That includes other types of venues, like nightclubs, gaming venues, stadiums. They'll all be looking to this as the kind of landmark ruling on what's allowable under the law."
Commissioner Kind said she didn't think Bunnings deserved to be financially penalised as they had good intentions when they rolled out the technology and were cooperative with the investigation.
Loading...