Bunnings customers were unwittingly subjected to facial recognition technology when shopping between late 2018 and late 2021, and Australia’s Privacy Commissioner has found this use was in violation of national privacy laws due to failure to obtain proper consent.
Bunnings tested out facial recognition technology in 63 of its New South Wales locations between November 6, 2018 and November 30, 2021, in what it said was a bid to deter a rash of crime. The national privacy laws regard facial data as highly sensitive biometric information subject to special protections, which require both consent and that the collection be the least invasive way of achieving the specific stated purpose.
NSW Bunnings facial recognition systems draw rebuke, but no fine
Though the facial recognition system is thought to have processed the biometric data of hundreds of thousands of people during this period, Bunnings is not looking at any sort of fine. The Privacy Commissioner instead ordered the retail giant to never again deploy the system, to destroy all collected data within a year, and to publish a statement on its website explaining how it was using the technology and how customers can file a complaint.
The investigation had gone on for two years, commencing in 2022 after consumer rights advocacy group Choice published an exposé of the undisclosed use of facial recognition systems by Bunnings, Kmart and The Good Guys. Kmart is similarly being investigated by the Privacy Commissioner, but a decision has yet to be reached.
Bunnings is seeking a review of the Commissioner’s decision. The store defended its practices by saying that they were implemented in response to a wave of crime that sometimes involved violence and threats to its employees, and that “70%” of it was being caused by members of organized retail crime rings and repeat offending individuals that the facial recognition system was meant to detect as they entered locations. The system fell afoul of privacy laws in taking “face profiles” of anyone entering the store and checking them against a list of these previously identified individuals.
Bunnings says that in all cases, the people on this list had either previously been caught stealing or being violent in a store in some way. It further says that the data of all shoppers that did not match someone on the list was deleted nearly instantly, with an average time of 4.17 milliseconds. Bunnings managing director Mike Schneider has said that the technology was meant to enforce bans on individuals that had assaulted others in the store, pulled weapons, spit on employees or made violent threats and did not involve the collection or use of the data of other shoppers.
The Privacy Commissioner said that it took this use into consideration in its decision, but ultimately found the system fell afoul of privacy laws. In addition to failing to obtain required consent for use of biometric information, the office found that facial recognition was not completely necessary for the purpose and that alternative, less invasive measures might have been used to identify banned individuals.
Decision could set precedent under national privacy laws
Though the Bunnings decision does not seem to pack much of a punishment, the retailer is calling for a review. Its importance will likely be as a precedent for future regulatory actions under the privacy laws. Bunnings’ specific defense of its failure to collect consent was that it had signs up advising visitors that video surveillance was in place, a technique that other retailers have also used. The ruling may clarify that these signs are not an adequate replacement for express user consent to be profiled.
Bunnings might have faced fines ranging up to AUD 50 million had the Privacy Commissioner chosen to go that route. With a decision on this specific matter now in the books, future deployment of facial recognition systems in this way might bring an actual financial penalty. The privacy laws had already begun to solidify on this issue with a 2023 decision against Clearview AI, which established that even photographs qualify as protected biometric information of this category.
The decision also establishes that marketing considerations do not have to enter into the picture for a violation of the privacy laws to have taken place, nor does the data have to be shared or even stored for any particular length of time. Any act of capturing a profile of a shopper’s biometrics without their consent can now be expected to be penalized. This would extend to all types of public businesses such as sports arenas and concert venues, even pubs and nightclubs.
However, the story is not yet over, as Bunnings has said it will seek a review by the Administrative Review Tribunal. The retailer signalled that it will continue to argue that the facial recognition system is an appropriate means, and the most cost-effective one, of enforcing its store bans of known threats. The Privacy Commissioner’s office has told media outlets that it is nearly finished with its similar investigation of Kmart.