Retail giant Bunnings has breached privacy laws by using facial recognition technology on its customers, according to a landmark finding by the Privacy Commissioner.
Today’s decision is the result of a two-year investigation by the regulator.
“Individuals who entered the relevant Bunnings stores at the time would not have been aware that facial recognition technology was in use and especially that their sensitive information was being collected, even if briefly,” Australian Privacy Commissioner Carly Kind said.
The case is expected to have major implications for how Australian businesses use the technology in future.
“Facial recognition technology, and the surveillance it enables, has emerged as one of the most ethically challenging new technologies,” Commissioner Kind said.
The Privacy Commissioner found Bunnings interfered with the privacy of hundreds of thousands of customers across 62 of its New South Wales and Victorian stores, between November 6, 2018 and November 30, 2021.
The regulator said Bunnings did not gain proper consent to use the technology on them.
The company has been ordered not to repeat the practice in the future and destroy the personal and sensitive information that was collected within a year.
Bunnings will have to publish a statement on its website within 30 days explaining what it did wrong, how it was using the technology, and provide advice to customers on how to make a complaint.
“This decision should serve as a reminder to all organisations to proactively consider how the use of technology might impact privacy,” Commissioner Kind said.
How Bunnings was using facial recognition
Facial recognition technology captures and stores people’s unique “faceprints”, which are considered highly sensitive biometric data under Australian privacy law.
The national regulator for privacy, the Office of the Australian Information Commissioner, said Bunnings was using a system that scanned the faces of customers in store and cross-checked them against a list of “enrolled individuals” who it knew or suspected had been a security risk in the past, either by behaving violently or stealing.
In cases where the system found a match, an alert was generated.
Bunnings told investigators that when there wasn’t a match, the customer’s facial data was collected but then automatically deleted within an average of 4.17 milliseconds.
LoadingLoading…
