Bunnings Warehouse
Image: Ryan Smith via Flickr / CC BY-NC-SA 2.0

Landmark ruling by Australian regulator sets guardrails for commercial use of facial recognition tech

Australia’s data privacy regulator announced Tuesday that a large chain of home improvement stores violated citizens’ privacy by collecting their personal information through deployment of in-store facial recognition technology without notification or consent.

The company’s program used a closed circuit system of cameras to capture the faces of all customers who shopped in its 63 stores between 2018 and 2021, according to a press release from the Office of the Australian Information Commissioner (OAIC). 

The commission said it believes hundreds of thousands of individuals who entered Bunnings Group Limited stores were likely impacted.

The regulator has ordered Bunnings to stop the program and delete the personal information collected. 

Bunnings said it wants the landmark ruling — which followed a two-year OAIC probe — to be reviewed, according to local Australian news reports. The agency said organizations nationwide should be conscious of whether their use of emerging technology “aligns with community expectations and regulatory requirements.”

The ruling requires the retail chain to disclose its mishandling of facial recognition technology and explain its mistakes on its website within 30 days, local news reports said. It also must tell customers how to submit a complaint.

The OAIC focused not only on what the press release called the “proportionality and necessity” of the system, but also on the fact that Bunnings did not notify customers of the practice and did not disclose the program in its privacy policy.

Bunnings’ system was deployed after a string of violent incidents in its stores, but privacy commissioner Carly Kind said the company’s motives were an insufficient justification for deploying facial recognition technology on a mass scale without subjects’ consent.

“Just because a technology may be helpful or convenient, does not mean its use is justifiable,” Kind said in a statement. “In this instance, deploying facial recognition technology was the most intrusive option, disproportionately interfering with the privacy of everyone who entered its stores, not just high-risk individuals.” 

Kind cited the country’s Privacy Act which she said requires a high level of privacy protection as well as consent for the collection of facial and other biometric information.

“We can’t change our face,” her statement said. 

The OAIC has released a new privacy guide for industry to consult when weighing whether to use facial recognition in commercial venues.

Bunnings responds

The retailer says the technology was deployed to protect staff and customers from "increasing exposure to violent and organized crime,” according to local news reports.

Australia’s ABC News reported that Bunnings said it was "deeply disappointed" by the decision.

Managing director Mike Schneider told the news outlet that Bunnings’ deployment of facial recognition technology was "never about convenience or saving money but was all about safeguarding our business and protecting our team, customers, and suppliers."

Schneider told ABC News that the same people cause 70% of violent, illegal and disruptive incidents in Bunnings stores. He called facial recognition technology the most efficient and accurate way to find and kick out violent criminals and shoplifters.

"The electronic data was never used for marketing purposes or to track customer behavior," Mr Schneider told ABC News.

The OAIC said Bunnings compared the face prints it gathered against people it placed in a database of high risk individuals and received alerts from its system when matches were found.

Bunnings told investigators that when no match was made they erased the face prints in less than a second, according to ABC News. Neither the government nor news reports have specified the type of facial recognition technology Bunnings was using.

American retailers under fire

Facial recognition technology deployments also have been controversial at American retailers.

In December, the Federal Trade Commission ordered Rite Aid to stop using an often inaccurate facial recognition system harnessing AI to profile customers and remove them from stores, often in a harassing manner.

Meanwhile, Rep. Rashida Tlaib (D-MI) on Monday published a letter she and seven other members of Congress sent to the grocery chain Kroger asking how it is protecting the private data of customers whose face prints it is capturing at digital displays.

The letter, posted on X, said Kroger is “refusing to respond to Congress, but we won't stop until we get answers.”

Last month, Tlaib sent Kroger a letter demanding answers about how it planned to use the face prints it collects to potentially use surge pricing and target advertising to customers based on their appearance.

Do you know about any facial recognition technology programs that you consider to be newsworthy? Please be in touch if so. Message Suzanne Smalley on Signal, which is end-to-end encrypted, at Suzanne.236 or send an email to [email protected].

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
No previous article
No new articles
Suzanne Smalley

Suzanne Smalley

is a reporter covering privacy, disinformation and cybersecurity policy for The Record. She was previously a cybersecurity reporter at CyberScoop and Reuters. Earlier in her career Suzanne covered the Boston Police Department for the Boston Globe and two presidential campaign cycles for Newsweek. She lives in Washington with her husband and three children.