Kmart and Bunnings will be called before the Information Commissioner to explain exactly how their use of facial recognition to monitor customers in their stores is in line with Australian privacy laws following last month’s revelations that retailers had quietly begun using the controversial surveillance technology.
On Tuesday, the Office of the Australian Information Commissioner (OAIC) announced it had begun formal investigations into “the personal information handling practices” of Kmart and Bunnings.
The investigation was triggered by a report from consumer advocacy group Choice which brought to light the covert introduction of facial recognition technology in Australian retail stores.
A trio of retailers – namely Bunnings, Kmart, and the Good Guys – were named in that report but the Good Guys has since said it has put its trial of mass biometric data collection on hold.
The OAIC said it has “commenced preliminary inquiries” with the Good Guys as well.
Prior to Tuesday’s announcement – the OAIC has a policy of not publicly commenting on ongoing investigations – Privacy Commissioner Angeline Falk said retail stores ought to “consider the impact on privacy, the community’s expectations, and the need to comply with privacy law” before collecting personal information about people.
“The Privacy Act generally requires retailers to only collect sensitive biometric information if it’s reasonably necessary for their functions or activities, and where they have clear consent,” she said in a statement from mid-June.
“While deterring theft and creating a safe environment are important goals, using high privacy impact technologies in stores carries significant privacy risks.
“Retailers need to be able to demonstrate that it is a proportionate response to collect the facial templates of all of their customers coming into their stores for this purpose.”
Biometric data, such as faceprints, are classified as ‘sensitive information’ under the Privacy Act and carry stricter requirements than other types of personal information.
Bunnings has stood by its use of facial recognition in certain stores.
The company’s COO, Simon McDowell told Choice the is used “to help identify persons of interest who have previously been involved in incidents of concern” at Bunnings stores.
“It's really important to us that we do everything we can to discourage poor behaviour in our stores,” he said.
“And we believe this technology is an important measure that helps us to maintain a safe and secure environment for our team and customers.”
McDowell said Bunnings informs customers about facial recognition being used in “through signage at [its] store entrances” and in the company’s online privacy policy.
Last October, the OAIC took convenience store chain 7-Eleven to task for wrongfully collecting faceprints of customers who filled out an in-store survey on a tablet.
In that instance, it found boilerplate in-store notices and references to an online privacy policy were insufficient to establish consent from customers who were giving away their sensitive information.
For all its ill-gotten biometric data, 7-Eleven received little more than a slap on the wrist in the form of an order to delete all faceprints and promise not to do it again.
