Bunnings Group has been rapped by Australia’s privacy watchdog for using facial recognition technology at 62 stores over three years.
The Office of the Australian Information Commissioner (OAIC) found the retailer had analysed the faces of “hundreds of thousands” of customers in NSW and Victoria between November 2018 and November 2021.
Customers’ facial images were compared against those of people Bunnings had enrolled in a database, who had been identified as posing a risk, for example due to past crime or violent behaviour, according to the OAIC.
Facial recognition and biometric information are both classed as sensitive information under the Privacy Act.
As such, the commissioner found that Bunnings breached customers’ privacy by capturing their sensitive information without consent.
Bunnings also failed “to take reasonable steps to notify individuals” about their personal information being collected, and to “implement practices, procedures and systems” to comply with Australia’s privacy laws.
Lastly, the retailer did not include its collection, holding and use of personal information in its existing privacy policies.
Bunnings has now been ordered to destroy all personal and sensitive information collected via the facial recognition technology system that it still holds after one year.
It was ordered to make a public statement in the next 30 days on the issue and refrain from using the technology again.
The OAIC opened the case in 2022 following a CHOICE investigation of the country’s 25 largest retailers, which included Kmart and The Good Guys.
“We can’t change our face,” the OAIC’s commissioner Carly Kind said. “The Privacy Act recognises this, classing our facial image and other biometric information as sensitive information, which has a high level of privacy protection, including that consent is generally required for it to be collected.”
“Facial recognition technology may have been an efficient and cost-effective option available to Bunnings at the time in its well-intentioned efforts to address unlawful activity, which included incidents of violence and aggression,” she added. “However, just because a technology may be helpful or convenient, does not mean its use is justifiable.”