Australia’s privacy watchdog will likely investigate Bunnings, Kmart and The Good Guys after a consumer group uncovered the retailers’ use of facial recognition technology on customers.
It comes after years of delay to Australian privacy law reform, sparking calls for more urgency and a dedicated facial recognition law.
But the retail giants’ argument for using the privacy-invading technology is unlikely to satisfy even the current legal requirements for collecting sensitive biometrics and has “strong parallels” with a finding against 7-Eleven eight months ago, according to privacy experts.
Bunnings, Kmart and The Good Guys defended their use of facial recognition as a way of minimising theft and threatening behaviour in stores, claiming customers are made “aware” of it through signage and privacy policies.
On Wednesday consumer group Choice reported the three retailers are capturing biometric data of customers without properly informing them or receiving clear consent.
The practice is at odds with consumer expectations and a potential breach of privacy laws. Only one in four Australians are comfortable with the use of biometric information for the purpose of shopping in a retail store.
According to the Choice investigation, this is now a practice in Bunnings, Kmart and The Good Guys stores, where it is a condition of entry and disclosed only in online privacy policies and “small, inconspicuous” signs at storefronts.
The companies use the facial recognition technology to capture and store customers’ unique biometric information such as facial features, known as a “faceprint”.
In October last year, Australian Information Commissioner and Privacy Commissioner Angelene Falk determined 7-Eleven stores had breached customers’ privacy by covertly collecting images of customers’ faces – also described as faceprints – when they filled out feedback forms on tablets in stores.
The regulator found the convenience store chain had a legitimate business function in improving customers’ experience and protecting its feedback systems from fraud, but the use of biometrics and the privacy impacts were not commensurate with it, nor had customers been properly informed or given appropriate consent.
The 7-Eleven case has “very clear parallels” with what is reported to have occurred in Bunnings, Kmart and The Good Guys, according to Salinger Privacy founder and principal, Anna Johnston.
It is disappointing retailers have not fully heeded the warning from the regulator’s determination, she told InnovationAus.com.
“The ramifications of that decision clearly have not rippled out through the broader economy or even across the retail sector. Because there’s very clear parallels and some very clear lessons to be learned from 7-Eleven case,” Ms Johnston said.
Under Australian law, to justify collecting personal information retailers need to demonstrate it is for a legitimate business function and is proportionate to the privacy impact it creates. Retailers also need to inform customers about the collection and obtain consent, Ms Johnston said.
In the case of facial recognition, the data being collected is biometric and considered sensitive under the law. It means the privacy impact is much greater and the consent requirements higher.
“That means every single customer needs to proactively agree to the collection of biometrics. It must be proactive, not passive,” Ms Johnston said.
“So seeing a notice and then entering a store does not meet the requirements for consent. [Consent] also must be voluntary. It cannot be a condition of entering the store.”
The 7-Eleven case, and others before it, have clarified that “vague notices” and terms in privacy policies do not constitute this consent, Ms Johnston said.
Bunnings told Choice it used facial recognition to “identify persons of interest” to prevent theft and anti-social behaviour.
A spokesperson for The Good Guys told InnovationAus.com it is “trialing” the technology in two stores for a similar reason.
“This technology is used solely for the purposes of loss prevention and the safety of our store team members and customers,” the company spokesperson told InnovationAus.com.
Choice on Wednesday afternoon indicated it will be filing a complaint to the Office of the Australian Information Commissioner (OAIC) for a potential privacy breach.
The OAIC is required to consider the complaint, and a spokesperson for the regulator confirmed it would.
“We will consider the information from Choice in line with our regulatory action policy,” an OAIC spokesperson told InnovationAus.com.
If an investigation follows, the retailers will have a hard time persuading the regulator their use of the technology is proportionate to the business function and privacy impacts, and that it has collected appropriate consent, according to Ms Johnston.
“That’s the argument these retailers will have to have with the Information Commissioner’s office if they investigate,” she said.
“I personally think it’s going to be very difficult for them to sustain that argument.”
Former Australian Human Rights Commissioner Ed Santow said the reported use of facial recognition by retailers showed how the technology is being used by companies with “inadequate protection for people’s privacy and other human rights”.
“Australia needs a dedicated law dealing with facial recognition,” Mr Santow, now a UTS Industry Professor for Responsible Technology, told InnovationAus.com.
“Our law should encourage positive innovation, while protecting against harmful use of new technologies.
“A dedicated Australian law on facial recognition should set ‘red lines’ to prohibit harmful activity; it should set stronger human rights protections for higher-risk uses of facial recognition; and it should enable facial recognition that has a clear public benefit.”
The Attorney General’s Department is currently conducting a review of Australia’s Privacy Act, which advocates hope will address some of these issues. But the review has been underway for more than two years and was running late before the change of government.
Separate changes to hand new enforcement powers to the regulator and increase penalties for data breaches and misuse of personal information were also promised by the Coalition more than three years ago in the wake of the Cambridge Analytica scandal. However, the bill was never introduced.
The reforms are desperately needed to add the tougher penalties as deterrents, update Australia’s privacy laws and drive greater awareness of organisations’ responsibilities when collecting personal information, Ms Johnston said.
“Until we get a reform of the Privacy Act that puts it more front and centre in [organisations’] mind, I think we’ll continue to see practices around collecting people’s personal information,” Ms Johnston said.
“Including really sensitive categories like biometrics [being collected] in a fairly, unfortunately, really loose way that doesn’t involve critical thinking about what’s appropriate, let alone what’s lawful as well.”