Retailers must ensure compliance with privacy laws

16 June 2022

The OAIC will consider information from consumer advocacy group CHOICE about retailers’ use of facial recognition technology in line with its regulatory action policy.

“It is important that all retail stores, when they are deciding whether to use technology to collect personal information, consider the impact on privacy, the community’s expectations and the need to comply with privacy law,” Australian Information Commissioner and Privacy Commissioner Angelene Falk said.

“The Privacy Act generally requires retailers to only collect sensitive biometric information if it’s reasonably necessary for their functions or activities, and where they have clear consent.

“While deterring theft and creating a safe environment are important goals, using high privacy impact technologies in stores carries significant privacy risks. Retailers need to be able to demonstrate that it is a proportionate response to collect the facial templates of all of their customers coming into their stores for this purpose.”

According to the OAIC-commissioned 2020 Australian Community Attitudes to Privacy Survey, the majority of Australians are uncomfortable with the collection of their biometric information to shop in a retail store (52% uncomfortable, 25% comfortable).

“In line with community attitudes, retailers should consider whether they can achieve their goals in a less privacy intrusive way,” Commissioner Falk said.

Retailers should carefully consider the OAIC’s determination in October 2021, where the OAIC found that retailer 7-Eleven interfered with customers’ privacy by collecting sensitive biometric information that was not reasonably necessary for its functions and without adequate notice or consent.

Commissioner Falk found that the large-scale collection of sensitive biometric information through 7-Eleven’s customer feedback mechanism was not reasonably necessary for the purpose of understanding and improving customers’ in-store experience.

In its submission to the Attorney-General's Department's Discussion Paper as part of the review of the Privacy Act 1988, the OAIC proposed that the Privacy Act be amended to prohibit commercial uses of one-to-many facial recognition technology, with limited public interest exceptions. The OAIC also recommended introducing a requirement that all personal information handling is fair and reasonable.