Bunnings: facial recognition technology is secure

by | Jun 20, 2022

Bunnings has justified the use of its facial recognition technology on retail customers within selected stores after consumer advocacy group, CHOICE, released a report that Bunnings, along with Kmart and The Good Guys had captured consumer’s biometric data.

Choice reports facial recognition is being used by Bunnings Hardware, The Good Guys, Kmart on retail customers

In a statement to the Australian Hardware Journal, Bunnings Chief Operating Officer, Simon McDowell said that Bunnings was disappointed by CHOICE’s inaccurate characterisation of its use of facial recognition technology in selected stores. 

“This technology is used solely to keep team and customers safe and prevent unlawful activity which is consistent with the Privacy Act. There are strict controls around the use of the technology which can only be accessed by a specially trained team. This technology is not used for marketing, consumer behaviour tracking, and images of children are never enrolled,” Mr McDowell said.

Bunnings also reiterated to AHJ that the technology was important in helping selected stores to responsibly prevent incidents of concern, such as the physical assault of team/customers and verbal abuse of team/customers. 

Facial recognition templates are only collected for specific individuals who were previously banned from a store, or otherwise involved in a suspected threatening situation for Bunnings’ team and customers, or involved in suspected criminal activity in our stores, the big box stated.

“In recent years we have seen an increase in the number of challenging interactions our team has had to handle in our stores and this technology is an important tool in helping us to prevent repeat abuse and threatening behaviour towards our team and customers. We let customers know if the technology is in use through signage at our store entrances and also in our privacy policy, which is available via the homepage of our website,” Mr McDowell said.

The use of the system is restricted to trained and authorised loss prevention specialists only, according to Bunnings and all CCTV footage is stored and managed securely and automatically destroyed after a period of time, which is normally around 30 days.

Bunnings stated that the images of individuals enrolled in the facial recognition system are internally monitored, reviewed, and reported on in accordance with Bunnings’ standards. Images are also regularly reviewed to determine if they should be removed, with Bunnings stating that any match detected by the technology is checked manually by a specially trained team member before any action is taken.

Speaking exclusively to the Australian Hardware Journal, CHOICE Senior Policy Advisor Amy Pereira said the Privacy Act is principals based and is also, “unfortunately open to interpretation”.

“We believe that within the Privacy Act, the use of facial recognition technology to prevent theft and anti-social behaviour – which is what Bunnings says it is using it for – is disproportionate to the harms posed. It is really up to the Information Commissioner who has oversight of the privacy regulation to make this decision.”

Ms Pereira said that using this technology is not only disproportionate to the harms posed but is unnerving for consumers when a business does not provide sufficient notice and consent.

“The fact that this is news is a key measure that people did not know about it. Businesses do have to give sufficient notice and obtain sufficient consent within the Privacy Act. The fact that no one knew about this indicates that Bunnings has not fulfilled its obligations under the Privacy Act. If people knew about it, it would not be news,” she said.

“The Privacy Act states that you have to provide sufficient notice and this is usually contained in the Privacy Policy – which is what all of the retailers that use this technology have done. But it is a lot to expect a customer to go in-store, then go on-line and read a Privacy Policy. In terms of the signage at the store’s entry points, there is a brief mention of the use of the technology but I doubt the signs are big enough for consumers to read while walking into the store.”

“Facial recognition technology collects sensitive information. Under the Privacy Act sensitive information is more protected and has a special classification which means organisations that collect this type of information need to take more actions to gain consent. Yes, Bunnings did provide notice but they have not sourced the consumer’s actual consent. This is why this story has hit the mainstream because if people had given consent – then they would already know about this,” Ms Pereira said.

Just last year 7-Eleven was found to be in breach of the Act, by the Information Commissioner, after it used facial recognition technology in-store. While the well-known convenience chain did display signs at store entry points, the chain collected face prints instore without the majority of consumer’s knowing. 7-Eleven has since ceased using the technology, Ms Pereira said.

“While Bunnings has taken reasonable steps to inform the consumer, face prints are as sensitive and unique to individuals as a fingerprint or DNA. Not only is the sensitivity and risk of using this data a lot higher to the consumer it is a lot of information to gather on a consumer who simply wants to purchase gardening supplies,” she said.

CHOICE believes there is technology that can be used that is much less invasive and can achieve the same objective.

“While facial recognition technology is used widely in the US for commercial settings, it can be prone to inaccuracy which is when the harm arises. We have seen what has happened in the US when businesses roll out certain technologies without sufficient oversight, testing and safety. People need to know about this so they know they can trust businesses and be reassured the data is used appropriately,” she said.

When asked if customers can verify if the information is being used correctly, Ms Pereira said it is up to the consumer to trust that the businesses is using the data correctly.

“What was interesting throughout the investigation was the Good Guys’ Privacy Policy constantly changed. While they said the data was being used for anti-theft and anti-social behaviour, they also said it was being used to improve the customer experience and this could mean anything. Bunnings was the only company to respond to our research where as the Good Guys and Kmart did not bother to respond. There are also cyber security risks with this type of technology so a line needs to be drawn somewhere in using facial recognition,” she said.

For now, the outcome of the investigation by CHOICE is in the hands of the Information Commissioner who has since released a statement saying that any business interested in using the technology should seek advice and consider the risks to the business and consumers.

“I assume these retailers will be meeting with the Information Commissioner’s office to seek clarity on where the law sits on this. In terms of this investigation, we were not intending to target any retailer, we just wanted to inform consumers that this was in the Privacy Policy of these retailers. And the fact that consumers did not know about this speaks volumes. The investigation and regulatory action of the Information Commissioner’s office will be undertaken over the next year so all evidence may be considered,” Ms Pereira said.