Bunnings has justified the use of its facial recognition technology on retail customers within selected stores after consumer advocacy group, CHOICE, released a report that Bunnings, along with Kmart and The Good Guys had captured consumer’s biometric data.
In a statement to the Australian Hardware Journal, Bunnings Chief Operating Officer, Simon McDowell said that Bunnings was disappointed by CHOICE’s inaccurate characterisation of its use of facial recognition technology in selected stores.
“This technology is used solely to keep team and customers safe and prevent unlawful activity which is consistent with the Privacy Act. There are strict controls around the use of the technology which can only be accessed by a specially trained team. This technology is not used for marketing, consumer behaviour tracking, and images of children are never enrolled,” Mr McDowell said.
Bunnings also reiterated to AHJ that the technology was important in helping selected stores to responsibly prevent incidents of concern, such as the physical assault of team/customers and verbal abuse of team/customers.
Facial recognition templates are only collected for specific individuals who were previously banned from a store, or otherwise involved in a suspected threatening situation for Bunnings’ team and customers, or involved in suspected criminal activity in our stores, the big box stated.
The use of the system is restricted to trained and authorised loss prevention specialists only, according to Bunnings and all CCTV footage is stored and managed securely and automatically destroyed after a period of time, which is normally around 30 days.
Bunnings stated that the images of individuals enrolled in the facial recognition system are internally monitored, reviewed, and reported on in accordance with Bunnings’ standards. Images are also regularly reviewed to determine if they should be removed, with Bunnings stating that any match detected by the technology is checked manually by a specially trained team member before any action is taken.
Speaking exclusively to the Australian Hardware Journal, CHOICE Senior Policy Advisor Amy Pereira said the Privacy Act is principals based and is also, “unfortunately open to interpretation”.
“We believe that within the Privacy Act, the use of facial recognition technology to prevent theft and anti-social behaviour – which is what Bunnings says it is using it for – is disproportionate to the harms posed. It is really up to the Information Commissioner who has oversight of the privacy regulation to make this decision.”
Ms Pereira said that using this technology is not only disproportionate to the harms posed but is unnerving for consumers when a business does not provide sufficient notice and consent.
“The fact that this is news is a key measure that people did not know about it. Businesses do have to give sufficient notice and obtain sufficient consent within the Privacy Act. The fact that no one knew about this indicates that Bunnings has not fulfilled its obligations under the Privacy Act. If people knew about it, it would not be news,” she said.
“Facial recognition technology collects sensitive information. Under the Privacy Act sensitive information is more protected and has a special classification which means organisations that collect this type of information need to take more actions to gain consent. Yes, Bunnings did provide notice but they have not sourced the consumer’s actual consent. This is why this story has hit the mainstream because if people had given consent – then they would already know about this,” Ms Pereira said.
Just last year 7-Eleven was found to be in breach of the Act, by the Information Commissioner, after it used facial recognition technology in-store. While the well-known convenience chain did display signs at store entry points, the chain collected face prints instore without the majority of consumer’s knowing. 7-Eleven has since ceased using the technology, Ms Pereira said.
“While Bunnings has taken reasonable steps to inform the consumer, face prints are as sensitive and unique to individuals as a fingerprint or DNA. Not only is the sensitivity and risk of using this data a lot higher to the consumer it is a lot of information to gather on a consumer who simply wants to purchase gardening supplies,” she said.
CHOICE believes there is technology that can be used that is much less invasive and can achieve the same objective.
“While facial recognition technology is used widely in the US for commercial settings, it can be prone to inaccuracy which is when the harm arises. We have seen what has happened in the US when businesses roll out certain technologies without sufficient oversight, testing and safety. People need to know about this so they know they can trust businesses and be reassured the data is used appropriately,” she said.
When asked if customers can verify if the information is being used correctly, Ms Pereira said it is up to the consumer to trust that the businesses is using the data correctly.
For now, the outcome of the investigation by CHOICE is in the hands of the Information Commissioner who has since released a statement saying that any business interested in using the technology should seek advice and consider the risks to the business and consumers.