Hundreds of thousands of Australians had their privacy breached when Bunnings used facial recognition technology across dozens of stores, the privacy commissioner has found.
Privacy commissioner Carly Kind said Bunnings Group Limited collected customers' personal and sensitive information by capturing images of their faces without consent.
Bunnings will seek a review of the finding, its managing director has confirmed.
The system, which captured the faces of customers through CCTV, was deployed across 63 Bunnings stores in Victorian and NSW between 2018 and 2021.
Ms Kind said while the use of facial technology may have been well-intentioned as a way to stop violence and theft, this did not justify its use.
"In this instance, deploying facial recognition technology was the most intrusive option, disproportionately interfering with the privacy of everyone who entered its stores, not just high-risk individuals," she said.
The privacy commissioner also highlighted the lack of transparency around the use of the technology.
She said Bunnings collected customers' sensitive information without consent, failed to take reasonable steps to notify people that their information was being collected and did not disclose it in its privacy policy.
"Individuals who entered the relevant Bunnings stores at the time would not have been aware that facial recognition technology was in use and especially that their sensitive information was being collected, even if briefly," Ms Kind said.
The commissioner declared Bunnings must not repeat or continue the practices, must publish a statement about its conduct and destroy all personal information that it still holds.
Bunnings to seek review
Bunnings managing director Mike Schneider said the group will seek a review of the determination through the Administrative Review Tribunal.
He said the retailer used the technology to protect customers, staff and suppliers against crime and violent behaviour.
"Our use of FRT was never about convenience or saving money but was all about safeguarding our business and protecting our team, customers, and suppliers from violent, aggressive behaviour, criminal conduct and preventing them from being physically or mentally harmed by these individuals," Mr Schneider said.
"It was not used in isolation but in combination with various other security measures and tools to deliver a safer store environment."
Decision on privacy breach too slow: Choice
Consumer advocacy group Choice conducted an investigation into the issue in 2022.
Choice senior campaigns and policy adviser Rafi Alam said the landmark decision would prompt all businesses to think carefully about facial recognition.
However more work was needed to protect consumers, he said.
"Australia's current privacy laws are confusing, outdated and difficult to enforce," Mr Alam said.
"Choice first raised the alarm on Bunnings' use of facial recognition technology over two years ago, and in the time it took to reach today's determination the technology has only grown in use."
Choice wants the government to introduce specific laws that would hold businesses accountable as soon as they breached customer privacy.
