Two major Australian retailers are being investigated by the Office of the Australian Information Commissioner (OAIC) for using facial recognition technology (FRT) without getting informed consent from patrons.

In Australia, retailers are not permitted to use biometric information for profiling and surveillance purposes without the person’s knowledge.

The OAIC is set to decide whether the retailers have breached the Privacy Act 1988 (Cth) (Act) and to assess whether collecting face prints is a ‘reasonable’ response by businesses to protect their commercial interests when balanced against the right of individuals to have their privacy protected.

The investigations reflect growing concerns among consumers that business is prioritising its own interests over safeguarding individual privacy. On the one hand, it is estimated by the National Retail Association that retail crime costs Australian businesses $9 billion each year. However, it is unclear whether prevention of retail crime through the use of FRT is reasonable given the privacy concerns.

This is not the first time retailers have been in trouble for collecting face prints without consent. The OAIC has investigated retailers in the past for collecting facial images and faceprints from customers without valid consent. As a result, those retailers were ordered to delete all faceprints collected and suffered considerable reputational damage.


What is facial recognition technology?

FRT captures a person’s face print and compares it to other digital images and face prints to identify an individual.

There are two primary forms of FRT in use around the world:

  1. one-to-one comparison – a new image is compared to a saved face print to confirm identity. The most common example is the use of Face ID to unlock a personal device; and
  2. one-to-many identification – capturing and comparing a face print to a database of images to find a match. This can be used for criminal surveillance and by retailers and others to monitor customer satisfaction by assessing facial expressions.

The software draws shapes around identified faces in the live surveillance feed, extracts the key features and compares them to a facial image stored in the retailer’s own database. Using this technology allows retailers to efficiently sort through images of customers to determine their satisfaction instantly, instead of having to manually sort through surveillance footage or conduct market research by communicating with customers face-to-face.


How are companies using facial recognition technology?

Business is using FRT to confirm the identity of patrons or for surveillance purposes. Retailers claim customer face prints are only collected to reduce in-store theft and to measure customer satisfaction. However, the use of technology to collect and use biometric data does not stop there.

Face prints are now being used as payment methods in stores and parts of public transport systems in China and this practice is expected to become more widespread.

A major credit card merchant is currently trialling a program they intend to roll out globally that will allow retailers to offer biometric payment authentication methods including facial recognition and fingerprint scanning.

Regulators around the world, including in the European Union, California and China, all regulate facial recognition and biometric data in their data privacy laws.


Biometric data can generate powerful insights for business

Face print data can be combined with other data sets that a business holds about an individual to build a detailed profile on a person. These detailed profiles are valuable information for retailers who can then target consumers personally through personalised marketing campaigns.

However, when this kind of targeted marketing is done without a consumer’s awareness or consent this can lead to a breach of trust, ultimately impacting business revenue, especially if consumers feel they have been manipulated into unnecessary purchases.


Why are Australian consumers concerned?

Australian consumer watchdog CHOICE reported that consumers found facial recognition by retailers ‘creepy and invasive’ and were concerned that stores may be using their information to create profiles which could cause them harm. Consumers have indicated they don’t want to be monitored or recorded purchasing goods or services.

The Australian Community Attitudes to Privacy 2020 Report found that “two-thirds (66%) of Australians are reluctant to provide biometric information to a business, organisation or government agency and a quarter (24%) are more reluctant to provide biometric information than any other type of information”.

Consumer concerns about the inappropriate privacy practices of retailers who collect and use biometric data raise valid questions under privacy laws in Australia such as:

  1. Are retailers doing enough to seek informed consent from customers?
  2. Is collecting face prints to prevent and reduce theft a reasonable use of sensitive information?


Why is the OAIC interested in Facial Recognition Technology?

Apart from the community expectations of privacy, the OAIC is interested in FRT because it has considered this issue previously and warned retailers that the common practice of notifying customers that FRT is in use through a poster alone is not adequate to obtain consent.

Retail stores will usually disclose that they use FRT in the Conditions of Entry, which are posted at the front of a store. Instead of a poster, the OAIC has indicated that a request for consent should:

  1. clearly identify the kind of information to be collected, the recipients and the purpose of the collection;
  2. be sought expressly and separately at the time of collection; and
  3. be fully informed and freely given.


How is biometric data regulated in Australia?

A face print is biometric data. Biometric data, which also includes fingerprints and voice identification, is regarded as sensitive information under the Act and the Australian Privacy Principles (APPs). In Australia, biometric data must be collected, stored and used in accordance with the Act and the APPs.

The APPs impose a higher threshold for protecting sensitive information, meaning the types of information that people feel intrinsically more sensitive about because prejudice and discrimination can follow from them. For example, sexual orientation, racial or ethnic origin, political and religious beliefs are all classified as ‘sensitive information’ under the Act.

Under the Act business can only collect a face print without consent if:

  • they are identifying you as a part of an automated verification process, if it is authorised by law; or
  • the business is required to collect it to prevent a serious threat to life, safety or health of any individual.

These exceptions set a high threshold for a business to establish that it has collected valid consent and has reasonable grounds for the collection of personal information.


What do you need to do if your business uses Facial Recognition Technology?

Businesses considering implementing FRT and related data handling, collection or processing practices must consider if this technology is reasonably necessary for their business to function.

If you want to collect biometric data using FRT, you must seek express consent to collect and handle sensitive information unless you fall within the permitted exceptions. Undertaking a Privacy Impact Assessment (PIA) is one way you can determine if facial recognition is suitable for your business. If the PIA concludes that using FRT is proportionate, you must still solicit informed consent and implement transparent data handling processes and security infrastructure to ensure you comply with the Australian Privacy Principles.

It is also important for businesses to stay vigilant to privacy developments as the Act is under reform. The Attorney General is currently reviewing the Act and is considering feedback from the public. As a part of the review, the Attorney General will consider whether the Act effectively protects personal and sensitive information. Any changes to the Act may impact how businesses are permitted to use FRT.


Facing the Technology

FRT is developing rapidly. Experts predict the industry will be worth US$9.6 billion by the end of 2022.

However, businesses that use FRT need to carefully consider the commercial benefits of the technology against consumer privacy concerns and the importance of protecting sensitive biometric information.

If your business wants to use FRT, you must ensure that you obtain informed consent from customers, but we will wait to see how the OAIC responds to the investigations.

This article by Sainty Law was originally published on OneTrust DataGuidance.