Australia: OAIC cracks down on retailers using facial recognition technology
Two major Australian retailers are being investigated by the Office of the Australian Information Commissioner ('OAIC') for using facial recognition technology ('FRT') without getting informed consent from patrons. In Australia, retailers are not permitted to use biometric information for profiling and surveillance purposes without the person's knowledge. Katherine Sainty and Aisling Hamilton, from Sainty Law, discuss what FRT is, how it is used, and what businesses should consider for its use.
The OAIC is set to decide whether the retailers have breached the Privacy Act 1988 (No. 119, 1988) (as amended) ('the Privacy Act') and to assess whether collecting face prints is a 'reasonable' response by businesses to protect their commercial interests when balanced against the right of individuals to have their privacy protected.
The investigations reflect growing concerns among consumers that businesses are prioritising their own interests over safeguarding individual privacy. On the one hand, it is estimated by the National Retail Association that retail crime costs Australian businesses AUD 9 billion (approx. €6 billion) each year. However, it is unclear whether prevention of retail crime through the use of FRT is reasonable given the privacy concerns.
This is not the first time retailers have been in trouble for collecting face prints without consent. The OAIC has investigated retailers in the past for collecting facial images and faceprints from customers without valid consent. As a result, those retailers were ordered to delete all faceprints collected and suffered considerable reputational damage.
What is FRT?
FRT captures a person's face print and compares it to other digital images and face prints to identify an individual.
There are two primary forms of FRT in use around the world:
- One-to-one comparison - a new image is compared to a saved face print to confirm identity. The most common example is the use of face ID to unlock a personal device.
- One-to-many identification - capturing and comparing a face print to a database of images to find a match. This can be used for criminal surveillance and by retailers and others to monitor customer satisfaction by assessing facial expressions.
The software draws shapes around identified faces in the live surveillance feed, extracts the key features, and compares these features to a facial image which is stored in the retailer's own database. Using this technology allows retailers to efficiently sort through images of customers to determine their satisfaction instantly, instead of having to manually sort through surveillance footage, or conduct market research by directly communicating with customers face-to-face.
How are companies using FRT?
Businesses are using FRT to confirm the identity of patrons or for surveillance purposes. Retailers claim customer face prints are only collected to reduce in-store theft and to measure customer satisfaction. However, the use of technology to collect and use biometric data does not stop there.
Face prints are now being used as payment methods in stores and parts of public transport systems in China and this practice is expected to become more widespread.
A major credit card merchant is currently trialling a program they intend to roll out globally that will allow retailers to offer biometric payment authentication methods, including facial recognition and fingerprint scanning.
Regulators around the world, including in the EU, California, and China, all regulate facial recognition and biometric data in their data privacy laws.
Biometric data can generate powerful insights for business
Face print data can be combined with other data sets that a business holds about an individual to build a detailed profile on a person. These detailed profiles are valuable information for retailers who can then target consumers personally through personalised marketing campaigns.
However, when this kind of targeted marketing is done without a consumer's awareness or consent, it can lead to a breach of trust, ultimately impacting business revenue, especially if consumers feel they have been manipulated into unnecessary purchases.
Why are Australian consumers concerned?
Australian consumer watchdog, CHOICE, reported[1] that consumers found facial recognition by retailers 'creepy and invasive' and were concerned that stores may be using their information to create profiles which could cause them harm. Consumers have indicated they do not want to be monitored or recorded purchasing goods or services.
The Australian Community Attitudes to Privacy Survey 2020 report[2] found that 'two-thirds (66%) of Australians are reluctant to provide biometric information to a business, organisation or government agency and a quarter (24%) are more reluctant to provide biometric information than any other type of information'.
Consumer concerns about the inappropriate privacy practices of retailers who collect and use biometric data raise valid questions under privacy laws in Australia such as:
- Are retailers doing enough to seek informed consent from customers?
- Is collecting face prints to prevent and reduce theft a reasonable use of sensitive information?
Why is the OAIC interested in FRT?
Apart from the community expectations of privacy, the OAIC is interested in FRT because it has considered this issue previously and warned retailers that the common practice of notifying customers that FRT is in use through a poster alone is not adequate to obtain consent.
Retail stores will usually disclose that they use FRT in the 'Conditions of Entry', which are posted at the front of a store. Instead of a poster, the OAIC has indicated that a request for consent should:
- clearly identify the kind of information to be collected, the recipients, and the purpose of the collection;
- be sought expressly and separately at the time of collection; and
- be fully informed and freely given.
How is biometric data regulated in Australia?
A face print is biometric data. Biometric data, which also includes fingerprints and voice identification, is regarded as sensitive information under the Privacy Act and the Australian Privacy Principles ('APPs'). In Australia, biometric data must be collected, stored, and used in accordance with the Privacy Act and the APPs.
The APPs impose a higher threshold to protect sensitive information that relates to those types of information that people feel intrinsically more sensitive about, as prejudice and discrimination can prevail. For example, sexual orientation, racial or ethnic origin, political, and religious beliefs are all classified as 'sensitive information' under the Privacy Act.
Under the Privacy Act, businesses can only collect a face print without consent if:
- the business is identifying the person as a part of an automated verification process, if it is authorised by law; or
- the business is required to collect it to prevent a serious threat to life, safety, or health of any individual.
These exceptions set a high threshold for a business to establish that it has collected valid consent and has reasonable grounds for the collection of personal information.
What do you need to do if your business uses FRT?
Businesses considering implementing FRT and related data handling, collection, or processing practices must consider if this technology is reasonably necessary for their business to function.
If you want to collect biometric data using FRT, you must seek express consent to collect and handle sensitive information, unless you fall within the permitted exceptions. Undertaking a Privacy Impact Assessment ('PIA') is one way you can determine if facial recognition is suitable for your business. If the PIA concludes that using FRT is proportionate, you must still solicit informed consent, and implement transparent data handling processes and security infrastructure to ensure you comply with the APPs.
It is also important for businesses to stay vigilant to privacy developments as the Privacy Act is under reform. The Attorney General is currently reviewing the Privacy Act and is considering feedback from the public. As a part of the review, the Attorney General will consider whether the Privacy Act effectively protects personal and sensitive information. Any changes to the Privacy Act may impact how businesses are permitted to use FRT.
Facing the technology
FRT is developing rapidly. Experts predict the industry to be worth $9.6 billion by the end of 2022.
However, businesses that use FRT need to carefully consider the commercial benefits of the technology against consumer privacy concerns and the importance of protecting sensitive biometric information.
If your business wants to use FRT, you must ensure that you obtain informed consent from customers, but we will wait to see how the OAIC responds to the investigations.
1. See: https://www.choice.com.au/consumers-and-data/data-collection-and-use/how-your-data-is-used/articles/kmart-bunnings-and-the-good-guys-using-facial-recognition-technology-in-store
2. See: https://www.oaic.gov.au/__data/assets/pdf_file/0015/2373/australian-community-attitudes-to-privacy-survey-2020.pdf