Australia's Bunnings Facial Recognition Ruling Reshapes Retail Privacy Law
Australia's privacy regulator has upheld a landmark finding against hardware giant Bunnings for its use of facial recognition on customers without adequate consent, setting a precedent for all retail operators.
The Ruling
The Office of the Australian Information Commissioner (OAIC) has upheld a finding that Bunnings Group Limited breached the Privacy Act 1988 by deploying facial recognition technology across its stores without meeting the consent and transparency requirements the Act imposes on sensitive biometric data. The decision, which has been upheld following a legal challenge, is the most significant retail privacy ruling in Australian history.
The Commissioner found that Bunnings collected sensitive information without adequate notice and that a reasonable person would not expect their biometric data to be captured during a routine hardware purchase.
What Bunnings Did
Bunnings installed facial recognition cameras across a network of stores in New South Wales and Victoria. The cameras captured biometric faceprints of customers entering the stores and compared them against a database of known shoplifters and banned individuals. Customers were not informed that their facial geometry was being captured and processed, beyond generic "CCTV in use" signage at store entrances.
The OAIC found that the generic signage was insufficient notice for the collection of sensitive biometric data, which carries a higher consent standard under Australian privacy law than ordinary personal information.
Legal Basis
The Privacy Act 1988 classifies biometric information and biometric templates as "sensitive information" subject to stricter handling obligations, including a requirement that collection is reasonably necessary and that individuals are given clear notice and an opportunity to consent. The OAIC found Bunnings met neither requirement.
Legal commentators note that the ruling aligns Australian facial recognition law more closely with the EU's GDPR framework, which imposes explicit consent requirements for biometric processing in public spaces.
Industry Implications
The ruling has immediate implications for any Australian business using facial recognition for loss prevention, access control, or customer analytics. Legal advisers have recommended that organisations audit their existing deployments, implement explicit opt-in consent mechanisms, and publish detailed data retention and deletion policies for any biometric data collected.
The Australian Retailers Association has called for clearer legislative guidance on permissible uses of facial recognition in retail, arguing that loss prevention is a legitimate security interest that current privacy frameworks do not adequately accommodate.
