Bunnings’s Widespread Use of Facial Recognition Technology Raises Concerns About Customer Privacy Violations
Without their knowledge, hundreds of thousands of customers of Bunnings, Australia’s dominant hardware retailer, were scanned.
An investigation spanning two years led Australia’s privacy commissioner to issue a groundbreaking finding against Bunnings, the country’s largest hardware retailer. They used facial recognition technology in 387 stores without notifying customers.
“Individuals who entered the relevant Bunnings stores at the time would not have been aware that facial recognition technology was in use and especially that their sensitive information was being collected, even if briefly,” Australian Privacy Commissioner Carly Kind said.
The commissioner found that Bunnings interfered with the privacy of hundreds of thousands of customers across 63 of its New South Wales and Victoria stores between Nov. 6, 2018 and Nov. 30, 2021.
Bunnings Responds
Bunnings published a statement (pdf) in response to the allegations, but it’s not the mea culpa the commissioner demanded.
The conglomerate states it will seek a review of OAIC’s ruling before the Administrative Review Tribunal and justifies using the technology to prioritize the safety of their team, customers, and suppliers.
“Our use of [facial recognition technology] was never about convenience or saving money but was all about safeguarding our business and protecting our team, customers, and suppliers from violent, aggressive behavior, criminal conduct, and preventing them from being physically or mentally harmed by these individuals.
Related Stories
“It was not used in isolation but in combination with various other security measures and tools to deliver a safer store environment.”
In July, after consumer watchdog group Choice alerted OAIC to the practice, the OAIC initiated investigations into the personal information handling practices of Bunnings, Kmart Australia, and Good Guys Discount Warehouses, both owned by Wesfarmers.
A finding is pending in the case of Kmart, and the investigation into the Good Guys was terminated.
Privacy Policy Not Enough: Commissioner
Wesfarmers’ privacy policy warns customers about the ways it collects data, including “images from video surveillance, body cameras, and other cameras used in and around our stores (including in car parks, pick up areas, store entrances, and publicly accessible spaces),” as well as “images from facial recognition software.”
The privacy commissioner deemed this policy inadequate since most people will not visit a store’s website to read that information. Bunnings was obligated by law to obtain proper consent to use the technology on them.
Data Deleted in Less Than a Second: Bunnings
Bunnings utilized software that scanned customers’ faces in the store and then compared the biometric data against a list of “enrolled individuals” who were known or suspected to be a security risk in the past.
In cases of a match, an alert was generated, but if not, the data was automatically deleted in “0.00417 seconds,” according to Bunnings.
When Choice initially made the allegation, Bunnings Managing Director Mike Schneider defended the technology, citing incidents of aggressive behavior towards their staff.
The commissioner considered the security benefits but concluded that they did not justify the invasion of privacy.
Sixty-six percent said they would be reluctant to provide biometric information to a business, organization, or government.
