Australia: Issued Privacy Commissioner ruling in investigation into Bunnings Group Ltd's use of facial recognition technology

On 19 November 2024, the Australian Privacy Commissioner ruled that Bunnings Groups Ltd had breached consumer privacy through the use of facial recognition technology to capture the personal and sensitive information of every individual who entered 63 stores in Victoria and New South Wales. The investigation determined that these data collection practices were in breach of the Australian Privacy Act based on a lack of proportionality, necessity, and transparency. The Privacy Commissioner found that Bunnings had collected sensitive information without consent, did not include required information in its privacy policy, and claims the company failed to take reasonable steps to notify individuals of its data collection practices. As a result of the investigation, the Privacy Commissioner ordered that Bunnings must not repeat or continue the acts and practices that compromised individual privacy, publish a statement about its conduct, and destroy all personal and sensitive information collected via the facial recognition system that it still holds after one year. Bunnings can seek a review of this determination.