The language is far from reassuring. Despite being caught red handed using facial recognition technology unbeknownst to customers, a number of Australia’s large retail companies have given a meek assurance that they will “pause” their use. The naughty will only show contrition in the most qualified of ways.
It all began with an investigation by CHOICE which found that the department store chain Kmart, and household warehouse chain Bunnings, were using FRT to ostensibly protect customers and staff while reducing theft in select stores. The group also found a third retailer, The Good Guys, had not lived up to its distinctly smug name, using technology that stores the unique biometric information of its customers.
According to the investigation, 25 major Australian companies were asked whether they used FRT and how their privacy policies stacked up. Based upon the findings, the three big culprits were identified.
FRT navigates some rather treacherous terrain. There is the broader question of privacy and issues of consent. CHOICE consumer data advocate Kate Bower put her finger on the issue by noting that the privacy policies of such companies were usually buried in vast online undergrowth and “often not easy to find.” Given the operating nature of such stores – being in person and retail – it was also unlikely that anyone was “reading a privacy policy” before entering.
At some of their outlets, Kmart and Bunnings did sport signs at entrances informing customers that such technology was being used. There are also prevailing problems with bias and racial discrimination. The evident concern here was that the signs themselves were barely noticeable to patrons, placed in strategically innocuous spots. For any toiling student seeking to understand the law of contract and the incorporation of contractual terms, such signs are virtually worthless in drawing attention to any individual entering the store.
In a survey of over 1,000 Australians between March and April this year, CHOICE found a general lack of awareness about the nature of the technology being used. Three out of four (76%) claimed with less than blissful ignorance they did not know retailers were using facial recognition. Those who did smell a rat identified the wrong parties – namely supermarket chains Coles and Woolworths.
The percentage of those surveyed claiming that retail stores should disclose to customers about the use of FRT before entering the store was 83% while 78% expressed concern about the security of any faceprint data secured by the companies.
Bunnings has, unsurprisingly, accused CHOICE of misrepresenting their case. In the carefully chosen words of chief operating officer Simon McDowell, such “technology is used solely to keep team and customers safe and prevent unlawful activity in our stores, which is consistent with the Privacy Act.”
Through the annals of history, when laws are breached and principles are violated, the principle of necessity gets saddled up and ridden into debates. In this case, its staff who might be endangered by reprobates (“repeat abuse and threatening behaviour,” McDowell calls it), or customers who need protection when going about their shopping. And even when used, there are “strict controls around the use of the technology which can only be accessed by [a] specially trained team.”
Bunnings managing director, Mike Schneider, reiterates the security element of the enterprise. FRT aided in identifying banned customers and undesirables. “We don’t use it for marketing or customer behaviour tracking, and we certainly don’t use it to identify regular customers who enter our stores as CHOICE has suggested.”
On July 12, the Office of the Australian Information Commissioner (OAIC) announced that it was opening investigations into the way personal information is handled by Kmart and Bunnings, with specific reference to the use of FRT. The body’s director of strategic communications, Andrew Stokes, explains that biometric information, as collected by FRT, “is sensitive personal information under the Privacy Act.”
Any organisation that falls within the operation of the Privacy Act 1988 (Cth) is not entitled to collect sensitive information in the absence of consent from the individual. Any information gathered must also be reasonably necessary for the organisation’s functions or activities.
Consent and the law have not always been on the best of terms. Often strangers, they sometimes converge, or miss each other altogether. In terms of Australian privacy law, hardly impressive and often disappointing in its lack of bite, the OAIC will note the following elements to determine whether genuine consent was given to the use of FRT: whether the individual was adequately informed before granting consent; whether it was done voluntarily; whether it was current and specific; and whether the individual had the capacity to comprehend and communicate that consent.
The reaction from the three retail outlets has, for the most part, been tactical, and more likely a case of waiting for the OAIC’s verdict. According to Bower, “customers will welcome the news that Bunnings and Kmart are joining The Good Guys in pausing the use of facial recognition technology in their stores, but we know that what customers really want is for them to stop using it altogether.” To do so would be very much against the ill-spirited nature of Australian corporate culture, as privateering as any that can be found on this warming planet. They may have been bruised and slightly embarrassed, but they are unlikely to be compliant.