The language is far from reassuring. Despite being caught red handed using facial recognition technology (FRT) unbeknown to customers, a number of Australia’s large retail companies have given a meek assurance that they will “pause” their use.
The naughty will only show contrition in the most qualified of ways.
It all began with an investigation by consumer advocacy group CHOICE, that found that the department store chain Kmart and household warehouse chain Bunnings were using FRT to ostensibly protect customers and staff while reducing theft in select stores. The group also found a third retailer, The Good Guys, had not lived up to its smug name, using technology that stores the unique biometric information of its customers.
According to the investigation, 25 major Australian companies were asked whether they used FRT and how their privacy policies stacked up. Based on the findings, the three big culprits were identified.
FRT navigates some rather treacherous terrain. There is the broader question of privacy and issues of consent. CHOICE consumer data advocate Kate Bower put her finger on the issue by noting that the privacy policies of such companies were usually buried in vast online undergrowth and “often not easy to find”.
Given the operating nature of such stores — in person and retail — it was also unlikely that anyone was “reading a privacy policy” before entering. Kmart and Bunnings did sport signs at some of their outlets’ entrances informing customers that such technology was being used.
There are also prevailing problems with bias and racial discrimination. The evident concern was that the signs themselves were barely noticeable to patrons, placed in strategically innocuous spots.
For any student seeking to understand the law of contract and the incorporation of contractual terms, such signs are virtually worthless in drawing attention to any individual entering the store.
A CHOICE survey of more than 1000 people, between March and April, found a general lack of awareness about the nature of the technology being used. Three out of four (76%) claimed with less than blissful ignorance they did not know retailers were using facial recognition. Those who did smell a rat identified the wrong parties — namely Coles and Woolworths.
The percentage of those surveyed claiming that retail stores should disclose to customers about the use of FRT before entering the store was 83%, while 78% expressed concern about the security of any face print data secured by the companies.
Bunnings has, unsurprisingly, accused CHOICE of misrepresenting its case. In the carefully chosen words of chief operating officer Simon McDowell such “technology is used solely to keep team and customers safe and prevent unlawful activity in our stores, which is consistent with the Privacy Act”.
Through the annals of history, when laws are breached and principles are violated, the principle of necessity gets saddled up and ridden into debates.
In this case, its staff might be endangered by reprobates (“repeat abuse and threatening behaviour,” is how McDowell described it) or customers who need protection when going about their shopping. Even when it is used, there are “strict controls around the use of the technology which can only be accessed by [a] specially trained team”.
Bunnings managing director Mike Schneider reiterated the security element of the enterprise: FRT aided in identifying banned customers and undesirables. “We don’t use it for marketing or customer behaviour tracking, and we certainly don’t use it to identify regular customers who enter our stores as CHOICE has suggested.”
The Office of the Australian Information Commissioner (OAIC) announced on July 12 that it was opening investigations into the way personal information is handled by Kmart and Bunnings, with specific reference to the use of FRT.
Andrew Stokes, OAIC director of strategic communications, explained that biometric information, as collected by FRT “is sensitive personal information under the Privacy Act”.
Any organisation that falls within the operation of the Privacy Act 1988 is not entitled to collect sensitive information in the absence of consent from the individual. Any information gathered must also be reasonably necessary for the organisation’s functions or activities.
Consent and the law have not always been on the best of terms. Often strangers, they sometimes converge or miss each other altogether.
In terms of Australian privacy law, hardly impressive and often disappointing in its lack of bite, the OAIC will note the following elements to determine whether genuine consent was given to the use of FRT: whether the individual was adequately informed before granting consent; whether it was done voluntarily; whether it was current and specific; and whether the individual had the capacity to comprehend and communicate that consent.
The reaction from the three retail outlets has, for the most part, been tactical: more likely it has been a case of waiting for the OAIC’s verdict.
According to Bower, “customers will welcome the news that Bunnings and Kmart are joining The Good Guys in pausing the use of facial recognition technology in their stores, but we know that what customers really want is for them to stop using it altogether”.
To do so would be very much against the ill-spirited nature of corporate culture. They may have been bruised and slightly embarrassed but they are unlikely to be compliant.
[Binoy Kampmark lectures at RMIT University.]