Bunnings Breached Privacy Laws by Using Facial Recognition on Customers, Privacy Commissioner Finds

HamBoi69 on 19/11/2024 - 10:35

Pretty poor form from Bunnings/Hammerbarn.

In short
A landmark decision by the Privacy Commissioner has found hardware chain Bunnings breached privacy laws by using facial recognition technology on its customers.
Retailers argue the technology helps prevent theft, but the Privacy Commissioner says Bunnings did not gain proper consent to capture people's unique biometric data.

What's next?
The Commissioner has ordered Bunnings not to repeat the behaviour and to destroy all personal information collected.

ABC article

Shame there won’t be a financial penalty.

General Discussion

Related Stores

Bunnings Warehouse
Bunnings Warehouse
Marketplace

Comments

    • HangryCakeStore on 20/11/2024 - 21:33
      -1

      Is it suprising? Most look like bogan tradies with mullet hair driving utes

      • SpainKing on 21/11/2024 - 14:31

        How many times are you going to make the same comment?

    • [Deactivated] on 22/11/2024 - 08:50

      It’s a huge chain store of course people will rob it.

  • doctordv8 on 20/11/2024 - 12:41

    Don't shoot the messenger, but….perhaps the Law needs to change.
    Is being recognised on Security cameras really going to hurt you? I doubt it, but it will help find ya partner that wandered off bored to death in store. It will reduce thieves getting away so often & it will help against theft Inflation.

    My Store = My Rules…. after I would ensure I meet all AU Rules, permissions and signage etc.
    (My customers came into my workshop for years, and followed my rules).

    Then it is your choice to come into MY store, with cameras watching every aisle for Stock Control for finding the lost souls.
    You being in that Aisle is purely coincidental and YOUR choice.

    If the System can use FRS and it is legally allowed, and my store Security team need/use it, then we will use it.

    Excepting I am retiring to a hermit on an island life, so I don't really care but I have nothing to hide,although I do understand some do, and some do take this Privacy Attitude seriously…. Again that is your choice.

    On the other hand, I do NOT understand why some have this serious Privacy Attitude.

    Cameras are everywhere nearly, and regardless of your own personal reasons, surely this tech helping to find a missing persons - good or bad - should take priority over your personal fears?

    It comes down to the same logical retort on complaints against Speed, Red Light, Mobile Phone& Seat Belt cameras etc,…. you have nothing to fear if you are not breaking the Law.

    • blitz on 20/11/2024 - 20:32
      +3

      you have nothing to fear if you are not breaking the Law.

      This is a simplistic interpretation of privacy and could be used to justify almost anything. You should read this:

      Solove, D. J. (2007). I've got nothing to hide and other misunderstandings of privacy. San Diego Law Review, 44, 745.

      • gyrex on 20/11/2024 - 22:17

        I'm not going to read the entire paper but it appears at first glance this is relating to Government encroachment on privacy which I'm pretty sure most people vehemently object to. In this case, this is a private company which is undertaking surveillance on their own properties in order to protect staff, customers and property which is an entirely different argument.

        • SailorGoon on 21/11/2024 - 02:11
          +3

          Arguably government and companies are just different forms of organisation. If I have a right to privacy, it should operate equally against all peoples (individuals or organised collectives).
          Also bunning’s market share and the practices they’ve taken to build and protect that market share mean it’s difficult for the average Australian to avoid it. If a business is positioned in such a way in a country, such that it’s very difficult for a citizen to avoid transacting with it (or at least not without incurring decent expense), do they still earn all the protections that any private enterprise might - or has it become too far embedded in the lives of the public to really be in the private domain….
          Bed time for me, sleeping soundly, knowing my face isn’t training BunningsGPT

          • gyrex on 21/11/2024 - 11:22
            -1

            @SailorGoon: Attempting to conflate Government and businesses is an asinine argument.

        • blitz on 21/11/2024 - 09:28

          which is an entirely different argument.

          How so?

          • gyrex on 21/11/2024 - 11:19
            -1

            @blitz: I'm sorry, but if you're incapable of making the distinction between Chinese style surveillance on all its citizens anywhere, anytime and a private company who's conducting surveillance on their own property, it's not worth my time or energy continuing the discussion.

        • Friendly Troll on 21/11/2024 - 10:58
          +2

          Private companies can do whatever but cannot override the law which is the case for Bunnings.

  • gyrex on 20/11/2024 - 16:56

    With the outrageous amount of theft from societal degenerates these days, I'm not surprised at them using technology to catch recidivous offenders. And guess who pays for the millions of dollars of theft each year from stores? The law abiding public.

    • faricity on 21/11/2024 - 14:36

      yea i guess next step for Bunnings is to start hiring private security guards instead of a poor teenager at the front of the store like everyone else eg Pharmacies, electronic stores but not sure how much power they will have or care

    • MrFrugalSpend on 21/11/2024 - 22:59

      100% - the majority getting on the bandwagon here.
      If they put up a sign as condition of entry - all good IMO. We aren't being forced to shop at Bunnings and they have so many d#%kheads come in that they need to be aware of with all the items that can be used as a weapon in a hardware store. Totally logical balance of safety and privacy provided they keep it secure and delete anything un-needed.

  • gromit on 20/11/2024 - 17:12
    +3

    It is completely moronic that this was treated as a breach. If anything this was a demonstration of correct and safe use of the technology in a non damaging way to peoples privacy.

    • GordonD on 20/11/2024 - 18:20
      +3

      Totally agree.

      What sort of example does it set when a company does the right thing for its employees and good customers, and the only people who are inconvenienced are shoplifters and ones who are violent, and the company is punished.

      • gyrex on 20/11/2024 - 19:36
        +2

        Our broken injustice system only serves criminals and their interests and the taxpayers/businesses and victims who fund this system are largely forgotten about. This system is self perpetuating and continues to feed itself by allowing the lawyers, magistrates and judges who all have their snouts in the trough to prosper at the expense of victims. The whole system needs to be investigated yesterday and magistrates and judges who have a history of failing to protect the public should be sacked immediately and prosectured for failing in their duty.

  • bobbieb on 20/11/2024 - 17:38
    +1

    LOL…what a media beat up.

    Oh no, won't you please think of the saw-off shotgun wielding thugs. They have the right to privacy too.

    Yeah, nah.

    • jaimex2 on 21/11/2024 - 12:13

      Yeah cos they'll come in with their faces exposed.

    • [Deactivated] on 22/11/2024 - 08:53

      How would facial recognition have helped? He was wearing a balaclava.

  • BuddhaBoy on 20/11/2024 - 18:55
    +4

    Well done Bunnings - giving safety as top priority for its staff. Hope they can sort whatever the breach is with the commission and continue the facial recognition in all stores.
    People complaining should look into their Apple and Android devices.

    • Friendly Troll on 21/11/2024 - 11:07
      +1

      They can still use CCTV which is everywhere.

      People complaining should use GrapheneOS for their phones.

  • Fredfloresjr on 20/11/2024 - 20:55
    -5

    Ahaahahahahahahahahaha only losers and weirdos in real life are against this. Ahahahaahaha imagine you are affected because camera is recognising your face on a Public. Ffs ahahaahahah

    Never go to Singapore and China too. Ahahah

    • HangryCakeStore on 20/11/2024 - 21:34
      -5

      Ikr? It’s the winged aggressive looking bogan tradies driving utes in mullets that complain 😂

    • Friendly Troll on 21/11/2024 - 11:11
      +1

      Camera "recording" and "software recognising" are different things.

  • juki on 20/11/2024 - 21:24
    +1

    for once it doesnt bother me so much, its for theft, they arent changing prices based on me showing up, i dont take my mistresses or conduct illegal activities in bunnings, and cant imagine a scenario in which it would be detrimental. All my neighbours have security cams up, floodlights pointing on their driveway, it doesnt seem to matter (while it would be illegal and torn down in most of europe). meh - maybe emergency departments and hospitals should do this too

  • King Tightarse on 20/11/2024 - 22:09
    +2

    The problem is data aggregation. If it was just for safety, they could just record normally.
    With facial recognition they have your face and payment method - easy to add it to in your socials, they record cars & number plates so they add that, note family and friend associations. Hover time with certain products, average spend, probable wealth etc tec.
    In no time there is massive, accurate file on you.

    • SailorGoon on 21/11/2024 - 02:16
      +3

      Not sure why you’d be negged. Very valid and already in the works (in other places). People forget the protections established to prevent indirect discrimination in mortgages.
      People also seem to think our faces would not merely sit in Bunnings databases… they will inevitably be leaked and the associated data exploited. Identity theft… deepfake scams…

      • gromit on 21/11/2024 - 07:11
        +1

        probably because he added a lot of irrelevant information as did you. The data was not being aggregated or stored, it wasn't being matched against anything except the known offenders and then deleted. So nothing to leak or associate or create deepfakes, Your picture is already stored on thousands of security camera recorders everywhere, that presents far more risk than what they were doing here.

        • resisting the urge on 21/11/2024 - 10:07
          +2

          Until they decide to send data elsewhere for data-matching services and automation, made available by third parties.

          And if they are not already sharing it. Which (it seems from the findings), the privacy commissioner has failed to ask- along with exactly how many parties are actually able to connect to the devices in the CCTV and FRT system, let alone access the data they provide, emit, and store. Or to consider whether Bunnings' controls (as in place at the start) were appropriate from the perspective of the customers from which the data was stolen.

          Of course all that is assuming the IoT devices they use are not somehow compromised, and are appropriately maintained and checked, to ensure they remain secure and do not leak data.

        • King Tightarse on 21/11/2024 - 11:38

          @gromit How do you know that?
          There are all kinds of possibilities that open up with facial recognition. For example, they may hash the key data points of your face data and store that but not 'technically' store the image, like they do with credit and debit cards and then keep that data and match it for marketing. They do that every day.
          Cameras with facial recognition bring a world of new marketing possibilities.

          • gromit on 21/11/2024 - 11:46
            +1

            @King Tightarse: well I can only go by what the report said and what bunnings said. If you think the privacy commissioner and bunnings are all lieing then I think that is on you to prove.

            • King Tightarse on 21/11/2024 - 11:47
              +2

              @gromit: It is a well crafted PR release with an emphasis on the employee safety angle.
              I am talking about what is possible and what might happen. I am not saying it definitely is but it opens up the possibility and Bunnings are not saying. Did you ever hear Flybuys say "oh yes we hash your credit card numbers and the match data wherever you shop over our network?"
              You might hear Coles say 'we never keep credit card numbers' , but that is misleading because they do hash the numbers and store them but no press release will ever mention it.

              • gromit on 21/11/2024 - 12:51
                +1

                @King Tightarse: Sure, they could also put up auto cannons and mow down suspected shoplifters. They could do lots of things, but that is why we have laws about what they can and cannot do. This one fell on a very hazy line where what they are doing appears logical and to comply with the law, however the commissioner took a different view. Personally in this case I see Bunnings as in the right, if they do something different next time that view may change.

                • King Tightarse on 21/11/2024 - 13:06
                  -1

                  @gromit: ' they could also put up auto cannons and mow down suspected shoplifters'
                  C'mon Gromit that is a ridiculous statement and in no way match to the real world examples I gave.

                  Flybuys are doing it right now and have been for years with credit card data. It is no stretch at all to suggest they would do it with hashed facial recognition data too. It happens in many other places. There is a strong precedent and obvious advantages for them.

                  Also they may well have one position with regarding the data now to get customers used to it and then change their approach after a few years.
                  That also would be quite possible as people get used to the idea.

                  • gromit on 21/11/2024 - 13:23

                    @King Tightarse: Your real world examples were also a blatant breach of laws so yes it is as realistic. If a company wants to breach laws then absolutely go after them, but pretending "oh shit they are evil as they theoretically 'could' do X or Y" is just dumb.

                    • King Tightarse on 21/11/2024 - 13:52

                      @gromit: My Coles and Flybuys examples are actual not theoretical! They are not beaching any current laws that i know of.
                      Nothing 'dumb' about discussing reasonably likely possibilities with other stores.
                      https://www.smh.com.au/technology/coles-reveals-customers-da…

                      • gromit on 21/11/2024 - 14:07
                        +1

                        @King Tightarse: Coles and Flybuys you have given permissions for them to use your data in this way. When you sign up it is in their privacy and terms of use that they get to use your data that way and hence are not a breach as you have allowed them to do that by signing up. Were they to do that without permission it would absolutely be a breach.

                        • King Tightarse on 21/11/2024 - 14:30
                          +1

                          @gromit: Yes thats true. It is hidden deep in the terms of service - most people do not read it or realise what is actually happening with their data when they tick 'yes' to the T&S with a simple click

                          • gromit on 21/11/2024 - 15:33
                            +2

                            @King Tightarse: absolutely true. still if people want to care about their privacy then that is on them for not reading those terms. I seem to be one of the rare people that actually read all the T's & C's for insurance, contracts, privacy, security, data sharing etc. If people don't care enough to read then they have no one to blame but themselves.

  • Cheap Gamer on 20/11/2024 - 23:44
    -1

    The spin is that it protects staff, but it could also be used to track staff. Just imagine what AI could do with it. Orwell, what can you do?

  • 2027 on 21/11/2024 - 00:02
    -1

    Wow I was born with inbuilt facial recognition, hope I don’t get asked to destroy all the data in my brain

    Some of the assistants at the shops recognise me. That’s a gross breach of privacy laws, remembering my biometric data and name like that.

    Even the guy next door recognises me. I never gave him permission to do that.

    • SailorGoon on 21/11/2024 - 02:18

      You can’t be serious…
      You’re drawing an analogy between the ordinary memory of individuals and sophisticated facial recognition / behavioural analytics?

      • 2027 on 21/11/2024 - 07:35

        sophisticated facial recognition / behavioural analytics

        Hate to break it to you but humans have been doing that for millennia

        • resisting the urge on 21/11/2024 - 10:13
          -1

          And humans been attacking each other for Millenia too.

          Do you mean to suggest that the coming robot army is fine, because it will only do what we've been doing to each other all this time?

          Or that it is okay for Corporations to remotely attack entire cohorts/populations?

          • 2027 on 21/11/2024 - 11:21

            @resisting the urge: I don’t go out in public and expect or tolerate being attacked, so no, the robot army can go home.

            On the other hand, I have no problem showing my face in public and totally expect to be recognised or judged, infact humans are more judgy than any machine I’ve seen.

            • resisting the urge on 21/11/2024 - 23:45

              @2027: Tthe machines are far faster at judging pretty much anything than us already. Certainly there'll be no need for a jury in an Court run an AI judge

  • ShMiCk on 21/11/2024 - 09:10

    I’m all for protecting the workers, as the Bunnings manager mentioned in the interview to the reasoning.

    But if that is the case, why don’t they have big signs at the front while you’re walking in that you’ll be subjected to this tech? Signage is a huge deterrent, footage is after the fact.

    Its all BS about “protecting” their workers.

    • lovafo on 21/11/2024 - 10:14
      +1

      they have signs everywhere at banks and it's a known fact that 99% of the population would know but we still have bank robbery

  • bobolo on 21/11/2024 - 09:10

    This is the real reason why people wear masks. Throw on a pair of sunglasses and you cannot be recognized.

    • JIMB0 on 21/11/2024 - 18:31

      Add a stone in your shoe so they can't identify your walk.

  • lovafo on 21/11/2024 - 10:11

    Personally if they communicate this well with customers and the public they would not have had any issue with the laws. And I don't mind this at all if it's true my image is only stored for a fraction of a second to be scanned against known criminals knowing that none of those fwits is in the store at the same time as me.

    IF this is done at airports or public transport places to prevents another 9/11 I bet everyone would say that's a good idea?

    Cameras are everywhere now you are seen and recorded almost every time you go out of your house. You even have your own security cameras at your house recording other people.

  • Nebargains on 21/11/2024 - 11:34
    +2

    I frankly don't understand this decision. CCTV/recording is OK, but facial recognition is not OK?

  • squaredonut on 21/11/2024 - 16:28

    I think what they've done is wrong, by capturing the information without allowing people to agree to it, even though the premises are owned by them.

    If they are genuinely just trying to identify problematic people from returning, I wonder if it's ok to put it simply at the front door just before you enter and put a disclaimer. I wouldn't want the recognition to be active throughout the entire store so it can create a profile on what I am purchasing and what not.

    Or maybe with the high theft they would just have to do what Home Depot does in the US and just put everything behind locked cages.

    It's usually the tools that's stolen and worth the most.

  • pegasusx on 21/11/2024 - 20:51
    +1

    Wow. This is a blast from the past, as this technology is not new. It's been at Bunnings / JBHifi for just under 10 years. As I was involved in rolling out this trial for CCTV "Proactive Loss Prevention" in 2016, which ran until 2018. Back then, machine learning biometrics was done via facial and body mechanics. I think its called Orion Ai now. JB Hifi turned it off because, precisely because of this, their HQ legal counsel decided the $$ loss vs the lawsuits wasn't worth it. I wasn't aware Bunnings they turned it back on for security purposes.

    • King Tightarse on 21/11/2024 - 22:46

      My understanding is that things are comprehensively more integrated these days
      Many use an outside company called Auror. https://www.auror.co/role/loss-prevention
      The trick that they do passively, not actively, by scanning face lists against their captured vision afterwards to build profile with offenders and also sometimes in real time using in store cameras and car park licence plate capture in cahoots with Vic Police.
      They claim they do not use active facial recognition, but they do use facial recognition on captured vision.

      • pegasusx on 21/11/2024 - 23:44
        +1

        It seems like its come a long way since I developed the intergration of the platforms. It was cutting edge stuff as CCTV feed + ML would send a notification to the custom App we had for our Guard issue mobiles. Shows them the photo of a suspect for "high probable" theft. This was what tanked the project, too much PII and Privacy red flag for legal.

  • gentlekoala5906 on 22/11/2024 - 07:27
    +2

    What a dystopian country we are becoming.

  • nephilim on 22/11/2024 - 08:53

    In Hong kong they now use these cameras to catch jaywalking, for those saying it's fine to use for shop lifting aka crime.

  • [Deactivated] on 22/11/2024 - 08:54

    Bunnings doesn’t give a hoot about safety of their staff. If they did, they would hire security instead of expecting 17 year old girls to stand at the door checking receipts.

    • MrFrugalSpend on 22/11/2024 - 23:19

      I've seen both security guards at my local and normally the most senior person (that usually seems to be managing the checkout area) standing checking receipts as well as coordinating people at the service desk and registers, asking when they are due for break, asking them to do things etc. I'm fairly sure they have a fairly advanced safety culture from what I've seen. If for nothing else but avoidance of liability but from what I hear they seem to be a great place to work … except for the odd d..h.. customers.

  • Crickets on 22/11/2024 - 10:40

    Classic…

  • EmployeeEmCKay @ Bunnings Warehouse on 22/11/2024 - 22:46
    +2

    I had a reciprocating saw blade held to my throat. It was about 6 years ago but it still affects me.

    • MrFrugalSpend on 22/11/2024 - 23:14

      Thanks for sharing, I'm sorry this happened to you, and I hope your story like the numerous others helps lobby for a way this sort of thing can be used provided there is clear disclosure / consent on condition of entry and locked-down security on what it can be used for. I think it was beneficial Bunnings released some videos as it helped me understand the balance of what should be allowed.

      As I've been saying earlier on this thread - I believe Bunnings should be allowed to use this tech in a sensible way.

      • EmployeeEmCKay @ Bunnings Warehouse on 22/11/2024 - 23:42
        +1

        Thank you for your kind words.

  • Miss B on 23/11/2024 - 05:40

    If it's true that (from my understanding) they just uploaded photos/videos of those who had been violent or stolen, scanned them, then just scanned everyone who came in for a match and if it's not a match deleted it in milliseconds I'm okay with it. It's just a more effective version of stores that have photos of these people and have staff keep an eye out for them.

    I may be misunderstanding. But based on them saying the data is deleted within a few milliseconds if they're not a match and talking about an enrolled list, I don't see how else it would work.

    I'm not so convinced about the 'knew or suspected had been a security risk in the past', depending on why they were suspected.

  • Vita85 on 23/11/2024 - 11:01
    +1

    Bunning Warehouse! Facial recognition is just the beginning!

Login or Join to leave a comment
Login Join