How comfortable are you with facial recognition?
In Australia, retail organisations are exploring the use of facial recognition technology (FRT) to bolster security, verify age, reduce stock loss and identify shoplifters. In doing so, many struggle to understand their privacy obligations as they attempt to balance regulation, community benefit and customer expectations. Increased use is leading to several emerging challenges, and how these are addressed will shape the technology's future impact globally.
- Privacy and ethical concerns: Facial recognition raises issues of mass surveillance, privacy infringement and biases related to race and gender, prompting demands for fairness and transparency.
- Regulatory challenges: Governments, including Australia, are reforming privacy regulations to enhance oversight and individual rights.
- Varied global approaches: Countries adopt different strategies based on cultural, legal and political factors. Some are embracing it for smart city initiatives and others are imposing strict controls.
As global attitudes towards privacy and surveillance evolve, retailers must navigate the delicate balance between harnessing the benefits of FRT and adhering to ethical standards. Often, guidance offered to ensure regulatory compliance can be vague and difficult to implement. This is especially challenging in countries like Australia, where privacy legislation is ‘principle based’ and the steps organisations must take need to be ‘reasonable’.
To responsibly and ethically implement facial recognition, organisations may consider the following activities:
- Understand regulatory obligations: Ensure consumer trust and security by embracing regulations like the Australian Privacy Principles (APPs) and regulator guidance, such as the OAIC's ‘Facial Recognition Technology: a guide to assessing the privacy risks’.
- Conduct a review of personal information (PI) and minimise collection: Understand the data flows of the FRT to establish where and how consumer information is being captured, the type of data and why it’s being captured. If it’s not serving a purpose and not linked to benefits, don’t collect it.
- Inventory all use cases: Identify all use cases of FRT within the organisation. Where facial recognition is found and used for automated decision-making, it must be included in your Privacy Policies under the Privacy Bill (December 2024).
- Notice and consent: Communication should be clear about what data will be collected, how it will be used and who will have access to it. Determining what is ‘reasonable’ can be challenging – consider whether signage within stores or premises adequately and transparently communicates the purpose of FRT. Make additional efforts to raise awareness and engage customers to build transparency and trust, such as campaigns on social media and in-store.
- Secure data: Deploy robust security measures to protect any sensitive biometric data collected in FRT from unauthorised access or breaches. This includes multifactor authentication, encryption, access controls and regular security audits to safeguard sensitive information. Where third-party technologies or cloud solutions are used, proactively define data security settings and monitor them regularly.
- Proactively dispose of data: Retain FRT data only as long as necessary to fulfil the purpose for which it was collected. Establish clear data retention policies and procedures for secure data disposal, including automated schedules to regularly purge data.
- Assess ethical and privacy implications: Balance innovation with ethics and risk management. Follow Privacy Impact Assessment (PIA) practices before deployment to identify potential privacy harms and mitigations, and extend this to cover ethical risks and safeguards. Engage consumers and focus groups to validate the perceived benefits and downsides of FRT.