Should Your Face Be Scanned?
Thesis
Bunnings’ face recognition case shows that privacy in contemporary digital life cannot be simplified into a door sign or a vague concept of implicit consent, because the deeper question is whether companies should be allowed to turn ordinary customers into biometric data subjects in areas that exceed reasonable expectations and weaken digital rights.

The Office of the Australian Information Commissioner (OAIC) opened an investigation into Bunnings in 2022. (ABC News: Lindsay Dunbar)
Introduction
When most people walk into a hardware store, they don’t realize that they are stepping into a discussion about privacy, power and digital rights. Most customers go to the hardware store just to buy paint, light bulbs, potting soil or screws, or to pick up a new drill bit for small repairs at home. This kind of shopping experience is usually pragmatic and ordinary, and is soon forgotten after leaving the store. It is precisely because of this that Bunnings’ face recognition case is particularly worthy of attention. It takes place in an ordinary offline commercial space, not in a highly technological platform environment far away from ordinary people. It is this routine that makes the questions it raises more acute. At what point will a seemingly ordinary shopping place slide from reasonable security to more invasive digital monitoring?
At first glance, this question seems to be not difficult to answer. Of course, stores need to protect employees and prevent violence, abuse, destruction and theft. Many people have long been accustomed to the existence of closed-circuit television in retail space, so a certain degree of monitoring seems to have long become a part of the modern business environment. However, face recognition is not as simple as installing one more camera. Ordinary cameras usually work after the fact. They record the scene in order to trace the facts after the incident. The face recognition system is different. It actively extracts people’s facial features, converts them into computable and matchable biometric information, and compares them with entries in the database in real time. That is to say, it not only sees a person, but also begins to identify that person the moment they enter the store. This change means that the very meaning of customers entering the store has been redefined.
Therefore, the Bunnings case is not just a legal dispute in a narrow sense. It is more like a touchstone to test how Australia should understand privacy in the context of digital systems constantly infiltrating daily life. What is really worth asking is not only whether Bunnings provides a clear enough notice, but also whether the enterprise has the right, in a place where ordinary people only want to shop, to regard everyone who enters as a potential data object first, and only then as a customer.
Why did the Bunnings incident cause controversy?
The key to the widespread controversy in this case is that what Bunnings has done is not just traditional video surveillance. According to the Australian Information Commissioner’s Office, Bunnings deployed face recognition technology in more than 60 stores between 2018 and 2021 to identify individuals on the list of internal priority personnel to deal with serious repeated crimes, violent incidents, coercion and organized retail crimes (OAIC, 2024). From the point of view of the enterprise alone, this seems to be a security measure for a few high-risk objects. What really complicates the problem is that the system does not start working only after a few clear targets have been identified; it operates on the premise of capturing and processing the faces of all people entering the store. At the same time, the survey of CHOICE, a consumer rights organization, also shows that many customers do not know that large retailers, including Bunnings, are using this kind of technology. Even if there are relevant signs in stores, they are often not eye-catching, and it is difficult for ordinary customers to really realize what kind of data processing they are subject to (Blakkarly, 2022).
This is very important because it reveals two completely different security logics. It is one thing for security guards to stand at the door and observe the crowd, because this kind of observation can be understood in social experience. People usually know that they are in a public or semi-public space where they will be seen. But if the store further uses the technical system to capture faces, extract features, generate biometric data, and then automatically compare it with the internal database, it will no longer just look at you, but include you in a digital program for classification, screening and early warning. Automatic customs clearance at the airport is an easier reference to understand. The reason why many passengers are willing to accept face recognition at the airport is that they know that they are entering a place with high security requirements, clear rules and strict supervision, and identity verification is the core logic of the space. However, a hardware store in the suburbs is obviously not an airport. When ordinary customers walk into Bunnings, they usually do not expect themselves to be undergoing some kind of border inspection-like identity screening.
In November 2024, the Australian Information Commissioner’s Office determined that Bunnings collected sensitive information without consent, failed to take reasonable measures to notify the relevant individuals, and did not properly reflect this practice in its privacy management framework, thus constituting an infringement of the right to privacy (OAIC, 2024). By February 2026, the Administrative Review Court partially overturned the ruling. The court held that in limited situations involving serious threats and crime prevention, Bunnings could invoke specific legal exceptions to provide a certain basis for its practice, but at the same time pointed out that the company was obviously insufficient in its notification obligations and should have completed a formal, structured and written privacy risk assessment to fully examine the possible impact of this system (OAIC, 2026a). A month later, Privacy Commissioner Carly Kind further emphasized that the ruling does not mean that Australia’s regulatory threshold for face recognition technology has been lowered. On the contrary, it reaffirms that such technologies are still highly invasive in the sense of privacy law (OAIC, 2026b).
It is precisely because the successive legal judgments are not completely consistent that this case is more worth analyzing. It is not a story that can be simply summarized as a complete mistake of the enterprise or the complete correctness of supervision. Rather, it sets a real security anxiety beside another equally real risk of biometric monitoring, forcing people to face the tension between the two.
Privacy is not just a sign on the door
When understanding this case, one of the most common and easily misleading ways is to simplify the question to whether the notice is sufficient. According to this point of view, the main problem of Bunnings seems to be that the logo is not made larger, the language is not written more clearly, or the customer does not know clearly enough when entering the door that the system is running. However, this understanding is still too superficial, because it implies that as long as there is some form of notification, the privacy problem can be regarded as resolved. In fact, the real question is not just whether it is said or not, but whether the practice itself meets people’s reasonable expectations of the flow of information in the scenario.
The situational integrity theory proposed by Helen Nissenbaum provides a very important framework for understanding this point. She pointed out that privacy depends not only on whether the information is collected, but also on the way the information is collected, used and disseminated, and whether it conforms to the norms, role relationships and reasonable expectations in specific social situations. In other words, people will not have the same concept of privacy everywhere. A person will have very different expectations about how his information should flow at home, in the hospital, on social media platforms, at school, in court, or in supermarkets and hardware stores. Therefore, privacy is not an abstract control that is detached from the scene, but a social norm deeply embedded in specific life situations (Nissenbaum, 2018).
Once we look back at the Bunnings case from this perspective, the problem will be much clearer. Most customers may be able to accept the existence of ordinary surveillance cameras in the store, and may also understand that employees retrieve videos to check the history after violence, disputes or theft, because this practice is still generally consistent with people’s daily understanding of retail security. However, customers usually do not reasonably expect that their faces will be extracted as biometric information at the moment of entering the store and automatically included in the real-time matching process with the internal list. That is to say, the key to the problem is not whether Bunnings has mentioned this system somewhere, but that the system itself has changed what it meant to enter a store. It reshaped a scene that was originally shopping into a space based on digital recognition (Nissenbaum, 2018).
This is also the reason why it is difficult for face recognition to obtain full legitimacy through tacit consent. Selinger and Hartzog believe that the reason why facial monitoring is often difficult to truly consent to is that individuals usually neither understand the full consequences of the operation of such technologies nor are able to negotiate equally with organizations on relevant conditions (Selinger & Hartzog, 2020). If a person enters the store just to buy necessary goods and happens to see an inconspicuous sign, then even if that is counted as agreement, the consent is actually very fragile. It is more like a formal self-protection mechanism that allows enterprises to claim that they have fulfilled their obligation to inform, but it is not enough for customers to truly understand, measure and make free choices (Selinger & Hartzog, 2020).
A simple comparative example can illustrate this more intuitively. Using Face ID to unlock your mobile phone and being scanned by a face recognition system in a retail store both involve facial information on the surface, but the two are completely different in nature. The former is a function that users actively enable, which occurs on their own devices and serves their own purpose of use. The latter is deployed by a third party to serve third-party business and security goals, and is embedded in a data environment that ordinary people are not fully aware of. Although both use human faces, the meaning of information flow, the power relationship and the logic of the scene are completely different. This is also the key point that the situational integrity theory wants to emphasize. The destruction of privacy is not only the data being taken away, but the information flow being reorganized in a way that is inappropriate to the scene and the roles involved (Nissenbaum, 2018).
From store policies to digital rights
The significance of the Bunnings case is not only about privacy itself, but also about who has the right to decide the rules of digital society. Suzor pointed out that in the contemporary digital environment, more and more important rules affecting people’s daily lives are not formed through open, transparent and accountable democratic procedures, but are formulated by private institutions themselves. Even if these institutions do not belong to social media platforms in the traditional sense, they are more and more like private governors. They design systems, set boundaries, allocate risks, and decide what kind of monitoring or control methods can be normalized (Suzor, 2019).
From this perspective, Bunnings is not simply using a tool, but in fact redefines the conditions for entering the store. It decided that any customer who just came to buy wood, tools or gardening supplies could be placed in a biometric analysis process. This decision seems to be just an internal operation arrangement of the enterprise, but in fact it has a clear governance meaning, because it changes the way people are observed, identified and classified in the daily commercial space (Suzor, 2019).
Flew’s discussion is particularly inspiring here, because he emphasizes that digital governance is not only managed by the state through laws, but also by private infrastructure itself. As long as enterprises can control data flow, visibility and entry rules, they are no longer just market subjects, but actually participate in shaping social order. The Bunnings case shows that this governance is not limited to mobile phone applications, social platforms or Internet services, but will also appear in the increasingly data-based physical space. It is usually easier for people to understand digital governance as something on the screen, but in fact, it can also happen after the automatic door of a hardware store (Flew, 2021).
This also makes the issue of digital rights in Australia more prominent. Goggin and others pointed out that the reason why digital rights are important is that access, privacy, participation and control have become more and more deeply embedded in people’s daily communication and social life, but individuals often lack real control over how their data is processed (Goggin et al., 2017). Bunnings’ case clearly reflects this inequality. Enterprises master technology, databases, rule-making power and institutional resources, and can decide how the system is designed, how to operate, and how to interpret its legitimacy. Ordinary customers have almost no ability to be equal to them. They can’t review the model, can’t question the matching process, can’t negotiate conditions with merchants, and can’t achieve a really effective rejection while maintaining normal shopping (Goggin et al., 2017).
Therefore, the core issue of this case is not only whether Bunnings violates the privacy law. It touches on a deeper problem. In a society where digital systems continue to enter the real space, do ordinary people have to make themselves identifiable, computable and traceable as the price of completing their most everyday business activities?
Conclusion
The Bunnings case is important not because it shows how advanced a new technology is, but because it transforms an ordinary shopping experience into a public question about what privacy means in the biometric era. It reminds people that what really calls for vigilance is not the technology itself that is hidden in the corner, although this is of course important. The deeper danger is that these systems may be unknowingly normalized and gradually redefine what people have to give up in order to get on with their daily lives.
If privacy is compressed into a bulletin board at the door, then individuals have to take on excessive responsibility to manage risks that they have neither created nor are really able to control. A more reasonable starting point should be that people should not be automatically converted into biometric data subjects just because they want to buy a hammer, a water pipe or a bag of potting soil. Therefore, the lessons of the Bunnings case do not belong to just one retail enterprise, but actually point to the larger problems that the whole society must face. Once face recognition becomes a matter of course in daily space, the already unstable boundary between security and monitoring will become more difficult to defend.
Reference List
Aniulis, H. (2022). Facial recognition technology, privacy and administrative law. UNSW Law Journal, 45(4), 1513–1555.
Conde, J., & Svantesson, D. J. B. (2024). The five generations of facial recognition usage and the Australian privacy law. International Data Privacy Law, 14(3), 247–258. https://doi.org/10.1093/idpl/ipae007
Flew, T. (2021). Regulating platforms. Polity.
Goggin, G., Vromen, A., Weatherall, K., Martin, F., Webb, A., Sunman, L., & Bailo, F. (2017). Digital rights in Australia. Department of Media and Communications, University of Sydney. https://ses.library.usyd.edu.au/handle/2123/17587
Kugler, M. B. (2019). From identification to identity theft: Public perceptions of biometric privacy harms. UC Irvine Law Review, 10(1), 107–152.
Marwick, A. E., & boyd, d. (2018). Understanding privacy at the margins—Introduction. International Journal of Communication, 12, 1157–1165. https://ijoc.org/index.php/ijoc/article/view/7053
Migliorini, S. (2023). Biometric harm. Law, Technology and Humans, 5(2), 238–251.
Nissenbaum, H. (2018). Respecting context to protect privacy: Why meaning matters. Science and Engineering Ethics, 24(3), 831–852. https://doi.org/10.1007/s11948-015-9674-9
Office of the Australian Information Commissioner. (2026a, February 4). OAIC statement on Administrative Review Tribunal’s Bunnings decision. https://www.oaic.gov.au/news/media-centre/oaic-statement-on-administrative-review-tribunals-bunnings-decision
Office of the Australian Information Commissioner. (2026b, March 5). Privacy Commissioner statement on Administrative Review Tribunal’s Bunnings decision. https://www.oaic.gov.au/news/media-centre/privacy-commissioner-statement-on-administrative-review-tribunals-bunnings-decision
Selinger, E., & Hartzog, W. (2020). The inconsentability of facial surveillance. Loyola Law Review, 66(1), 33–54.
Suzor, N. P. (2019). Who makes the rules? In Lawless: The secret rules that govern our digital lives (pp. 10–24). Cambridge University Press.
Blakkarly, J. (2022, July 12). Kmart, Bunnings and The Good Guys using facial recognition technology in stores. CHOICE. https://www.choice.com.au/data-protection-and-privacy/data-collection-and-use/how-your-data-is-used/articles/kmart-bunnings-and-the-good-guys-using-facial-recognition-technology-in-store
Office of the Australian Information Commissioner. (2024, November 19). Bunnings breached Australians’ privacy with facial recognition tool. https://www.oaic.gov.au/news/media-centre/bunnings-breached-australians-privacy-with-facial-recognition-tool