Facial Recognition Laws In Australia: Compliance Guide For Businesses
TL;DR
- Facial recognition is legal in Australia, but only when collection is necessary, proportionate, and transparently disclosed under the Privacy Act 1988.
- Collection happens the moment a system reads a face, not when data is stored. Even a 4-millisecond scan counts as “collection” under APP 3.
- Bunnings (4 Feb 2026): Tribunal upheld transparency and notification breaches (APP 1, APP 5) but ruled Bunnings’ targeted, evidence-backed use for security was proportionate (APP 3 breach set aside).
- Kmart (18 Sept 2025): OAIC found Kmart breached all three APP grounds by scanning every customer for refund fraud, a blanket, disproportionate approach with no individual suspicion.
- Before deploying FRT, businesses need a documented privacy impact assessment, a written necessity/proportionality case, and APP 5-compliant in-store signage (a privacy policy alone isn’t enough).
- Penalties for serious breaches can reach AUD $50 million or 30% of adjusted annual turnover, whichever is greater.
On 4 February 2026, the Administrative Review Tribunal handed Bunnings a partial reprieve on its facial recognition case, overturning one Privacy Act breach finding while affirming two others. For Australian businesses weighing the same technology, the ruling is not necessarily a green light.
The Tribunal drew a narrow compliance corridor with precise legal boundaries, and the Office of the Australian Information Commissioner (OAIC) has confirmed that enforcement of the Privacy Act 1988 (Cth) continues regardless of the outcome. The global facial recognition technology market reached USD $8.83 billion in 2025, with uptake accelerating across retail and enterprise sectors. This FRT legal guide to Australia covers what the law requires, what the cases decided, and what compliant deployment looks like in practice.
What counts as a ‘collection’ of biometric data under the Privacy Act?
The threshold for Australian Privacy Act facial recognition obligations is narrower than most businesses expect. Under the Privacy Act and the Australian Privacy Principles (APPs), biometric data and sensitive information in Australia falls into a sensitive-information category that carries heightened obligations regardless of whether data is retained. The OAIC and the Administrative Review Tribunal have both confirmed that collection under APP 3 occurs at the point a system reads a face, not when a record is saved. That timing distinction catches businesses unprepared more than any other aspect of the law.
Biometric templates as sensitive information
Under APP 3, biometric templates and APP biometric data in Australia more broadly qualify as sensitive information under the Act, placing them in the same legal tier as health records and racial origin. An organisation seeking to collect sensitive information without consent must demonstrate that collection is directly necessary for a specific function or activity. General retail security rationales do not satisfy that standard on their own, and the OAIC has confirmed that a documented, specific necessity case is required before any collection proceeds. The biometric authentication technology overview covers how these systems function technically, which informs what needs to be documented at the compliance layer.
When a facial scan qualifies as a collection event
The aspect of Australian Privacy Principles FRT interpretation that most consistently surprises businesses is that collection does not require data retention. Collection under APP 3 occurs at the processing step, not the storage step. The OAIC’s guidance confirmed this position, and the Administrative Review Tribunal reinforced it in the Bunnings proceedings. A facial identification system that reads a face and discards the biometric template in four milliseconds has still collected sensitive information in the legal sense. Businesses that assumed no storage meant no collection have been operating under a misreading of the statute, and regulators have now confirmed that interpretation is incorrect. The practical implication is that every facial scan a system performs requires a lawful basis, not just every record stored.
What do the Bunnings and Kmart cases mean for your business?
Two enforcement actions have defined the facial recognition Australia compliance landscape since 2024. The Bunnings facial recognition case and the Kmart FRT breach produced separate Privacy Act findings against major Australian retailers for running facial identification systems in stores without adequate legal basis. Together, they offer the most concrete guidance Australian businesses have for assessing their own compliance risk, including what evidence base is required and where proportionality arguments succeed or fail.
The Bunnings ruling
Between November 2018 and November 2021, Bunnings ran a facial identification system across 62 stores in Victoria and New South Wales. The Privacy Commissioner issued a determination in October 2024 finding three contraventions, covering APP 1 (transparent management), APP 3 (collection of sensitive information), and APP 5 (notification at collection). On 4 February 2026, the Administrative Review Tribunal affirmed the APP 1 and APP 5 findings but set aside the APP 3 breach, accepting that Bunnings had presented sufficient documented evidence of specific, localised threats to staff and customers to justify proportionate use of the technology. For businesses without an equivalent formally recorded threat evidence base, this partial ruling provides limited precedent for similar deployments.
The Kmart determination
In September 2025, the OAIC found Kmart in breach of the Privacy Act across all three APP grounds. The Kmart FRT breach involved collecting biometric data from every individual entering 28 stores between June 2020 and July 2022, deploying the system against the entire customer population rather than individuals subject to specific suspicion. The OAIC found the collection disproportionate, noting that less privacy-intrusive methods for addressing refund fraud had not been adequately evaluated before deployment. The proposed removal of the small business exemption for biometric data collection means this level of scrutiny will extend to a broader range of businesses when the next wave of amendments takes effect. Corporate penalties for serious or repeated breaches under the current Act can reach up to AUD $50 million, or 30% of adjusted annual turnover for the relevant period.

What businesses must do before deploying facial recognition?
The OAIC facial recognition guidance published in November 2024 consolidates the lessons from the Bunnings and Kmart determinations into a practical pre-deployment framework for organisations considering biometric software in Australia for identification purposes. It identifies four core principles as the baseline for compliant FRT use, covering necessity and proportionality, consent and transparency, accuracy and bias management, and ongoing governance and assurance. Businesses that work through this process before launch are in a substantially stronger position when a regulator or tribunal reviews their decisions later.
Conduct a privacy impact assessment
A privacy impact assessment (PIA) process in Australia formally identifies risks before a system goes live, documenting what data is collected, why it is collected, how long it is retained, and what safeguards are in place. Under the Privacy and Other Legislation Amendment Act 2024 (Royal Assent December 2024), completing a PIA is expected to become mandatory for high-privacy-risk activities, including facial identification in publicly accessible spaces. The proposed removal of the small business exemption for biometric data collection means this obligation will extend to businesses below the current turnover threshold. OAIC compliance service guidance treats the absence of a documented PIA as evidence of inadequate privacy management, making it a de facto pre-deployment requirement for any organisation that expects to defend its practices under scrutiny.
Document a necessity and proportionality case
Both the Bunnings and Kmart cases turned substantially on whether the technology was necessary for the stated purpose and proportionate to its privacy impact on individuals. A business deploying FRT for loss prevention must record in writing that less privacy-intrusive alternatives were evaluated and found insufficient for the specific threat at hand. General loss prevention rationales are not sufficient. Many organisations working through this step engage a facial recognition compliance consultant in Australia to map OAIC requirements against their existing privacy frameworks, particularly where the necessity argument intersects with workplace safety obligations or contractual security requirements. For context on how facial recognition in the workplace intersects with employment law obligations, that guide covers the employment context in detail.
Meet APP 1 and APP 5 notification obligations
Both cases confirmed that APP 5 notification obligations and APP 1 transparency requirements demand clear, prominent in-store signage when facial identification technology is operating on premises. A privacy policy on a website does not satisfy APP 5. Signage must state that FRT is in use, the purpose of collection, and how individuals can make enquiries or raise complaints. FRT law Australia 2025 enforcement guidance confirms these as legal minimums rather than aspirational best practice. This is the aspect of face recognition compliance in Australia where businesses most consistently generate regulatory exposure and also the most straightforward obligation to address at the design stage rather than after launch. For a broader view of how responsible use and legal landscape principles apply across international FRT frameworks, that analysis covers global parallels in depth.

How Shufti helps businesses deploy FRT compliantly
Businesses that have completed a PIA, documented a necessity case, and met APP 1 and APP 5 obligations often encounter a gap between the compliance framework they have built and the technical controls their chosen platform actually provides. A facial identification system that lacks configurable retention policies, produces no timestamped audit trail, or cannot demonstrate genuine data minimisation represents a compliance exposure regardless of its accuracy rate.
Shufti’s face verification was built for regulated deployment environments. The platform covers 56+ anti-spoofing attack vectors, including deepfake presentation attacks, supports on-premises deployment for organisations where biometric data sovereignty is a non-negotiable requirement under Australian law, and produces timestamped decision records suitable for regulatory audit review. Configurable data retention controls align with the four OAIC guidance principles covering necessity, proportionality, accuracy, and ongoing governance, so the technical stack supports the compliance case rather than creating new exposure within it.
See how Shufti’s verification controls map to your pre-deployment PIA and OAIC requirements by Booking a demo.
Frequently Asked Questions
Is facial recognition legal in Australia?
Yes, but only under specific conditions. The Privacy Act 1988 permits facial recognition technology when collection is necessary, proportionate to the purpose, and organisations maintain transparent management and APP 5 notification obligations. Blanket deployment for general security without documented justification is unlikely to survive regulatory review.
What did the Bunnings facial recognition case decide?
On 4 February 2026, the Administrative Review Tribunal affirmed APP 1 and APP 5 breaches but set aside the APP 3 finding. The Tribunal accepted that Bunnings had sufficient documented threat evidence to justify proportionate use of facial identification technology at its stores. Two of three Privacy Act breach findings were upheld.
Do Australian businesses need consent for facial recognition?
Under the Privacy Act 1988, consent is the primary legal basis for collecting sensitive biometric information. An exception applies where collection is reasonably necessary for a legitimate function, but the bar is high. The Kmart determination confirmed that general loss prevention without individualized suspicion does not meet the necessity threshold on its own.
What is a Privacy Impact Assessment under Australian law?
A privacy impact assessment is a documented process identifying how a project affects individuals' privacy, what risks arise, and how those risks will be mitigated. Under proposed Privacy Act reforms, PIAs are expected to become mandatory for high-privacy-risk activities including facial identification in publicly accessible spaces.
Can Australian retailers use facial recognition for loss prevention?
Yes, but only with a documented necessity and proportionality case, a completed PIA, explicit APP 5-compliant in-store signage, and clear data governance controls. The Kmart determination established that collecting biometric data from all shoppers to detect a small number of fraud suspects fails the proportionality test.
