Smile – you’re on in-store camera! Tribunal decision leaves scope for facial recognition CCTV
The Administrative Review Tribunal (ART) has overturned the Privacy Commissioner’s determination that use of facial recognition technology (FRT) in Bunnings stores contravened key requirements of privacy laws regarding the collection of sensitive personal information. In doing so, the ART’s decision in Bunnings Group Limited and Privacy Commissioner [2026] ARTA 130 provides useful guidance on how and when a business may utilise CCTV equipped with FRT to identify individuals. While the Privacy Commissioner’s original determination had been taken to suggest very limited scope to use FRT, the ART ruling confirms that consent-free use of FRT can be possible under a narrow statutory exception, whilst also reaffirming that strong privacy governance and transparent communication remain mandatory. Although this decision may influence the future of store security, it is not a blanket approval of FRT-enabled CCTV systems in retail settings.
BACKGROUND
Between late 2018 and November 2021, Bunnings deployed CCTV cameras equipped with FRT in 63 selected stores. The system generated facial templates at entry and compared them against a list of high-risk individuals associated with violence, abuse, and organised retail crime. Where there was no match, data was deleted within milliseconds. Where a potential match appeared, staff were notified to undertake a manual review before taking further action.
After conducting an investigation in 2024, the Privacy Commissioner found that in deploying this technology, Bunnings had breached a number of Australian Privacy Principles (APPs), being:
- APP 3.3, with respect to the collection of sensitive information;
- APP 5.1, which requires steps to notify individuals of certain matters when collecting their personal information;
- APP 1.3, which requires an entity to have a clearly expressed and up-to-date privacy policy; and
- APP 1.2, which requires an entity to take reasonable steps to implement practices, procedures and systems to ensure they comply with the APPs.
Most significantly, the facial profiles used in the FRT system are biometric information, which constitutes sensitive information for the purposes of the APPs. Notwithstanding that this sensitive information was, for the overwhelming majority of persons captured on CCTV, discarded within a fraction of a second, the Privacy Commissioner considered that Bunnings ‘collected’ that information. Under APP 3.3, organisations are generally required to have the consent of an individual when collecting sensitive information about them, unless certain narrow exceptions apply. The Privacy Commissioner was of the view that none of those exceptions were applicable to Bunnings’ systems, and that its FRT system could not be conducted in compliance with APP 3.3.
Bunnings subsequently appealed the determination to the ART.
THE ART’S DECISION
On 4 February 2026, the ART delivered a judgment largely in favour of Bunnings. The ART was satisfied that Bunnings had ‘collected’ information, despite the FRT system only holding relevant facial recognition data for approximately 0.004 of a second. However, contrary to the Commissioner’s determination, the ART allowed Bunnings to rely on a statutory exception for the collection of sensitive information without consent for the limited purpose of preventing unlawful activity and harm to staff and customers. At the same time, the ART affirmed the Commissioner’s view that Bunnings fell short on transparency and notice.
USE OF CCTV-BASED FRT
The ART’s central finding was that Bunnings’ use of CCTV-based facial recognition did not breach APP 3.3, despite involving the collection of sensitive biometric information. APP 3.3 generally prohibits collecting sensitive information without consent. However, an exception applies under APP 3.4(a) where a ‘permitted general situation’ exists. One such permitted general situation applies where:
- an entity has reason to suspect that unlawful activity, or misconduct of a serious nature, that relates to the entity’s functions or activities has been, is being or may be engaged in; and
- the entity reasonably believes that the collection, use or disclosure of sensitive information is necessary in order for the entity to take appropriate action in relation to the matter.
The Commissioner considered this permitted general situation did not apply. While she recognised that Bunnings ‘had reason to suspect that unlawful activity that related to its functions or activities had been, was being, or may be engaged in’ via theft and threatening behaviour toward staff, she did not consider that the second limb was satisfied. While FRT was ‘an additional and complementary tool available to’ Bunnings, that did not mean that it was reasonable to believe that it was ‘necessary’, especially given the ‘significant volume of personal information collected’ to take ‘action in respect of unlawful activity on a relatively small number of occasions and in respect of a relatively small number of individuals’.
The ART disagreed, and accepted that a permitted general situation existed, because:
- obtaining consent from every customer entering a large, high traffic retail environment was impracticable; and
- Bunnings reasonably believed that using FRT was necessary to combat unlawful activity (‘very significant retail crime’) and reduce serious threats to the safety of staff and customers.
The ART’s reasoning relied heavily on evidence of repeated violence, threats, and organised crime. It also placed weight on the design of the FRT system, which deleted non-matches almost immediately and required human verification before taking further action. These constraints persuaded the ART that the data collection was proportionate and appropriately minimised the intrusion into customers’ privacy.
This outcome confirms that CCTV equipped with FRT may be lawful without consent in limited, well-justified contexts where the statutory criteria are met.
COMPLIANCE WITH THE OTHER APPs
Although Bunnings’ collection of sensitive information was found to be permissible, the ART agreed with the Privacy Commissioner’s assessment that Bunnings had failed to comply with certain other requirements of the APPs in adopting its FRT system.
Notice
The ART observed that Bunnings breached APP 5.1, which imposes an obligation to take reasonable steps to notify individuals of relevant matters before or at the time of collecting personal information about them. The ART found that Bunnings’ signage and customer-facing statements did not clearly inform customers that FRT was operating, what information it captured, or the purpose of its use. Phrasing such as ‘video surveillance, which may include facial recognition’ was considered too vague and unlikely to alert customers to the fact that sensitive biometric information was being captured. This failure to adequately notify customers was sufficient to contravene APP 5.1.
Privacy policy
The ART similarly upheld the Commissioner’s finding that Bunnings breached APP 1.3, which requires organisations to have a privacy policy that clearly sets out the kinds of personal information that are collected, held, and used, and how this occurs. During the relevant period, Bunnings’ privacy policy did not mention the operation of FRT, describe the collection of biometric information, or acknowledge how that information would be managed. This omission meant that individuals had no meaningful way to understand the nature of the personal information being collected. The ART noted that APP 1.3 requires specific disclosure, and that general statements about CCTV or store security are not an adequate substitute.
Practices and systems
The ART also observed that Bunnings did not meet its obligations under APP 1.2, which requires organisations to take reasonable steps to establish and maintain practices and systems that ensure compliance with the APPs. The ART found that Bunnings had introduced FRT without carrying out a formal, structured, and documented assessment of the privacy impacts associated with the system. Instead of adopting a methodical approach, Bunnings relied on informal and ad hoc internal enquiries. The ART held that this fell short of the standard expected for a technology that collects sensitive biometric information.
PRIVACY COMMISSIONER’S RESPONSE
The Privacy Commissioner has confirmed that she has not filed an appeal of the ART’s decision.
The Commissioner’s statement emphasises that the decision should be viewed ‘as a useful case study, rather than a green light for deployment of biometric technologies’, and that businesses looking to utilise these technologies ‘must meet a high bar to be considered lawful under the Privacy Act’.
The Commissioner has undertaken to make ‘Specific updates to existing guidance… to reflect the Tribunal’s decision and ensure that retailers have up-to-date information’ about the application of privacy laws, which will likely include a ‘need to conduct a detailed risk assessment specific to their circumstances before deploying the technology’.
WHAT THE DECISION MEANS FOR BUSINESSES
The ART’s decision provides somewhat more scope for businesses to consider adopting FRT than previously suggested by the Privacy Commissioner’s determination, but does not provide an unrestricted ability to do so in all circumstances. The decision indicates that businesses using CCTV-based FRT must adopt strong privacy governance and documentation standards that are proportionate to the privacy impact. The outcome demonstrates that CCTV equipped with FRT can be lawful without consent, but only in narrow circumstances supported by evidence of unlawful activity including significant theft, or staff or customer safety concerns. Businesses will need to justify such collection with detailed incident records, evaluation of alternative risk‑mitigation measures, and careful reasoning that shows why biometric identification is both necessary and proportionate.
The ART’s findings reinforce that transparent communication and rigorous privacy management are equally important. Even if an APP 3 exception applies, businesses must maintain precise and informative privacy notices, undertake structured privacy assessments before implementation, and ensure that privacy policies accurately describe data collection practices. Organisations should conduct robust internal review processes, implement ongoing oversight mechanisms, and ensure customers are aware of FRT deployment.
Importantly, whilst this decision relates specifically to FRT, it does not diminish privacy requirements for ordinary CCTV usage. APP 5 notice obligations still apply to CCTV generally, particularly when footage may be used for investigative or enforcement purposes. The more advanced or intrusive the CCTV technology, the higher the governance expectations will be. CCTV systems can also be subject to State and Territory surveillance legislation, such as the Surveillance Devices Act 2007 (NSW).
A PRACTICAL COMPLIANCE BLUEPRINT
The following actions are now expected features of responsible CCTV-based facial recognition in Australia:
- Begin with a clearly documented safety justification. Demonstrate the unlawful activity, misconduct, harm, or safety concern that is being addressed, why biometric collection is necessary, and why consent cannot realistically be obtained. Document options considered and why alternatives are insufficient.
- Conduct a formal privacy assessment before deployment. Test necessity, proportionality, system design, data retention and access, and conduct due diligence in respect of the vendor and its technologies and practices.
- Minimise data collection and retention. Delete non‑matches immediately, limit watchlists to current risk cases, require human verification, and maintain detailed logs.
- Provide specific and prominent notices explaining that FRT is being used, what information it collects, why it is needed, and how individuals can raise concerns.
- Maintain ongoing privacy governance. Regularly review incidents, assess system accuracy, and revisit the necessity of biometric collection.
- Maintain compliance with adjacent APP obligations by ensuring watchlist accuracy (APP 10), strong security measures (APP 11), minimal data retention, and accessible pathways for individuals to seek access or correction (APPs 12 and 13).
- Consider guidance issued by the Privacy Commissioner in respect of the use of commercially available AI products.
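To make the data-minimisation points in the blueprint concrete, the following is an added illustration written for this article; it is not Bunnings’ system, not code from the ART decision, and not any vendor’s product. It models an entry-gate matcher around the constraints the ART gave weight to: non-matches are never stored, the watchlist is purged of lapsed entries before every comparison, a potential match only creates a task for human verification, and the audit log records decisions and scores but has no field that could hold a biometric template. The embeddings, threshold, watchlist entries and cosine-similarity comparison are all constructed assumptions for the demonstration.

```python
"""Constructed illustration of a data-minimising FRT entry gate (not a real product)."""
from __future__ import annotations

import math
import uuid
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class WatchlistEntry:
    subject_id: str          # internal reference only, never a name
    template: list[float]    # hypothetical face embedding (constructed)
    reason: str              # the current risk case that justifies listing
    expires_at: datetime     # listings lapse unless actively renewed


@dataclass
class ReviewTask:
    event_id: str
    subject_id: str
    score: float
    status: str = "PENDING"  # PENDING -> CONFIRMED / REJECTED by a person


@dataclass
class AuditRecord:
    event_id: str
    at: datetime
    outcome: str             # NO_MATCH, POTENTIAL_MATCH, REVIEW_CONFIRMED, REVIEW_REJECTED
    subject_id: Optional[str] = None
    score: Optional[float] = None
    # Deliberately no template field: the log can never retain biometric data.


def cosine(a: list[float], b: list[float]) -> float:
    """Cosine similarity between two embeddings; 1.0 means identical direction."""
    dot = sum(x * y for x, y in zip(a, b))
    na = math.sqrt(sum(x * x for x in a))
    nb = math.sqrt(sum(y * y for y in b))
    return dot / (na * nb) if na and nb else 0.0


class EntryGate:
    def __init__(self, watchlist: list[WatchlistEntry], threshold: float = 0.85):
        self.watchlist = list(watchlist)
        self.threshold = threshold            # assumed vendor-calibrated value
        self.review_queue: dict[str, ReviewTask] = {}
        self.audit_log: list[AuditRecord] = []

    def purge_expired(self, now: datetime) -> None:
        """Limit the watchlist to current risk cases before every comparison."""
        self.watchlist = [e for e in self.watchlist if e.expires_at > now]

    def process_entry(self, template: list[float], now: datetime) -> AuditRecord:
        """Compare one entry-camera template against the watchlist, then drop it."""
        self.purge_expired(now)
        event_id = uuid.uuid4().hex
        best: Optional[WatchlistEntry] = None
        best_score = 0.0
        for entry in self.watchlist:
            score = cosine(template, entry.template)
            if score > best_score:
                best, best_score = entry, score
        del template  # our only reference; a real deployment would also wipe the buffer
        if best is None or best_score < self.threshold:
            record = AuditRecord(event_id, now, "NO_MATCH")
        else:
            score = round(best_score, 3)
            # A potential match never triggers action directly; it waits for a human.
            self.review_queue[event_id] = ReviewTask(event_id, best.subject_id, score)
            record = AuditRecord(event_id, now, "POTENTIAL_MATCH", best.subject_id, score)
        self.audit_log.append(record)
        return record

    def resolve(self, event_id: str, confirmed: bool, reviewer: str, now: datetime) -> ReviewTask:
        """Record the human reviewer's decision against the same event id."""
        task = self.review_queue[event_id]
        task.status = "CONFIRMED" if confirmed else "REJECTED"
        self.audit_log.append(
            AuditRecord(f"{event_id}:{reviewer}", now, f"REVIEW_{task.status}", task.subject_id, task.score)
        )
        return task


def demo() -> EntryGate:
    """Run three constructed entry events through the gate and return it for inspection."""
    now = datetime(2026, 2, 4, 9, 0, tzinfo=timezone.utc)
    watchlist = [
        WatchlistEntry("WL-001", [1.0, 0.0, 0.0], "assault on staff (constructed)", now + timedelta(days=30)),
        WatchlistEntry("WL-002", [0.0, 1.0, 0.0], "lapsed listing (constructed)", now - timedelta(days=1)),
    ]
    gate = EntryGate(watchlist)
    gate.process_entry([0.9, 0.1, 0.0], now)  # close to WL-001 -> review task, no action yet
    gate.process_entry([0.0, 0.0, 1.0], now)  # ordinary customer -> nothing retained
    gate.process_entry([0.0, 1.0, 0.0], now)  # would match WL-002, but that listing has lapsed
    pending = next(iter(gate.review_queue))
    gate.resolve(pending, confirmed=False, reviewer="store-manager", now=now)  # human rejects
    return gate


if __name__ == "__main__":
    for rec in demo().audit_log:
        print(rec)
```

The point of the structure is that the only artefacts that outlive a visitor’s entry are an audit record and, for the rare potential match, a review task keyed to a watchlist reference; the `AuditRecord` type has no place to put a template, so retention of non-matches cannot happen by accident, and the `purge_expired` call before each comparison is what keeps the watchlist limited to current risk cases.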
NEXT STEPS
The ART’s decision demonstrates that CCTV-based FRT can be used in high-risk environments without consent in narrow circumstances. However, businesses should treat this ruling as a structured framework for responsible deployment, not a green light for expanding surveillance by default. Carefully designed systems with a constrained purpose, rapid deletion, clear notice, and strong privacy governance will be more likely to satisfy the APPs. Poorly designed systems will attract regulatory attention and reputational harm.
HWLE’s privacy team has extensive experience in advising businesses regarding surveillance and other data collection issues. If you are concerned about the collection of sensitive information, please contact us for further information on how we can assist you.
This article was written by Daniel Kiley, Partner and Jasper Dowdell, Law Graduate.