Australia's most significant privacy ruling of 2026 arrived quietly in February — but its consequences for every shopper who walks into a hardware store, a supermarket, or a shopping centre are still unfolding.
The Administrative Review Tribunal (ART) handed down a landmark decision in Bunnings Group Limited and Privacy Commissioner [2026] ART, partially overturning an earlier 2024 ruling by the Office of the Australian Information Commissioner (OAIC) that Bunnings had unlawfully used facial recognition technology (FRT) in its stores.
The outcome: Bunnings can keep scanning your face. But the legal bar the tribunal set — and the conditions it imposed — have major implications for every Australian business now considering whether to follow suit.
What Bunnings Actually Did
Between 2018 and 2021, Bunnings deployed facial recognition technology across 62 retail stores in Victoria and New South Wales. The system continuously analysed CCTV footage of customers entering its stores, comparing facial data against a database of individuals flagged as high-risk — people who had previously engaged in actual or threatened violence, organised retail crime, or other serious misconduct at Bunnings locations.
In 2022, the Privacy Commissioner determined that Bunnings had breached the Australian Privacy Act 1988 (Cth), specifically the Australian Privacy Principles (APPs) covering transparency, notification and the collection of sensitive information. The OAIC ordered Bunnings to stop using FRT and destroy the biometric data it had collected.
Bunnings appealed. In February 2026, the ART delivered its decision.
What the Tribunal Actually Decided
The ART's ruling was a partial victory for Bunnings — and a carefully qualified one.
The tribunal agreed with the OAIC that Bunnings had breached APP 1 and APP 5, which relate to having a compliant privacy policy and providing adequate notification to people whose data was being collected. Bunnings' privacy notices were ruled "insufficient" — shoppers were not adequately informed they were being subjected to face scans.
However, the tribunal disagreed on the central question of whether the collection of biometric data was lawful at all. It found that the "unlawful activity" exception in APP 3 did apply in Bunnings' circumstances, meaning the collection of biometric information to identify known violent offenders was not prohibited under Australian privacy law.
The result: Bunnings can continue operating its facial recognition system, provided it fixes its privacy notifications and brings its privacy policy into compliance.
The Office of the Australian Information Commissioner released a statement emphasising that the ruling "confirms a high bar for the use of facial recognition technology in Australia" and that entities must conduct detailed risk assessments specific to their circumstances before deploying the technology.
What This Means for Australian Shoppers
The ruling does not give retailers a free hand to scan every customer's face. The conditions are significant.
First, any retailer using FRT must maintain a compliant privacy policy that clearly discloses the technology is in use, what data is collected, how long it is retained, and on what legal basis.
Second, the "unlawful activity" exception is narrow. It applies where the collection is genuinely necessary to prevent or lessen a serious threat to public health or safety, or is required by law. Using FRT to prevent shoplifting of low-value goods would likely not meet this threshold.
Third, any individual whose data is collected has rights under the Privacy Act: the right to access information held about them, the right to seek correction, and the right to lodge a complaint with the OAIC if they believe their privacy has been breached.
The Business Domino Effect
Following the ART ruling, legal commentary from Gilbert + Tobin, Clayton Utz and Bird & Bird all pointed in the same direction: retailers and venue operators across Australia would reassess their FRT ambitions. The Australian Retail Council had reported in 2026 that 81 per cent of Australians support using FRT to identify people who have previously threatened retail staff — suggesting public appetite for the technology.
What the tribunal made clear is that this appetite cannot be satisfied by quietly deploying cameras. The compliance obligations are real, the notification requirements are strict, and the risk assessment must be documented.
For businesses, this means legal advice is not optional before deploying FRT. The cost of getting it wrong — as Bunnings' multi-year legal battle demonstrates — can far exceed the cost of proper compliance review upfront.
Your Rights if You Think You've Been Scanned
If you are concerned that your biometric data has been collected by a retailer without your adequate knowledge, you have concrete options.
You can request access to any personal information a business holds about you under APP 12. You can request correction of that information under APP 13. And if a business refuses or you believe they have breached their obligations, you can lodge a complaint directly with the OAIC.
A privacy lawyer can help you understand whether a breach occurred, draft a formal access or erasure request, and advise on whether compensation may be available under the Privacy Act if your sensitive biometric information was mishandled.
The Bunnings ruling did not settle privacy law in Australia — it opened the door to a generation of cases as more businesses adopt biometric technology, and as Australians become more alert to when and how their faces are being used as data.
Legal notice: This article provides general information only and does not constitute legal advice. For advice on privacy compliance or individual data rights, consult a qualified Australian privacy lawyer.

Emie Wang