90 incidents on record · 2026 Headlights Incident reports by Ellie Harris · Melbourne
10 new this week Library last updated 13 July 2026
← The incident library
HD-INC-022
Retail & hospitality · Australia · 2024 · Biometric surveillance

Bunnings face-scanned hundreds of thousands of shoppers without telling them, and a regulator's finding was half-undone on appeal

By Ellie Harris · Filed November 2018 to November 2021

Alleged: Bunnings Group (Wesfarmers) developed or deployed the AI system implicated in this incident. Details are drawn from public reports; parties are presumed innocent of any wrongdoing not established by an official finding.

Bunnings face-scanned hundreds of thousands of shoppers without telling them, and a regulator's finding was half-undone on appeal

What happened

Between November 2018 and November 2021, Bunnings Group ran facial recognition technology through the in-store CCTV of 63 stores across Victoria and New South Wales. The system captured the face of every person who walked in, likely hundreds of thousands of people, and converted each face into a biometric template. Each template was compared, within milliseconds, against a database of individuals Bunnings had enrolled as persons of interest, people it associated with theft, violence, or abuse of staff. Where there was no match, which was almost everyone, the facial data was deleted near-instantly. Bunnings said the technology was there to protect its workers and customers from what it described as a rising tide of organised retail crime and aggression.

Shoppers were not told this was happening in any way they would notice. There was small signage at store entrances referring to CCTV, but nothing that would lead an ordinary person to understand that their face was being measured and matched against a watchlist as they walked through the door.

On 19 November 2024, the Office of the Australian Information Commissioner, in a determination by Privacy Commissioner Carly Kind, found that Bunnings had breached the Privacy Act 1988. The Commissioner found that Bunnings collected sensitive biometric information without consent (Australian Privacy Principle 3.3), failed to take reasonable steps to notify people that the collection was occurring (APP 5.1), failed to manage personal information in an open and transparent way or set the practice out in its privacy policy (APP 1.2 and 1.3), and failed to implement the practices, procedures, and systems needed to comply with the Australian Privacy Principles. Central to the reasoning was proportionality: facial recognition was the most privacy-intrusive option available, and it captured everyone who entered, not only the small number of high-risk individuals it was aimed at. The Commissioner did not impose a civil penalty, noting Bunnings had cooperated throughout, but ordered the company to stop the practice and to destroy the personal information it had collected after a twelve-month period.

Bunnings sought review of the determination. In February 2026, the Administrative Review Tribunal set aside the central finding that Bunnings had collected sensitive information without consent in breach of Australian Privacy Principle 3, accepting that Bunnings was entitled to rely on exemptions for the limited purpose of combatting significant retail crime and protecting people in its stores from violence and abuse. The Tribunal did not disturb the findings that Bunnings had failed to properly notify customers and had lacked adequate policies and procedures governing the technology. Commentators described the result as a mixed outcome. The Privacy Commissioner did not appeal, but warned publicly that the decision was not a green light for widespread biometric surveillance, and that any retailer using facial recognition would still need to prove strong privacy safeguards were in place.

What an auditable version would have shown

The dispute that ran for more than a year turned, in large part, on questions of fact that a proper record would have answered directly. How many people were scanned. How many were matched. What happened to the data of the people who were not matched, and how quickly. What individuals were told, and where, and when. Much of this had to be reconstructed and contested through the investigation and the review.

An auditable deployment would have produced, for every scan, a signed and tamper-evident record: the fact that a face was captured, the watchlist it was checked against, whether a match was returned, the action taken on a match, and the deletion of the template where there was no match. Crucially, the record would also capture the standing rules in force at the moment of collection, the consent basis being relied on, the notice that was supposed to have been given, and the retention rule that was supposed to apply. Whether Bunnings adequately told people what was happening — the finding the Tribunal upheld — would not have to be argued years later from photographs of entrance signs. The record would already show what each shopper was shown, and where, at the moment their face was scanned.

Where the gap was

The gap was not in the matching technology. It was in the absence of any enforced, recorded connection between the system’s operation and the rules that were meant to govern it.

A ConstraintGate sitting in front of collection would encode the standing rules as something the system has to satisfy before it acts: is there a lawful basis for collecting this biometric template, has the notice obligation been met for this store, is the retention period defined and enforced. An action that could not satisfy those conditions would be denied, or would require explicit, recorded approval, rather than proceeding silently. A ConductRecord written for every scan would then make the operation of the system legible after the fact, to an auditor, a regulator, or a tribunal, without anyone having to reverse-engineer it.

We are not inferring this. The Commissioner found — and the Tribunal upheld — that Bunnings failed to implement the practices, procedures and systems the Privacy Act required, and failed to notify the people it scanned; the Tribunal added that Bunnings should have run a formal, documented privacy risk assessment and had not. The matching worked exactly as designed, deleting non-matches in milliseconds. What was missing sat around it: the rules meant to govern collection — who was told, on what basis, how long data was kept — were never built into how the system ran, and nothing recorded whether they were met.

What governance should have looked like

A retailer deploying biometric matching for loss prevention has to settle the governance before the first camera is switched on, not after a regulator asks.

That means deciding in advance, store by store, what the lawful basis for collection is and how shoppers will be told in a way they actually register. Those answers become conditions the system enforces at the point of collection, the standing rules a ConstraintGate checks before it allows a single template to be stored, rather than claims assembled for an investigation later. That discipline is what separated the two halves of the Tribunal’s decision: Bunnings could defend the purpose of its system, but it could not defend the notice or the governance, because neither was ever built in.

Bunnings is unlikely to be the final word on retail facial recognition. The Tribunal left the door open to lawful use while making clear that transparency and governance are where these systems will be judged — so the next disputes will turn on exactly those points. Retailers that can produce the record will show they cleared that bar; the ones that cannot will be arguing it the way Bunnings did, years later, from photographs of entrance signs.

The reference implementation of ConstraintGate and ConductRecord is open source. It lives at github.com/saffronandindia/headlights-oss, Apache 2.0 licensed and free to install. Anyone can read every line and verify the signatures. The repository is public now.

Sources

The mailing list

Fresh incident reports every week. One email to match.

We add new incidents to the library regularly, and send a single short email each week with what's new. The library stays free and open; this is just how you keep up with it.

No tracking. Unsubscribe in one click.

The record

An auditable system would have produced a signed, tamper-evident record the moment this happened: what the system did, the version that did it, the basis it acted on, and the action taken, and Bunnings Group (Wesfarmers) could have produced it on demand.

This is the record the system as deployed did not produce in a signed, auditable form.

What this teaches
Capture what happened when it happens
What the system did, the version that did it, the basis it acted on, and the action taken, recorded at the moment, not reconstructed after.
Sign it, so no one has to trust the record-keeper
A tamper-evident entry. Edit it later and the signature breaks. The record does not ask for the benefit of the doubt.
Make it verifiable by anyone
A court, a regulator, a customer's lawyer can check the record themselves, without taking the company, or us, at our word.

Headlights summarises publicly reported AI incidents. All summaries are independently written, attributed to their original sources, and intended for research and educational purposes. Allegations are identified as such until established through official findings.

Last reviewed June 2026. This report is based on the sources listed above and reflects information available at the time of review; later developments may not be captured. Where a person is described as charged with or alleged to have done something, that allegation is unproven unless a conviction or a court or regulatory finding is stated. Headlights publishes journalism and commentary, not legal advice.

Want to write back?

Direct to my inbox.

ellie@useheadlights.com →