The report led Choice to lodge a complaint to the Office of the Australian Information Commissioner about potential breaches of the Privacy Act – which is currently being reviewed – due to the fact that the potential business gain does not outweigh the potential breach of privacy such technology poses, especially without customers explicitly consenting to being tracked when entering stores.
Of the three retailers, only The Good Guys has decided to pause its use of facial recognition in stores while the complaint is being investigated – a decision welcomed by Choice.
“Following our investigation, we have had an overwhelming response from the Australian community saying clearly they do not want this kind of technology used in retail stores,” Choice’s senior campaigns and policy advisor Amy Pereira said.
“We urge Kmart and Bunnings to reflect on the announcement made yesterday by The Good Guys, and ask them to end their use of facial recognition technology in store.”
Supermarket Woolworths has also been singled out after a slide from a 2020 training module, uploaded by a user on Reddit, claimed it uses facial mapping and artificial intelligence in its CCTV system, and had shared this data with police in order to help them apprehend suspects.
Woolworths told Crikey that while the slide was real, the business doesn’t “use any form of facial recognition technology in-store” and will “be updating the wording in the module to make it clearer.”
According to Reddit users, Woolworths and rival Coles use a software called Auror Crime Intelligence that shares data with other retailers on its network as well as collaborating law enforcement agencies. The software is used to gather evidence on repeat offenders, and is largely used to prevent theft and shrinkage.
Most customer’s “uncomfortable” with surveillance
Deloitte’s 2022 Australian Privacy Index, released last week, found that while 80 per cent of Australian consumers see the value in sharing data in order to receive a more personalised online experience, only 30 per cent are happy with the subsequent personalisation.
Additionally, while 83 per cent of brands are collecting the online browsing data of their customers – only 2 per cent disclose potential data sharing, online tracking, or other uses of data at customer sign up. The remaining 98 per cent do so only within their own privacy policies, which are often difficult for customers to find and parse.
To Deloitte’s national privacy and data protection lead partner and report author Daniella Kafouris, this lack of transparency is leading to a level of discomfort from consumers about what is actually happening with their data behind the scenes.
This, compounded by the fact that most are disappointed in the service they get for sharing said data, is creating tension between retailers and customers.
“There has been an increased use of data in a way that is not as transparent to consumers [as they would like],” Kafouris told Inside Retail.
“More than half of them are uncomfortable with the way they’re being monitored and the whole experience they go through.
“We’re seeing a lot of brands look at the regulations, tick the boxes, and then figure out what they need to do – there are few organisations that actually try to make data collection a good experience for their customers.”
University of the Sunshine Coast school of science, technology and engineering lecturer in cyber intelligence Dr Dennis Desmond told Inside Retail that, both in Australia and internationally, privacy laws have rarely kept up to date with rapidly changing technologies, and the opportunities they pose.
As a result, it’s often up to the brand to decide how to interact with new technology, such as facial recognition, in a respectful way.
“There’s the argument that the stores are using [facial recognition] for loss prevention, and to improve their ability to identify those that are engaging in criminal behaviour or theft. But if that were true, then there should be some acknowledgement that the data being collected is only stored locally, and only for that purpose, but we haven’t seen any discussions on that,” Dr Desmond said.
“There’s been no discussion of the deletion of still or video images of surveillance that’s happening in these stores, and that data could be used in a multitude of ways.”
Without adequate oversight, Dr Desmond argued, it wouldn’t be difficult for retailers to tie payment methods, shopping behaviours and purchase history to a customer’s face, and that such information could easily be shared or used in a way that customers haven’t consented to, such as being shared with police, if a retailer is asked.
“Imagine if someone didn’t make a child support payment, and was then identified within a store, and there was an immediate alert that notified law enforcement where that person was so they could intercept them,” Dr Desmond said.
“You could argue that it could improve society, and safety and security, but don’t we have a reasonable expectation of privacy?”
How to earn your customers’ trust
So how can retailers ensure that customers trust them to handle their data?
According to Deloitte’s Kafouris, the most important thing a business can do is to be transparent and upfront with what it needs from customers, and what it intends to do with that data.
“Brands need to increase their transparency with customers,” Kafouris said.
“I think they need to get to a place where they understand that this is something that customers want to know about, and that they need to take them on a journey beyond legal jargon and privacy notices.”
One of the difficult parts for customers is that every business uses its own language when it comes to discussing data collection. Some use “monitoring”, while others use “surveillance” or “tracking” to discuss the same thing, making it difficult to understand different privacy agreements.
Simplifying language could go a long way in helping customers understand what is being expected of them, but, regardless, Kafouris believes businesses should always ensure customers need to opt-in to any data collection that will take place: never take silence as consent.
By allowing customers to choose what data to share, and explaining where the data is going and why, businesses can start to educate their customers on why they might want to share their data without the need to feel uncomfortable.