TL;DR: On February 4, 2026, an Australian tribunal ruled that hardware chain Bunnings could use facial recognition on customers without their consent. The company scanned every person who walked into 63 stores across Victoria and New South Wales. The tribunal said it was justified because of “safety concerns.” Privacy experts warn this reasoning could let any business scan your face just by claiming it helps prevent crime. Australia’s privacy regulator is “carefully considering” whether to appeal.
What the Tribunal Ruled
Australia’s Administrative Review Tribunal just handed down a ruling that privacy advocates are calling a potential “free-for-all” for facial recognition [1].
The case: Between November 2018 and November 2021, Bunnings (Australia’s equivalent of Home Depot) ran facial recognition cameras in up to 63 stores. Every customer who walked through the door got their face scanned. The system compared faces against a database of people banned for theft, abuse, or threats. No match? The data was deleted in 4.17 milliseconds. Match? Staff got an alert [2][3].
The Privacy Commissioner investigated and found Bunnings broke the law. Specifically, they violated three Australian Privacy Principles (APPs): transparency, collection, and notification requirements. In October 2024, the Commissioner ruled against Bunnings [4].
Bunnings appealed. And on February 4, 2026, they won the important part [5].
The tribunal upheld the findings that Bunnings failed to properly notify customers and should have done a formal privacy risk assessment. But it threw out the consent violation: the part that actually matters [3][5].
The “Safety” Loophole
Here’s how Bunnings got away with it.
Australia’s Privacy Act normally requires consent before collecting “sensitive information,” which includes biometric data like facial scans. But Section 16(A) creates an exception: you don’t need consent if you “reasonably believe” the collection is “necessary to lessen or prevent a serious threat to the life, health or safety of any individual.” [1][3]
The tribunal accepted Bunnings’ argument that retail crime and abuse of staff created a serious safety threat. Therefore, scanning every customer’s face without asking was a “reasonable and proportionate response.” [3]
Privacy experts immediately spotted the problem.
“If non-consensual biometric processing is accepted in retail, the same logic can apply” everywhere else, wrote Margarita Vladimirova, a former Office of the Australian Information Commissioner lawyer now at Monash University. The ruling, she argued, transforms consent from something operative to something “formally recognised in law, but practically irrelevant.” [1]
Translation: any business can now claim “safety concerns” and start scanning faces.
The Scale of the Surveillance
Bunnings isn’t a small operation. It’s Australia’s largest home improvement chain, with over 300 stores nationwide. The facial recognition trial covered 63 stores across two of Australia’s most populous states [2][3].
Every person who entered those stores during the nearly three-year trial had their face captured, analyzed, and compared against Bunnings’ internal database. That includes families with children, casual browsers, and anyone who walked through the doors for any reason.
The company says data was deleted in milliseconds if no match was found. But that’s not the point. The point is they collected it at all, without asking.
What Happens Next
Australia’s Office of the Australian Information Commissioner (OAIC), the agency that brought the original case, issued a carefully worded statement after the ruling [4].
On one hand, they called it “an important reiteration of the key principles and protections contained in Australian privacy law.” On the other hand, they noted that “an appeal period applies” and they’re “carefully considering this decision and its implications.” [4]
The OAIC pointed to survey data: 62% of Australians view personal information protection as a major concern, and 84% want stronger privacy safeguards. Whether those concerns translate into an appeal remains to be seen [4].
Legal experts note the ruling isn’t a “complete win” for Bunnings. The company still has to maintain transparency: clear signage, proper privacy disclosures, documented risk assessments [2]. But the core question, whether retailers can scan your face without permission, went Bunnings’ way.
Part of a Pattern
Australia isn’t alone in wrestling with retail facial recognition. In January 2026, US grocery chain Wegmans announced it was scanning customer faces in some stores. Walmart, Kroger, and Home Depot have admitted to the same [6].
The difference: Australia just got a legal precedent that might make it easier for businesses to skip the consent step entirely.
In the US, states like Illinois, Texas, and Washington have biometric privacy laws that require explicit consent. But most states don’t. And federal law doesn’t touch it.
The Bunnings ruling could influence how other common-law countries interpret similar safety exceptions. If “preventing retail crime” justifies mass facial scanning in Australia, lawyers elsewhere will make the same argument.
What You Can Do
Look for Signs
In Australia, businesses using facial recognition must display notices. Look for them at entrances. The tribunal upheld this requirement even while allowing the surveillance.
Ask Questions
Under Australian privacy law, you can ask businesses what personal information they collect. Submit a formal request. Make them answer.
Support Reform
The OAIC has until early March 2026 to decide whether to appeal. If you’re Australian, contact the OAIC and your representatives. Tell them this ruling sets a dangerous precedent.
Know the Limits
Hats, sunglasses, and masks can reduce facial recognition accuracy. Not a perfect solution, but it’s something.
The Bottom Line
A hardware store just established that “safety concerns” can override your right to consent to biometric surveillance. The logic scales. If Bunnings can do it, so can every shopping mall, sports stadium, office building, and public venue that claims to worry about crime.
The tribunal didn’t just rule on one company’s facial recognition trial. It potentially opened the door to a world where your face is scanned everywhere you go, and nobody has to ask first.
Whether that door stays open depends on what the OAIC does next.
References
- The Conversation: Bunnings decision may open door to facial recognition surveillance free-for-all (February 2026)
- Inside FMCG: How the Bunnings ruling changes the future of AI surveillance (February 10, 2026)
- Clayton Utz: Bunnings “wins” appeal on Facial Recognition Technology: Key takeaways (February 2026)
- OAIC: Statement on Administrative Review Tribunal’s Bunnings decision
- Gilbert + Tobin: Administrative Review Tribunal upholds Bunnings’ use of facial recognition technology
- State of Surveillance: Wegmans and Major Retailers Using Facial Recognition