MoranLaw Blog

Privacy Commissioner’s Inquiry into Facial Recognition in Retail

Written by Louisa Joblin | June 5, 2025

TL;DR: Facial recognition technology (FRT) can be used lawfully in Aotearoa – but only if retailers get the privacy safeguards right.

The Privacy Commissioner’s inquiry into Foodstuffs’ trial of FRT has concluded, providing valuable insights for organisations navigating the intersection of technology and privacy law.

Despite the highly intrusive nature of collecting biometric information from every customer who enters a store, the Commissioner found the FRT system implemented in Foodstuffs’ North Island stores met the Privacy Act’s requirements, primarily because of key safeguards: immediate deletion of the images of customers who did not match a watchlist, and restricted access to match data.

Commissioner’s expectations

The Commissioner’s report on the inquiry sets out nine expectations for responsible use of FRT in Aotearoa:

  1. Clearly justified: only use FRT if it’s genuinely necessary.
  2. Proportionate to the risk: the benefits of using FRT must clearly outweigh the privacy intrusion.
  3. Be transparent: organisations must be upfront with individuals about the use, purpose, and functioning of FRT.
  4. Stick to the stated purpose: biometric information should only be used for the reason for which it was collected.
  5. Collect and keep only what’s needed: only biometric information that’s strictly necessary should be collected and kept.
  6. Avoid bias and misidentification: systems should be implemented to reduce the risk of misidentification and algorithmic bias (e.g. across skin tones and ethnicities).
  7. Keep the information secure: strong technical and organisational security measures are essential (e.g. tight access controls on match data and prompt deletion of images that are not needed).
  8. Be accountable: organisations must have good privacy governance in place (e.g. documenting decisions, conducting privacy impact assessments, and training staff).
  9. Review and assess regularly: continually evaluate whether FRT use remains necessary and effective.

For organisations exploring FRT, the Commissioner’s findings offer a practical benchmark and a caution: privacy compliance is not just about legal box-ticking. It’s about understanding the full spectrum of risks, especially where vulnerable communities may be disproportionately affected.

If your organisation is considering FRT (in whatever setting), now is the time to get clear on the risks, understand your obligations, and determine what responsible, lawful use looks like in your context. MoranLaw’s experienced team is well across the inquiry and the Commissioner’s findings, and can help your organisation navigate the potential use of FRT. Get in touch today.