Legal Guidelines for In-Store Video Surveillance (CCTV) and Customer Privacy

In Australia, the use of CCTV and advanced surveillance technologies like Facial Recognition Technology (FRT) in retail stores requires a careful balance between legitimate security interests and customer privacy rights.

With recent landmark legal decisions and ongoing privacy reforms, retailers must navigate a complex web of federal and state laws.

This guide outlines the key legal obligations, best practices, and critical lessons from recent tribunal decisions.

1. Understanding the Legal Framework

Retailers in Australia must comply with multiple layers of regulation when deploying surveillance technologies.

  • Privacy Act 1988 (Cth) and Australian Privacy Principles (APPs): These apply to businesses with an annual turnover of more than $3 million. The APPs regulate the collection, use, storage, and disclosure of personal information, including video footage and biometric data[citation:1][citation:3].
  • State and Territory Surveillance Laws: Each state has its own legislation (e.g., Surveillance Devices Act 2007 (NSW)) that governs the use of listening and surveillance devices. These laws generally require that surveillance be overt and that individuals are notified[citation:1][citation:3].
  • Workplace Surveillance Laws: Separate rules apply to employee surveillance and vary by state. Retailers must check local requirements when monitoring staff areas[citation:1].
  • Industry Codes of Practice: The Australian Retailers Association (ARA) has published a Video Surveillance Code of Practice that provides practical guidance on lawful surveillance in retail settings[citation:10].

2. The Landmark Bunnings FRT Case: Key Lessons for Retailers

The 2024-2026 legal battle between Bunnings and the Privacy Commissioner has become the defining case for biometric surveillance in Australian retail[citation:3][citation:6].

Key takeaway: Even data held for milliseconds constitutes 'collection' of sensitive biometric information requiring legal justification.

What Happened?

Between 2018 and 2021, Bunnings deployed FRT cameras in 63 stores. The system created facial templates of every customer entering the store and compared them against a database of individuals known for violent or criminal conduct.

Non-matches were deleted within 0.004 seconds[citation:3][citation:6].

The Privacy Commissioner's Original Finding (2024)

The Commissioner determined that Bunnings had breached multiple APPs because the FRT collected sensitive biometric information without consent[citation:3].

The Administrative Review Tribunal (ART) Decision (February 2026)

The ART largely overturned the Commissioner's decision, ruling that Bunnings could rely on a statutory exception under APP 3.4(a) – the 'permitted general situation' – because[citation:3]:

  • Bunnings had reason to suspect serious unlawful activity (organised retail crime, violence against staff) was occurring
  • The collection of biometric information was reasonably necessary to take appropriate action
  • Obtaining consent from every customer in a high-traffic retail environment was impracticable
  • The system design was proportionate: immediate deletion of non-matches and human verification before action

Critical Failings the ART Upheld Against Bunnings

Despite allowing the FRT use, the ART confirmed Bunnings breached other key obligations[citation:3][citation:6]:

  • APP 5.1 (Notice): Signage stating 'video surveillance, which may include facial recognition' was too vague. Customers must be positively notified that their sensitive biometric information is being collected.
  • APP 1.3 (Privacy Policy): The privacy policy did not mention FRT, biometric collection, or how such data would be managed.
  • APP 1.2 (Practices and Systems): Bunnings failed to conduct a formal, documented privacy impact assessment before deploying FRT. Informal and ad hoc internal enquiries were insufficient.

3. When Is CCTV Collection 'Reasonable' and 'Proportionate'?

The Office of the Australian Information Commissioner (OAIC) emphasises proportionality – the security risk being addressed must be proportionate to the potential privacy harm[citation:1].

The Commissioner stated: 'just because a technology may be helpful or convenient, does not mean its use is justifiable.'[citation:1]

Key questions to assess reasonableness include[citation:1][citation:3]:

  • Is the surveillance necessary for a legitimate purpose (safety, theft prevention)?
  • Are there less privacy-intrusive alternatives that would achieve the same outcome?
  • How is the information collected, stored, and accessed?
  • How long is footage held before deletion?

4. Prohibited Areas for Surveillance

Under the ARA Code of Practice, surveillance should NOT be conducted in[citation:10]:

  • Change rooms and fitting rooms
  • Toilet cubicles
  • Any point-of-sale systems where payment security measures (such as PINs) could inadvertently be recorded
  • Any area of an intimate nature where people would reasonably expect privacy

5. Mandatory Signage and Notification Requirements

Notification is a fundamental requirement under both state surveillance laws and the APPs.

For Standard CCTV:

  • Signage must be prominently displayed at all entrances to the store[citation:10]
  • Signage should use simple language and consider languages other than English where necessary
  • Employees must be advised through staff noticeboards and induction processes[citation:10]

For FRT or Biometric Surveillance:

The Bunnings case established a higher standard[citation:3][citation:6]:

  • Signage must explicitly state that FRT (not just 'video surveillance') is in use
  • Customers must be told what biometric information is collected, why it is needed, and how it will be used
  • Vague or generic statements are insufficient
  • Individuals should be informed of the main consequences of collecting this information

6. Practical Compliance Blueprint for Retailers

Based on the ART's findings, the following steps are now expected features of responsible CCTV or FRT deployment[citation:3][citation:6]:

  1. Conduct a formal Privacy Impact Assessment (PIA) before deployment. Document the necessity, proportionality, system design, data retention, and vendor due diligence.
  2. Establish a clear safety or security justification. Demonstrate the specific unlawful activity or safety concern being addressed. Collect evidence of incidents (e.g., theft records, assault reports).
  3. Minimise data collection and retention. Delete non-matches immediately, limit watchlists to current risk cases, and require human verification before any action is taken.
  4. Provide specific and prominent notices. Explain exactly what technology is being used, what information is collected, why it is needed, and how individuals can raise concerns.
  5. Maintain accurate and up-to-date privacy policies. These must specifically address biometric collection if FRT is used.
  6. Implement strong security measures (APP 11). Ensure surveillance data is protected from breaches and unauthorised access.
  7. Document everything. Keep records of approvals, incident logs, system design choices, and ongoing review processes.
  8. Regularly review necessity. Reassess periodically whether the surveillance remains necessary and proportionate.

7. Risks and Penalties for Non-Compliance

Following the December 2024 privacy law reforms, penalties for non-compliance have increased significantly[citation:1].

  • Defects in privacy policies explaining how information is collected can now leave companies liable to substantial fines[citation:1]
  • A new statutory tort for serious invasions of privacy may apply, drawing on principles from defamation law[citation:1]
  • The OAIC has investigation and enforcement powers, including the ability to issue binding determinations
  • Reputational damage from adverse findings can be significant, even if no fine is imposed

In summary, while CCTV remains a valuable tool for retail security, the legal bar for compliance – especially with biometric technologies – has been raised.

Transparent communication, robust governance, and documented necessity are no longer optional extras but mandatory requirements.
