Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
- What Is Facial Recognition And Why Does It Matter Legally?
- Beyond The Privacy Act: Surveillance, CCTV And Workplace Laws
- Your Compliance Checklist: Practical Steps To Use Facial Recognition Safely
- 1) Map Your Use Case And Necessity
- 2) Choose Your Lawful Basis And Consent Model
- 3) Conduct A Privacy Risk Assessment
- 4) Be Transparent: Notices, Policies And Signage
- 5) Implement Consent And Rights Management
- 6) Minimise, Secure And Delete
- 7) Manage Vendors And Cross-Border Issues
- 8) Train Your Team And Test Your System
- 9) Prepare For Incidents
- 10) Review Regularly
- Key Documents To Have In Place
- Common Pitfalls (And How To Avoid Them)
- What Happens If You Get It Wrong?
- Key Takeaways
Facial recognition technology has moved from “nice to have” to everyday reality for many Australian businesses. From smarter access control and faster customer check-in to fraud reduction and VIP service, it can deliver real value.
But with that value comes responsibility. Because facial recognition uses biometric information, it attracts strict privacy and surveillance rules in Australia. The good news? With the right approach, you can use it lawfully and build trust with your customers and staff.
In this guide, we’ll explain how facial recognition is regulated, when consent is required (and when it isn’t), where state surveillance laws fit in, and the practical steps to roll out the technology safely and compliantly.
What Is Facial Recognition And Why Does It Matter Legally?
Facial recognition is any technology that identifies or verifies a person by analysing their facial features. In practice, it may involve live cameras at store entrances, mobile app login, secure building access, staff timekeeping, or airport passenger screening.
Legally, the key point is that data used to recognise a face (for example, a face template or “faceprint”) is biometric information. Under the Privacy Act 1988 (Cth), biometric information that is used for the purpose of uniquely identifying an individual is “sensitive information.” Sensitive information has higher protections than regular personal information and triggers stricter rules for collection, use, disclosure and security.
Because facial recognition is also commonly deployed via cameras, you’ll often need to consider surveillance and workplace-specific laws on top of privacy law. We unpack both below.
Is Facial Recognition Legal In Australia?
Yes, businesses can use facial recognition in Australia - but there are safeguards you must follow. The main national law is the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs), which apply to most private sector organisations with an annual turnover of more than $3 million and certain smaller entities (for example, health service providers or businesses that trade in personal information).
When Is Consent Required (And When Not)?
Because biometric information used for identification is sensitive information, APP 3 generally requires you to obtain consent before collection. In practice, “consent” should be informed, specific, voluntary and unambiguous (often an explicit opt‑in, such as ticking a box or signing a form, especially in consumer-facing contexts).
However, consent is not always mandatory. APP 3.4 recognises limited exceptions for collecting sensitive information without consent, such as where:
- It is required or authorised by an Australian law or court/tribunal order.
- A “permitted general situation” applies (for example, to lessen or prevent a serious threat to life, health or safety, or for certain enforcement activities).
These exceptions are narrow. For most commercial use cases (e.g. retail analytics, faster check-in, timekeeping), plan on obtaining clear, informed consent.
Who Does The Privacy Act Cover?
Many small businesses with turnover under $3 million are exempt from the Privacy Act. But there are important carve-outs. You are still covered if, for example, you are a health service provider, trade in personal information, are a contractor to the Commonwealth, or operate certain credit-related services.
Even if the Act does not strictly apply to you, facial recognition is high-risk. Adopting privacy best practice (consent, notices, security and deletion) will protect your brand and prepare you for likely reforms.
What About The Employee Records Exemption?
Private sector employers benefit from an “employee records exemption” for acts or practices related to current and former employee records. This exemption is limited. It does not cover job applicants, contractors, or customers. It also doesn’t override other laws - in particular, workplace surveillance and monitoring laws at state/territory level still apply. If you deploy facial recognition for staff (for example, access control or time-and-attendance), assume you’ll need clear notice, a lawful purpose, and appropriate safeguards.
Key APP Obligations You’ll Need To Meet
In addition to APP 3 (collection), be ready to meet obligations including:
- APP 1 and 5: Be transparent, have an up-to-date Privacy Policy, and give a collection notice explaining what you collect, why, who you share it with, and how individuals can access or correct their data.
- APP 6: Use and disclosure must be for the purpose you told people about (or a directly related purpose they’d reasonably expect) unless an exception applies or you get fresh consent.
- APP 8: Cross-border disclosure safeguards if you transfer biometric data overseas (including cloud storage or offshore service providers).
- APP 11: Take reasonable steps to protect data (technical and organisational measures) and to destroy or de‑identify it when no longer needed.
Beyond The Privacy Act: Surveillance, CCTV And Workplace Laws
Privacy law is only part of the picture. Facial recognition commonly involves audio‑visual capture and monitoring, so you’ll also need to plan for surveillance and workplace rules that differ across states and territories.
- CCTV and public signage: If you’re using cameras in customer areas, signage and transparency are crucial. Start with the principles in security camera laws in Australia, including notice and reasonable use.
- Workplace surveillance: Many jurisdictions (for example, NSW and the ACT) have specific laws regulating workplace monitoring. Typical requirements include prior notice (often in writing), clear signage, and limits on covert surveillance. If you’re asking “are cameras legal in the workplace?”, our overview of workplace camera rules is a helpful starting point.
- Recording and covert monitoring: Covert or audio recording is restricted by surveillance devices laws. If your solution includes audio capture or recording of conversations, check the rules about recording laws in Australia and any state-specific requirements.
- Children and vulnerable people: If your venue serves children or vulnerable customers (e.g. schools, healthcare), regulators expect heightened care, clear alternatives and robust consent management.
- Anti-discrimination: Be mindful of potential bias, profiling or adverse decisions based on biometric data (for example, unequal false‑match rates). Build in human review for high‑impact decisions and avoid discriminatory criteria.
- Consumer law transparency: The Australian Consumer Law prohibits misleading or deceptive conduct. Be precise about what the technology does (and doesn’t do) in signage, onboarding screens and FAQs.
Your Compliance Checklist: Practical Steps To Use Facial Recognition Safely
Here’s a pragmatic roadmap you can follow to roll out facial recognition lawfully, minimise privacy risk and build trust.
1) Map Your Use Case And Necessity
- Define the purpose: fraud prevention, faster check‑in, access control, or VIP service.
- Challenge necessity: can you achieve the same outcome with a less intrusive option (e.g. badge access rather than biometrics)? If yes, regulators may expect you to choose the less intrusive method.
- Scope the data: images, face templates, metadata, timestamps, locations - and whether any of it leaves Australia.
2) Choose Your Lawful Basis And Consent Model
- For most private sector use cases, build an explicit opt‑in flow and record consent (e.g. staff acknowledgement or an in‑app checkbox linked to your notice).
- If you rely on a legal requirement or another APP exception, document the basis and why it applies.
- Offer an alternative pathway where feasible (for example, a non‑biometric access card).
3) Conduct A Privacy Risk Assessment
- Assess privacy impacts across the data lifecycle (collection, storage, access, sharing, retention and deletion).
- Identify high‑risk scenarios (covert capture, third‑party sharing, children) and put controls in place.
- For structured assessments, adopt a Privacy Impact Assessment plan and keep it updated as your use evolves.
4) Be Transparent: Notices, Policies And Signage
- Publish and maintain a clear, accessible Privacy Policy tailored to biometric data.
- Provide a collection notice at (or before) capture explaining the purpose, who you disclose to, retention period and how to opt out.
- Use prominent signage at entrances or capture points. In staff settings, provide written notice ahead of time and get acknowledgement.
5) Implement Consent And Rights Management
- Use a simple opt‑in mechanism (tick box, signature, or digital acknowledgement). A concise Privacy Consent Form can streamline this.
- Make it easy to withdraw consent and to request access, correction or deletion.
- Avoid bundling consent with other terms; consent should be specific to biometric processing.
6) Minimise, Secure And Delete
- Collect the minimum data necessary and avoid retaining raw images if a template will suffice.
- Apply strong security controls: encryption at rest and in transit, strict access controls, audit logs and vendor hardening.
- Set retention periods and enforce deletion or de‑identification once data is no longer needed.
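The minimise/secure/delete step above is easiest to get right when it is enforced in code rather than by policy alone. The following is an added example, not Sprintlaw's code or any vendor's API: a small template store that keeps only a derived face template (never the raw image), records consent and withdrawal, and runs a retention sweep that deletes expired or withdrawn templates and writes an audit-log entry for each deletion. The 90-day retention period, the SHA-256 stand-in for a real feature extractor, and the sample subjects are all assumptions.

```python
"""Added example (not the article's or any vendor's code): enforce data
minimisation, consent withdrawal and retention for face templates, with an
audit log of every enrolment, withdrawal and deletion."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional
import hashlib

RETENTION_DAYS = 90  # assumed retention window; take yours from your PIA


def placeholder_template(raw_image: bytes) -> bytes:
    """Stand-in for the vendor's feature extractor (assumption): a hash is NOT a
    face template, it only models 'derive something, then drop the image'."""
    return hashlib.sha256(raw_image).digest()


@dataclass
class TemplateRecord:
    subject_id: str
    template: bytes                 # derived template only; raw image is never kept
    consent_given_at: datetime
    last_used_at: datetime
    consent_withdrawn_at: Optional[datetime] = None


@dataclass
class TemplateStore:
    records: Dict[str, TemplateRecord] = field(default_factory=dict)
    audit_log: List[tuple] = field(default_factory=list)

    def enrol(self, subject_id: str, raw_image: bytes, consent_given_at: datetime,
              template_fn: Callable[[bytes], bytes] = placeholder_template) -> None:
        # Derive the template, then let the raw image go out of scope: only the
        # template is stored, in line with 'avoid retaining raw images'.
        template = template_fn(raw_image)
        self.records[subject_id] = TemplateRecord(
            subject_id, template, consent_given_at, consent_given_at)
        self.audit_log.append((consent_given_at, "enrol", subject_id, "consent_recorded"))

    def record_use(self, subject_id: str, when: datetime) -> None:
        """A successful verification resets the retention clock."""
        self.records[subject_id].last_used_at = when
        self.audit_log.append((when, "use", subject_id, "verified"))

    def withdraw_consent(self, subject_id: str, when: datetime) -> None:
        self.records[subject_id].consent_withdrawn_at = when
        self.audit_log.append((when, "withdraw", subject_id, "consent_withdrawn"))

    def enforce_retention(self, now: datetime) -> List[str]:
        """Delete templates whose consent was withdrawn or whose retention window
        has lapsed; return the subject ids removed (sorted for determinism)."""
        removed = []
        for sid, rec in list(self.records.items()):
            expired = now - rec.last_used_at > timedelta(days=RETENTION_DAYS)
            if rec.consent_withdrawn_at is not None or expired:
                reason = "consent_withdrawn" if rec.consent_withdrawn_at else "retention_expired"
                del self.records[sid]
                self.audit_log.append((now, "delete", sid, reason))
                removed.append(sid)
        return sorted(removed)


def demo():
    """Constructed scenario: three enrolments, one withdrawal, one sweep."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    store = TemplateStore()
    store.enrol("alice", b"constructed-image-a", t0)
    store.enrol("bob", b"constructed-image-b", t0)
    store.enrol("carol", b"constructed-image-c", t0 + timedelta(days=60))
    store.withdraw_consent("bob", t0 + timedelta(days=10))
    removed = store.enforce_retention(t0 + timedelta(days=100))
    return removed, store


if __name__ == "__main__":
    removed, store = demo()
    print("deleted:", removed)            # alice (expired), bob (withdrawn)
    print("retained:", list(store.records))
    for entry in store.audit_log:
        print(entry)
```

Run the sweep from a scheduled job, and keep the audit log (which holds only subject ids and reasons, not biometric data) for as long as your records policy requires, since it is the evidence that deletion actually happened.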
7) Manage Vendors And Cross-Border Issues
- Perform due diligence on any vendor providing facial recognition or cloud hosting.
- Use a robust Data Processing Agreement with clear security, breach notification and deletion obligations.
- If data is stored or accessed overseas, meet APP 8 cross‑border disclosure requirements (assessing the recipient’s protections or obtaining informed consent with appropriate safeguards).
8) Train Your Team And Test Your System
- Train staff on lawful use, minimisation, data handling and incident reporting.
- Test for accuracy, bias and false matches. Calibrate thresholds to reduce harm and escalate edge cases for human review.
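Testing for false matches and bias, then routing edge cases to a person, is a measurable exercise. The example below is added here and is not the article's or any vendor's code: it computes the false match rate (FMR) and false non-match rate (FNMR) of a similarity threshold on constructed comparison scores, checks FMR per demographic group rather than only overall, picks the lowest threshold whose worst group still meets the target, and routes scores near the threshold to human review. The scores, the two group labels, the 15% FMR target and the review band width are all assumptions chosen to make the per-group effect visible; real evaluation needs far larger sample sizes.

```python
"""Added example (not the article's or any vendor's code): threshold
calibration with per-group false-match checks and a human-review band."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Comparison:
    score: float        # matcher similarity score, higher means more similar
    same_person: bool   # ground truth for this pair
    group: str          # demographic group label used for bias testing


def error_rates(comparisons: List[Comparison], threshold: float) -> Tuple[float, float]:
    """Return (FMR, FNMR) at a threshold: impostor pairs accepted, genuine pairs rejected."""
    impostors = [c for c in comparisons if not c.same_person]
    genuines = [c for c in comparisons if c.same_person]
    fmr = sum(c.score >= threshold for c in impostors) / len(impostors) if impostors else 0.0
    fnmr = sum(c.score < threshold for c in genuines) / len(genuines) if genuines else 0.0
    return fmr, fnmr


def per_group_fmr(comparisons: List[Comparison], threshold: float) -> Dict[str, float]:
    groups = sorted({c.group for c in comparisons})
    return {g: error_rates([c for c in comparisons if c.group == g], threshold)[0]
            for g in groups}


def choose_threshold(comparisons: List[Comparison], max_fmr: float,
                     candidates: List[float], per_group: bool = True) -> Optional[float]:
    """Lowest candidate threshold meeting the FMR target. With per_group=True the
    WORST group must meet it, which is the bias check the checklist asks for."""
    for t in sorted(candidates):
        worst = (max(per_group_fmr(comparisons, t).values()) if per_group
                 else error_rates(comparisons, t)[0])
        if worst <= max_fmr:
            return t
    return None


def decide(score: float, threshold: float, review_band: float) -> str:
    """Automated decision only when the score is clearly on one side; scores
    within the band around the threshold are escalated for human review."""
    if score >= threshold + review_band:
        return "match"
    if score < threshold - review_band:
        return "no_match"
    return "human_review"


def constructed_scores() -> List[Comparison]:
    """Constructed sample (not real matcher output). Group B's impostor pairs
    score higher, so a threshold that passes overall still over-matches B."""
    data = {
        "A": ([0.65, 0.70, 0.75, 0.80, 0.85, 0.88, 0.90, 0.92, 0.95, 0.97],   # genuine
              [0.10, 0.20, 0.30, 0.35, 0.40, 0.45, 0.50, 0.55, 0.60, 0.72]),  # impostor
        "B": ([0.62, 0.70, 0.74, 0.80, 0.83, 0.86, 0.90, 0.93, 0.95, 0.98],
              [0.15, 0.25, 0.40, 0.50, 0.55, 0.60, 0.65, 0.68, 0.70, 0.78]),
    }
    out: List[Comparison] = []
    for group, (genuines, impostors) in data.items():
        out += [Comparison(s, True, group) for s in genuines]
        out += [Comparison(s, False, group) for s in impostors]
    return out


SAMPLE = constructed_scores()
CANDIDATES = [0.60, 0.65, 0.70, 0.75, 0.80]

if __name__ == "__main__":
    overall = choose_threshold(SAMPLE, 0.15, CANDIDATES, per_group=False)
    fair = choose_threshold(SAMPLE, 0.15, CANDIDATES)
    print("threshold by overall FMR:", overall, per_group_fmr(SAMPLE, overall))
    print("threshold by worst-group FMR:", fair, per_group_fmr(SAMPLE, fair))
    print("FMR/FNMR at chosen threshold:", error_rates(SAMPLE, fair))
    for s in (0.50, 0.77, 0.90):
        print(s, "->", decide(s, fair, 0.05))
```

On this constructed data the overall FMR target is met at 0.70, but group B is false-matched twice as often as group A there, so the worst-group rule raises the threshold to 0.75 at the cost of a higher FNMR. That trade-off (fewer wrongful matches versus more people falling back to the non-biometric alternative) is exactly the kind of calibration decision to record in your PIA.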
9) Prepare For Incidents
- Maintain an up-to-date Data Breach Response Plan that covers biometric data, with clear roles and timelines.
- Be ready to assess notifiable data breaches quickly and notify affected individuals and the OAIC if required.
10) Review Regularly
- Privacy expectations and laws evolve. Schedule periodic reviews of your notices, consent flows, retention and vendor controls.
- Reassess necessity if the business purpose changes or expands.
Key Documents To Have In Place
Strong documentation helps you demonstrate compliance and manage risk from day one. Depending on your use case, consider:
- Privacy Policy: Explains what biometric data you collect, why, where it’s stored, who you share it with, and how individuals can exercise their rights. A tailored Privacy Policy is essential.
- Collection Notice: Given at the point of capture, spelling out your purpose, lawful basis, disclosures, retention and opt‑out options. A clear Privacy Collection Notice makes this simple.
- Consent Form: A concise way to record informed, opt‑in consent, particularly for customers and staff. A standardised Privacy Consent Form helps you keep consistent records.
- Data Processing Agreement (DPA): Contractual protections when vendors handle biometric data for you, covering security, sub‑processors, audits, breach notification and deletion. See Data Processing Agreement.
- Workplace Policies And Notices: If using facial recognition for staff, update your Workplace Policy or Staff Handbook and provide written notice in line with local workplace surveillance laws.
- Signage Templates: Prominent signs at store entrances or capture points that explain camera use and key privacy details.
- Privacy Impact Assessment (PIA): A repeatable framework to identify and mitigate risks for new deployments, supported by a Privacy Impact Assessment plan.
- Incident Response Plan: Steps for containing and responding to a breach involving biometric data, typically your Data Breach Response Plan.
Not every business will need every document, but most will need several. The right mix depends on your industry, whether you’re customer‑facing or internal‑only, and whether any data leaves Australia.
Common Pitfalls (And How To Avoid Them)
Based on recent regulatory scrutiny, these are the issues that trip businesses up:
- Silent capture: Using cameras to generate face templates without clear signage or notices. Fix this with prominent signage and just‑in‑time notices before capture.
- Vague purposes: Saying you collect for “security and service improvement” without being specific. Be concrete about the use (e.g. “reduce fraud at self‑checkout” or “speed up check‑in”).
- Bundled consent: Hiding biometric consent inside general terms and conditions. Use a separate, specific consent step.
- Over‑collection: Keeping raw images or retaining data indefinitely. Minimise, set retention limits, and enforce deletion.
- Weak vendor controls: Using an overseas vendor without due diligence or contract protections. Put a strong DPA in place and check where data is stored and accessed.
- Workplace blind spots: Forgetting state/territory workplace surveillance notice requirements. If in doubt, assume you need prior written notice and reasonable transparency for staff monitoring.
If cameras are part of your solution, make sure your approach aligns with the principles in Australia’s security camera laws and check your setup against “are cameras legal in the workplace” guidance before you go live.
What Happens If You Get It Wrong?
Mishandling facial recognition carries significant risk. Consequences can include:
- Regulatory investigations: The OAIC (and state privacy or surveillance regulators) can investigate, require remediation and accept enforceable undertakings.
- Serious penalties: For serious or repeated interferences with privacy, penalties can be substantial. Orders may also require you to stop using the technology or delete data.
- Notifiable data breach obligations: If biometric data is compromised, you may have to notify affected individuals and the OAIC quickly.
- Class actions and complaints: Individuals may seek compensation where their sensitive information has been mishandled.
- Reputational damage: Trust is hard‑won and easily lost - mishandling biometrics can harm brand loyalty and retention.
Key Takeaways
- Facial recognition can be used by Australian businesses, but biometric data is “sensitive information” and attracts stricter privacy rules.
- Consent is the norm for commercial use, but there are narrow exceptions (for example, where required by law or a permitted general situation applies).
- Plan for more than the Privacy Act - CCTV, workplace surveillance and recording laws at state/territory level may apply to your setup.
- Build trust with transparency: clear notices, a tailored Privacy Policy, prominent signage and simple opt‑out options.
- Minimise data, secure it, set deletion timelines, and lock down your vendors with a Data Processing Agreement.
- Be breach‑ready with a tested Data Breach Response Plan and review your settings regularly as laws and technology evolve.
If you’d like a consultation on ensuring your business complies with facial recognition laws in Australia, you can reach us at 1800 730 617 or team@sprintlaw.com.au for a free, no‑obligation chat.