Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
- What Is Facial Recognition Technology?
- Is Facial Recognition Legal For Australian Businesses?
- How To Use Facial Recognition Lawfully: A Practical Checklist
- 1) Map Your Use Case And Lawful Basis
- 2) Run A Privacy Impact Assessment
- 3) Be Transparent At The Point Of Collection
- 4) Obtain Valid Consent (And Make Opt-Out Realistic)
- 5) Put Strong Security In Place
- 6) Manage Vendors And Cross-Border Storage
- 7) Align With Surveillance Rules
- 8) Train Your Team And Refresh Regularly
- Using Facial Recognition For Employees
- What Legal Documents Will You Need?
- Key Takeaways
Facial recognition technology is changing how Australian businesses manage security, streamline access and deliver personalised services. You’ll see it in airports and office buildings, but also in gyms, retail stores and stadiums.
It’s powerful, but it also handles biometric information, which is some of the most sensitive personal data under Australian law. That means strict rules around when and how you can collect it, what you can use it for, and how you must secure it.
If you’re weighing up whether you can legally use facial recognition in your business, this guide walks you through what’s allowed, what the law requires, key risks, and the practical steps to stay compliant and build customer trust.
What Is Facial Recognition Technology?
Facial recognition technology uses algorithms to analyse facial features from images or video, create a mathematical “template” and compare it to a stored database for identification or verification. In business, typical use cases include:
- Access control to buildings or secure areas
- Time and attendance verification for staff
- Loss prevention and fraud detection
- VIP recognition and personalised services
- Frictionless payments or member check-ins
When facial recognition creates or uses a biometric template for the purpose of identification or verification, it generally involves “sensitive information” under Australian privacy law. That triggers higher compliance obligations than ordinary personal information.
Is Facial Recognition Legal For Australian Businesses?
Yes, if you follow the rules. In Australia, using facial recognition is legal when you comply with privacy law (primarily the Privacy Act 1988 (Cth) and the Australian Privacy Principles), relevant state and territory surveillance laws, and consumer law requirements around transparency and fairness.
Two clarifications are important here:
- Consent is usually required for collecting biometric information, but there are limited exceptions in the Privacy Act. For example, where collection is required or authorised by law, or in very narrow circumstances concerning health or safety. In practice, most private sector use of facial recognition should be based on clear, informed consent.
- There’s a small business exemption in the Privacy Act for some businesses under $3 million annual turnover. However, many small businesses are still covered; for example, health service providers, businesses that trade in personal information, those that handle Tax File Number information, or those contracted to provide services to the Commonwealth. Even if exempt, state surveillance laws and the Australian Consumer Law still apply.
Bottom line: facial recognition can be a great tool, but you need a lawful basis to collect the data, robust security and clear disclosures so people understand what’s happening and why.
The Laws That Apply To Facial Recognition In Australia
Privacy Act 1988 (Cth) And The Australian Privacy Principles (APPs)
The Privacy Act sets out how most private sector organisations must collect, use, store and disclose personal information. Biometric templates used to identify an individual are “sensitive information”, which attracts stricter rules. Key points include:
- Collection: Only collect biometric information if it is reasonably necessary for your functions and you have consent (unless a narrow exception applies).
- Use and disclosure: Use the data only for the primary purpose you told people about, or for a directly related purpose they would reasonably expect, or with further consent.
- Security: Take reasonable steps to protect biometric data from misuse, interference, loss and unauthorised access or disclosure.
- Transparency and rights: Be clear in your privacy notices and allow people to request access to, or correction of, their information.
- Cross-border disclosure (APP 8): If a provider stores or processes the data overseas, you must take steps to ensure the recipient protects it to a comparable standard, often via strong contracts and due diligence.
Penalties for serious or repeated interferences with privacy have increased significantly. For organisations, the maximum civil penalty can be the greater of $50 million, three times the value of any benefit, or 30% of adjusted turnover during the breach period.
State And Territory Surveillance Laws
States and territories have their own surveillance regimes regulating optical devices and workplace monitoring. If you’re operating cameras in stores, venues or offices, you’ll need to comply with rules on notice, signage, and how recordings are used.
- Workplace surveillance laws (e.g. NSW and ACT) generally require written notice before monitoring employees and set rules for how monitoring can occur.
- Surveillance Devices Acts govern using optical devices in private activities or places. Visible, appropriate signage and procedures are critical in public-facing environments.
For a broader overview, many businesses review their approach against CCTV laws in Australia and whether cameras are legal in the workplace for their specific setup.
Australian Consumer Law (ACL)
Under the ACL, you must not mislead customers about data practices. Hidden collection, confusing notices or inaccurate claims about how facial data is used can amount to misleading or deceptive conduct. Clear disclosures build trust and reduce legal risk.
Small Business Exemption Nuances
As noted, some small businesses under $3 million turnover are exempt from the Privacy Act, but many are still covered due to the nature of their activities (for example, providing health services or trading in personal information). If you’re exempt, you still need to comply with surveillance laws and the ACL. In addition, reforms to Australia’s privacy regime are under active consideration, so exemptions may change.
Employees And The “Employee Records” Exemption
The Privacy Act has an employee records exemption for private sector employers in relation to employee records held directly related to the employment relationship. However, it has limits:
- It does not cover applicants, contractors, volunteers or customers.
- It does not remove obligations under workplace surveillance laws or industrial instruments.
- It does not excuse poor security, unfair practices or misuse of data.
Given the sensitivity of biometric data and the evolving legal landscape, treating employee biometrics with the same care as other sensitive personal information is best practice.
How To Use Facial Recognition Lawfully: A Practical Checklist
Here’s a step-by-step, plain-English roadmap you can follow. Think of it as your foundation for compliance and trust.
1) Map Your Use Case And Lawful Basis
- Be specific: exactly what are you using facial recognition for: access control, theft prevention, loyalty features, or staff attendance?
- Limit scope: collect the minimum data necessary, and avoid using it for new purposes without fresh consent.
- Confirm your lawful basis under the Privacy Act: for sensitive information, this will usually be consent. If you think an exception applies, get legal advice before relying on it.
2) Run A Privacy Impact Assessment
Before deploying, identify risks and set safeguards through a structured assessment. Many organisations document this planning using a Privacy Impact Assessment Plan to capture the purpose, data flows, security controls, retention rules and opt-out pathways.
3) Be Transparent At The Point Of Collection
- Use a clear, accessible Privacy Policy that explains what you collect, why, how long you keep it, who you share it with, and how people can access or correct their data.
- Provide a concise Privacy Collection Notice wherever facial recognition operates (for example, signage at entrances and just-in-time notices in apps).
- Keep language plain and honest. If someone would be surprised by a use of their data, call it out clearly.
4) Obtain Valid Consent (And Make Opt-Out Realistic)
- Consent should be voluntary, specific, informed and unambiguous. Avoid bundling it with unrelated terms.
- Offer a practical alternative (e.g. card or PIN access) so people aren’t forced to hand over biometrics to use your service.
- Record when and how consent was obtained, and make withdrawal simple.
5) Put Strong Security In Place
- Restrict access to biometric templates to a “need-to-know” group with role-based permissions and logging.
- Encrypt biometric data at rest and in transit. Separate identifiers from templates wherever possible.
- Delete data you no longer need, and set retention schedules appropriate to the purpose.
Prepare for the worst with a tested incident plan. A documented Data Breach Response Plan helps you identify, contain and notify quickly if something goes wrong.
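To make the controls in this step concrete, here is an added illustrative example (not Sprintlaw’s code, nor any vendor’s) of a template store that keeps the person-to-template mapping separate from the templates, enforces need-to-know access with an audit trail, and deletes templates on consent withdrawal or when the retention period lapses. Encryption of the underlying stores is assumed to be provided by the storage layer and is not shown; the role names and retention period are assumptions.

```python
import secrets
import time

# Assumed role model: matching services can only read; privacy staff can also delete.
ROLE_PERMISSIONS = {"matcher": {"read"}, "privacy_officer": {"read", "delete"}}


class TemplateVault:
    """Stores biometric templates under opaque tokens, separately from identities."""

    def __init__(self, retention_days):
        self.retention_secs = retention_days * 86400
        self.templates = {}     # token -> (template bytes, enrolled_at); no names here
        self.identity_map = {}  # person_id -> token; held apart from the templates
        self.audit_log = []     # (timestamp, action, actor, token, allowed)

    def enrol(self, person_id, template, now=None):
        now = time.time() if now is None else now
        token = secrets.token_hex(16)  # random, so the token reveals nothing about the person
        self.templates[token] = (template, now)
        self.identity_map[person_id] = token
        self.audit_log.append((now, "enrol", person_id, token, True))
        return token

    def _authorise(self, actor, role, action, token):
        allowed = action in ROLE_PERMISSIONS.get(role, set())
        self.audit_log.append((time.time(), action, actor, token, allowed))  # log denials too
        if not allowed:
            raise PermissionError(f"role {role!r} may not {action} templates")

    def get_template(self, actor, role, token):
        self._authorise(actor, role, "read", token)
        return self.templates[token][0]

    def withdraw(self, actor, role, person_id):
        # Consent withdrawn: remove both the template and the identity mapping.
        token = self.identity_map[person_id]
        self._authorise(actor, role, "delete", token)
        del self.templates[token]
        del self.identity_map[person_id]

    def purge_expired(self, now=None):
        # Retention schedule: drop templates older than the configured period.
        now = time.time() if now is None else now
        expired = [t for t, (_, at) in self.templates.items() if now - at > self.retention_secs]
        for token in expired:
            del self.templates[token]
            self.identity_map = {p: t for p, t in self.identity_map.items() if t != token}
        return len(expired)
```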
6) Manage Vendors And Cross-Border Storage
- Know where data is stored and processed, especially if your supplier hosts overseas.
- Put robust contractual controls in place; many businesses use a Data Processing Agreement to set security standards, subcontractor controls, breach notification and audit rights.
- Undertake due diligence on the provider’s security certifications and track record.
7) Align With Surveillance Rules
- Install appropriate signage and give any required written notices, including for staff.
- Configure your cameras so they don’t capture areas where surveillance is prohibited.
- Review your setup against your local surveillance laws and your risk assessment; if you operate across states, align to the strictest standard.
8) Train Your Team And Refresh Regularly
- Train staff who manage the system on privacy, security and how to handle requests.
- Schedule periodic reviews of your notices, settings and retention rules; laws and expectations are moving fast in this space.
Using Facial Recognition For Employees
Facial recognition for staff (for example, time and attendance or secure access) needs extra care:
- Provide written notice under workplace surveillance laws where applicable, and make the monitoring transparent.
- Explain what is collected and why, and provide a reasonable alternative where you can.
- Apply strict access controls and short retention periods. Limit use to what’s necessary for the employment purpose.
For in-store systems or office CCTV, ensure your setup hews to workplace camera rules and general CCTV requirements to avoid compliance gaps.
What Legal Documents Will You Need?
You won’t need every document below, but most businesses using facial recognition will rely on several of them. Having clear, tailored documents signals that you take privacy and security seriously.
- Privacy Policy: Explains your collection, use, disclosure, storage and retention of personal information, including biometrics. A well-structured Privacy Policy is essential for transparency.
- Privacy Collection Notice: A short notice at the point of collection that tells people what you’re collecting, why, and how to find more information in your policy. A dedicated Privacy Collection Notice makes this simple.
- Consent Language (Forms or Digital Flows): Clear consent wording embedded in your sign-up or access process, with a practical opt-out or alternative pathway.
- Data Processing Agreement: If a supplier processes or stores biometric data, a Data Processing Agreement sets out security standards, breach notification and compliance obligations.
- Data Breach Response Plan: Your playbook for identifying, assessing and reporting data breaches, including roles and timelines. Many businesses formalise this in a Data Breach Response Plan.
- Workplace Policies: Where staff are monitored or use facial recognition systems, document acceptable use, monitoring, and data handling in your internal policies.
- Website Or App Terms: If facial recognition is offered through your digital platform, align your user terms with your data practices so customers are not misled.
- Records Of Processing: Internal documentation of your data flows, retention periods, access controls and vendor arrangements to support accountability and audits.
Key Takeaways
- Facial recognition is legal for Australian businesses, provided you comply with the Privacy Act, state and territory surveillance laws and the Australian Consumer Law.
- Biometric templates used for identification are sensitive information; consent is usually required, security must be strong and use must be limited to the stated purpose.
- Penalties for serious or repeated privacy breaches can reach the greater of $50 million, three times the benefit or 30% of adjusted turnover, so robust compliance is non-negotiable.
- Be transparent at the point of collection with clear signage and notices, and give people a practical alternative if they don’t want to provide biometric data.
- Lock down security, vendor contracts and cross-border data handling, and document your approach with a Privacy Impact Assessment, Privacy Policy and breach plan.
- Workplace use needs extra care: meet surveillance notice requirements, respect the limits of the employee records exemption, and restrict use to what’s necessary.
If you would like a consultation about using facial recognition technology in your Australian business, you can reach us at 1800 730 617 or team@sprintlaw.com.au for a free, no-obligations chat.