top of page
Search

(Cth) End Implied Consent for Biometric Data Collection

  • Amber Nguyen, Maea Applegarth, Felicity Mulhall, Ben Kelly, Connor Maloney, Ola Wallis, Noussayba Skendri & Nicole Brideson
  • 4 days ago
  • 8 min read

Author:  Amber Nguyen, Maea Applegarth, Felicity Mulhall, Ben Kelly, Connor Maloney, Ola Wallis, Noussayba Skendri & Nicole Brideson | Publish date: 24/1/2026


  • P: Biometric information, such as facial identifiers, can be collected by third parties without voluntary, informed, current, specific and unambiguous consent.

  • S: The Attorney-General should amend Section 6(1) of the Privacy Act 1988 (Cth) to define ‘consent’ as voluntary, informed, current, specific, and unambiguous, in relation to the collection of biometric data.


Problem Identification: 

Section 6(1) of the Privacy Act 1988 (Cth) (the Act) defines consent as ‘express’ or ‘implied’. 


Thus, it is known that organisations can rely on implied consent when collecting biometric information. Dr Margarita Vladimirova, at Deakin University Law School, has said that organisations are permitted to treat everyday behaviour, such as simply entering a premises, as consent, even when individuals are unaware that their biometric information is being collected. She said, ‘for example, if you walk into a store that has a sign “facial recognition camera on the premises”, your consent is implied.’ As a result, people may have their biometric identifiers captured and stored without a genuine understanding.


Context: 

Biometric information refers to unique physical or behavioural identifiers such as facial features, fingerprints, iris patterns and voice data. 


CHOICE, a consumer advocacy group, has reported that facial recognition systems are already embedded in everyday retail operations, with some of Australia’s biggest firms, including Kmart, Bunnings, and The Good Guys, routinely collecting patrons' unique facial profiles without express consent. Professor Mark Andrejevic of Monash University has noted that these systems are typically used for security and theft prevention. A 2022 national survey by CHOICE found that 76% of respondents were unaware that major retailers were collecting their biometric data. 


The Australian Privacy Principles (APP) Guidelines define express consent as consent given explicitly, whereas implied consent arises where ‘consent may reasonably be inferred in the circumstances from the conduct of the individual’.


The Privacy Act 1988 (Cth), including the APP, was reviewed with findings released in 2023.


Arguments:

Global law firm DLA Piper has identified biometric information as presenting ‘heightened risks such as identity theft and intrusive monitoring’. They noted that this risk arises due to the data being ‘inherently personal and immutable’. Dr Ayse Keles and Dr Cemal Koçak (University of Galway; Gazi University) have similarly noted that the distinctiveness of this type of data could allow for personalised psychological and behavioural profiles to be generated without the individual’s consent, heightening potential damage from misuse. Dr Vladimirova has warned that the current state of the Act allows consent to be inferred ambiguously: ‘using implied consent opens our facial data up to potential exploitation.’ Further, the European Parliamentary Research Service has stated that the act of collecting such data without obtaining consent is a threat to ‘numerous fundamental rights, but also to democracy itself.’  


Michael Marcotte, cybersecurity specialist and CEO of Artius.iD, warned that centralised biometric databases are ‘a big red bullseye for hackers’. When held by organisations such as banks, these databases are vulnerable to breaches that may trigger systemic risks. This materialised in 2019, when it was reported that a security company used by the UK Police, defence contractors, and banks, had mishandled the biometric data of over 1 million people. Security researchers found that this left millions of records exposed to the general public and vulnerable to identity theft. 


Bunnings Group, which employs large-scale biometric data collection, has argued that it is ‘impractical’ to require express consent for such activities. However, Daniel Geiger of Business Insider has noted that the implementation of opt-in systems for biometric authentication and recognition services across education and real estate sectors demonstrates that obtaining express consent is both feasible and practicable. The Office of the Australian Information Commissioner (OAIC) has confirmed that explicit consent for biometric data can be obtained through electronic opt-ins such as 'an electronic medium or voice signature'. 


In cases where operators have argued that the discrete use of mass biometric data collection is necessary for security, the OAIC have found that such actions remain unjustified due to their intrusiveness.


Advice/Solution Identification:

Digital Rights Watch, the OAIC and Salinger Privacy have all called to define consent in relation to the collection of biometric data as voluntary, informed, current, specific and unambiguous. As identified by Deloitte, this could help to clarify the standard of consent required for the collection of biometric information and promote stronger privacy practices.


Precedent:

There is international precedent for requiring higher standards of consent for biometric data. In 2018, the EU’s GDPR prohibited the processing of biometric data unless explicit consent had been given, and defined consent as ‘freely given, specific, informed and unambiguous indication of the data subject’s wishes’. Similarly, in 2008, the US state of Illinois enacted legislation requiring companies to obtain written consent from individuals before collecting biometric identifiers.




Public Support: 


News Coverage:

  • BiometricUpdate.com“NSW Police faced questions on use of facial-recognition algorithm from 2011”. Reported on NSW Police for their long-term use of a facial-recognition algorithm without obtaining explicit public consent. By: Chris Burt | Tue 5 November 2025 - Read the article here.

  • Government News - “Face-ID database raised security concerns”. Detailed the preparation for the federal Government rollout of a biometric driver’s licence and face-ID database, which concerned the collection of sensitive biometric identifiers without explicit consent or sufficient regulatory safeguards. By: Christopher Kelly | Tue 21 October 2025  - Read the article here.

  • ABC News - “Kmart broke privacy laws by using facial recognition technology, commissioner finds”. The OAIC found that Kmart unlawfully collected sensitive biometric identifiers from tens of thousands of customers without consent. By: Ange Lavoipierre | Thu 18 September 2025 - Read the article here.

    • Note: A finding by the OAIC does not create common law, and the lack of clarity in the Act remains exploitable, according to Dr. Margarita Vladimirova (Deakin University). 

  • News.com.au - “‘Need to focus on consent’: Shock Australian venues using face-scanning technology”. A national privacy study found widespread use of facial recognition in venues and retail environments, despite low public awareness and inadequate consent practices. By: Melanie Burgess and Annabel Fleming | Fri 6 December 2024 - Read the article here.


Where to go to learn more: 

  1. Privacy Act Review Report 2022 - The Attorney‑General’s Department review of the Privacy Act 1988 evaluated protections for personal and sensitive data, recommended stronger consent requirements (including for biometric data), and proposed reforms to organisational accountability. Read it here.

  2. (2025) Protecting Personal Biometric Data: The Case of Facial Privacy - Institute for Calculated Futures (ICF) - A recent academic exploration of biometric data risks and the gaps in regulation. The paper argued for a rights‑based approach to biometrics, offering a strong theoretical backing for legal reform requiring explicit consent. Read it here.

  3. European Digital Rights (EDRi) - A leading European digital rights network that has advocated for strong data protection and biometric‑surveillance restrictions. Their materials have been used for understanding international standards and arguments for explicit consent or strict regulation of biometric data. Read about their research here.

  4. Office of the Australian Information Commissioner (OAIC), ‘Your Privacy Rights Hub’ - This page provided guidance on the Privacy Act, including biometric scanning, consent, ID scanning, privacy impact assessments, and the use and disclosure of personal information. View it here.

  5. Privacy Act 1988 (Cth) - Read the full Act here.


Human Perspective: 

TW: Surveillance, Privacy Impacts


Sasha is 29 and works shifts at a suburban retail centre in Melbourne. Most days, she stops into the nearby department store on her break to pick up groceries. She didn’t know the store had introduced facial-recognition cameras at the entrances, and no one asked for her consent. Several weeks later, the store notified customers that it had suffered a data breach involving its facial-recognition system. Biometric data derived from customer images had been accessed by an unauthorised third party. This was the first time Sasha understood that her face had been scanned, converted into biometric data, and stored by the store, and she feared the potential identity theft that could result from this breach. This fear was exacerbated given that Sasha cannot change her biometric identifiers to resecure them, the way she could change a password or card details. Sasha started to avoid the store and looked out for other stores that advertised the use of biometric data collection. However, she could not always be sure whether retailers were relying on implied consent to use this sort of technology. Sasha began worrying about where her biometric data might be held, whether it could be shared, and whether future employers could access it. Her younger brother, who sometimes shopped with her, was likely scanned too. For Sasha, what should have been an ordinary shopping trip turned into ongoing stress.


To protect the anonymity of those involved, this is a fictionalised account drawn from an amalgamation of real-life stories, experiences and testimonials gathered during the research process for this brief. Any resemblance to actual individuals is purely coincidental.


Conflict of interest/acknowledgment statement: 

N/A


Support 

If your organisation would like to add your support to this paper or suggest amendments, please email Info@foreaustralia.com


Reference list: 

ACLU of Illinois. (2025, August 26). Biometric Information Privacy Act (BIPA). https://www.aclu-il.org/en/campaigns/biometric-information-privacy-act-bipa


Alcatraz. (2025, July 18). Your Campus, Your Identity: Privacy-First Facial Authentication for Higher Education. Alcatraz. https://rock.alcatraz.ai/blog/privacy-first-facial-recognition-college-campus


Art. 4 GDPR – Definitions (2018). https://gdpr-info.eu/art-4-gdpr/


Art. 9 GDPR – Processing of Special Categories of Personal Data (2018). https://gdpr-info.eu/art-9-gdpr/


Attorney-General’s Department - Commonwealth of Australia. (2022). Privacy Act Review | Report 2022. https://www.ag.gov.au/sites/default/files/2023-02/privacy-act-review-report_0.pdf#page=110


Blakkarly, J. (2022, July 12). Kmart, Bunnings and The Good Guys using facial recognition technology in stores. CHOICE. https://www.choice.com.au/data-protection-and-privacy/data-collection-and-use/how-your-data-is-used/articles/kmart-bunnings-and-the-good-guys-using-facial-recognition-technology-in-store


Deloitte Australia. (2022). Submission on the Review of the Privacy Act 1988 Discussion Paper. https://consultations.ag.gov.au/rights-and-protections/privacy-act-review-discussion-paper/consultation/download_public_attachment?sqId=question-2021-10-22-3093449261-publishablefilesubquestion&uuId=1030874419


Dermendjieva, T. (2024, May 28). PIPEDA’s Guidelines for Obtaining Meaningful Consent. GDPR Local. https://gdprlocal.com/pipedas-guidelines-for-obtaining-meaningful-consent/


Digital Rights Watch. (2023, March 31). Submission to the Attorney-General’s Department on the 2022 Report regarding the review of the Privacy Act 1988. https://digitalrightswatch.org.au/wp-content/uploads/2023/04/Submission_-Privacy-Act-Review-Report-March-2023.pdf#page=5


European Parliamentary Research Service. (2021). Person identification, human rights and ethical principles: Rethinking biometrics in the era of artificial intelligence. https://www.europarl.europa.eu/RegData/etudes/STUD/2021/697191/EPRS_STU%282021%29697191_EN.pdf#page=7


Falk, A. (2021). Privacy Act Review – Discussion Paper. OAIC. https://www.oaic.gov.au/__data/assets/pdf_file/0023/11894/OAIC-submission-to-Privacy-Act~scussion-Paper-December-2021.PDF#page=16


Geiger, D. (2020). Facial-recognition scans are a big part of how some office buildings are planning to reopen. Top office landlord Vornado maps out where it’s installing the tech. Business Insider. https://www.businessinsider.com/vornado-landlord-using-facial-recognition-buildings-nyc-office-portfolio-biometrics-2020-8


Jose, R. (2024, November 19). Australian hardware chain Bunnings breached privacy with facial recognition tool, regulator says. Reuters. https://www.reuters.com/business/retail-consumer/australian-hardware-chain-bunnings-breached-privacy-with-facial-recognition-tool-2024-11-19/


Kus, I., Kocak, C., & Keles, A. (2026). A systematic review of vision transformer and explainable AI advances in multimodal facial expression recognition. Intelligent Systems with Applications, 29, 200615. https://doi.org/10.1016/j.iswa.2025.200615


McConvey, J. (2025, May 27). Obtaining consent to collect facial recognition data ‘impractical,’ says Bunnings. Biometric Update. https://www.biometricupdate.com/202505/obtaining-consent-to-collect-facial-recognition-data-impractical-says-bunnings


OAIC. (2023a, March 10). Biometric scanning. OAIC. https://www.oaic.gov.au/privacy/your-privacy-rights/surveillance-and-monitoring/biometric-scanning


OAIC. (2023b, March 24). Chapter B: Key concepts. OAIC. https://www.oaic.gov.au/privacy/australian-privacy-principles/australian-privacy-principles-guidelines/chapter-b-key-concepts


Office of the Victorian Information Commissioner. (n.d.). Biometrics and Privacy – Issues and Challenges – Office of the Victorian Information Commissioner. Retrieved January 10, 2026, from https://ovic.vic.gov.au/privacy/resources-for-organisations/biometrics-and-privacy-issues-and-challenges/


Privacy Act 1988 (Cth). https://www.legislation.gov.au/C2004A03712/2025-0610/20250610/text/original/epub/OEBPS/document_1/document_1.html#_Toc200109997 


Sharma, P. (2025). Biometric data breaches could kick off a global banking crisis, Industry expert warns. IBS Intelligence. https://ibsintelligence.com/ibsi-news/568829-2biometric-data-breaches-could-kick-off-a-global-banking-crisis-industry-expert-warns/


Salinger Privacy. (2020). Submission in response to the Privacy Act Review – Issues Paper, October 2020. https://www.ag.gov.au/sites/default/files/2020-12/salinger-consulting-pty-ltd.PDF#page=18


Sivell, L., & Grassi, M. (2025, November 6). From cameras to compliance: OAIC’s Kmart determination highlights facial recognition technology privacy risks. Clayton UTZ. https://www.claytonutz.com/insights/2025/november/from-cameras-to-compliance-oaics-kmart-determination-highlights-facial-recognition-technology-privacy-risks


Taylor, J. (2019, August 14). Major breach found in biometrics system used by banks, UK police and defence firms. The Guardian. https://www.theguardian.com/technology/2019/aug/14/major-breach-found-in-biometrics-system-used-by-banks-uk-police-and-defence-firms


Valentine, N., & Mitchell, V. (n.d.). Biometrics and privacy – consultation underway for regulation in Aotearoa, New Zealand. DLA Piper. Retrieved January 10, 2026, from https://www.dlapiper.com/en-au/insights/publications/2024/04/biometrics-and-privacy-regulation-in-aotearoa-new-zealand


Vladimirova, M. (2024, March 4). Your face for sale: Anyone can legally gather and market your facial data without explicit consent. The Conversation. https://doi.org/10.64628/AA.kdnhx9xew


Comments

Fuel your impact every week

Concise, expert-backed solutions delivered straight to your inbox.

Got an Idea?

We're always looking for expert-led, evidence-based solutions to explore.

 

If you have an idea you think we should look into, share a few quick details:

Otherwise email: info@foreaustralia.com

FORE Australia

Reach Out to FORE Australia

info@foreaustralia.com

Disclaimers

Content Guidelines

ACN: 681 117 135

ABN: 29 681 117 135

  • Instagram
  • LinkedIn

FORE Australia would like to acknowledge Aboriginal and Torres Strait Islander peoples as the Traditional Custodians of the land we live, learn, and work on.​

 

We value their cultures, identities, and continuing connection to country, waters, kin, and community. We pay our respects to Elders, both past and present, and are committed to supporting the next generation of young Aboriginal and Torres Strait Islander leaders. This always was and always will be Aboriginal land.

 

As an organisation dedicated to amplifying solutions, we recognise that First Nations peoples have long identified many of the pathways for environmental protection and meeting community needs. Our role is to listen, support, and amplify these voices.

bottom of page