Case Study: Privacy Risk in the Retail Sector
Surveillance, Loyalty, and the In-Store Experience. Retail is a data-hungry sector, with every business looking for new ways to attract and keep customers. That can be done without compromising your customers' privacy rights, and without the time and money that handling privacy breaches costs. Know the privacy risks and mitigate them upfront.
Retail has always been a data-intensive industry: customer purchasing behaviour, loyalty program memberships, staff records, and supplier relationships. The flows of personal information through a modern retail operation are extensive, and in many cases the business model depends on them.
What has changed is the scale and sophistication of retail data collection: facial recognition at store entrances, loyalty programs collecting transactional and location data across millions of members, digital advertising platforms sharing data with hundreds of ad-tech vendors, and now reports that supermarkets are considering dynamic pricing for groceries.
The OAIC’s investigation of Bunnings has become a landmark case in Australian retail privacy, but it is one point in a broader pattern.
Bunnings: The Case That Changed the Privacy Impact Assessment Conversation
In 2024, the OAIC found that Bunnings had breached the Privacy Act 1988 (Cth) by deploying facial recognition technology in its stores, citing a lack of privacy governance and the absence of a legal basis under APP 3 for the collection. The technology was used to identify individuals who had previously been flagged as presenting safety or security risks to staff.
Bunnings sought review of the OAIC's determination, and the Administrative Review Tribunal (ART) found that the use of facial recognition technology in the specific context of a legitimate workplace safety objective may have been legally permissible. The workplace safety objective in Bunnings' case was protecting staff from known offenders who had previously threatened them, including with weapons.
Although the ART found an applicable exception under APP 3 for the collection, the review was still a loss for Bunnings because of its lack of privacy governance.
Why Bunnings Lost
Bunnings did not conduct a privacy impact assessment before deploying the facial recognition technology. That single governance failure was decisive. The Commissioner found that Bunnings had not assessed, before going live, whether:
the collection of biometric information was proportionate to the stated safety objective
less privacy-invasive alternatives could achieve the same purpose
individuals whose biometric data was being collected had adequate notice, or
the collection was necessary and the risk to individual privacy was justified
The lesson: the absence of a privacy impact assessment is itself a breach risk, independent of whether the underlying activity might have been permissible. Retailers deploying new data collection technologies need to conduct and document a PIA before those systems go live.
Biometrics in Retail: A Growing Risk Area
The Bunnings case involved facial recognition, but the broader category of biometric data collection has been expanding for years.
Some companies have attempted to introduce biometric collection for staff. Back in 2019, the Full Bench of the Fair Work Commission in Lee v Superior Wood rejected the argument that directing employees to consent to the collection of their fingerprints was a 'lawful and reasonable' direction under employment law, holding that such a direction was inconsistent with the Privacy Act.
We have also seen the deployment of services such as Auror and Clearview, which harvest biometric information in the retail sector and elsewhere, often without the knowledge of the individuals concerned. Such services are a focus area for privacy regulators around the world, with multiple investigations ongoing.
Retailers operating or planning to operate any biometric collection technology should treat a privacy impact assessment as a prerequisite, not a post-implementation review.
The Good Guys: When Loyalty Data Becomes a Liability
In 2022, The Good Guys was found to have disclosed the personal information of hundreds of thousands of loyalty program members to a third-party data analytics company without adequate notice or consent. The disclosure involved customer names, email addresses, phone numbers, and transactional data, shared for marketing analytics purposes.
Customers who had joined the loyalty program had not been meaningfully informed that their data would be shared in this way. The OAIC's investigation resulted in a determination that The Good Guys had breached APP 5 (collection notice requirements) and APP 6 (use and disclosure).
The Loyalty Program Risk
Loyalty programs are, by design, data collection engines. The privacy risk in loyalty programs arises when:
data is shared with third parties for purposes not disclosed at collection
collection notices do not accurately describe the full scope of use and disclosure
consent mechanisms are pre-ticked, buried in terms and conditions, or not genuinely voluntary, and
loyalty data is combined with data from external sources in ways not contemplated at collection
For many Australian retailers, a privacy audit of the loyalty program reveals gaps that have accumulated over years as the program has evolved commercially without corresponding updates to its privacy governance. What many retailers may not appreciate is that if privacy governance does not keep pace with data collection, the commercial benefit of a loyalty scheme can be erased when the regulator comes knocking. Breaches shatter customer trust, reduce participation, and can cause loyalty program partners to reconsider their involvement, all leading to significant revenue loss.
Kmart Australia: A Breach Without a System Failure
In 2021, Kmart Australia disclosed a data breach in which customer information was exposed through a vulnerability in a customer service system. No financial information was compromised. By the standards of Medibank or Latitude the breach was modest in scope: Kmart notified the OAIC, managed communications appropriately, and remediated the vulnerability.
The Kmart breach is instructive precisely because of its modest scale. It demonstrates that privacy breaches do not require dramatic failure. They arise from vulnerabilities that structured reviews never identified, in applications that were not subject to a privacy impact assessment during development, and in configurations that were not tested against the threat model before deployment.
Kmart acted exactly as the Privacy Act intends companies to act. Despite the modest scale, however, the breach still damaged Kmart's reputation, consumed valuable executive and staff time, and diverted focus from its core objectives. In short, it was an unwanted and unnecessary distraction.
The Staff Data Dimension
Retail is one of Australia’s largest employment sectors. The management of employee personal information presents a distinct and frequently underestimated privacy risk:
rostering and HR platforms: overseas SaaS platforms processing banking details, tax file numbers, and health information may not meet APP 8 requirements
surveillance of staff: workplace monitoring technology raises privacy issues that require privacy impact assessments and adequate staff notice, and
casual and temporary workforce training: privacy training for high-turnover retail workforces is often minimal or absent.
Many retailers, and many of their lawyers, will say that the employee records exemption in section 7B(3) of the Privacy Act applies and that these are therefore not privacy risks. Unfortunately, that is often not the case.
The employee records exemption is a narrow one. It applies only to an employee record:
that the business already holds, so governance, collection and notice obligations at the point of collection still apply, and
that is directly related to a current or former employment relationship.
Misapplying the employee records exemption will expose your business to privacy risks that are often not mitigated in any way.
What Australian Retailers Should Do Now
The Bunnings case, The Good Guys determination, and the growing regulatory focus on retail data practices together define a clear set of priorities:
Conduct a privacy impact assessment for every existing and proposed customer-facing technology that collects biometric, location, or behavioural data
Audit your loyalty program: review collection notices, consent mechanisms, and data partner agreements for APP 5 and APP 6 compliance
Map your advertising technology and retail media data flows
Review your staff training program with retail-specific scenarios
Build privacy impact assessments into your technology procurement and development process
Privacy in retail is no longer a back-of-house compliance function. It is a customer trust issue, a regulatory risk, and increasingly, a commercial differentiator for the retailers who get it right.