13 August 2025
#Data & Privacy, #Property, Planning & Development
Published by:
CCTV is widely used across Australia, from councils monitoring public places to transport providers overseeing buses and trains. This surveillance technology is integral to maintaining public safety. In shopping centres, CCTV plays an important role in preventing theft, deterring crime and supporting law enforcement.
However, the use of surveillance technology is not without risks. There have been complaints about the legality of footage captured in retail stores and potential breaches of customer privacy. Beyond legal concerns, CCTV can raise other issues, such as misuse of footage and data breaches. This creates a complex trade-off between an individual’s right to privacy and anonymity, and the collective need for safety.
With ongoing privacy reforms strengthening individual rights and imposing tighter rules on how personal information can be collected and held, shopping centres need to consider this balance. They also need to be transparent with visitors to their centres about the technologies used and the protections against their potential misuse.
The Privacy Act 1988 (Act) requires entities to only collect personal information that is reasonably necessary for their functions or activities (Australian Privacy Principle 3.1). Obtaining valid and informed consent before collecting biometric data from individuals is of key importance. Under the Act, consent is required to be voluntary, informed, current, specific and given with capacity.
This is an additional layer on top of state-based surveillance laws, which generally require, as a minimum, that surveillance be overt (i.e. that individuals be notified about the surveillance). Where their employees are subject to surveillance, centre operators also need to be clear on the additional workplace surveillance rules, which vary by state.
One of the key issues the Office of the Australian Information Commissioner (OAIC) has been championing is proportionality – is the risk proportionate to the potential privacy harm? With the cost of surveillance technologies decreasing, using surveillance often seems like the inexpensive and easy option.
If surveillance is used, how is the information collected and stored? Who can access it? How long is it held for before being deleted? These are all questions that go to privacy harms. Organisations need to have a strong data governance framework around the collection and use of that information.
CCTV surveillance is one thing, but if it is supplemented with AI to target known individuals or, as is increasingly the case, if facial recognition technology (FRT) is used, then additional precautions to protect the privacy of individuals need to be put in place. The OAIC’s October 2024 determination against Bunnings serves as a critical precedent, highlighting that vague or generic privacy policies and notices are insufficient.
The Privacy Commissioner found that Bunnings’ use of facial recognition in stores between 2018 and 2021 was neither sufficiently transparent nor reasonably necessary. The ruling emphasised the need for clear and prominent signage about surveillance and data collection, ensuring customers can opt out of being captured, and publishing comprehensive privacy notices explaining how and why personal information is collected and used.
The case is currently under appeal, with a hearing scheduled for October 2025. Regardless of the outcome, the determination offers a blueprint for best practice.
More importantly, after the reforms passed in December 2024, defects in privacy policies explaining how information is collected and used can now leave companies liable to fines – which was not the case at the time of the Bunnings determination.
In addition, information captured by FRT is sensitive biometric information and the new statutory tort for serious invasions of privacy may have application to captured FRT information. The tort draws on principles from defamation law. While the new law is yet to be tested, retailers holding sensitive information should ensure their security practices are not vulnerable to claims of being inadequate or ‘reckless’ in how that information is securely held and stored.
The balancing act between customer privacy and public safety requires careful consideration as to transparency, consent and robust governance, especially when collecting sensitive biometric information. As the Privacy Commissioner said in her press statement, “just because a technology may be helpful or convenient, does not mean its use is justifiable.”
The Bunnings determination demonstrates the importance of embedding privacy protections into governance frameworks to ensure surveillance practices are necessary and lawful.
CCTV and other surveillance technologies remain valuable tools for improving security in retail environments, but they come with a range of legal obligations which, if not met, could create more problems than they solve.
A well-governed surveillance system and a robust privacy policy need to be part of leadership’s risk management and governance agenda, and be well thought out and documented to best position the organisation in the event of a complaint, claim or breach.
If you have any questions regarding the use of surveillance technology, please contact us here.
Disclaimer
The information in this article is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information, we do not guarantee that the information in this article is accurate at the date it is received or that it will continue to be accurate