Australia

A website collected my biometric data (facial recognition) without asking. Is this a privacy breach?

Privacy Act: Governing law
s. 6(1): Biometric definition
APP 3.3: Consent required
APP 5.1: Notification rule

The Short Answer

Yes, collecting your facial recognition data without consent is likely a privacy breach under Australia’s Privacy Act, which requires notice and consent for handling sensitive biometric information.

What the Law Says

Australia’s Privacy Act 1988 regulates how organisations collect, use, and disclose personal information — including biometric data like facial recognition templates. Such data is classified as 'sensitive information', triggering stricter protections.

Under the Privacy Act 1988, biometric information — including facial recognition data used for identification — is defined as 'sensitive information' in section 6(1). This means it receives higher-level protection than ordinary personal information.

The Australian Privacy Principles (APPs) require organisations to obtain your informed consent before collecting sensitive information (APP 3.3), and to notify you about why it’s being collected, who it might be shared with, and your right to access or correct it (APP 5.1).

If a website collected your facial scan or template without telling you or asking for permission, it likely breached both APP 3.3 and APP 5.1 — even if the site is based overseas but targets or collects data from Australians.

Statutory Text

‘biometric information’ means personal information resulting from measurements or recordings of a person’s physical or behavioural characteristics that are used to identify them

Privacy Act 1988 (Cth), s. 6(1) — Interpretation

Statutory Text

An APP entity must not collect sensitive information about an individual unless… the individual consents to the collection

Privacy Act 1988 (Cth), APP 3.3 — Collection of solicited personal information

Statutory Text

An APP entity that collects personal information about an individual must take such steps (if any) as are reasonable in the circumstances to notify the individual…

Privacy Act 1988 (Cth), APP 5.1 — Notification of collection of personal information

What to Do

1. Contact the website and ask how and why they collected your facial data, and request its deletion.

2. Lodge a privacy complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.

3. Keep screenshots or records showing the collection occurred without notice or consent.

4. If you suffered harm (e.g., identity misuse), consider seeking legal advice about remedies.

Not legal advice. This article is general information based on publicly available sources, written for educational purposes. Laws change and individual situations vary. Consult a licensed attorney in your jurisdiction before acting on anything you read here. Last reviewed: 2026-06-08.