Melbourne based start-up 'Kepler Analytics' made the news recently after completing a $4 million Series A funding round in order to facilitate its transition to the US to supply a Fortune 500 retailer with its Radio Frequency (RF) Sensors and accompanying AI and business software.

Its RF sensors are a form of people tracking technology increasingly being used by retail stores to detect the presence, in-store location and movement patterns of customers by detecting the MAC address emitted by a mobile phone when its wi-fi is enabled. This gives retailers the ability to log passers-by, which entrances are being used, movement patterns around the store, specific hotspots or ‘dead zones’, who’s using the fitting rooms and who’s buying.

For retail the aim of the game is, unsurprisingly, to turn this data into increased sale conversions by analysing behavioural trends, store layouts and other actionable insights. But Kepler Analytics' RF sensors are just one of many emerging technologies in the retail people tracking space which is allowing bricks and mortar stores to leverage big data like their online competitors have been doing for years.

For example, technologies being contemplated for deployment in retail stores also include facial recognition cameras, AI vision and deep learning (to interpret raw video footage), Bluetooth low energy beacons, infrared beams, 3D stereo video analytics, 3D spatial learning, and the list goes on…

Um, Privacy?

You'd be right to instinctively consider these technologies invasive. They immediately raise concerns as to how they are used and how they fit within Australia's existing privacy and surveillance framework.

The first thing to consider is whether the data being collected amounts to ‘personal information’ under the Privacy Act 1988 (Cth) (Privacy Act) (which means information or an opinion about an identified individual, or an individual who is reasonably identifiable) and whether or not it is therefore subject to certain collection and use restrictions under the Privacy Act and the Australian Privacy Principles (APPs).

According to APP 3, an entity governed under APPs must solicit and collect personal information only by lawful and fair means (i.e. not unreasonably intrusive). APP 5 states that entity must take reasonable steps, before, or at the time it collects personal information. If this is not practicable, reasonable steps must be taken as soon as practicable after collection.

Kepler Analytics’ states that its RF sensors irreversibly encrypt the MAC addresses it uses to track shoppers. As a result, it appears the company doesn’t know who you are, just that you have a wi-fi enabled device. This keeps the data anonymised and probably avoids it being defined as ‘personal information’ for the purposes of the Privacy Act. In the case of thermal imaging cameras, the solution is somewhat in-built, as the raw data collected may only visually amount to an unrecognisable humanoid blob.

Other systems (such as facial recognition cameras) collect biometric data which potentially falls squarely into the Privacy Act’s definition of ‘sensitive information’, imposing even greater restrictions on its collection and use (including requiring the shopper’s consent). However even these systems aim to avoid obligations imposed by the Privacy Act by applying random identifiers and similarly anonymising their data (and where anonymisation is not possible, or an individual is still ‘reasonably identifiable’ in conjunction with other information the retailer holds, the shopper’s consent may be obtained or inferred via a company’s privacy policy or captured expressly online either via the retailer’s own mobile application, or even via third-parties such as Facebook).

But even if data is sufficiently anonymised, retailers are still required to comply with relevant surveillance legislation, which in Australia is regulated on a state-by-state basis. In NSW, for example, the express or implied consent of the individual is required to install, use or maintain a tracking device to determine a person’s location, even if the identity of the person is unknown. This means that Kepler’s RF sensors may still require shopper consent in a jurisdiction such as NSW, even if they track consumers anonymously.

We have seen details of some of the extensive online tracking technologies summarised in the final report of the ACCC Digital Platforms Inquiry.  It is readily apparent that the expansion of tracking technologies into our lives is not limited to the digital world.

Authors: Alexander Ryan, Rosalind Moffat and Tim Gole