
Under watchful eyes: Navigating the NSW hotels and clubs code of practice for facial recognition technology

May 15, 2026

Licensed venues using Facial Recognition Technology (FRT) for security and self-exclusion purposes have operated in a grey area for some time.  

In late 2022, the NSW Government proposed the Registered Clubs Amendment Bill 2022 (NSW), which suggested changes to the Registered Clubs Act 1976 (NSW) explicitly permitting the use of FRT for enforcing exclusions.  That bill was shelved, and express regulation of the use of FRT in clubs and hotels has not been revisited – until now.  

Regulatory framework

The Code of Practice: Facial Recognition Technology in Hotels and Clubs (the Code) released on 16 March 2026 marks a significant step in the governance of FRT in the NSW hospitality sector.  It aims to balance harm minimisation with responsible data handling and respecting privacy.  Licensed venues using or thinking of implementing FRT to assist with identifying self-excluded patrons should promptly ensure that their FRT practices are compliant with the Code and other regulatory obligations.

Importantly, licensed venues should be aware that the introduction of the Code does not displace a venue's obligation to comply with the Privacy Act 1988 (Cth) (Privacy Act).  Privacy compliance has been a key cause of consternation in the uptake of FRT by venues unsure of whether the ability to easily identify excluded persons outweighs the compliance burden of obtaining privacy consents from each patron who enters their premises.  This is due to the nature of the information that is collected by FRT.

How to implement FRT

FRT works by capturing an image of a person's face, extracting their distinct facial features into a 'biometric template', and then comparing that biometric template against a database of persons (in this case, excluded persons).  Under the Privacy Act, a biometric template is considered sensitive information, which generally attracts a higher level of protection than other personal information.  For example, except in limited circumstances, sensitive information cannot be collected unless the individual consents and the information is reasonably necessary for one of the organisation's functions.  An exception to this requirement is where the collection of the information is required or authorised under an Australian law; however, the use of FRT is not mandated.

The Code sets out minimum standards for the use of FRT in licensed venues, with a focus on supporting gambling harm minimisation through the effective operation of self-exclusion registers.  In particular, venues using or seeking to use FRT must take certain steps, including:

  • Privacy Impact Assessment (PIA): Conduct a PIA before deploying FRT, addressing necessity, proportionality, alternatives, and privacy risks.  Venues with existing FRT installed that have not completed a PIA may do so retrospectively.  The PIA must be retained for inspection by Liquor & Gaming NSW (L&GNSW) upon request.
  • Data breach response plan: Review your data breach response plan to ensure it addresses FRT-specific risks, including unauthorised access to biometric data and notification obligations under the Notifiable Data Breaches scheme.
  • Privacy policy: Update your privacy policy to clearly explain the use of FRT, the types of data collected, purposes of collection, data storage, and deletion practices.  Your privacy policy should also address the other types of personal information you collect and how it is handled.
  • Signage and consent: Display prominent signage provided by L&GNSW to inform all patrons of FRT use.  L&GNSW is still in the process of considering signage options, and will notify licensees once this becomes available.  To ensure compliance with the Privacy Act and Australian Privacy Principles, venues should also obtain and document express, informed consent to the use of FRT where possible.
  • Data security and localisation: Ensure your venue's systems meet the Code's minimum standards, keep data linked to the FRT system exclusively in Australia, and implement strict access controls and data security measures.
  • Ongoing monitoring: Review FRT system usage reports within the required timeframes, monitor and report on system accuracy, including false positives/negatives, and review FRT effectiveness over time.
  • Review FRT provider arrangements: Confirm that your FRT provider meets the minimum requirements in ‘Attachment A’ to the Code, including data security, system accuracy, and support for compliance monitoring.

The Bunnings Appeal: implications for hotels and clubs

Shortly before the Code’s release, a significant Privacy Act decision was handed down that forms an important part of the regulatory backdrop against which the Code operates.

On 4 February 2026, approximately six weeks before the Code was published, the Administrative Review Tribunal (ART) delivered its decision in Bunnings Group Limited and Privacy Commissioner (Guidance and Appeals Panel) [2026] ARTA 130 (Bunnings Appeal), partially overturning the Australian Privacy Commissioner’s 2024 determination that Bunnings had breached the Privacy Act by deploying FRT in 62 of its stores across New South Wales and Victoria between 2018 and 2021.

The ART affirmed the Privacy Commissioner's findings that Bunnings had breached APPs 1.2, 1.3 and 5.1 (relating to privacy governance, privacy policy transparency, and notice to individuals respectively), but set aside the finding that Bunnings had breached APP 3.3 by collecting sensitive biometric information without consent.  The ART held that Bunnings could rely on the "permitted general situation" exception in section 16A of the Privacy Act, given documented incidents of violence in its stores and the nature of products on its shelves that could be used as weapons.  The Privacy Commissioner subsequently stated that the ART decision in Bunnings sets a high bar for the use of FRT in Australia and is not a "green light" for general FRT use, and flagged that the Office of the Australian Information Commissioner (OAIC) will update its FRT regulatory guidance.

The ART’s decision informed the regulatory context in which the Code was developed and provides important guidance for licensed venues on their Privacy Act obligations when operating FRT.  For licensed venues, the key takeaways are these:

  1. The section 16A exception is fact-specific: the ART’s findings turned on Bunnings’ unique risk profile, and venues cannot assume the same exception will apply without their own documented evidentiary basis.
  2. Consistent with the Code’s own guidance, obtaining express consent from patrons remains the safer approach and is more readily achievable for licensed venues through existing membership and sign-in processes.
  3. The ART's affirmation of the APP 1 and APP 5 breaches confirms that robust governance, a PIA, clear privacy policy disclosure, and unambiguous patron-facing notices are fundamental obligations under the Privacy Act, and not merely recommended steps under the Code.

Moving forward

The Code is a significant step forward in providing clarity and operational guidance for venues.  By requiring a PIA, robust privacy documentation, and technical controls, it helps venues demonstrate compliance with the Privacy Act’s requirements for handling sensitive information.  The focus on governance, transparency, and data minimisation aligns with best practice and regulator expectations.

However, the Code does not create a "safe harbour".  Compliance with the Code does not prevent regulatory action by the OAIC for failing to comply with Privacy Act obligations, or by L&GNSW for a breach of liquor or gaming requirements.  To better promote privacy compliance, clubs and hotels should seek to obtain a patron's express consent to the use of FRT where possible (e.g. in membership applications, or when signing in guests and visitors).  Confining FRT use to limited areas of the venue also helps.

L&GNSW expects that venues using FRT will swiftly take steps to ensure compliance with the Code.  Venues requiring significant upgrades to existing systems to meet one or more requirements of the Code must become compliant within six months of the Code's release, and other venues sooner.

For more information on the Code and its application contact our Clubs, Gaming and Hospitality team, or for information on broader facial recognition technology issues contact our Technology team.

Authors

Arj Puveendran | Partner | +61 2 8248 3494 | apuveendran@tglaw.com.au

Francesco Mazzitelli | Associate | +61 2 8248 5863 | fmazzitelli@tglaw.com.au  

Hayden Delaney | Partner | +61 7 3338 7517 | hdelaney@tglaw.com.au
