The Australian state of New South Wales has rolled out a new Code of Practice for facial recognition technology use in hotels and clubs, aimed at significantly improving a self-exclusion system reliant on ‘eyesight and memory of venue staff’.
Liquor & Gaming NSW published the code earlier this month, coming into effect after it was gazetted. While NSW ‘encourages all venues to ensure they are compliant with the Code’, ‘venues cannot be penalized for contravening the Code’, meaning that the standards for venues laid out are ‘not necessarily what is mandated by legislation’.
The importance of facial recognition was recently underlined by Endeavour Group’s General Manager for Regulatory & Compliance at the Regulating the Game 2026 conference, who highlighted how many pubs often relied on printed photo books of excluded patrons, with staff expected to memorize faces. Even long-serving staff members had difficulty identifying patrons whose appearance had significantly changed over time.
While the introduction of Facial Recognition Technology helps greatly to mitigate such challenges, the Endeavour executive highlighted that privacy concerns remain significant.
Responsible application of tech
New South Wales’ approach, under the code, links FRT with existing ClubSafe and BetSafe exclusion registers and aims to ‘support the ethical and responsible application of the technology and to improve the ability of venues to detect excluded patrons’.
This is done primarily through ‘one-to-any’ FRT, ‘comparing a captured image against a large database of recorded images’ – a method that ‘is notably more prone to error’ and ‘also has greater privacy implications’ than one-to-one FRT use, such as that used in unlocking a smartphone.
The code aims to comply with 13 Australian Privacy Principles (APPs) under the Privacy Act governing the collection, use, and disclosure of personal information. If venues breach any of the APPs, they can be subject to regulatory action and penalties, as ‘facial biometric information is considered sensitive information under the act’. This means that ‘the information about whom the sensitive information relates must consent to its collection unless an exemption applies’.
The Privacy Act and its APPs automatically apply to organizations with an annual turnover of more than AU$3 million ($2.07 million), with those under the threshold encouraged to opt in.
The Australian Information and Privacy Commission also ‘may at any time exercise its regulatory power to investigate and take enforcement action’ regarding a venue or FRT provider’s compliance with the APPs, irrespective of their compliance with the new code.
What does it mean for hotels and clubs?
Under the code, venues must communicate with an exclusion register or a venue’s patron data store, use the data to compare it with patrons entering a venue or gaming area, send a notification to an authorized person at the venue if a suspected excluded person is identified, and prevent unauthorized access, use, and disclosure of any data collected.
This means that the venue, via its FRT provider or legal advisor, must complete a Privacy Impact Assessment on the use of the FRT product in its venue prior to the installation of any technology. If already installed, an existing report may be repurposed. These PIAs must be retained and provided to Liquor & Gaming NSW on request.
Venues must also update their privacy policy to reflect the use of FRT in the venue and set up a response plan for suspected or confirmed data breaches.
Installation of FRT systems must be done by ‘persons holding the appropriate trade credentials’, with the venue consulting the FRT provider on the ‘appropriate number and positioning of the cameras’ and ensuring any monitoring displays are only visible to authorized staff, in locations where they are ‘consistently present […] including during non-trading hours’.
Venues must have a ‘secure, high-speed, and reliable internet connection’, with internet providers mandated to ensure peak download and upload speeds of at least 25/5 Mbps. FRT is permitted to be used offline during an unplanned disruption for a maximum of 48 hours.
In addition, the FRT systems are not allowed to be linked to ‘any other venue software that stores biographical data, including venue sign-in databases, scanned credentials, or payment mechanisms, to preserve patron anonymity’.
Signage, provided by Liquor & Gaming NSW, is also mandated and must be clearly visible to patrons in all areas where FRT is being used – such as the entrance to the gaming area or venue entrance. Printed signs must comply with the original dimensions of the printed material. Electronic signs must be on a screen measuring at least 21.5 inches diagonally, displayed in high resolution, and maintaining the original aspect ratio. Signs must always be visible and not part of a rolling display.
Interestingly, while the code directs venues to the NSW government webpage for printable and digital signage, the webpage doesn’t contain signage for FRT.
Data storage, access, and use

Data storage linked to the FRT system must ‘remain exclusively in Australia and cannot be exported overseas, regardless of whether the venue uses an on-premises or cloud-based solution’. On-premises servers must be under lock and key and not accessible to unauthorized staff. Excluded patron data must also be stored in a separate location to other venue data, with the venue only allowed to store the ‘minimum necessary information to identify and assist an excluded patron’ – this includes the patron’s image, name, start and end date of exclusion, and areas of the venue from which they’re excluded.
Data on a previously excluded patron must be deleted from the venue’s data store ‘as soon as practicable following expiry or revocation of the self-exclusion’.
For staff, the venue must have documented control processes for authorizing access to the user interface and must keep, ‘for at least five years’, a record of staff who have been trained.
The venue must also ‘ensure that excluded patrons have given express consent’ for their biometric information to be used.
One interesting detail in the code is that, while FRT must ‘primarily be used for the purpose of enforcing gambling-related exclusions’, it may also ‘be used for compliance with other regulatory obligations, including liquor banning orders or financial crime-related exclusions’.
The code explicitly prohibits the use of patrons’ personal and biometric information ‘for any commercial or marketing application, or to track patrons for other non-regulatory purposes’, which cannot be negated by obtaining a patron’s express consent.
The venue also ‘must not use information provided by a previously excluded patron for the purpose of contacting them to encourage their return to the venue and/or to gamble’. This is not solely limited to communications or marketing that promotes gambling.
Progress in tackling problem gambling
The implementation of FRT is bound to improve the efficiency of self-exclusion systems and comes amid increasing reforms aimed at reducing gambling harm. Just recently, the New South Wales government mandated that venues shut down their pokie machines for six hours daily, from 4am to 10am, closing a loophole that previously let over 650 venues across the state offer gambling in the early hours of the morning. Experts have identified early morning gamblers as those most at risk of gambling harm.
Further moves, such as a shift to cashless gaming technology and carded play, are expected to improve enforcement and reduce problem gambling, alongside moves to limit gambling advertisements and stamp out underage gambling.
There are bound to be bumps in the road, but harm mitigation efforts have largely been lauded by industry insiders, hoping to promote a sustainable gaming culture that supports gambling as entertainment.




