Facebook has recently been subject to scrutiny by privacy regulators in Europe, as well as by the US Federal Trade Commission, in relation to the introduction of its ‘tag suggest’ feature. This feature uses face recognition technology to create a biometric template of users’ faces, and had been introduced to Facebook users as a default (opt-out) setting. One outcome of the recent scrutiny has been the temporary deactivation of the tag suggest feature. However, there is every indication that Facebook intends to re-introduce the feature in the not too distant future. This article canvasses some of the privacy implications of face recognition technology, particularly as it is used by Facebook, and in the private sector generally. Legal implications of Facebook’s use of biometric templates and the generation and use of biometric information are considered by reference to the Privacy Act 1988 (Cth) as recently amended by the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth). In particular, the threshold issue of the application of Australia’s federal information privacy laws to overseas organisations that have no presence in Australia and do not have servers in the country is considered. Definitional issues around the fundamental terms ‘collect’ and ‘receive’, as used in the amended Privacy Act, are also discussed, along with an overview of possible compliance risks for Facebook arising from Australia’s information privacy regime. Finally, the article offers some reflections on the efficacy of Australian information privacy laws in regulating the creation and use of biometric face templates and associated information in the social media context.