Privacy Commissioner finds that Kmart’s use of facial recognition technology breached the Privacy Act and was unlawful

September 18, 2025

First it was Bunnings; now Kmart has been found to have breached the Privacy Act 1988 in its use of facial recognition technology. Today the Privacy Commissioner published the results of a Commissioner-initiated investigation that found Kmart Australia breached the Australian Privacy Principles in collecting personal and sensitive information through facial recognition technology between June 2020 and July 2022. The story is covered by Information Age’s article Kmart facial recognition broke privacy laws, regulator finds. It is also covered by the ABC, the Australian Financial Review, Reuters, SBS News, News.com, Sky and Cyber Daily.

The Privacy Commissioner’s media release provides:

Privacy Commissioner Carly Kind has found that Kmart Australia Limited (Kmart) breached Australians’ privacy by collecting their personal and sensitive information through a facial recognition technology (FRT) system designed to tackle refund fraud.

Between June 2020 and July 2022, Kmart deployed FRT to capture the faces of every person who entered 28 of its retail stores, and all individuals who presented at a returns counter, in an attempt to identify people committing refund fraud.

In a determination published today, the Privacy Commissioner found that Kmart did not notify shoppers or seek their consent to use FRT to collect their biometric information, which is sensitive personal information and enjoys higher protections under the Privacy Act.

The retailer argued that it was not required to obtain consent because of an exemption in the Privacy Act that applies when organisations reasonably believe that they need to collect personal information to tackle unlawful activity or serious misconduct. The Privacy Commissioner’s determination focused on assessing whether Kmart met the conditions for relying on the exemption, and concluded:

    • The sensitive biometric information of every individual who entered a store was indiscriminately collected by the FRT system.
    • There were other less privacy intrusive methods available to Kmart to address refund fraud.
    • Deploying the FRT system to prevent fraud was of limited utility.
    • Considering that the FRT system impacted on the privacy of many thousands of individuals not suspected of refund fraud, the collection of biometric information on Kmart customers was a disproportionate interference with privacy.

“Understanding how FRT accords with the protections contained in the Privacy Act requires me to balance the interests of individuals in having their privacy protected, on the one hand, and the interests of entities in carrying out their functions or activities, on the other. Relevant to a technology like facial recognition is also the public interest in protecting privacy,” the Privacy Commissioner said.

Relevant factors considered by the Commissioner included the estimated value of fraudulent returns against the respondent’s total operations and profits, the limited effectiveness of the FRT system, and the extent of the privacy impacts in collecting the sensitive information of every individual who entered the relevant stores.

“I do not consider that the respondent (Kmart) could have reasonably believed that the benefits of the FRT system in addressing refund fraud proportionately outweighed the impact on individuals’ privacy,” the Commissioner stated.

The determination is the second issued by the Office of the Australian Information Commissioner (OAIC) on the use of FRT in retail settings. In October 2024, the Privacy Commissioner found that Bunnings Group Limited had contravened Australians’ privacy through their use of FRT in 62 of its retail stores across Australia. That decision is currently under review by the Administrative Review Tribunal.

“These two decisions do not impose a ban on the use of FRT. The human rights to safety and privacy are not mutually exclusive; rather, both must be preserved, upheld and promoted. Customer and staff safety, and fraud prevention and detection, are legitimate reasons businesses might have regard to when considering the deployment of new technologies. However, these reasons are not, in and of themselves, a free pass to avoid compliance with the Privacy Act,” she stated.

The Commissioner’s determination is instructive for entities that are considering new technologies such as FRT. Privacy considerations should be a key feature. The OAIC has also published guidance on its website: Facial recognition technology: a guide to assessing the privacy risks.

Kmart has been under investigation by the OAIC since July 2022, at which time it ceased operating the FRT system. It has cooperated with the OAIC throughout the investigation.

Although the Privacy Commissioner reached a similar conclusion in the Kmart and Bunnings decisions, the cases differ considerably and focus on different uses of FRT.

The Privacy Act is technology-neutral and does not proscribe the use of any particular technology. When considering the roll-out and use of new technologies such as FRT, the OAIC’s guidance encourages entities to consider factors such as proportionality, transparency, the risk of bias and discrimination, and governance for the collection, use and retention of sensitive personal information.

Commissioner Kind has published a blog post with further takeaways for other retailers considering using FRT.

The Information Age article provides:

Retail giant Kmart breached Australia’s privacy laws by “indiscriminately” using facial recognition technology (FRT) at 28 stores without telling shoppers or seeking their consent, the nation’s privacy commissioner has found.

Kmart captured the biometric data of all customers entering the stores during various periods between June 2020 and July 2022 according to a determination published on Thursday by Privacy Commissioner Carly Kind, following a three-year investigation.

The company had also used facial recognition to collect information about individuals at returns counters “in an attempt to identify people committing refund fraud”, the Office of the Australian Information Commissioner (OAIC) said.

Kmart allegedly argued consent was not needed due to an exemption in the Privacy Act for tackling unlawful activity, but Kind rejected that argument and found the information it collected using FRT was sensitive personal data which required protection.

The use of FRT on what “would likely be tens of thousands” of customers — including those not suspected of fraud — was “a disproportionate interference with privacy”, the commissioner said.

Kmart was also found to have left some relevant privacy information out of its privacy policies.

“The potential harms generally arising from the use of FRT are significant, and include the risk of commercial surveillance, discrimination, unlawful and arbitrary arrest, and inequality before the law,” Kind said.

Kmart stopped using the FRT system in July 2022 when the commissioner’s investigation began, OAIC said.

Using facial recognition to prevent fraud was found to be “of limited utility” to Kmart and there were “other less privacy intrusive methods” available, Kind said, such as using more radio frequency identification (RFID) tags or locating returns counters outside of stores.

“I do not consider that the respondent (Kmart) could have reasonably believed that the benefits of the FRT system in addressing refund fraud proportionately outweighed the impact on individuals’ privacy,” Kind said.

Kmart has been ordered not to use facial recognition, and to make a public statement apologising for and explaining its use within 30 days.

The company has also been told to keep any information it obtained through the FRT system for 12 months, before destroying it.

Kmart told Information Age it was “disappointed” with the commissioner’s findings and was “reviewing its options to appeal the determination”.

“From August 2024 to March 2025 alone, refund-related customer threatening incidents increased by 85 per cent,” the company said in a statement.

“Customer threatening incidents unrelated to refund requests increased by 28 per cent over the same period, demonstrating the heightened risk of the refund task for team members.”

How Kmart’s facial recognition worked

The 28 stores chosen for Kmart’s facial recognition “pilot program” were in every state and territory, excluding the Northern Territory and Tasmania.

One store had the system for approximately two years, while other stores used it for periods between seven and 12 months.

The system used CCTV cameras and unnamed third-party software to capture “five to six facial images” of individuals when they entered the store or attended a returns counter, OAIC found.

Images from a returns counter were compared with a database of all people who had entered the store, as well as with people who had entered other stores whom Kmart believed “may engage in refund fraud across stores”, the OAIC said.

Staff members were notified if the system identified a person of interest, and could refuse them refunds — but the commissioner argued “they were likely forming a suspicion that fraud may have occurred rather than ‘detecting’ fraud”.

Facial data which did not match a person of interest was not accessible to Kmart staff and was deleted after an undisclosed period, OAIC said.

Kmart told OAIC that “to the best of its knowledge”, a child’s data was never included in the database of persons of interest.

First Bunnings, now Kmart

While the use of facial recognition is not banned in Australia — it is often used in airports and in gambling establishments — OAIC’s findings against Kmart come after the regulator last year found hardware giant Bunnings breached Australians’ privacy through its own use of facial recognition in 62 stores.

Bunnings argued it had used FRT to better protect its staff and customers following a number of violent incidents, but OAIC argued Bunnings had collected individuals’ sensitive information without consent, had failed to take reasonable steps to notify customers, and had omitted required information from its privacy policy.

OAIC’s decision against Bunnings is currently being reviewed by the Administrative Review Tribunal, at the retailer’s request.

“Customer and staff safety, and fraud prevention and detection, are legitimate reasons businesses might have regard to when considering the deployment of new technologies,” Kind said.

“However, these reasons are not, in and of themselves, a free pass to avoid compliance with the Privacy Act.”

Digital Rights Watch’s head of policy, Tom Sulston, told ABC News he saw Kmart’s conduct as “very invasive” and raised concerns over what he argued was “very little regulation or laws that cover the use of facial surveillance technologies”.

“We’re asking for a moratorium on the use of facial surveillance until we can be confident that we’ve got our regulatory environment up to scratch, to take care of Australians, to take care of our rights and our privacy, and make sure that systems are being used with our best interests in mind,” he said.

Kind said she would continue to apply the Privacy Act to emerging technologies on a case-by-case basis “in the absence of parliamentary intervention to specifically authorise the use of FRT systems without consent”.
