Kmart breached Australians’ privacy by using facial recognition technology to combat refund fraud without telling customers or seeking their consent, the Privacy Commissioner has found.
In a determination released on Wednesday, Privacy Commissioner Carly Kind concluded Kmart Australia Limited contravened the Privacy Act by deploying facial recognition technology (FRT) across 28 stores between June 2020 and July 2022. The system captured the faces of every person entering those stores and anyone presenting at a returns counter in an attempt to identify people involved in refund fraud.
Kmart argued it did not need consent because it relied on an exemption that allows organisations to collect personal information where they reasonably believe it is needed to address unlawful activity or serious misconduct. The Commissioner rejected that position, finding that the retailer’s approach involved the indiscriminate collection of sensitive biometric information from all shoppers, that there were less privacy-intrusive ways to address refund fraud, that the FRT was of limited utility, and that the impact on many thousands of people not suspected of wrongdoing was disproportionate.
“Understanding how FRT accords with the protections contained in the Privacy Act requires me to balance the interests of individuals in having their privacy protected, on the one hand, and the interests of entities in carrying out their functions or activities, on the other. Relevant to a technology like facial recognition is also the public interest in protecting privacy,” the Privacy Commissioner said.
Relevant factors included the estimated value of fraudulent returns relative to Kmart’s overall operations and profits, the limited effectiveness of the system, and the breadth of the privacy impacts in collecting sensitive information from every person entering the stores. “I do not consider that the respondent (Kmart) could have reasonably believed that the benefits of the FRT system in addressing refund fraud proportionately outweighed the impact on individuals’ privacy,” the Commissioner stated.
The decision is the second from the Office of the Australian Information Commissioner (OAIC) concerning FRT in retail settings, following an October 2024 finding that Bunnings Group Limited had contravened privacy law through its use of the technology at 62 stores. That decision is under review by the Administrative Review Tribunal. Although similar in outcome, the OAIC said the Kmart and Bunnings cases differed in their focus and the way FRT was used.
“These two decisions do not impose a ban on the use of FRT. The human rights to safety and privacy are not mutually exclusive; rather, both must be preserved, upheld and promoted. Customer and staff safety, and fraud prevention and detection, are legitimate reasons businesses might have regard to when considering the deployment of new technologies. However, these reasons are not, in and of themselves, a free pass to avoid compliance with the Privacy Act,” she stated.
The Privacy Act treats biometric information as sensitive personal information, which attracts higher protections. The OAIC said its technology-neutral framework requires entities to weigh proportionality, ensure transparency, address risks of bias and discrimination, and implement strong governance around the collection, use and retention of sensitive data. It has published guidance for organisations assessing the privacy risks of FRT and the Commissioner has issued a blog post with further takeaways for retailers.
Kmart has been under investigation since July 2022, when it stopped operating the FRT system, and has cooperated with the OAIC throughout. The company has been contacted for comment. Determinations of the Privacy Commissioner can be reviewed by the Administrative Review Tribunal.