Watchdog Determines Kmart's Facial Recognition Technology Violated Australians' Privacy Laws

Share this @internewscast.com

Kmart has violated Australian privacy laws by implementing facial recognition technology (FRT) on its shoppers, according to the privacy commissioner.

In the period from June 2020 to July 2020, Kmart utilized FRT to record the faces of everyone entering 28 of its stores as well as individuals visiting a returns counter, which the Privacy Commission noted was “an effort to identify individuals committing return fraud”.

FRT is a type of biometric technology that takes a digital image of a person’s face and converts it into a biometric template, subsequently comparing it against existing templates for facial identification.

The Privacy Commission has been scrutinizing Kmart since 2022, concluding that the company neither informed customers nor gained their consent to deploy FRT.

FRT falls under increased protections according to the Privacy Act since it gathers “sensitive information”. The law mandates that the use of FRT must be necessary and proportionate, and individuals’ consent must be obtained.

What did the Privacy Commission find?

The commission said the retail giant argued it wasn’t required to obtain consent because of an exemption in the Privacy Act that applies when organisations believe they need to collect personal information to tackle unlawful activity or serious misconduct.

But privacy commissioner Carly Kind said there were “less privacy intrusive” methods available to Kmart to address return fraud.

“The sensitive biometric information of every individual who entered a store was indiscriminately collected by the FRT system,” Kind said.

The commissioner also determined that the FRT system’s role in fraud prevention was of “limited utility” and the widespread application — which affected thousands not suspected of return fraud — represented a “disproportionate interference with privacy”.

Kind said the assessment took into account the estimated value of fraudulent returns and the retailer’s profits, the “limited effectiveness” of the FRT system, and the extent of the privacy impacts of the individuals affected.

“I do not believe that Kmart could have reasonably assumed that the advantages of the FRT system in tackling refund fraud outweighed the impact on individuals’ privacy,” she stated.

Kmart ‘disappointed’ by the findings

In a statement provided to SBS News, a Kmart spokesperson said they were “disappointed” with the decision and were reviewing appeal options.

“Kmart is disappointed with the privacy commissioner’s determination regarding our limited trial of facial recognition technology (FRT) and is reviewing its options to appeal the determination,” the Kmart spokesperson said.

“Like many other retailers, Kmart is facing growing incidents of theft in stores, frequently accompanied by anti-social conduct or violence against staff and patrons.”

“To tackle a growing problem of refund fraud in our stores, we conducted a limited trial of FRT, commencing in one store, and extending to another 27 stores with high levels of refund fraud between June 2020 to July 2022,” the Kmart spokesperson said.

“We implemented controls to protect the privacy of our customers. Images were only retained if they matched an image of a person of interest reasonably suspected or known to have engaged in refund fraud. All other images were deleted, and the data was never used for marketing or any other purposes. ”

The spokesperson said the trial was ceased when the privacy commissioner started the investigation.

They reported that “refund-related customer threatening incidents” had surged by 85 per cent from August 2024 to March 2025, which they claimed translated to a “heightened risk of the refund task for team members”.

Kmart case differs ‘considerably’ from previous Bunnings finding

It’s the second time the privacy commissioner has made a recent finding on FRT and privacy against a large Australian retailer.

In October 2024, Bunnings was found to have breached privacy laws through its use of FRT in 62 stores.

The regulator’s decision is under review by the Administrative Review Tribunal.

Kind said while they had reached a similar conclusion with the Bunnings decision, the cases “differ considerably”.

“These two decisions do not impose a ban on the use of FRT,” she said.

“Customer and staff safety, and fraud prevention and detection, are legitimate reasons businesses might have regard to when considering the deployment of new technologies. However, these reasons are not, in and of themselves, a free pass to avoid compliance with the Privacy Act.”

Kmart has been under investigation by the Office of the Australian Information Commissioner (OAIC) since July 2022, when it stopped using the FRT system. Kmart had cooperated with the OAIC throughout the investigation.