
Low-price retailer Kmart has been found to have breached the privacy of Australian shoppers in its use of facial recognition technology, according to the Privacy Commissioner Carly Kind.

This comes three years after Kmart, and its sister business Bunnings under Wesfarmers, ended the use of facial recognition technology across a selection of its stores in a bid to crack down on refund fraud. Kmart deployed the technology between June 2020 and July 2022.

The technology captured the faces of every person who entered 28 of its retail stores, and all individuals who presented at a returns counter, in an attempt to identify people committing refund fraud.

In a determination published today, the Privacy Commissioner found that Kmart did not notify shoppers or seek their consent to use FRT to collect their biometric information, which they said is sensitive personal information and enjoys higher protections under the Privacy Act.

According to the commissioner, Kmart argued that it was not required to obtain consent because of an exemption in the Privacy Act that applies when organisations reasonably believe that they need to collect personal information to tackle unlawful activity or serious misconduct. 

The Privacy Commissioner’s determination focused on assessing whether Kmart met the conditions for relying on the exemption, and concluded that the sensitive biometric information of every individual who entered a store was indiscriminately collected by the FRT system. 

It also found that there were other less privacy-intrusive methods available to Kmart to address refund fraud, and that deploying the FRT system to prevent fraud was of limited utility.

In a statement issued to Ragtrader, a Kmart spokesperson said the low-price retailer is “disappointed” with the commissioner’s determinations and is reviewing its options to appeal the verdict. 

“Like most other retailers, Kmart is experiencing escalating incidents of theft in stores which are often accompanied by anti-social behaviour or acts of violence against team members and customers,” the spokesperson shared.

“To tackle a growing problem of refund fraud in our stores, we conducted a limited trial of FRT, commencing in one store, and extending to another 27 stores with high levels of refund fraud between June 2020 to July 2022. We implemented controls to protect the privacy of our customers. 

“Images were only retained if they matched an image of a person of interest reasonably suspected or known to have engaged in refund fraud. All other images were deleted, and the data was never used for marketing or any other purposes.”

Kmart then ceased the trial when the Privacy Commissioner commenced its investigation.

“From August 2024 to March 2025 alone, refund-related customer threatening incidents increased by 85 per cent,” the spokesperson continued. “Customer threatening incidents unrelated to refund requests increased by 28 per cent over the same period, demonstrating the heightened risk of the refund task for team members.

“At Kmart we believe that all our team members deserve protections that make their workplaces safe, and that customers should also feel safe where and when they shop.

“Kmart remains committed to finding tools to reduce crime in our stores, so we deliver on team member and customer safety, and retain our ability to continue delivering on our low-price credentials for our customers.”

According to the commissioner, the FRT trial by Kmart during the pandemic would have impacted the many thousands of individuals not suspected of refund fraud, making it a disproportionate invasion of privacy.

“Understanding how FRT accords with the protections contained in the Privacy Act requires me to balance the interests of individuals in having their privacy protected, on the one hand, and the interests of entities in carrying out their functions or activities, on the other,” the commissioner Carly Kind said. “Relevant to a technology like facial recognition, is also the public interest in protecting privacy.”

Relevant factors considered by the commissioner included the estimated value of fraudulent returns against the respondent’s total operations and profits, the limited effectiveness of the FRT system, and the extent of the privacy impacts in collecting the sensitive information of every individual who entered the relevant stores.

The commissioner said they did not consider that Kmart could have reasonably believed that the benefits of the FRT system in addressing refund fraud proportionately outweighed the impact on individuals’ privacy.

The determination is the second issued by the Office of the Australian Information Commissioner (OAIC) on the use of FRT in retail settings. 

In October 2024, the Privacy Commissioner found that Bunnings Group Limited had contravened Australians’ privacy through its use of FRT in 62 of its retail stores across Australia. That decision is currently under review by the Administrative Review Tribunal.

“These two decisions do not impose a ban on the use of FRT,” Kind continued. “The human rights to safety and privacy are not mutually exclusive; rather, both must be preserved, upheld and promoted. 

“Customer and staff safety, and fraud prevention and detection, are legitimate reasons businesses might have regard to when considering the deployment of new technologies. However, these reasons are not, in and of themselves, a free pass to avoid compliance with the Privacy Act.”

The commissioner added that Kmart cooperated throughout the investigation, and further noted that although similar conclusions were reached for both retailers, the cases differ considerably and focus on different uses of FRT.

The Privacy Act is technology-neutral and does not proscribe the use of any particular technology. When considering the roll-out and use of new technologies such as FRT, the OAIC’s guidance encourages entities to consider factors such as proportionality, transparency, the risk of bias and discrimination, and governance for the collection, use and retention of sensitive personal information.
