Retail giant Kmart breached Australia’s privacy laws by “indiscriminately” using facial recognition technology (FRT) at 28 stores without telling shoppers or seeking their consent, the nation’s privacy commissioner has found.

Kmart captured the biometric data of all customers entering the stores during various periods between June 2020 and July 2022 according to a determination published on Thursday by Privacy Commissioner Carly Kind, following a three-year investigation.

The company had also used facial recognition to collect information about individuals at returns counters “in an attempt to identify people committing refund fraud”, the Office of the Australian Information Commissioner (OAIC) said.

Kmart allegedly argued consent was not needed due to an exemption in the Privacy Act for tackling unlawful activity, but Kind rejected that argument and found the information it collected using FRT was sensitive personal data which required protection.

The use of FRT on what “would likely be tens of thousands” of customers — including those not suspected of fraud — was “a disproportionate interference with privacy”, the commissioner said.

Kmart was also found to have left some relevant privacy information out of its privacy policies.

“The potential harms generally arising from the use of FRT are significant, and include the risk of commercial surveillance, discrimination, unlawful and arbitrary arrest, and inequality before the law,” Kind said.

Kmart stopped using the FRT system in July 2022 when the commissioner’s investigation began, OAIC said.

Using facial recognition to prevent fraud was found to be “of limited utility” to Kmart, and there were “other less privacy intrusive methods” available, Kind said, such as using more radio frequency identification (RFID) tags or locating returns counters outside of stores.

“I do not consider that the respondent (Kmart) could have reasonably believed that the benefits of the FRT system in addressing refund fraud proportionately outweighed the impact on individuals’ privacy,” Kind said.

Kmart has been ordered not to use facial recognition, and to make a public statement apologising for and explaining its use within 30 days.

The company has also been told to keep any information it obtained through the FRT system for 12 months, before destroying it.

Kmart told Information Age it was "disappointed" with the commissioner's findings and was "reviewing its options to appeal the determination".

"From August 2024 to March 2025 alone, refund-related customer threatening incidents increased by 85 per cent," the company said in a statement.

"Customer threatening incidents unrelated to refund requests increased by 28 per cent over the same period, demonstrating the heightened risk of the refund task for team members."

How Kmart’s facial recognition worked

The 28 stores chosen for Kmart's facial recognition “pilot program” were in every state and territory, excluding the Northern Territory and Tasmania.

One store had the system for approximately two years, while other stores used it for periods between seven and 12 months.

The system used CCTV cameras and unnamed third-party software to capture “five to six facial images” of individuals when they entered the store or attended a returns counter, OAIC found.

[Image: CCTV cameras and unnamed third-party software were used in Kmart's facial recognition 'pilot program'. Image: Shutterstock]

Images from a returns counter were compared with a database of all people who had entered the store, as well as with people who had entered other stores whom Kmart believed “may engage in refund fraud across stores”, the OAIC said.

Staff members were notified if the system identified a person of interest, and could refuse them refunds — but the commissioner argued “they were likely forming a suspicion that fraud may have occurred rather than ‘detecting’ fraud”.

Facial data which did not match a person of interest was not accessible to Kmart staff and was deleted after an undisclosed period, OAIC said.

Kmart told OAIC that “to the best of its knowledge”, a child’s data was never included in the database of persons of interest.

First Bunnings, now Kmart

While the use of facial recognition is not banned in Australia — it is often used in airports and in gambling establishments — OAIC’s findings against Kmart come after the regulator last year found hardware giant Bunnings breached Australians’ privacy through its own use of facial recognition in 62 stores.

Bunnings argued it had used FRT to better protect its staff and customers following a number of violent incidents, but OAIC argued Bunnings had collected individuals’ sensitive information without consent, had failed to take reasonable steps to notify customers, and had omitted required information from its privacy policy.

OAIC’s decision against Bunnings is currently being reviewed by the Administrative Review Tribunal, at the retailer’s request.

“Customer and staff safety, and fraud prevention and detection, are legitimate reasons businesses might have regard to when considering the deployment of new technologies,” Kind said.

“However, these reasons are not, in and of themselves, a free pass to avoid compliance with the Privacy Act."

Digital Rights Watch’s head of policy, Tom Sulston, told ABC News he saw Kmart’s conduct as “very invasive” and raised concerns over what he argued was “very little regulation or laws that cover the use of facial surveillance technologies”.

"We’re asking for a moratorium on the use of facial surveillance until we can be confident that we’ve got our regulatory environment up to scratch, to take care of Australians, to take care of our rights and our privacy, and make sure that systems are being used with our best interests in mind,” he said.

Kind said she would continue to apply the Privacy Act to emerging technologies on a case-by-case basis “in the absence of parliamentary intervention to specifically authorise the use of FRT systems without consent”.