Several Australian retailers have kept facial recognition technology (FRT) on despite the Australian Privacy Commissioner ruling Kmart and Bunnings’s use of the technology breached privacy laws, sparking concerns from computer scientists, unions and privacy advocates.
Retailers still using real-time FRT range from bottle shops operating under the national Metcash-owned Thirsty Camel brand to independent groceries like Carlton Super Markets, whose owner, Moshen Nejad let Information Age inspect its real-time Dahua Technology FRT system, saying: "I promise it’s [FRT] only used to prevent crime”.
Seven days ago, a Dahua spokesperson told Information Age it would “review the questions”, but, since then, has not replied to inquiries about how many of its retail clients use FRT.
The manager of a Thirsty Camel store on Chapel Street in Melbourne confirmed it currently uses Scantek’s FRT software, but Metcash did not reply when asked about the scale of FRT’s use by the hundreds of IGAs and Thirsty Camel businesses that include a mix of Metcash-owned stores and independently owned stores.
Australian retailers with FRT disclosures in current privacy policies include Drakes Supermarkets, which operates 75 groceries, liquor stores and newsagents in South Australia and Queensland; Harris Farm Markets, which operates 30 grocery stores in NSW, Queensland and Canberra; and budget department store Kmart.
Drakes Supermarkets and Harris Farm Markets did not reply to requests for comment, but a Kmart spokesperson told Information Age that the use of real-time FRT had “ceased”.
“To tackle a growing problem of refund fraud in our stores, we conducted a limited trial of FRT, commencing in one store, and extending to another 27 stores with high levels of refund fraud between June 2020 to July 2022.”
Although Kmart uses theft-prevention platform Auror, which allows its retail clients to retain and share “anonymised” data, the Kmart spokesperson said that “images were only retained if they matched an image of a person of interest reasonably suspected or known to have engaged in refund fraud.”
“All other images were deleted, and the data was never used for marketing or any other purposes.”
Real-time and post-event FRT
In September 2025, retail theft prevention platform Auror made real-time FRT, also called ‘live FRT’, available to Australian retailers by “integrating” with systems like Axon and Reveal Media.
An Auror spokesperson told Information Age that live FRT products are not "being used by [its] customers in Australia presently”, but did not address whether its retail customers use post-event FRT, which as Auror’s CEO Phil Thomson put it, in mid-2023, means "an image...uploaded into the platform... can then be referenced...to see if it's the same person" after an incident.
Auror’s customers including Drakes Supermarket, The Reject Shop and Wesfarmers-owned Officeworks, Priceline, and Woolworths declined to comment.
Endeavour Group-owned BWS and Dan Murphy’s, which completed “Auror system implementation to enable better sharing of data with peers” mid-last year in 1,726 stores, according to its annual reports, did not reply to requests for comment.
Wesfarmers-owned Auror user Bunnings told Information Age that “FRT is currently not in use at all”.
AI blurs the meaning of ‘anonymised’
University of Sydney law lecturer Dr Zofia Bednarz told Information Age that “the so-called ‘de-identification’ or ‘anonymisation’” of data “is a prime example” of how “the current definition of personal information under the Australian Privacy Act and the GDPR” have not kept up with modern technology.
“How can you de-identify biometric data? I don’t think you can,” she said.
Peer-reviewed research published in Proceedings on Privacy Enhancing Technologies and The Lancet last year demonstrated that de-identified and anonymised facial data can be re-identified with both open-source and commercially available FRT systems.
Platforms that use biometric data to help Australian retailers prevent asset loss like Auror and Black.AI, which — like Scantek — did not reply, do not define or detail how they anonymise or de-identify data, even though they describe them as key privacy safeguards.
Macquarie University computer science lecturer Dr Hassan Asghar told Information Age that “Data can be an asset and a liability if not handled correctly.”
“History has taught us that data cannot be properly anonymised by simple approaches. Blurring someone’s face for example, may impede their identification, but does nothing to hide their clothes and body shape. An issue with anonymising data is that it must still exist within the system to be useful.
“For example, on Auror you can search for insights based on features such as age and hair colour allowing for the identification of specific individuals.”
Piotr Kulaga, who’s worked in user experience, interface design and multiple facets of computing for over two decades told Information Age that biometric data poses an especially "problematic" set of risks to privacy: “like the obvious fact that we can't 'move on', the way one can make another 'account'.”
Digital Rights Watch head of policy Tom Sulston told Information Age that “the privacy commissioner’s recent rulings against Bunnings and Kmart show that retail theft and fraud are not sufficiently important problems to justify such a huge imposition on the privacy rights of the Australian public to go about our lives without being surveilled.”
Employee performance management
The Commonwealth Bank of Australia’s recent use of its own customer app’s FRT logs to collect data on one of its employees that it sacked highlights how platforms’ biometric security features can be repurposed to discipline staff.
In addition to FRT, Auror users can integrate the platform with human resource systems to “access data from your organisation's staff directory to autocomplete relevant details for internal events when the person involved in an event is an employee.”
The Retail and Fast Food Workers Union (RAFFWU) told Information Age that Auror is “also used for surveilling, performance managing and disciplining employees.”
“It’s not just flagging shoplifters but workers detected for policy breaches,” RAFFWU secretary Cullinan said.
"Management has used Auror to build cases against our members for intervening with thieves or personal transaction discrepancies.
“We believe workers should not be responsible for theft prevention, but the tool spies on employees and is operated in total secrecy, making it harder to defend members when it’s weaponised to unfairly sack them.”
