Kmart facial recognition ruled to have violated customer privacy
Occurred: June 2020-July 2022
Page published: September 2025
Australian retailer Kmart unlawfully used facial recognition to collect sensitive biometric data about its customers, breaching privacy law by scanning faces without consent or adequate notification.
Kmart used facial recognition in 28 stores across Australia to combat refund fraud. Operating between June 2020 and July 2022, the system captured facial images of every person entering the stores and anyone approaching returns counters, creating biometric templates that were compared against a database of individuals suspected of fraudulent returns.
While images that did not match suspected fraudsters were automatically deleted, the system indiscriminately collected sensitive biometric information from potentially hundreds of thousands of innocent customers without their knowledge or consent.
The Office of the Australian Information Commissioner (OAIC) determined that Kmart breached multiple provisions of the country's Privacy Act 1988, including failing to obtain consent for collecting sensitive information, inadequate notification to customers, and maintaining insufficient privacy policies.
The Commissioner found that the privacy invasion was disproportionate to the limited benefits achieved, as the fraud detected was minimal compared to Kmart's overall operations and revenue.
Kmart implemented the facial recognition system as part of its strategy to address rising retail theft and refund fraud, which the company argued was necessary to protect staff and customers from increasingly violent incidents.
The retailer attempted to justify the collection under an exemption in the Privacy Act that allows organisations to collect personal information without consent when addressing unlawful activity or serious misconduct.
However, the Privacy Commissioner rejected this defence, finding that Kmart could not reasonably believe the facial recognition system was necessary because less privacy-intrusive alternatives were available, such as enhanced staff training for document checks or relocating returns counters.
The Commissioner emphasised that the collection lacked proportionality and transparency, fundamental requirements under Australian privacy law.
The decision requires Kmart to publish an apology and detailed statement on its website, retain all facial recognition data for 12 months for compliance purposes before destruction, and permanently cease using the system in its previous form.
The ruling establishes clear precedent that retailers cannot deploy mass surveillance technologies under the guise of security without proper privacy safeguards.
The Commissioner emphasised that while fraud prevention and safety are legitimate business concerns, they do not provide a "free pass to avoid compliance with the Privacy Act".
It also signals a growing regulatory pushback against indiscriminate biometric data collection.
Facial recognition system
A facial recognition system is a technology potentially capable of matching a human face from a digital image or a video frame against a database of faces.
Source: Wikipedia 🔗
Developer: Unknown
Country: Australia
Sector: Retail
Purpose: Identify criminal suspects
Technology: Facial recognition
Issue: Accountability; Privacy; Proportionality; Transparency
Commissioner Initiated Investigation into Kmart Australia Limited (Privacy) [2025] AICmr 155
Office of the Australian Information Commissioner. Kmart’s use of facial recognition to tackle refund fraud unlawful, Privacy Commissioner finds
AIAAIC Repository ID: AIAAIC2041