The Privacy Commissioner found the retailer's use of facial recognition technology was unlawful
Popular homeware giant Kmart breached Australians’ privacy by scanning customers’ faces and collecting their personal and private information, according to the country’s top privacy watchdog.
Kmart deployed facial recognition technology (FRT) in 28 stores between June 2020 and July 2022, capturing vision of everyone entering their shops, and people visiting returns counters. The retailer was using the technology in an attempt to clamp down on “refund fraud”.
Kmart did not tell shoppers or seek their consent to use FRT to collect their biometric data, “which is sensitive personal information and enjoys higher protections under the Privacy Act”, Privacy Commissioner Carly Kind said of the determination, published Thursday.
Kmart told the Office of the Australian Information Commissioner (OAIC) it did not need the consent of its customers because of an exception in the Privacy Act, when organisations believe they need information to tackle unlawful activity, or serious misconduct.
When coming to its determination, the Commission said it assessed whether Kmart had met the conditions for relying on the exemptions, concluding it had not.
In her reasoning, Commissioner Kind said the collection of sensitive biometric information had been indiscriminate, and there were less invasive methods available for the retailer to address fraud, adding that the FRT system was of limited utility.
The FRT system also impacted on the privacy of thousands of Kmart customers not involved in retail fraud, disproportionately interfering with their privacy.
“I do not consider that the respondent (Kmart) could have reasonably believed that the benefits of the FRT system in addressing refund fraud proportionately outweighed the impact on individuals’ privacy,” Kind said in a statement today.
Kmart response to decision
Kmart said in a statement to HRD it is reviewing options to appeal the decision.
“Like most other retailers, Kmart is experiencing escalating incidents of theft in stores which are often accompanied by anti-social behaviour or acts of violence against team members and customers,” a Kmart spokesperson said.
FRT was launched as a limited trial, beginning in one store, before being extended to another 27, to tackle high levels of retail fraud, the spokesperson said.
“Images were only retained if they matched an image of a person of interest reasonably suspected or known to have engaged in refund fraud.
“All other images were deleted, and the data was never used for marketing or any other purposes.”
Staff continue to face heightened threats around refunds, with refund-related customer threats increasing 85% from August 2024 to March 2025, while customer threats not related to refunds grew 28% over the same period.
“At Kmart we believe that all our team members deserve protections that make their workplaces safe, and that customers should also feel safe where and when they shop,” the Kmart spokesperson said.
Frontline workers and customers face escalating violence
Chris Rodwell, CEO of the Australian Retailers Association, said it was vital to find a way to responsibly use facial recognition technology (FRT) in retail environments to protect frontline workers and customers from escalating violence, threats and abuse.
“Tackling the horrific levels of retail crime and violence requires new solutions. Last year, there were around 800,000 retail crime incidents across Australia and that number continues to grow,” he said in a statement.
“FRT is not a magic cure, but it is part of the solution, especially in combatting the impact of repeat offenders. Its use in other countries has delivered strong results.”
Bunnings challenging similar decision
The determination comes just over three years after the OAIC announced it was investigating both Kmart and Bunnings - both owned by Wesfarmers - for using FRT.
In October last year, a similar rebuke was handed to hardware giant Bunnings for their use of FRT in retail settings.
But amidst a growing retail violence crisis, Bunnings Managing Director Mike Schneider has continued to champion FRT, and is appealing the Commission’s determination in the Administrative Review Tribunal.
Schneider said in a statement last year the FRT trial had been effective in creating safer environments for staff, with fewer incidents recorded compared to stores without FRT. He also said customer privacy was not at risk, and in most cases the data was deleted in less than a second.
“Everyone deserves to feel safe at work,” he said.
“No one should have to come to work and face verbal abuse, threats, physical violence or have weapons pulled on them.”
Kind said the determinations on Bunnings’ and Kmart’s use of FRT are not a “ban” on the use of the technology.
“The human rights to safety and privacy are not mutually exclusive; rather, both must be preserved, upheld and promoted,” she said.
“Customer and staff safety, and fraud prevention and detection, are legitimate reasons businesses might have regard to when considering the deployment of new technologies.
“However, these reasons are not, in and of themselves, a free pass to avoid compliance with the Privacy Act.”