Kmart Australia Found in Breach of Privacy Laws with Facial Recognition in Stores

Published on September 18, 2025
Written by: Lore Apostol, Cybersecurity Writer

Australia’s budget department store, Kmart, has been found in breach of national privacy laws for its use of facial recognition technology across 28 of its stores. The Office of the Australian Information Commissioner (OAIC) determined that the Wesfarmers-owned retailer collected sensitive biometric information from customers without their knowledge or consent.

OAIC Investigation and Findings

The OAIC investigation revealed that between June 2020 and July 2022, Kmart deployed facial recognition technology (FRT) to capture images of every customer entering select stores. The system was intended to combat refund fraud by creating a biometric template of shoppers' faces. 

Kmart contended that its actions were permissible under an exemption in the Privacy Act, which allows for the collection of personal information to address unlawful activity. In response, a Kmart spokesperson stated that the technology only retained images that matched individuals suspected of refund fraud, with all other data being deleted.

"Kmart is disappointed with the privacy commissioner's determination regarding our limited trial of FRT and is reviewing its options to appeal the determination," a Kmart spokesperson said, cited by SBS News.

However, the OAIC rejected this argument, stating that the retailer failed to provide proper notification to shoppers or obtain their consent before collecting their sensitive data.

Privacy Commissioner Carly Kind emphasized that while businesses have legitimate reasons to prevent fraud, these do not provide a "free pass to avoid compliance with the Privacy Act," according to SBS.

Using FRT impacted thousands of individuals not suspected of return fraud and was a "disproportionate interference with privacy," Kind added.

Implications for Privacy

This case represents the second recent finding by the OAIC regarding a retailer owned by Wesfarmers, a WA-based company, following a ruling against Bunnings Warehouse last year. The Kmart privacy breach determination reinforces the strict interpretation of Australia's privacy laws concerning biometric data.

It serves as a significant directive for businesses considering the deployment of such technologies, highlighting the high standard required for consent and transparency when handling sensitive personal information.

In October 2024, Meta announced plans to use its controversial facial recognition tech to spot celebrity scam ads and protect its users outside the U.K. and the E.U.

