Kmart has broken Australian privacy laws by using facial recognition technology (FRT) on customers, the privacy commissioner has found.
Between June 2020 and July 2020, Kmart used FRT to capture the faces of every person who entered 28 of its retail stores, and all individuals who presented at a returns counter, in what the Privacy Commission said was "an attempt to identify people committing return fraud".
FRT is a form of biometric technology that captures a digital image of a person's face and converts it into a biometric template, which is then compared against previous templates for facial identification.
The Privacy Commission has been investigating Kmart since 2022 and found that the company did not notify shoppers or seek their consent to use FRT.
FRT has higher protections under the Privacy Act as it collects "sensitive information". Laws require the use of FRT to be necessary and proportionate, and for consent to be sought from individuals.
What did the Privacy Commission find?
The commission said the retail giant argued it wasn't required to obtain consent because of an exemption in the Privacy Act that applies when organisations believe they need to collect personal information to tackle unlawful activity or serious misconduct.
But privacy commissioner Carly Kind said there were "less privacy intrusive" methods available to Kmart to address return fraud.
"The sensitive biometric information of every individual who entered a store was indiscriminately collected by the FRT system," Kind said.
She also concluded that the FRT system to prevent fraud was of "limited utility" and the breadth of use — which impacted thousands of individuals not suspected of return fraud — was a "disproportionate interference with privacy".
Kind said the assessment took into account the estimated value of fraudulent returns and the retailer's profits, the "limited effectiveness" of the FRT system, and the extent of the privacy impacts on the individuals affected.
"I do not consider that the respondent [Kmart] could have reasonably believed that the benefits of the FRT system in addressing refund fraud proportionately outweighed the impact on individuals' privacy," she stated.
Kmart 'disappointed' by the findings
In a statement provided to SBS News, a Kmart spokesperson said they were "disappointed" with the decision and were reviewing appeal options.
"Kmart is disappointed with the privacy commissioner's determination regarding our limited trial of facial recognition technology (FRT) and is reviewing its options to appeal the determination," the Kmart spokesperson said.
"Like most other retailers, Kmart is experiencing escalating incidents of theft in stores which are often accompanied by anti-social behaviour or acts of violence against team members and customers."
"To tackle a growing problem of refund fraud in our stores, we conducted a limited trial of FRT, commencing in one store, and extending to another 27 stores with high levels of refund fraud between June 2020 and July 2022," the Kmart spokesperson said.
"We implemented controls to protect the privacy of our customers. Images were only retained if they matched an image of a person of interest reasonably suspected or known to have engaged in refund fraud. All other images were deleted, and the data was never used for marketing or any other purposes."
The spokesperson said the trial ceased when the privacy commissioner started the investigation.
They said "refund-related customer threatening incidents" had increased by 85 per cent from August 2024 to March 2025, which they added amounted to a "heightened risk of the refund task for team members".
Kmart case differs 'considerably' from previous Bunnings finding
It's the second time the privacy commissioner has made a recent finding on FRT and privacy against a large Australian retailer.
In October 2024, Bunnings was found to have breached privacy laws through its use of FRT in 62 stores.
The regulator's decision is under review by the Administrative Review Tribunal.
Kind said while they had reached a similar conclusion with the Bunnings decision, the cases "differ considerably".
"These two decisions do not impose a ban on the use of FRT," she said.
"Customer and staff safety, and fraud prevention and detection, are legitimate reasons businesses might have regard to when considering the deployment of new technologies. However, these reasons are not, in and of themselves, a free pass to avoid compliance with the Privacy Act."
Kmart has been under investigation by the Office of the Australian Information Commissioner (OAIC) since July 2022, when it stopped using the FRT system. Kmart had cooperated with the OAIC throughout the investigation.