The Australian Privacy Commissioner, Carly Kind, has found that Kmart Australia Limited acted unlawfully and breached Australians’ privacy by collecting personal and sensitive information through a facial recognition technology (FRT) system designed to tackle refund fraud.
Kmart deployed FRT between June 2020 and July 2022 to capture the faces of every person who entered 28 of its retail stores and every person who presented at a returns counter. The retailer wanted to identify people committing refund fraud. The OAIC’s investigation started in July 2022.
The Privacy Commissioner says Kmart did not notify shoppers or seek their consent to use FRT to collect their biometric information. The retailer argued that it didn’t require consent because of an exemption in the Privacy Act. The exemption applies when organisations reasonably believe they need to collect personal information to tackle unlawful activity or serious misconduct.
The Privacy Commissioner’s findings
The Privacy Commissioner’s determination assessed whether Kmart met the conditions for relying on the exemption. She concluded:
- The sensitive biometric information of every individual who entered a store was indiscriminately collected by the FRT system.
- There were other, less privacy-intrusive methods available to Kmart to address refund fraud.
- Deploying the FRT system to prevent fraud was of limited utility.
- The collection of biometric information on Kmart customers was disproportionate considering it impacted thousands of individuals not suspected of refund fraud.
The Commissioner also considered:
- The estimated value of fraudulent returns against the respondent’s total operations and profits
- The limited effectiveness of the FRT system
- The extent of the privacy impacts in collecting the sensitive information of every individual who entered the relevant stores.
Australian retailers need to be careful
This is the second time the Office of the Australian Information Commissioner (OAIC) has investigated the unlawful use of facial recognition in retail settings. In October 2024, the Privacy Commissioner found that Bunnings Group Limited had contravened Australians’ privacy when it used FRT in 62 retail stores across Australia. That decision is currently under review by the Administrative Review Tribunal.
The Commissioner has published further information on whether there is a place for facial recognition in Australian society.

Anthony is the founder of Australian Apple News. He is a long-time Apple user and former editor of Australian Macworld. He has contributed to many technology magazines and newspapers as well as appearing regularly on radio and occasionally on TV.