Kmart broke privacy laws by scanning shoppers’ faces

Retail giant Kmart breached Australians’ privacy by scanning shoppers’ faces without consent, Australia’s privacy commissioner has ruled. Between June 2020 and July 2022, Kmart installed facial-recognition cameras in 28 stores to combat refund fraud.

Every customer who entered – not just suspected fraudsters – had their biometric data captured. Privacy commissioner Carly Kind said that after a three-year investigation, she found the practice was “a disproportionate interference with privacy”.

“I do not consider that the respondent [Kmart] could have reasonably believed that the benefits of the facial-recognition technology system in addressing refund fraud proportionately outweighed the impact on individuals’ privacy,” she said in a statement.

“[It was] also minimal with respect to [Kmart’s] annual revenue, which was $9.2 billion in the 2020 financial year.”

The ruling stressed that biometric data – which is considered sensitive personal information under the Privacy Act – enjoys special legal protections, and collecting it without notice or consent is a serious breach.

Kmart argued it was entitled to use the technology under an exemption in the act for tackling unlawful activity. But Kind rejected that defence, concluding the collection of biometric information from thousands of innocent customers was unjustified.

A Kmart spokeswoman said the company was “disappointed with the determination” and was reviewing its options to appeal.

“Like most other retailers, Kmart is experiencing escalating incidents of theft in stores, which are often accompanied by anti-social behaviour or acts of violence against team members and customers,” the spokeswoman said.

“We implemented controls to protect the privacy of our customers. Images were only retained if they matched an image of a person of interest reasonably suspected or known to have engaged in refund fraud. All other images were deleted, and the data was never used for marketing or any other purposes. ”

She said Kmart ceased the trial when the commissioner commenced the investigation, and that from August 2024 to March 2025, refund-related treats from customers increased by 85 per cent.

“At Kmart we believe that all our team members deserve protections that make their workplaces safe, and that customers should also feel safe where and when they shop,” she said. “Kmart remains committed to finding tools to reduce crime in our stores, so we deliver on team member and customer safety, and retain our ability to continue delivering on our low-price credentials for our customers.”

Kmart has been ordered not to repeat the practice in the future and will have to publish a statement explaining its use of facial recognition technology and the regulator’s finding against it.

This is the second time the regulator has ruled against facial recognition in retail, following a similar finding against Bunnings last year – a decision that is currently under review by the Administrative Review Tribunal.

In Bunnings’ case, the DIY chain took the data of customers’ faces over a three-year period and compared them against a database of individuals the company had deemed a potential risk due to past crime or violent behaviour. Its managing director Mike Schneider said stores that participated in the trial had seen a clear reduction in violent incidents.

The watchdog opened an investigation into Kmart for its use of facial-recognition technology at the same time as the Bunnings investigation. Wesfarmers, which operates Kmart, Bunnings and Officeworks, confirmed Officeworks does not use the technology.

Kind said the findings did not mean facial-recognition technology was banned outright, but that retailers and public venues have to weigh crime prevention measures with customer privacy.

“These two decisions do not impose a ban on the use of facial-recognition technology,” she said. “Customer and staff safety, and fraud prevention, are legitimate reasons businesses might consider these technologies. However, these reasons are not a free pass to avoid compliance with the Privacy Act.”

The Business Briefing newsletter delivers major stories, exclusive coverage and expert opinion. Sign up to get it every weekday morning.