Australia’s data privacy regulator has found that a discount department chain’s use of facial recognition technology breaches privacy rules.
Shutterstock.com/Daria Nipot
Kmart, one of Australia’s largest retailers, unlawfully collected sensitive biometric data without consent through facial recognition systems designed to tackle refund fraud, the Office of the Australian Information Commissioner (OAIC) said today. Its 3-year investigation revealed that Kmart did not notify or seek consent from shoppers that it was collecting and processing their biometric data.
The chain had used the technology to capture the faces of every individual that entered 28 of its stores between June 2020 and July 2022, the OAIC said.
The regulator said Kmart argued it was not required to obtain consent due to an exemption in the Privacy Act that applies when organisations “reasonably believe” they must collect sensitive information to mitigate unlawful activity or serious misconduct.
Privacy commissioner Carly Kind said in a statement that Kmart’s use of facial recognition technology was “a disproportionate interference with privacy” and there were less intrusive methods that could have been deployed.
“I do not consider that the respondent (Kmart) could have reasonably believed that the benefits of the FRT [facial recognition technology] system in addressing refund fraud proportionately outweighed the impact on individuals’ privacy,” Kind said.
Kmart has been ordered by the commissioner to cease the prohibited activity and publish the decision and an apology in a statement within 30 days on its website.
The investigation was launched in July 2022 after consumer advocacy group CHOICE submitted information on the companies use of facial recognition technology. The commissioner said today Kmart stopped using the system after this.
In October 2024, the commissioner found that another retail chain, Bunnings Group, breached shoppers’ privacy through its use of facial recognition in 62 outlets without consent. Bunnings said at the time that it is appealing the decision with the Administrative Tribunal Review.
A Kmart spokesperson told Lexology PRO it used facial recognition technology to "protect the privacy" of its customers and the images were only retained if they matched an image of a person suspected of refund fraud, and all other images were deleted.
Kmart said it was "disappointed" with the decision and is "reviewing it's options to appeal the determination."