24/09/2025

Australian retail giant Kmart’s facial recognition practices have been found to have breached Australia’s Privacy Act.
The Privacy Commissioner, Carly Kind, of the Office of the Australian Information Commissioner (OAIC), handed down her determination on 26 August 2025.
Kmart deployed facial recognition (FR) cameras in 28 of its stores during a pilot program between 22 June 2020 and 15 July 2022. The cameras were located at store entrances and refund counters, as the pilot program was aimed at combating ‘refund fraud’. The system worked by generating biometric templates from the faces of everyone passing the cameras and comparing these to a set of biometrics generated from images of known individuals. If a match was found, an alert would be triggered for Kmart refund counter staff. Staff could also add new faces to the system, if new incidents of fraud were discovered that could be linked to an individual who had been filmed at a refund counter.
A biometric template is defined in the Privacy Act as ‘sensitive information’, a special category of personal information that generally must be collected by consent.
The Commissioner stated that “the FRT system involved capturing and processing the facial images of every individual who entered a relevant store during the relevant period, regardless of their age, appearance, demeanour or intentions, and comparing the metadata generated from those facial images against other metadata as part of the matching process. Each collection of sensitive information from every individual who entered the relevant stores during the relevant period – potentially tens or even hundreds of thousands of individuals … – impacts upon the privacy of the respective individuals”.
Kmart argued, firstly, that it did not collect the personal information of unmatched individuals, as these people were not ‘reasonably identifiable’. Commissioner Kind did not accept that argument.
Kmart further argued that an exception in the Privacy Act allowed it to collect the images without consent, because it:
(a) ‘had reason to suspect that unlawful activity, or misconduct of a serious nature [i.e. refund fraud] … has been, is being or may be engaged in’, and
(b) ‘reasonably believed that the collection, use or disclosure [of the FR images] was necessary’ in order for it to take appropriate action in relation to the matter.
Commissioner Kind accepted (a) but not (b). Essentially, she found that while retail fraud was a genuine concern, Kmart’s FR scanning of all individuals entering a store without their consent was a disproportionate response to the size and cost of the problem, especially when considered against Kmart’s $9.2 billion annual turnover, and when a number of other less invasive methods were open to it (such as always requiring a receipt for a refund, relocating refund counters to the front of stores so that customers could only transact at them before entering, and using RFID tags). In addition, by Kmart’s own admission the FR system had practical limitations, meaning it could only effectively combat some of the common types of retail fraud.
Kmart’s in-store signage about FR and its online Privacy Policy were also found to be inadequate.
At present Kmart has been directed to cease using FR as it was deployed in the pilot, to issue an apology, and to delete all pilot data in 12 months’ time. OAIC has not yet applied to impose a pecuniary civil penalty on Kmart, although this course is still open to it.
Bunnings, another Wesfarmers business, also fell foul of the Privacy Act last year for its use of FR technology in 62 stores. As with Kmart, OAIC found Bunnings had collected individuals’ sensitive information without consent, had failed to take reasonable steps to notify customers, and had omitted required information from its privacy policy. Bunnings is currently appealing that determination in the Administrative Review Tribunal.