Kmart faces privacy ruling over facial-recognition at returns counters
Australia's privacy watchdog finds the retailer breached privacy laws by using biometric technology to deter refund fraud; ordered apology and ban on future use
An Australian privacy ruling has found that Kmart breached privacy laws by using facial-recognition technology at returns counters in 28 stores between June 2020 and July 2022 to deter refund fraud. Privacy Commissioner Carly Kind said the scheme collected biometric data from shoppers without adequate safeguards or informed consent.
The volumes of biometric data captured were described as indiscriminate, affecting thousands of people who entered the stores during refunds processing and representing a disproportionate interference with privacy. Kmart argued that it was exempt from requiring consent under a Privacy Act provision allowing information collection to address unlawful activity or serious misconduct. After a three-year investigation, the commissioner concluded that less-intrusive methods could have addressed refund fraud and that the benefits did not justify the privacy impact.
The Office of the Australian Information Commissioner ordered Kmart to stop using the facial-recognition system and to publish an apology to customers in stores and on its website within 30 days. Kmart, part of Wesfarmers, said it was disappointed with the decision and was evaluating its options to appeal, noting that privacy controls had been implemented during the scheme. It also said images were retained only if they matched an image of a person reasonably suspected or known to have engaged in refund fraud.
This ruling is the second time the OAIC has found a retailer in breach over the use of facial recognition. In October, the hardware chain Bunnings, owned by Wesfarmers, was found to contravene privacy laws across 62 stores and is appealing the finding. The decisions reflect growing regulatory scrutiny of biometric data in retail settings and raise questions about consent, transparency, and the balance between fraud prevention and consumer privacy.
Retailers and privacy advocates say the case could influence how biometric technologies are deployed in stores going forward, potentially prompting clearer consent mechanisms, stricter data minimization, and stronger retention and deletion controls. Regulators have signaled they will continue to scrutinize the use of facial-recognition and other biometrics as retail technology expands, particularly in high-traffic environments such as refunds counters.