Kmart found to breach privacy with nationwide facial recognition program, OAIC rules
Australian privacy watchdog rules Kmart's use of facial recognition across 28 stores unlawful; consumer advocates say current laws are inadequate
An Australian privacy regulator ruled that Kmart breached privacy laws by secretly installing facial recognition technology across 28 stores to deter refund fraud. The Office of the Australian Information Commissioner (OAIC) revealed that between June 2020 and July 2022, Kmart captured biometric data from shoppers and anyone visiting returns counters, all without knowledge or consent. Privacy Commissioner Carly Kind concluded that the privacy impact of the program far outweighed any potential benefit.
Kind said, 'I do not consider that Kmart could have reasonably believed that the benefits of the FRT system proportionately outweighed the impact on individuals' privacy.' The retailer stopped using the technology in 2022 when the investigation began and cooperated with the OAIC. CHOICE investigative journalist Jarni Blakkarly called the practice 'deeply concerning' and noted that 'while you can easily change your email address if it's involved in a data breach, you can't get a new face. Consumers shouldn't have to take that risk every time they buy clothes or household items.' CHOICE, which first raised the alarm about the practice three years ago, said the ruling highlights the weakness of Australia's privacy laws and called for stronger, fit-for-purpose rules to hold businesses accountable for privacy breaches.
Refund fraud at Kmart involves exploiting the returns system to obtain money or store credit, including cases where stolen items are returned for a refund, or where barcodes are swapped to claim more value than an item is worth. Such activities laid the groundwork for the OAIC inquiry and the subsequent finding of unlawful use of biometric data.
While the OAIC ruling targets a single retailer, it raises broader questions about the use of facial recognition in retail and other sectors. Privacy advocates say the case underscores the need for clearer consent standards and stronger penalties for breaches. The ruling aligns with ongoing debates about the balance between fraud prevention and privacy rights in an era of pervasive biometric data collection. The case has already sparked calls for legislative reform to modernize privacy protections, particularly around biometric data, and to ensure accountability for organizations deploying facial recognition technologies.
Observers say the decision could prompt further OAIC inquiries into other deployments of facial recognition technology and accelerate regulatory scrutiny of how retailers collect and store biometric data. There has been no publicly published comment from Kmart's parent company in the notes, but the OAIC's determination stands as the central finding of record in this case.